Police in Britain have arrested seven people including a teenage boy following a series of online attacks by the Lapsus$ hacking group that hit major technology firms including Okta and Microsoft.
“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O'Sullivan said in a statement on Thursday.
“Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation.”
City of London Police did not directly name Lapsus$ in its statement, but cyber security experts say the group is behind the high-profile attacks that they say were motivated by money and notoriety.
This week, researchers traced a series of cyber attacks to a 16-year-old boy living at his mother’s house near Oxford, England, with some claiming the teenager is the group's ringleader.
Another member of Lapsus$ is suspected to be a teenager residing in Brazil, investigators said. One person investigating the group said security researchers have identified seven unique accounts associated with the hacking group, indicating that there are likely others involved in the group’s operations.
The teenager is so skilled at hacking that researchers initially thought the activity they were observing was automated, another person involved in the investigation said.
Lapsus$ have publicly taunted their victims, leaking their source codes and internal documents. The group even posted a series of screenshots of software company Okta's internal communications on their Telegram channel late on Monday.
The group has also claimed to have breached Samsung, Vodafone and Ubisoft.
After breaching Nvidia, Lapsus$ posted stolen source code from the company on their Telegram channel.
Lapsus$ has reportedly gone as far as to join the Zoom calls of companies they’ve breached, during which they have taunted employees and consultants trying to manage the hack.
Microsoft, which confirmed it had been hacked by Lapsus$, said in a blog post that the group has embarked on a “large-scale social engineering and extortion campaign against multiple organisations”.
The group’s primary modus operandi is to hack companies, steal their data and demand a ransom to avoid its release, and Microsoft said Lapsus$ has recruited insiders at victimised companies to assist in the hacks.
However Lapsus$ suffers from poor operational security, two of the researchers said, allowing cyber security companies to gain intimate knowledge about the hackers.
The teenage hacker in England has had his personal information, including his address and information about his parents, posted online by rival hackers.
The Thames Valley Police and the National Crime Agency, which investigates hacking in the UK, didn’t immediately respond to messages about the reported teenage hacker. The FBI’s San Francisco field office, which is investigating at least one of Lapsus$'s intrusions, declined to comment.
After its claim of hacking Otka generated a wave of headlines on Tuesday, Lapsus$ suggested it would be taking some time off from hacking the world’s biggest companies.
“A few of our members has a vacation until 30/3/2022. We might be quiet for some times,” the hackers wrote in its Telegram channel. “Thanks for understand us. — we will try to leak stuff ASAP.”