LAPSUS$: How a Group of Teenagers Changed Cybercrime Forever
Keegan Henckel-Miller
Reading time: 7 minutes
How social engineering and social engineering attacks turned LAPSUS$ into a blueprint for modern cybercrime.
The Rise of LAPSUS$ and Social Engineering Attacks
In September 2022, an attacker gained access to Uber’s internal systems using the credentials of a third-party contractor. When multi-factor authentication got in the way, the attacker simply flooded the contractor’s phone with approval requests until one was accepted.
In the year leading up to the attack, LAPSUS$ had breached Okta, and stolen source code from NVIDIA and Samsung. Days later, it would leak unreleased Grand Theft Auto VI footage from Rockstar Games.
If you laid these incidents side by side, they would look like completely different stories. Different companies. Different industries. Different targets. But they shared the same MO.
LAPSUS$ became one of the most closely watched cybercrime groups of the early 2020s not because it discovered a revolutionary new exploit, but because it repeatedly exposed one simple truth: people are often easier to compromise than technology.
The obvious question is: how did a relatively small group of attackers have such an outsized impact on some of the world’s largest organizations?
Who Is LAPSUS$?
LAPSUS$ first emerged publicly in 2021 and quickly became one of the most disruptive cybercrime groups in the world. Its first major breakout attack came in December 2021, when attackers disrupted Brazil’s Ministry of Health and took critical COVID-19 systems offline. In the months that followed, the group was linked to attacks against government agencies, technology companies, telecommunications providers, and some of the most recognizable brands on the internet.
Those attacks made headlines because of the organizations involved. But they also forced security teams to reconsider what was once deemed axiomatic: that meaningful access begins with a technical vulnerability.
Many cybercriminal groups focus on malware, ransomware deployment, or exploiting software vulnerabilities. But rather than breaking into systems directly, LAPSUS$ repeatedly found ways to convince people to open the door for them.
In some cases, the group reportedly offered cash to employees, contractors, and suppliers in exchange for a foothold inside corporate networks. In others, it relied on social engineering techniques to bypass security controls that were functioning exactly as designed.
Across incident after incident, the details changed but the logic remained consistent. The group spent less time looking for weaknesses in software and more time looking for weaknesses in trust.
That’s why LAPSUS$ attracted so much attention. The group wasn’t exposing a flaw in a particular product or platform. It was exposing a flaw in the security program itself.
Why LAPSUS$ Didn’t Disappear
By 2022 and into 2023, law enforcement agencies had closed in on many of the LAPSUS$ frontmen. But what they found was not the picture many expected.
After years of headlines about attacks on Microsoft, Uber, Okta, NVIDIA, and Rockstar Games, the public finally got a glimpse behind the curtain. There was no underground bunker. No criminal mastermind directing operations from a wall of monitors. They were gamers, many of them children, who communicated through discord servers.
A loose collection of young people had embarrassed some of the most powerful companies in the world, stolen proprietary source code, disrupted critical systems, and generated millions in damages along the way.
For a moment, it appeared the story might be ending. Arrests were made. The people behind some of the group’s most visible attacks had been unmasked.
So why didn’t the arrests work? The initial assumption was that LAPSUS$ was a conventional organization. But LAPSUS$ was never operating in isolation. The group emerged from a much larger online ecosystem where techniques, relationships, and members flowed freely between communities. By the time authorities began making arrests, the playbook had already spread far beyond the people who originally popularized it.
The Com—short for “The Community”—is a sprawling online ecosystem made up of thousands of participants, many not even old enough to drive, with constantly shifting affiliations. They recruit one another through gaming platforms, social media, and online communities. Groups splinter, collaborate, disappear, and reappear under new names.
This is less a criminal organization and more a philosophy. An attack model. An “infinite money glitch,” as the kids would say, shared through forums and online communities the same way previous generations shared cheat codes for Grand Theft Auto.
In V for Vendetta, the titular V famously says: “Behind this mask is more than a man. Behind this mask is an idea, and ideas are bulletproof.”
LAPSUS$ is not bulletproof. People get arrested. Groups fracture. Operations collapse.
But ideas are harder to kill.
One of the groups to emerge from that ecosystem would eventually call itself Scattered Lapsus$ Hunters, combining the names of LAPSUS$, Scattered Spider, and ShinyHunters. Whether viewed as a merger, a rebranding, or simply the latest evolution of overlapping criminal networks, the name reflected a broader reality: the attack model that made LAPSUS$ famous was no longer confined to a single group.
The vulnerability isn’t LAPSUS$. The vulnerability is that the playbook works.
The Jaguar Land Rover Attack and the Modern LAPSUS$ Playbook
By 2025, the names were different. Some of the people were too. The Telegram channels that once carried the LAPSUS$ banner had been replaced by new ones with new branding and new personalities. But the attacks continued. And for anyone who had followed the group’s rise a few years earlier, the underlying logic felt remarkably familiar.
In September 2025, automaking giant Jaguar Land Rover suffered a major cyberattack that forced production lines offline and disrupted operations across its global supply chain. Thousands of workers were sent home. Parts shortages rippled through dealerships. Manufacturing delays stretched for weeks. Reports estimated the disruption was costing the company tens of millions of pounds per week.
As details of the incident emerged, it became apparent that the attack was consistent with the same old LAPSUS$ playbook: identify the people closest to access, earn their trust, and let them open the door for you.
The JLR attack was a wake-up call.. Not because it introduced a new technique, but because it demonstrated how much damage the old techniques could still cause.
Years after law enforcement had all but shuttered LAPSUS$’ doors, the group’s lasting contribution to cybercrime had calcified: the cheat code still worked.
What LAPSUS$ Teaches Us About Managing Our Human Attack Surface
Over the course of four years, the group transformed from something concrete into something abstract. The arrests disrupted the actors, but not the strategy.
Most security programs are designed to protect systems. They inventory assets, patch vulnerabilities, monitor networks, and harden infrastructure. All of those investments still matter—it’s not like the technical threats went away overnight.
But there is a new attack surface that must be approached with the same diligence. If attackers can achieve the same outcome with a LinkedIn profile, a phone number, and a convincing pretext, why burn a zero-day?
This technique proliferated because technical exploits are scarce, and information is abundant. So the best way to fight back is to make information a scarce resource as well. You can’t punch a hurricane.
Human Attack Surface Management emerged from that realization. If attackers are using publicly available information to gain access, that information belongs inside the attack surface conversation.
For years, organizations have invested heavily in understanding their technical attack surface. HASM applies the same thinking to people. Instead of asking, “Which servers can attackers reach?” it asks, “What can attackers learn about our employees?”
Every attack we’ve discussed began long before initial access. The research phase happens quietly, long before a security alert is triggered or an incident response team is engaged. The defense team only becomes aware of an attacker once they’re actively being exploited, and by then, it’s already too late.
Human Attack Surface Management is the practice of understanding what attackers can learn about your people before they do.
The lesson of LAPSUS$ isn’t that attackers became more sophisticated. It’s that information became more valuable.
For years, organizations treated public information as a personal problem. Groups like LAPSUS$ demonstrated it is also a company problem.
- Employees, Executives, and Board Members complete a quick signup
- DeleteMe scans for exposed personal information
Opt-out and removal requests begin - Initial privacy report shared and ongoing reporting initiated
- DeleteMe provides continuous privacy protection and service all year
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.
news?
Is employee personal data creating risk for your business?



