Threat Intelligence Tarot
cups · 1
Criminal (UK/Brazil, mostly teenagers)
G1004
risk 4/5
The Jester
Lapsus$
DEV-0537 · Strawberry Tempest
MicrosoftNvidiaSamsungOktaRockstar GamesT-Mobile
Active ~2021–2022 · Data theft for extortion, Notoriety, Corporate embarrassment
The Jester is a teenager who called Microsoft's help desk. Then Samsung's. Then Nvidia's. Lapsus$ discovered that corporations spending millions on technical security had left their phone lines and help desks completely open - and that social engineering could defeat any MFA if someone was willing to make enough calls.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1566.004
Spearphishing Voice
Initial Access
T1078
Valid Accounts
Persistence
T1530
Data from Cloud Storage
Collection
T1621
Multi-Factor Authentication Request Generation
Credential Access
T1213
Data from Information Repositories
Collection
T1548.002
Bypass User Account Control
Privilege Escalation
Notable Operations
  • Nvidia source code theft - 1TB including DLSS (2022)
  • Samsung source code and biometric data theft
  • Microsoft Azure DevOps breach - Bing and Cortana source code
  • Rockstar Games GTA VI pre-release footage leak
  • Okta breach - customer support system access
Defenses
Reversed: Their Weakness
Multiple Lapsus$ members were identified, arrested, and prosecuted - many were teenagers operating without operational security. Their notoriety-seeking behavior, bragging in public Telegram channels, and recruitment of insiders provided law enforcement with extensive evidence.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Breach of TrustNext →The Sim Swap
Related Adversaries
The Sim Swap
UNC3944
4 shared TTPs
The Shape Shifter
Scattered Spider
3 shared TTPs
The Red Star
RedHack
3 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.