The City of London Police said they had detained seven people linked to the Lapsus$ data extortion ring, just as the gang indicated that some of its members were going on holiday. One of the leaders of the group, which exposed closed-source code and sensitive data from high-profile businesses including Nvidia, Samsung, Microsoft, and Okta, is thought to be a minor from Oxford, England. Lapsus$ has also claimed attacks against game maker Ubisoft, telecom operator Vodafone, and e-commerce giant Mercado.
On Wednesday, the group sent out a public statement announcing that some of its members would be on vacation until March 30. It is unknown how many people are in Lapsus$, but evidence from their Telegram chats suggests that they speak English, Russian, German, Turkish, and Portuguese. The City of London Police said in a statement to the BBC that it had detained seven people aged 16 to 21 “in connection with an investigation into a hacking group” and that all of them remain under investigation.
Although no names have been revealed, the true identities of certain Lapsus$ members have been known for some time because rival hackers doxed them. One of them is a juvenile known as White/Breachbase. He is said to have amassed over 300 BTC – approximately $13 million at present – from hacking operations, one of which is SIM swapping. White is said to have lost a significant part of his money through gambling and by leaving his own system vulnerable, which led to it being hacked twice.
These handles are only a few of the more than a dozen the teenager used online, alongside several other pseudonyms he employed on other portals and hacker forums. Rival hackers also uploaded private images of White with his family and identifying information such as his real name, date of birth, education, and home address. This was made possible by a long line of bad opsec decisions that created an identity trail, which appears to be a weakness affecting other Lapsus$ members as well. As an example of this, Bill Demirkapi, a senior security engineer at Zoom, found that Lapsus$ boasted about hacking Microsoft while it was still in the process of obtaining the source code. While this is not a critical error in terms of disclosing the group’s identity, it does illustrate their poor operational security, which has allowed security researchers and adversaries alike to link email accounts and usernames to their true identities. Many of the cybercrime gang’s members were likely identified and apprehended because of these operational security failures.