Sunday, March 26

A 16-year-old accused of leading one of the most dangerous cybercriminal gangs is arrested

The Lapsus$ cybercriminal group is one of the most active and dangerous groups operating at the moment. It has breached technology multinationals such as Microsoft, and its trail runs through multiple public administrations and governments. Its members are very aggressive, carrying out attacks like the one that brought down the entire Vodafone network in Portugal, which came to be described as a “terrorist act” for leaving emergency services, firefighters, the main banks and millions of citizens without communications. This Thursday the British police arrested seven teenagers in connection with these events.

British authorities have not confirmed whether those arrested include AK, a 16-year-old who in recent hours had been identified by multiple cybersecurity researchers, as well as by rival hackers, as the mastermind behind Lapsus$.

One of the first to indicate that a teenager could be one of the key figures in this cybercriminal group was the Spanish company Quantika14. This digital forensics and expert-witness firm was able to track him down thanks to an internal conflict at Lapsus$, during which several of its members attacked each other and left clues that allowed investigators to start following their tracks. As Quantika14 documented on March 9, one of the people behind Lapsus$ was 16-year-old AK.

“He is a teenager who lives in the United Kingdom but who comes from Albania,” the director of Quantika14, Jorge Coronado, explained on Thursday morning, before the arrests took place. Off the Internet, AK is a young man who likes to go fishing with his uncle. On the net, he was one of the leading voices of Lapsus$. “There are many indications that he is their leader,” Coronado asserted.

In the last few hours, this battle between cybercriminals escalated and led to the publication of all of AK’s personal data on the Internet. His conflict with rival hackers made him the target of doxing, a type of attack that consists of publishing all of a person’s private information online. The young man saw his data exposed on a web page dedicated to publishing this type of material. His reaction was to try to buy the website and take it down. The owner cheated him: he took the money but kept the doxing of AK online.

“This kid began to interact with different people who are dedicated to attacking other companies. He ends up making a lot of money but also a lot of enemies,” continues the director of Quantika14. According to what British police told the BBC, his fortune already amounted to 10 million euros. “When the doxing about him was published, we realized that the kid is in a quite complicated situation. It would not surprise me if, in the same way that large companies and their investigators are looking for him, the mafia is also looking for him.”

“He has become a target right now; he has quite a bit of money. It is said, and I would not be surprised at all because I have analyzed his social networks from top to bottom, that he has some type of Asperger’s,” Coronado continued. The BBC indicates that he is autistic. His father told the British public broadcaster that the family “was worried about him and tried to keep him away from computers.”

The net around the young man had been tightening on other fronts as well. Four independent cybersecurity researchers working for companies hacked by Lapsus$ told Bloomberg that they too had identified AK as “the mastermind” behind the most wanted group of cybercriminals. They found the same forensic evidence as Quantika14: a 16-year-old adolescent, living in Oxford, in his parents’ house.

Sources in contact with the US outlet point out that forensic evidence links the teenager to some of the main hacks carried out by Lapsus$, but not all of them. The investigators anticipate that up to seven different people have participated in the gang’s actions. At least one of the remaining six is said to be a Brazilian teenager. Brazil and the United Kingdom were the first two areas where Lapsus$ started attacking local targets before moving to the big leagues and hacking multinationals like Microsoft and Nvidia.

AK had multiple investigators hot on his heels. “We have had his name since the middle of last year and we identified him before the doxing,” Allison Nixon, head of research at the cybersecurity research company Unit 221B, told the BBC. “Unit 221B, in collaboration with [the cybersecurity company] Palo Alto, after identifying the actor, monitored his movements throughout 2021, periodically sending law enforcement tips about the latest crimes.”

They baffled the researchers

The modus operandi of Lapsus$ had baffled cybersecurity specialists, who had been studying its attacks for months. “They don’t seem to cover their tracks. They go so far as to announce their attacks on social networks or to announce their intention to buy credentials from the employees of target organizations,” Microsoft stated this Wednesday in a statement in which it acknowledged that members of the gang had sneaked into its systems.

One of the specialties of Lapsus$ was to obtain the legitimate credentials of employees of the companies it intended to attack, either by bribing them or by deception. “Their tactics include phone-based social engineering; SIM swapping to facilitate account takeover; access to personal email accounts of employees of target organizations; paying employees, vendors, or business partners of target organizations to access credentials and pass multi-factor authentication (MFA); and meddling with their targets’ ongoing crisis communication calls,” Microsoft summarizes.

In addition to Microsoft and Nvidia, Lapsus$ has claimed successful cyberattacks against Samsung and Ubisoft. In Spain, Telefónica has been one of its targets. However, one of the actions that most concerned researchers was the hacking of Okta, a company specializing in providing identity services to the employees of other companies. With access to its systems, cybercriminals could pivot into the networks of hundreds of its customers.

Okta initially denied that Lapsus$ had infiltrated its infrastructure, only to acknowledge this Wednesday that a cyberattack had affected some of its customers (up to 400). “After an exhaustive analysis, we have come to the conclusion that a small percentage of clients – approximately 2.5% – have been potentially affected, and their data may have been seen or manipulated,” said its security chief in a statement.