LAPSUS$ (also tracked as DEV-0537 and Strawberry Tempest by Microsoft, as UNC3661 by Mandiant, and historically as a self-chosen brand stylized in all-caps with a trailing dollar sign) is a financially motivated cyber-criminal cluster active publicly from approximately December 2021 through September 2022, with operational re-emergence patterns observed thereafter. The cluster is one of the most operationally consequential and publicly visible English-speaking-native organized cyber-criminal clusters of the modern era. Multiple core members were teenagers at the time of operations, including Arion Kurtaj (UK, then aged 17, operating under the pseudonym "White") and at least one co-defendant aged 16, and members were subsequently arrested in both the United Kingdom (City of London Police, March 2022 and later) and Brazil (Polícia Federal, multiple arrests through 2022-2023).

Operationally LAPSUS$ is distinctive on multiple dimensions versus the Russian-speaking organized-crime ransomware ecosystem (Conti, REvil, DarkSide, BlackCat) that dominated the cybercrime headlines of the same 2021-2022 period:

(1) PURE-EXTORTION MODEL WITHOUT RANSOMWARE ENCRYPTION. LAPSUS$ operations were structured around data theft and public extortion-or-leak rather than ransomware encryption. Compromised victims were threatened with public release of stolen source code, customer data, or internal documentation rather than with decryption-key-purchase demands. This is the operationally defining feature that distinguishes LAPSUS$ from the broader ransomware ecosystem and that Microsoft's DEV-0537 disclosure identifies as a "pure extortion and destruction model without deploying ransomware payloads."

(2) PUBLIC OPERATIONAL PRESENCE ON TELEGRAM AND SOCIAL MEDIA. Unlike most cyber-criminal clusters, which operate covertly, LAPSUS$ operated openly on Telegram with public channels (peak subscriber count approximately 50,000), publicly announced compromises before victim organizations could disclose them, publicly recruited insiders at target organizations through explicit Telegram job-posting messages, and ran public polls asking subscribers which organization to target next. This level of public operational visibility is uncharacteristic of organized cyber-criminal activity and was key both to the cluster's notoriety and, ultimately, to the law-enforcement investigation that identified members.

(3) ENGLISH-SPEAKING-NATIVE MEMBER COMPOSITION. The cluster's core operational membership was predominantly native English-speaking (UK-based members, plus Brazilian members multilingual in Portuguese and Spanish). The English-speaking-native composition enabled the cluster's signature voice-phishing (vishing) social-engineering tradecraft against English-language IT helpdesks, a capability not readily available to non-English-speaking-native organized-crime competitors. It is also a key behavioral marker distinguishing LAPSUS$ from the predominantly Russian-speaking organized-crime ecosystem.

(4) IDENTITY-FIRST TRADECRAFT (CREDENTIALS-AND-MFA-CIRCUMVENTION RATHER THAN EXPLOITATION). LAPSUS$ operations consistently relied on identity compromise as the initial-access vector rather than on exploitation of vulnerabilities. Initial-access vectors included:
purchase of stolen credentials on dark-web criminal forums;
deployment of commodity credential-stealing malware (RedLine Stealer, Raccoon Stealer) against target-organization employees;
public-repository scraping for exposed credentials and secrets;
insider recruitment of employees at target organizations through public Telegram channels offering payments for VPN, RDP, or SSO credentials.
Once credentials were obtained, MFA enforcement was circumvented via session-token replay, MFA fatigue (repeated MFA push notifications until legitimate users approved one), and helpdesk social-engineering calls in which native-English-speaking cluster members impersonated employees to request MFA resets.

(5) HELPDESK COERCION AS PRIMARY MFA DEFEAT. The cluster's signature tradecraft includes voice-phishing (vishing) calls to victim-organization IT helpdesks impersonating employees of interest to request password resets, MFA resets, or MFA-device re-enrollment. The vishing tradecraft is operationally similar to (but predates and is genealogically distinct from) the Scattered Spider / UNC3944 vishing tradecraft observed from late 2022 onward. The two clusters share tradecraft patterns and may share some operator membership through "The Com" English-speaking online subculture, but LAPSUS$ and Scattered Spider are operationally distinct clusters with distinct branding, timing, and operational structures.

(6) RAPID PUBLIC EXTORTION WITHOUT EXTENDED DWELL. LAPSUS$ operations were typically compressed in time scale relative to traditional organized-crime ransomware operations (which often featured weeks to months of dwell time for reconnaissance, lateral movement, and exfiltration). LAPSUS$ operations frequently moved from initial credential access to data exfiltration to public extortion announcement within days or sometimes hours. The compressed operational tempo enabled the cluster's high public profile relative to its operational sophistication, but it also limited the cluster's ability to maintain persistence in victim environments after initial detection.

Notable named operations attributed to the cluster include:
the December 2021 Brazilian Ministry of Health compromise;
the January 2022 Okta third-party-customer-support-provider compromise (operationally the most consequential, due to downstream supply-chain implications);
the February-March 2022 NVIDIA source-code and code-signing-certificate theft;
the March 2022 Samsung Electronics source-code theft (190 GB);
the March 2022 Vodafone Portugal nationwide-services-disruption attack;
the March 2022 Ubisoft cyber-security incident;
the March 2022 T-Mobile US internal-source-code theft (including attempted FBI and DoD SIM-swapping);
the March 20-22, 2022 Microsoft Corporation source-code theft (37 GB Bing/Bing Maps/Cortana source-code leak);
the March 30, 2022 Globant SA customer-source-code theft;
the September 2022 Uber Technologies cyberattack via MFA fatigue (attributed to a LAPSUS$-affiliated operator);
and the September 18, 2022 Rockstar Games Grand Theft Auto VI pre-release-source-code leak (same operator).

The cluster has the strongest formal-attribution profile of any English-speaking-native organized-crime cluster in the modern era. UK City of London Police arrested seven individuals in March 2022, including Arion Kurtaj, the operator behind the "White" pseudonym. Brazilian Polícia Federal arrested additional members. UK Crown Court proceedings against Kurtaj and a co-defendant resulted in August 2023 convictions. Kurtaj was ordered to be detained in a secure hospital indefinitely under the UK Mental Health Act, and the co-defendant received a youth-rehabilitation order. The US Department of Homeland Security Cyber Safety Review Board (CSRB) published its detailed August 10, 2023 review report, "Review of the Attacks Associated with Lapsus$ and Related Threat Groups", which represents the highest-tier US-government formal attribution and operational-analysis publication on the cluster.

Analytically, the cluster's operational pattern raised durable defensive lessons for the technology, telecommunications, identity-provider, and incident-response ecosystem regarding MFA-fatigue defense, IT-helpdesk-impersonation defense, third-party-customer-support supply-chain risk, insider-recruitment-threat detection, and SIM-swapping defense, all operational patterns that have subsequently been adopted or adapted by multiple other criminal clusters, including Scattered Spider (UNC3944), the broader ALPHV/BlackCat affiliate ecosystem, and 2024-2025-era extortion-focused operations. Microsoft's framing in the original DEV-0537 disclosure that LAPSUS$ TTPs and infrastructure are "constantly changing" is operationally accurate: defenders should treat "LAPSUS$" both as a specific 2021-2022 cluster brand and as a durable intrusion-style framework that other clusters have since adopted.
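The MFA-fatigue defense lesson above is easiest to see as detection logic. What follows is an added example and not code from this article, from Microsoft, from the CSRB report, or from any identity provider: a small Python detector that reads sign-in events in an assumed four-field format (`<ISO-8601 UTC timestamp> <user> <event> <source IP>`), tracks MFA push prompts per user inside a sliding window, and raises a finding when a user is prompted repeatedly and again when one of those repeated prompts is finally approved. The users, IP addresses, event names, threshold and window length are all constructed for illustration; a real deployment would map its identity provider's own event names onto the two that the detector keys on.

```python
"""Added example: sliding-window detector for the MFA-fatigue (push-bombing) pattern.

Not the article's, Microsoft's, or any identity provider's code. The log format,
event names, users and IPs below are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed format: "<timestamp> <user> <event> <src_ip>").
# alice: six prompts in under four minutes, denied/timed out until the sixth is approved.
# carol: three prompts, a quiet gap, then two prompts and an approval (normal-looking).
# bob:   one prompt, approved at once (normal).
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:01:35Z alice mfa_push_denied 203.0.113.7
2022-09-15T22:01:50Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:02:20Z alice mfa_push_timeout 203.0.113.7
2022-09-15T22:02:30Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:03:00Z alice mfa_push_denied 203.0.113.7
2022-09-15T22:03:10Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:03:40Z alice mfa_push_timeout 203.0.113.7
2022-09-15T22:03:50Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:04:20Z alice mfa_push_denied 203.0.113.7
2022-09-15T22:04:30Z alice mfa_push_sent 203.0.113.7
2022-09-15T22:04:45Z alice mfa_push_approved 203.0.113.7
2022-09-16T08:00:00Z carol mfa_push_sent 198.51.100.20
2022-09-16T08:02:00Z carol mfa_push_sent 198.51.100.20
2022-09-16T08:04:00Z carol mfa_push_sent 198.51.100.20
2022-09-16T08:20:00Z carol mfa_push_sent 198.51.100.20
2022-09-16T08:22:00Z carol mfa_push_sent 198.51.100.20
2022-09-16T08:23:00Z carol mfa_push_approved 198.51.100.20
2022-09-16T09:15:00Z bob mfa_push_sent 192.0.2.44
2022-09-16T09:15:12Z bob mfa_push_approved 192.0.2.44
"""

# The two event names the detector keys on (assumed names; map your IdP's names onto these).
PUSH_SENT = "mfa_push_sent"
PUSH_APPROVED = "mfa_push_approved"


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    src_ip: str


def parse_log(text):
    """Parse the assumed four-field log format into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, src_ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip))
    events.sort(key=lambda e: e.ts)
    return events


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings for users prompted `threshold` or more times inside `window`.

    "fatigue_attempt" fires once when a user's prompt count first reaches the threshold
    (a burst in progress, worth alerting on even if no approval follows).
    "fatigue_success" fires when an approval lands while the prompt count is at or
    above the threshold: the approved-under-pressure case that LAPSUS$ relied on.
    """
    findings = []
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    for e in events:
        prompts = recent[e.user]
        while prompts and e.ts - prompts[0] > window:  # drop prompts older than the window
            prompts.popleft()
        if e.event == PUSH_SENT:
            prompts.append(e.ts)
            if len(prompts) == threshold:  # crossed the threshold exactly once per burst
                findings.append({"kind": "fatigue_attempt", "user": e.user,
                                 "prompts": len(prompts), "first_prompt": prompts[0],
                                 "at": e.ts, "src_ip": e.src_ip})
        elif e.event == PUSH_APPROVED:
            if len(prompts) >= threshold:
                findings.append({"kind": "fatigue_success", "user": e.user,
                                 "prompts": len(prompts), "first_prompt": prompts[0],
                                 "at": e.ts, "src_ip": e.src_ip})
            prompts.clear()  # an approval ends the burst either way
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:16} user={f['user']} prompts={f['prompts']} "
              f"from {f['first_prompt']:%H:%M:%S} to {f['at']:%H:%M:%S} src={f['src_ip']}")
```

On the constructed log the detector reports two findings for alice (a burst at the fifth prompt, then an approval after six prompts in under four minutes) and nothing for carol or bob, because carol's early prompts age out of the ten-minute window before her approval. The threshold and window are the knobs a team tunes against its own prompt volume; the "attempt" finding matters as much as the "success" one, since the CSRB's lesson is to notice the pressure campaign before a tired user approves it.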