Initially, both defendants faced arrest and were later released under investigation in January 2022. However, they were subsequently re-arrested and formally charged by the City of London Police in April 2022. Kurtaj, one of the defendants, was eventually granted bail but, due to being doxxed in an online cybercrime forum, relocated to a hotel in Bicester.
Despite these circumstances, Kurtaj continued his hacking activities, targeting prominent companies like Uber, Revolut, and Rockstar Games. As a result of his ongoing activities, he was arrested again in September. Another individual believed to be a part of the same group was apprehended by Brazilian authorities in October 2022.
A key factor in their ability to carry out their extortion schemes was their proficiency in SIM swapping and in MFA prompt bombing (repeatedly pushing authentication prompts to a user until one is approved). These tactics enabled them to gain unauthorized access to corporate networks following an elaborate phase of social engineering.
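The prompt-bombing tactic mentioned above leaves a recognisable trace in identity-provider logs: a burst of push prompts to one user, often followed by a single approval. The following detection routine is an added example for this article, not code from any of the companies or agencies it cites; the event format, user names and timestamps are constructed sample data, and the window and threshold values are assumptions to tune against your own MFA logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events as (timestamp, user, event); not taken from any real system.
# "alice" receives a burst of prompts and finally approves one, which is the pattern to catch.
SAMPLE_EVENTS = [
    ("2023-08-24T02:10:05", "alice", "push_sent"),
    ("2023-08-24T02:10:40", "alice", "push_denied"),
    ("2023-08-24T02:11:02", "alice", "push_sent"),
    ("2023-08-24T02:11:30", "alice", "push_denied"),
    ("2023-08-24T02:11:55", "alice", "push_sent"),
    ("2023-08-24T02:12:20", "alice", "push_sent"),
    ("2023-08-24T02:12:50", "alice", "push_sent"),
    ("2023-08-24T02:13:15", "alice", "push_sent"),
    ("2023-08-24T02:13:40", "alice", "push_approved"),
    ("2023-08-24T09:00:00", "bob", "push_sent"),        # normal single login
    ("2023-08-24T09:00:12", "bob", "push_approved"),
    ("2023-08-24T11:00:00", "carol", "push_sent"),      # two denials, far apart: no burst
    ("2023-08-24T11:05:00", "carol", "push_denied"),
    ("2023-08-24T11:20:00", "carol", "push_sent"),
    ("2023-08-24T11:25:00", "carol", "push_denied"),
]


def parse_events(raw):
    """Convert ISO-8601 timestamps to datetime objects, keeping (ts, user, event) tuples."""
    return [(datetime.fromisoformat(ts), user, ev) for ts, user, ev in raw]


def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: details} for users who received >= threshold push prompts inside
    any sliding window of the given length. 'approved_after_burst' is True when an
    approval lands within one window after the burst's last prompt, i.e. the fatigue
    attack most likely succeeded and the session should be treated as compromised."""
    by_user = defaultdict(list)
    for ts, user, ev in sorted(parse_events(events)):
        by_user[user].append((ts, ev))

    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        best = None  # (count, first_ts, last_ts) of the densest burst seen
        for i in range(len(sent)):
            j = i
            while j + 1 < len(sent) and sent[j + 1] - sent[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, sent[i], sent[j])
        if best is None:
            continue
        count, first, last = best
        approved = any(ev == "push_approved" and last <= ts <= last + window for ts, ev in evs)
        alerts[user] = {
            "prompts": count,
            "first": first.isoformat(),
            "last": last.isoformat(),
            "approved_after_burst": approved,
        }
    return alerts


if __name__ == "__main__":
    for user, info in detect_prompt_bombing(SAMPLE_EVENTS).items():
        print(user, info)
```

An alert with `approved_after_burst` set should trigger session revocation and a password/MFA reset rather than just a ticket, since the approval itself is the attacker's foothold; number matching or a hard cap on prompts per minute at the identity provider removes the pattern at the source.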
Their financially-driven operation also involved reaching out through their Telegram channel to seek out rogue insiders who could provide credentials for Virtual Private Networks (VPNs), Virtual Desktop Infrastructures (VDIs), or Citrix systems to various organizations.
A recent report from the U.S. government revealed that these actors were willing to pay substantial amounts, up to $20,000 per week, for access to telecommunications providers, specifically for executing SIM swap attacks. The report characterized the group, known as LAPSUS$, as distinct for its “effectiveness, speed, creativity, and boldness,” highlighting its use of an innovative “playbook of effective techniques.”
To execute fraudulent SIM swaps, LAPSUS$ obtained essential details about their victims, including names, phone numbers, and customer proprietary network information (CPNI). This information was obtained through a range of methods, including fraudulent Emergency Disclosure Requests, as well as account takeover techniques, which allowed them to compromise the accounts of telecommunications provider employees and contractors.
Following this, they conducted fraudulent SIM swaps using the tools provided by the telecommunications providers’ customer management systems. After successfully executing these fraudulent swaps, LAPSUS$ took control of online accounts by manipulating sign-in and account recovery processes, which involved sending one-time links or passcodes via SMS or voice calls.
Their initial access techniques varied from enlisting the services of initial access brokers (IABs) to exploiting security vulnerabilities. Once they gained entry, the group would then work to escalate privileges, move laterally across networks, establish persistent access through remote desktop software like AnyDesk and TeamViewer, and disable security monitoring tools.
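Two of the post-access behaviours described above, dropping a remote desktop tool such as AnyDesk or TeamViewer onto a host where it is not sanctioned and stopping security monitoring, are cheap to spot in endpoint telemetry, and seeing both on the same host in a short span is a much stronger signal than either alone. The routine below is an added example for this article, not code from any vendor or victim it names; the event schema, host names, the sanctioned-host allowlist and the `EDR-Agent-Placeholder` service name are constructed placeholders to be replaced with your own inventory and product service names.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names of the remote desktop tools the article mentions.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Constructed allowlist: hosts where such tools are an approved support workflow.
SANCTIONED_HOSTS = {"helpdesk-01"}
# Security services whose stopping warrants review. WinDefend is the Windows Defender
# service name; the second entry is a placeholder for your EDR agent's service.
SECURITY_SERVICES = {"windefend", "edr-agent-placeholder"}

# Constructed sample endpoint events (process creations and service state changes); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-08-24T02:20:00", "host": "helpdesk-01", "kind": "process_create",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "user": "svc_helpdesk"},
    {"ts": "2023-08-24T02:31:10", "host": "fin-ws-07", "kind": "process_create",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "user": "jdoe"},
    {"ts": "2023-08-24T02:34:45", "host": "fin-ws-07", "kind": "service_state",
     "service": "WinDefend", "state": "stopped"},
    {"ts": "2023-08-24T03:00:00", "host": "dev-ws-22", "kind": "service_state",
     "service": "Spooler", "state": "stopped"},
    {"ts": "2023-08-24T08:15:00", "host": "dev-ws-22", "kind": "service_state",
     "service": "EDR-Agent-Placeholder", "state": "stopped"},
]


def classify(event):
    """Map one event to a finding type, or None if it is benign under the rules above."""
    if event["kind"] == "process_create":
        # ntpath handles Windows paths correctly even when this runs on a non-Windows analyst box.
        name = ntpath.basename(event["image"]).lower()
        if name in REMOTE_ACCESS_TOOLS and event["host"] not in SANCTIONED_HOSTS:
            return "unsanctioned_remote_access"
    elif event["kind"] == "service_state":
        if event["state"] == "stopped" and event["service"].lower() in SECURITY_SERVICES:
            return "security_service_stopped"
    return None


def analyze(events, window=timedelta(minutes=30)):
    """Group findings per host. A host showing both finding types within `window`
    is rated 'high' (tool drop plus monitoring loss); a lone finding is 'medium'."""
    findings = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            findings[ev["host"]].append((datetime.fromisoformat(ev["ts"]), kind))

    report = {}
    for host, items in findings.items():
        items.sort()
        severity = "medium"
        correlated = any(
            k1 != k2 and abs(t1 - t2) <= window
            for t1, k1 in items for t2, k2 in items
        )
        if correlated:
            severity = "high"
        report[host] = {"findings": [k for _, k in items], "severity": severity}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(host, info)
```

The allowlist matters as much as the tool list: help-desk hosts legitimately run these tools, so alerting on the executable alone produces noise, while a finance workstation launching one from a Downloads folder and losing its Defender service minutes later is exactly the sequence the article describes and is worth isolating immediately.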
LAPSUS$ managed to infiltrate a range of notable companies, including BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Samsung, Ubisoft, and Vodafone. At present, it remains uncertain if any of the breached companies paid ransoms. The sentencing of the teenagers involved is expected to take place at a later time.
The group gained notoriety for their successful attacks on well-secured organizations, using highly effective social engineering techniques. They also targeted supply chains through compromises of business process outsourcing (BPO) companies and telecommunications providers. Furthermore, they utilized a public Telegram channel not only to discuss their operations, targets, and successes but also to communicate with and extort their intended victims, as noted by the Cyber Safety Review Board (CSRB) under the Department of Homeland Security.