Credential Theft
- Mimikatz
LAPSUS$ is a financially motivated cybercrime and extortion group best known for high-profile intrusions against major technology, telecommunications, gaming, and identity-management organizations.
Profile source: Mallory opens in a new tabLAPSUS$
LAPSUS$ is a financially motivated cybercrime and extortion group best known for high-profile intrusions against major technology, telecommunications, gaming, and identity-management organizations. Widely used aliases include DEV-0537, Slippy Spider, Strawberry Tempest, Lapsus, and LAPSUS$. The group has also been associated with the broader English-speaking cybercriminal ecosystem known as The Com. Public reporting has linked individual members and associates to the United Kingdom, and multiple arrests and prosecutions have tied teenage and young adult suspects to the group, but law-enforcement disruption has not fully eliminated activity conducted under the LAPSUS$ name.
LAPSUS$ became notable for targeting prominent enterprises such as Microsoft, Samsung, Nvidia, Ubisoft, Okta, Globant, and Rockstar Games, with additional claims and partnerships appearing in later extortion activity. The group has focused heavily on theft of source code, internal communications, credentials, customer or employee data, and other sensitive corporate information, then used public leak channels and direct extortion to pressure victims. Unlike many traditional ransomware operations, LAPSUS$ has often emphasized data theft, public shaming, and resale or release of stolen material, though some reporting also attributes ransomware-style monetization and leak-site activity to the group.
Its tradecraft is strongly associated with social engineering rather than bespoke exploitation alone. Reported techniques include vishing, help-desk impersonation, credential theft, MFA fatigue or approval abuse, insider recruitment or bribery, abuse of authentication and identity workflows, and privilege escalation after initial access. The group has repeatedly demonstrated that strong perimeter defenses can be bypassed through identity-centric attacks and manipulation of support processes. LAPSUS$ activity has also been linked to opportunistic collaboration with other criminal actors to monetize stolen access or data.
Known overlaps or reported partnerships include TeamPCP, Vect, ShinyHunters, and actors associated with Scattered Spider, although these relationships appear fluid and do not necessarily indicate a single unified organization. Some reporting places LAPSUS$ within a loose constellation of cybercriminal communities rather than a rigid hierarchical structure. The group’s operations have therefore ranged from direct intrusions to joint extortion or data-sale efforts with other actors.
LAPSUS$ is best understood as a high-impact extortion and intrusion collective that helped popularize aggressive identity-focused social engineering against large enterprises. Its significance lies less in stealth or advanced malware development than in its ability to rapidly convert stolen credentials, insider access, and authentication abuse into disruptive breaches of globally recognized organizations.
Ransomware.live
Ransomware.live
bdcb86e57332cc0b98c9f86456c4d014f6cf9ff96c21287af25046dc9dff8fa5Ransomware.live
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.