LAPSUS$ collective recently breached Microsoft and Samsung, calling the motivations and power of cyber gangs into question
Last week, London police announced that two hackers had been charged with various crimes, including “fraud by false representation” and “intent to hinder access to data.” They were members—supposedly, ringleaders—of the infamous LAPSUS$ cyber gang, who’ve breached massive companies including Microsoft, Samsung, Ubisoft, Nvidia, and Okta since December. You might be wondering about the identities of these masterminds, who were allegedly behind it all: two teenagers, aged 16 and 17 years old.
Getting the pair offline hasn’t stopped the attacks. So far, LAPSUS$’s MO has been simply to cause maximum chaos: tweeting from stolen accounts, redirecting homepages to porn sites, releasing company secrets—sometimes asking for a ransom first, other times going ahead without warning. It seems the group could be larger and further reaching than previously believed; seven members have been arrested so far, the oldest of them 21. They seem to be fearless, as teenagers tend to be, most recently moving in on targets like Apple, Discord, and Meta even while law enforcement works to locate and block them. They aren’t driven by money—rather, by something like notoriety, power, or adolescent idealism.
“I was motivated as a teenager by the idea that this internet was this utopian space that shouldn’t be controlled or filtered or segmented or chopped up into little blocks and distributed out.”
In 2017, the Guardian published a quote from Jack Davis, a former teen member of a hacking collective who was arrested for targeting government sites. “I was motivated as a teenager by the idea that this internet was this utopian space that shouldn’t be controlled or filtered or segmented or chopped up into little blocks and distributed out,” he said. “That it should be open and free, and anyone in the world should be able to use it.” LAPSUS$ might be driven by a parallel political goal. Instead of seeking internet sovereignty, the collective is challenging large-scale collection and monetization of consumer data—whether they’re doing it consciously, or it’s a byproduct of anarchic acts.
Okta, an identity management company based in San Francisco, is the perfect example. Its software allows users to securely sign into “any application on any device”—as Wired put it, they essentially “[hold] the keys to the kingdom for thousands of major organizations.” Getting hacked by LAPSUS$ threw Okta’s credibility into question, raising the question: If teenagers could breach the integrity of the platform, steal the very information they guaranteed they’d protect, couldn’t anybody?
Of course, teenagers have always been good coders. Where there’s incentive, there’s a way—and the World Wide Web provides plenty of it. Born into the digital age, teens understand the internet more intuitively than most, easily locating and exploiting its vulnerabilities; it can start with torrenting or reverse engineering video games, and lead to breaching confidential databases. LAPSUS$ is the most recent iteration of a long line of adolescent hackers, who have historically posed a big risk to corporations and institutions who underestimate their ability, and overestimate the watertightness of their sensitive systems. Maybe, breaches like these will start to push companies to take security—especially when it comes to customer data—a little more seriously, if only for the sake of their own image. In any case, young, persistent cyber gangs like LAPSUS$, with their many motivations ranging from ‘heroic’ to ‘devious,’ are not to be dismissed.