The evil mastermind of global hacking is ... a teen living with his mom

The 16-year-old from Oxford leads the group that has held giant companies such as Microsoft and Samsung to ransom

William Turton and Jordan Robertson
LIGHTNING FAST Investigators say the youngster is so skilled and so fast that they initially thought what they were witnessing was automated.
Image: Bloomberg

Cybersecurity researchers investigating a string of hacks against technology companies, including Microsoft and Nvidia, have traced the attacks to a 16-year-old living at his mother’s house near Oxford, England. 

Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.

Lapsus$ has befuddled cybersecurity experts as it has embarked on a rampage of high-profile hacks. The motivation behind the attacks is unclear, but some cybersecurity researchers said they believe the group is motivated by money and notoriety.

The teen is suspected by the researchers of being behind some of the major hacks carried out by Lapsus$, but they haven’t been able to conclusively tie him to every hack Lapsus$ has claimed. The cyber researchers have used forensic evidence from the hacks and publicly available information to tie the teen to the group.

Bloomberg News isn’t naming the alleged hacker, who goes by the online aliases “White” and “breachbase”, as he is a minor and hasn’t been publicly accused by law enforcement of any wrongdoing.

Another member of Lapsus$ is suspected to be a teenager residing in Brazil, according to the investigators. One person investigating the group said security researchers have identified seven unique accounts associated with the hacking group, indicating there are likely others involved in its operations.  

The teen is so skilled at hacking — and so fast — that researchers initially thought the activity they were observing was automated, a person involved in the research said.  

Lapsus$ has publicly taunted its victims, leaking their source code and internal documents. When the group revealed it had breached US identity-software company Okta, it sent the company into a public-relations crisis. In multiple blog posts, Okta disclosed that the account of a support engineer at a third-party vendor had been compromised and that about 2.5% of its customers might have been affected.

Lapsus$ has even gone as far as to join the Zoom calls of companies it has breached, during which its members have taunted employees and consultants trying to clean up its hacks, according to three people who responded to the attacks.

Microsoft, which confirmed it was hacked by Lapsus$, said in a blog post that the group has embarked on a “large-scale social engineering and extortion campaign against multiple organisations”. The group’s primary modus operandi is to hack companies, steal their data and demand a ransom to not release it. Microsoft tracks Lapsus$ as “DEV-0537”, and said the group has successfully recruited insiders at victimised companies to assist in its hacks.

The group suffers from poor operational security, according to two of the researchers, allowing cybersecurity companies to gain intimate knowledge about the teenage hackers.

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” Microsoft said in a blog post. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organisations. DEV-0537 started targeting organisations in the United Kingdom and South America, but expanded to global targets, including organisations in government, technology, telecom, media, retail and healthcare sectors.”

The teenage hacker in England has had his personal information, including his address and information about his parents, posted online by rival hackers.

At an address listed in the leaked materials as the teen’s home, a woman who identified herself as his mother talked with a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street close to Oxford University.

The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen’s father’s home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details couldn’t be confirmed.

She declined to discuss her son in any way or make him available for an interview, saying the issue was a matter for law enforcement and that she was contacting the police. 

The Thames Valley Police and the National Crime Agency, which investigates hacking in the UK, didn’t immediately respond to messages about the alleged teen hacker. The FBI’s San Francisco field office, which is investigating at least one of the Lapsus$ intrusions, declined to comment.

Lapsus$ has also claimed to have breached Samsung and Vodafone. After breaching Nvidia, Lapsus$ posted stolen source code from the company on its Telegram channel.

When its claim of hacking Okta generated a wave of headlines on Tuesday, Lapsus$ suggested it would be taking some time off from hacking the world’s biggest companies.

“A few of our members has a vacation until 30/3/2022. We might be quiet for some times,” the hackers wrote on Telegram. “Thanks for understand us. — we will try to leak stuff ASAP.”

— Bloomberg