top of page

Convicted U.K. Teens Part of Notorious LAPSUS$ Gang Behind High-Profile Hacks

A duo of young British hackers have faced the gavel in London, pronounced guilty for their membership in the infamous LAPSUS$ cybernetic gang, and their audacious execution of high-profile pilferings out of notable tech corporations, extorting heavy ransoms in return for safeguarding the confidential data they stole. The culprits include Oxford-based Arion Kurtaj, aged 18, known by several pseudonyms such as White, Breachbase, WhiteDoxbin, and TeaPotUberHacker, together with an unidentified underage accomplice who partnered with Kurtaj in July 2021, having met him in cyberspace. A recent BBC report informed of their initial apprehension and consequent release pending investigation in January of 2022, only to be seized again for charges under the City of London Police by April 2022.

Kurtaj was briefly absolved with bail and relocated to a Bicester hotel following a doxxing incident on a cybercrime forum. Irrepressibly hacking major giants such as Uber, Revolut, and Rockstar Games, the young outlaw was once again arrested in September. An additional accomplice was detained in Brazil by October 2022. Key to their extortion machinations was their skill in SIM swapping and employing bombing attacks to infiltrate corporate networks after lengthy social engineering efforts.

The financial motivations of the operation extended to sharing confidential information on their telegram channel with the motive of soliciting traitorous insiders willing to offer VPN, VDI, or Citrix credentials for organizations. The U.S Government has issued a report that highlights that the culprits weren't shy to offer up to $20,000 per week for telecommunication provider accessibility for the successful execution of SIM swap attacks. The report labelled LAPSUS$ as unique on account of its "effectiveness, speed, creativity, and impudence," as well an ability to weaponize a working "playbook of effective techniques."

In executing their fraudulent SIM swaps, LAPSUS$ amassed basic personal details of their victims, ranging from their names to phone numbers, and their customer proprietary network information (CPNI). This process utilized several tactics such as issuing deceitful Emergency Disclosure Requests, along with account takeover techniques, enabling the hijack of accounts belonging to telecommunication provider employees and their contractors.

After illegally swapping SIM cards, the hackers assumed control of online accounts using sign-in and recovery protocols that sent one-time links or MFA passcodes via SMS or voice calls. A differentiation of initial access strategies ranged from hiring services of initial access brokers (IABs) to hacking security flaws, the hackers then buffered their access by escalating privileges, moving gradually across the network, establishing consistent access through remote desktop software such as AnyDesk and TeamViewer, and eventually disabling security monitoring tools.

Allegations point to infiltrations of corporate giants like BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Samsung, Ubisoft, and Vodafone. Current unfolding motions could answer whether any of these corporations paid ransoms to the hackers. Sentencing for the teenagers will be decided in due course, having gained infamy for their successful breaches of well-defended organizations using advance social engineering techniques.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


bottom of page