Threat Actor Characterization

Lapsus$


ID: 15af095288f8cee571ae8f73e9a340e849031
Crimeware Spyware/Stealer
Threat types: Intrusion, Social Engineering, Recruitment, Extortion, Phishing, Swapping
United Kingdom BRA, FRA, PRT, GBR, USA
Updated: 2026-03-25
Created: 2025-10-21
Progress: 84% Completeness: 82% Freshness: 90%
Operation zone: Brazil, France, Portugal, United Kingdom, United States
Aliases: DEV-0537, Strawberry Tempest
MITRE ATT&CK®

Lapsus$ is an extortion-focused cybercrime actor best characterized by identity- and workflow-centered intrusion paths. Public reporting emphasizes credential theft, helpdesk and contractor social engineering, telecom number takeovers that undermine SMS-based MFA, and rapid abuse of password reset and MFA enrollment processes. Once privileged access is obtained, the actor moves quickly to steal source code and sensitive documentation for extortion leverage, and in some cases destructive actions have been reported. Defensive priority is phishing-resistant MFA, hardened recovery and helpdesk processes, and detection of identity anomalies leading to mass repository access.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1566.002 | Spearphishing Link | TA0001 | 2022-03-22 — Microsoft describes phishing and social engineering as common initial access paths for the actor. |
| T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2022-03-22 — Use of valid accounts and stolen credentials to access systems is emphasized in Microsoft’s narrative. |
| T1110.003 | Password Spraying | TA0006 | 2022-03-22 — Password spraying and credential abuse are discussed as part of initial access patterns (where applicable). |
| T1621 | Multi-Factor Authentication Request Generation | TA0006 | 2023-08-10 — CSRB comms emphasize telecom/SIM and identity recovery weaknesses as key enablers (INFERENCE to SIM swapping technique). |
| T1556.006 | Multi-Factor Authentication | TA0003, TA0005, TA0006 | 2022-03-22 — Abuse of MFA/reset/enrollment workflows described as a common tactic in public reporting (INFERENCE from identity workflow abuse). |
| T1098 | Account Manipulation | TA0003, TA0004 | 2022-03-24 — Okta investigation describes factor addition attempt and account access attempts, illustrating account manipulation pathways (map cautiously). |
| T1567.002 | Exfiltration to Cloud Storage | TA0010 | 2022-03-22 — Microsoft describes exfiltration and publication pressures; map to exfiltration to cloud/web services where applicable (INFERENCE). |
| T1485 | Data Destruction | TA0040 | 2022-03-22 — Microsoft references destructive actions in some intrusions (data destruction / disruption). |

Strategic Intelligence
Last updated: 2026-02-28T01:50:37+00:00
Lapsus$ — Social-Engineering–Centric Intrusion Collective (G1004)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Lapsus$


Hunting Playbook

Hunting Playbook — Lapsus$ (Identity-First Extortion Intrusions)


IOC Appendix
Last updated: 2026-02-28T01:44:10+00:00

IOC Appendix — Lapsus$ (Identity & Workflow Compromise Focus)


OSINT Library
Last saved: 2026-02-28T01:44:24+00:00

OSINT Library — Lapsus$


2023-08-10 — DHS — “Cyber Safety Review Board releases report on activities of global extortion-focused Lapsus$ group”

Social Media & Communication
SOCMINT integrated: 0/1

Address Verification SOCMINT
t.me/Lap************ Restricted Not integrated