Skip to main content

Operator dossier

lapsus$ is a ransomware operator currently active on public leak sites. Darkfield has indexed 27 public victims claimed by this operator between December 10, 2021 and June 23, 2026. Lapsus$ is a financially motivated cybercriminal group that emerged in December 2021, gaining notoriety for their aggressive extortion tactics and high-profile targeting of major corporations and government entities. The group is believed to have originated from South America, particularly Brazil, with suspected ties to young hackers operating independently rather than as a traditional ransomware-as-a-service operation, though they have demonstrated sophisticated coordination and insider recruitment capabilities. Lapsus$ primarily relies on social engineering techniques, SIM swapping, and insider threats to gain initial access to target networks, often recruiting employees through bribes or coercion rather than relying on traditional malware delivery methods, and they frequently employ data theft and public leak tactics for extortion rather than always deploying encryption-based ransomware. The group has conducted notable attacks against major technology companies including Microsoft, Nvidia, Samsung, and Okta, as well as targeting organizations across France, the United States, Brazil, Germany, and Canada, with a particular focus on consumer services, education, government facilities, and critical manufacturing sectors, leading to significant law enforcement attention and arrests of suspected members. Following arrests of key members by Brazilian and UK authorities in 2022, the group's activity has significantly diminished, though some security researchers suggest remnants may still be operational under different identities.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

lapsus$

27 victims indexed · first seen 5 years ago · last activity 22 days ago

27
Victims indexed
#146 of 364 tracked operators
4y 6m
Active period
Dec 2021 → Jun 2026
8
Countries hit
top FR · 5

At a glance

Status
active
First seen
5 years ago
Last activity
22 days ago
Primary sector
Not Found · 2 hits

About

Lapsus$ is a financially motivated cybercriminal group that emerged in December 2021, gaining notoriety for their aggressive extortion tactics and high-profile targeting of major corporations and government entities. The group is believed to have originated from South America, particularly Brazil, with suspected ties to young hackers operating independently rather than as a traditional ransomware-as-a-service operation, though they have demonstrated sophisticated coordination and insider recruitment capabilities. Lapsus$ primarily relies on social engineering techniques, SIM swapping, and insider threats to gain initial access to target networks, often recruiting employees through bribes or coercion rather than relying on traditional malware delivery methods, and they frequently employ data theft and public leak tactics for extortion rather than always deploying encryption-based ransomware. The group has conducted notable attacks against major technology companies including Microsoft, Nvidia, Samsung, and Okta, as well as targeting organizations across France, the United States, Brazil, Germany, and Canada, with a particular focus on consumer services, education, government facilities, and critical manufacturing sectors, leading to significant law enforcement attention and arrests of suspected members. Following arrests of key members by Brazilian and UK authorities in 2022, the group's activity has significantly diminished, though some security researchers suggest remnants may still be operational under different identities.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

5 months
2021-12-01T00:00:00+00:00 · 12022-01-01T00:00:00+00:00 · 12022-02-01T00:00:00+00:00 · 12022-03-01T00:00:00+00:00 · 12026-03-01T00:00:00+00:00 · 10
2021-12-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇫🇷 France
5
🇺🇸 United States
2
🇧🇷 Brazil
1
🇩🇪 Germany
1
🇨🇦 Canada
1
🇵🇹 Portugal
1
🇮🇹 Italy
1
🇯🇵 Japan
1

Top sectors

Consumer Services
2
Education
2
Government Facilities
1
Critical Manufacturing
1
Technology
1
Public Sector
1
Energy
1
IT Manufacturing
1

MITRE ATT&CK

43 techniques · 13 tactics

Tactics

CollectionCommand And ControlCredential AccessDefense ImpairmentDiscoveryExecutionImpactInitial AccessPersistencePrivilege EscalationReconnaissanceResource DevelopmentStealth

Techniques

Recent victims

Loading…

Source

Updated 22 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time lapsus$ posts a victim.

Add lapsus$ to your watchlist — Pro pings you within 5 minutes of any new lapsus$ leak-site post, Telegram callout, or affiliate-rebrand inference.