The Washington PostDemocracy Dies in Darkness

They May Be Kids, But the Lapsus$ Hackers are Still Giants

Computer code displayed on screens arranged in Danbury, U.K., on Thursday, Jan. 7, 2021. In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions.
Computer code displayed on screens arranged in Danbury, U.K., on Thursday, Jan. 7, 2021. In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions. (Photographer: Bloomberg/Bloomberg)

In a house in Oxford, England, a 16-year-old living with his mother has been wreaking havoc on the other side of the world. Believed to be a male, he’s hacked victims from Microsoft Corp. to Okta Inc. and blazed a trail of mayhem along the way.

His apparent youth isn’t the only thing that sets this operator apart from better-known ransomware gangs like Conti and Revil. His outfit, dubbed Lapsus$, “is known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft noted in a blog post this week. The U.S. software company uses the designation DEV-053 to track the group.

According to Bloomberg News, four researchers investigating Lapsus$ believe they’ve identified this kid as the mastermind of the group. Another member is suspected to be a teenager living in Brazil. On Thursday, City of London Police arrested seven people — aged 16 to 21 —  in connection with an inquiry into the group. Police didn’t identify the hacking gang, but a person involved in the probe said the arrests were related to the case. 

While the world has been watching Russian hacking of Ukraine, and other targets, Lapsus$ continued with its own operations, adding to the global spate of cybercrime that is estimated to cost the world economy more than $1 trillion annually.

Many of the tactics deployed by Lapsus$ are familiar to security-response teams. Among them is social engineering, where an attacker impersonates a person in order to trick a help-desk employee into giving access to systems or providing sensitive information which can be used to breach a target, Microsoft noted. SIM-swapping is another, in which the hacker successfully replaces a victim’s phone number with its own in order to receive a multi-factor security code sent by text message.

But rather than quietly planning an intrusion, including setting up a cryptocurrency wallet and tailoring a ransom note for each victim, Lapsus$ looks to have taken a somewhat more high-profile approach. One that’s far riskier than more disciplined operators solely motivated by money, and instead may be spurred by a desire for notoriety.

The group even advertised through a Telegram group its willingness to buy credentials from employees of victim companies, which would then be used to breach corporate security systems. The purported goal has been to access computers, steal data, and then demand payment to prevent the release of sensitive information to the public. That was the apparent motive for a breach on user-authentication provider Okta.

Call it overconfidence, or the brashness of youth, but the actions didn’t stop there. He, or they, went as far as joining victims’ discussion boards and crisis communications calls — on platforms like Slack and Microsoft Teams — to eavesdrop on the response, Microsoft noted.

By contrast, Conti and Revil tend to surreptitiously slip into a target’s servers, encrypt thousands of files, and leave a custom-made note outlining how payment can be made. That’s the approach taken by Darkside, which brought the Colonial Pipeline Co. to a halt in the U.S. last April.

Yet we shouldn’t conclude that youth fully explains Lapsus$’ bold approach. In fact, some of the world’s most notorious hackers were teenagers when they took their first big steps into the cyber underworld. Kevin Mitnick was 16 when he broke into Digital Equipment Corp.’s systems back in 1979. Jonathan James was 15 when he got started, and counted the U.S. Department of Justice among his victims. Canadian Michael Calce’s targets included the websites of Yahoo, eBay and Dell when he was 17.

That adolescence is a challenge for law enforcement and prosecutors. Many jurisdictions won’t charge perpetrators as adults. James, for example, ended up pleading guilty to two counts of juvenile delinquency and was sentenced to house arrest and probation. From the almost 20 charges filed against him, Mitnick entered a plea bargain and took the rap on just seven and served five years. Calce received eight months in a youth detention facility.

While jail time is an obvious risk, there’s also perceived upsides for youthful hackers. Mitnick ended up writing a book, inspired the Hollywood movie “War Games,” and went on to a prolific career as a security consultant. Calce also moved onto the side of the good guys as a white hat. But not all juvenile delinquents had a happy ending. James took his own life at the age of 24 after being accused of a hack he didn’t commit, while another, Adrian Lamo, died in what’s believed to be an accidental drug overdose.

Security professionals know that child hackers are smart, proficient and extremely dangerous. Police and courts also remember that they’re still just kids.

More From Bloomberg Opinion:

• What the Modi Twitter Breach Tells Us About Hackers: Tim Culpan

• The Mercenary Threat of Hackers-for-Hire: Bobby Ghosh

• Hacktivists Are Piercing Russia’s Propaganda Bubble: Parmy Olson

(Updates with arrests in third paragraph)

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Tim Culpan is a technology columnist for Bloomberg Opinion. Based in Taipei, he writes about Asian and global businesses and trends. He previously covered the beat at Bloomberg News.

More stories like this are available on

©2022 Bloomberg L.P.