
Cold Open

The following presentation is about an active investigation that involves minors. Some names have been withheld for the privacy of the accused. Listener discretion is advised. 

In May 2021, an IT worker at the massive game company Electronic Arts, or EA, received an innocent-seeming message over their internal Slack messaging service.

SFX: MESSAGE DING

“Hi, I’m so sorry, I left my phone at a party last night,” the message read. “I’m locked out of my 2fa, could you send me my token?”

The IT worker rolled their eyes. This wasn’t the first time this had happened—if they looked through the previous messages with this employee, they would see basically the exact same thing had happened a few days before.

SFX: TYPING

“You’ve got to be more careful,” the IT person responded. There was a pause, then the employee sent a cry-laughing emoji.

“I’m sorry!”

With a sigh, the IT worker had the employee enter their password. The system sent a text to their phone with a custom token—standard two-factor authentication, which most security-conscious people online are used to.

SFX: PHONE MESSAGE DINGS

“Here it is,” the IT worker said, sending the six-digit code over—the token had gone to them as well as to the employee’s phone. “Thanks,” the EA employee said, “you’re a lifesaver.”

The IT worker smiled, and in a chat to some of their coworkers put in a little note that said it had happened again. One of their colleagues sent over a gif making fun of the forgetful employee. 

A totally innocent thing. The sort of thing that happened a couple of times a day at a company the size of EA, a massive game company with nearly five billion dollars in revenue in 2019 alone, and nearly ten thousand employees all over the globe.

But there was one problem. The EA employee at the other end of that message wasn’t really an employee. He was a 16-year-old British teenager living at home. 

And he was working with a criminal group known as Lapsus$ (“lap-suss”) that was about to run wild through EA’s servers.

Over the next week, Lapsus$ members who’d broken into the EA system downloaded seven hundred and eighty gigabytes of proprietary information, from information about games and employee records, to the source code files for some of EA’s biggest games, including the upcoming installment in their hit soccer franchise, FIFA21.

FIFA games made EA more than 3 billion dollars that year. And this teenager had stolen everything. They could leak it to competitors, give it away for free, use it to make their own game. This could bankrupt a company that employed more than ten thousand people. Hundreds of those employees worked in security to stop exactly this situation from happening.

And they were defeated by teenagers using nothing more nefarious than publicly available information, and ten bucks worth of stolen credentials.

Who were Lapsus$? How did a group of teenagers in Brazil and the United Kingdom end up breaking into Electronic Arts, Microsoft, Samsung, and the Brazilian Ministry of Health?

Much of this story is still a mystery—the whole network of Lapsus$ is still being investigated, and court cases are still ongoing. But what we do know is a story of doxxing, parents not knowing what their kids are up to, and flagrant abuse of social engineering. 

On this episode: dark room vulnerabilities, teenage hackers and the power of social engineering.

I’m Keith Korneluk and you’re listening to Modem Mischief.

INTRODUCTION

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Lapsus$.

Act 1

A quick note before we get started: Modem Mischief has always been an independent production, which is why we could use your support. If you like the show, consider supporting us on Patreon. For as little as $5 per month, you’ll receive an ad-free version of the show plus special bonus episodes only for patrons. Or, if you prefer to wear your support on your sleeve, check out our latest merch. We’ve got everything from comfy hoodies to sick coffee cups. Your support will help keep this show in production and we’re grateful as all hell for those who have been supporting us. And now…on with the show.

MUSIC CUE: OMINOUS 80S SYNTH

When people of a certain age think of hacking, they usually picture a scene out of Mission Impossible, or a similar movie.

SOUND CUE: “I’m in”

You know how the scene goes: in a dark room somewhere, a nefarious agent sends a piece of malware into a network, probing for vulnerabilities in the code. We talk about it almost like the hacker is feeling a balloon in the dark, looking for the weakest spot so they can pop it.

SFX: POP

But most hacking isn’t quite like that.

SFX: BALLOON DEFLATING

Or rather, the weak spot isn’t some piece of code, it’s usually something more basic. The tallest wall in the world can’t stop an invading army if the guard opens the door. 

SFX: CROWD SOUNDS.

Most hacks aren’t about using programming to get through security, but instead target the people in charge of the security. They call it social engineering, but at its core, it’s about finding ways to get people to let outsiders in.

SFX: DOOR OPENING

Social engineering can come in a lot of different forms: getting people to enter their security credentials in a fake password reset email, running quizzes that ask for personal information to get through security questions, or even just those spam calls pretending to be from Medicare.

And when done right, the people in charge of keeping networks safe don’t even know social engineering’s been going on, because why would they? Everything looks good from their end: the defenses are up. And once an invader is inside, they’ll find a wealth of resources. The network perimeter has tight security and everyone inside it has supposedly been verified, so why would there be any additional security inside the walls for registered users?

There’s been an explosion of social engineering hacks over the last few years, to the point that there’s a whole other ecosystem built on top of it. Dark web marketplaces are full of legitimate login tokens for a range of places, from banks to Fortune 500 companies. All available for easy purchase using crypto.

SFX: CASH REGISTER

Bad actors can hack into nearly anywhere, without that much programming knowledge, just the right amount of money, time, and ability to impersonate people.

And Lapsus$ was a group of hackers who were very good at this.

MUSIC SHIFT: LAPSUS$ THEME

To tell the story of Lapsus$, we have to talk about the founder of it, the mysterious figure known as White.

This is the part that gets a little tricky—this is an active investigation and there isn’t a lot proven in court yet. But we know a little about White, also known as breachbase.

For one thing, White seemed to have gotten their start as a founding member of a short-lived malicious group of hackers that called itself the Recursion Team.

In 2021, a British teenager who went by the codename Everlynn founded the Recursion Team, announcing themselves on hacking forums as something that was 90% a prank group. They would do pretty nasty things: like SWATTING people’s houses—

SFX: SHOUTING AND A DOOR BEING BUSTED OPEN

—and zoombombing corporate Zoom rooms—you remember, one of the three million shitty things about 2020? That was when people would break into random companies’ Zoom meetings and disrupt them like the worst kind of class clown, talking over people, sharing memes or porn, and just being a dick.

SFX: ZOOM NEW MEMBER JOINING, LAUGHTER

Annoying stuff, but hardly the kind of thing to set the world on fire. But this group had found a way to get some money too, by using a pretty basic workaround to people’s security online: they engaged in something called SIM-swapping.

SFX: CARD GOING IN A SLOT

So many people’s security depends on having a phone number. But what happens if someone switches where a phone call goes?

SFX: PHONE RINGING

Groups like Recursion specialized in contacting phone carriers like Verizon or T-Mobile and getting them to reroute phone numbers to different SIM cards. Which is pretty easy to do: it just means convincing someone working for the phone company that you changed phones. As long as a hacker has enough convincing personal details, it can be done in a few minutes. Every phone carrier is full of people who move strangers’ phone numbers to different phones every day. All a hacker would have to do is be able to answer some pretty basic security questions.

SFX: PHONE CLICK

Once they had access to someone’s phone number, Recursion could impersonate them online, and use the phone number to break into anyone’s email or not-that-well-secured online services. And that means anyone. Even law enforcement. Which opened up a whole world to the Recursion Group.

SFX: SIRENS

Because on April 5th, 2021, the founder of the Recursion group, who went by the username Everlynn, posted an ad on a cybercrime forum called Cracked.to, selling data pulled from most websites with fake law enforcement requests.

Everlynn was underage—14 at the time of the posting—so details are scant, but we know they lived in England, liked to joke around, and had found a way to SIM-swap into police accounts. Once they got access to a police email address, they could contact most companies and ask for information about users by claiming there was an imminent threat of terrorism or self-harm.

Everlynn and the other Recursion Group people knew it was risky, but also had found out that most companies would go along with police orders like this, without asking too many questions.

Want information about users on a website? Send a note from the police asking for it. 

Needless to say, even if Everlynn couldn’t use the information they got, there was a whole world of people who’d spend money for things like that. So the Recursion Group charged anywhere from $100-250 to whoever wanted their service.

SFX: EMAIL DING.

And people bought their services. In quick succession both Apple and Meta—Facebook’s parent company—got emailed by what they thought were legitimate police requests, only to find out later it was the Recursion Group.

SFX: GIGGLES.

The money started coming in, which was great for some teenagers. The Recursion Group seemed like it was just a group of friends fucking around. But one member had bigger plans.

White was very good at SIM swapping. They could find weak points, and convince most security staff to let them in without tripping any flags.

But being good at social engineering meant that White also had vision, and didn’t just want to be splitting a few hundred bucks forever. No, they wanted to go bigger.

Using the name Breachbase, they created an account on a Telegram service that specialized in denial-of-service attacks, and tried to move past the shadow of the Recursion Group.

Through selling fake credentials, they’d collected over a hundred thousand dollars worth of bitcoin, and wanted to flex their muscles. 

SFX: CASH REGISTER

And they figured out something special: they didn’t have to be convincing and know lots of personal information. They could just buy off people who worked for phone companies.

SFX: CASH REGISTER

The first time they found somebody working at a phone company, it must have felt like a miracle.

And it gave them an idea to go big.

SFX: MESSAGE POSTING

And that’s where Lapsus$ comes in.

Starting around November 2021, messages started showing up on reddit, asking for some very specific types of people.

SFX: MESSAGE WHOOSH

“I am looking for insiders/employees at either ATT, Verizon, or T-Mobile,” one such message read.

“I can offer you upwards of $20,000 a week to do some inside jobs… for me. Low risk for you and me… plus you will get paid insanely well. You won’t even be noticed! …. We can discuss further on Telegram or email.” Signed, whitedoxbin, who called themselves Alex. Though Alex looked like it was a fake name.

Messages like that went out targeting a number of different companies and major organizations. Roughly half of them were written in English, half in Portuguese. Maybe White was working with someone in Portugal or Brazil. Or maybe they were Portuguese. 

If anyone responded, they were invited to join a Telegram chat group called Lapsus$. 

And clearly someone with access somewhere joined. Because less than a month later, at 1am on Friday December 10, 2021, systems at the Brazilian Ministry of Health went down.

SFX: POWER OUT.

Someone had gotten inside the network, copied over 50 gigabytes of records, including immunization records for the whole country, then deleted them. Then they’d edited the website to put up a ransom note: If the ministry wanted that information back—valuable personal information that was being used to make vaccine passports—they’d have to pay up.

SFX: PEOPLE SHOUTING

This was a big deal, and definitely not what the ministry needed, still reeling from a horrific COVID death toll in that country. 

The data had been backed up earlier that week, and IT professionals revoked everyone’s logins, so the ministry got back control pretty quickly. But it was scary. And with the information they stole from the ministry, even if their ransom wasn’t getting paid, Lapsus$ could still make a profit from this—they could sell personal information on the Dark Web. 

White probably saw this as a pretty good test case. Plus it gave some cash to fund doing more of this. 

And it was just the beginning.

On December 12, they put out an ad offering fifteen thousand dollars to anyone working in Brazilian police to help them. Lapsus$ was growing, and felt like they had the cash to grow.

Over the next few months they hit another 15 targets in Latin America and Portugal. On January 11 they broke into one of the largest car rental companies in Latin America, Localiza, and changed the website so that if anyone wanted to rent a car, instead they’d be sent to a porn site.

SFX: MOANING

They hit three of Portugal’s largest media companies, Impresa, Expresso, and Confina, in January and February. When they infiltrated Expresso they took over its Twitter page, cheekily proclaiming, in Portuguese, “Lapsus$ is the new president of Portugal”.

SFX: CHEERS

At the end of February they took out Vodafone Portugal’s cell service. 

SFX: POWER OUT

Lapsus$ was on a roll. More and more people joined the Telegram channel, and they’d found a decent business: infiltrate organizations, ransom materials from those places, and sell off everything else on the dark web.

They divided the enterprise into two parts: one, a semi-public Telegram channel where they’d post requests, taunts, and extortion threats, and look for recruits. The second was a small private chat where seven members would pick targets and do the real work. Most of these members came from Recursion Group, now here to make money.

White had even recruited the founder of the Recursion Group, Everlynn, now going by the name Amtrak. But it was clear that this was White’s show. But who was the mysterious White? And could they get away with these high-profile hacks, depending on a huge army of gig workers, without making some enemies?

White had created what seemed like a sprawling criminal enterprise. But they didn’t know that storm clouds were on the horizon: they were about to fuck with the wrong people. In fact, they already had. But to figure out how, we have to go back a few months.

SFX: THUNDERCLAP

Act 2

Microsoft, Electronic Arts, Nvidia. These tech companies are massive operations that bring in billions of dollars and employ tens of thousands of people across the globe. But having that many people working together with trade secrets means that while the companies might have multiple layers of security, at their core they have to rely on a surprising amount of trust.

Mossab Hussein, the spectacled Marvel comics-loving chief security officer, knows about this better than most. His company, spiderSilk, is a cybersecurity company that makes its living testing the defenses of the major companies to see how—not if—they left themselves open to attack. 

SFX: COMIC HIT

And on November 19, 2019, Hussein discovered that a former engineer working at Electronic Arts had left one of those openings: a publicly available engineering tool had been uploaded to GitHub that would let a curious interloper see a list of all employees at the company, all the projects they were working on, and descriptions of what the projects were.

Electronic Arts, or EA, is one of the biggest game companies in the history of the planet, responsible for games from the Sims to Apex Legends. In 2019 alone they had revenue of just under five billion dollars. That’s with a b.

They spent a relative fortune on security to protect their games from piracy. Yet they’d done the equivalent of leaving their windows wide open, so anyone could look inside and see exactly where and what was inside. 

Hussein did what any responsible white-hat security professional would do: he contacted EA and told them to metaphorically close the curtains.

SFX: CURTAINS SHUTTING

A few weeks later they quietly updated their GitHub to remove the vulnerability. Hussein hoped that was it.

But it wasn’t. It never is.

While the opening was there, someone had downloaded the information, and sold it on the darkweb.

Over at White’s bedroom, they saw the listing for EA, and saw an opportunity. They were still working with Recursion Group, but they wanted a way to make real money and hadn’t figured out how to franchise yet.

SFX: CASH REGISTER

They bought the list of internal documents for EA, and got to work.

SFX: DOCUMENT SCROLLING

See, what made White really good at social engineering, better than the others in Recursion, was that they were willing to put in the work to fixate on a subject. They could spend hours going through boring documents trying to see the vulnerabilities.

And after hours of going through the GitHub files showing the list of all of EA’s channels, they saw an opportunity.

On another dark web forum called Genesis, someone had posted login cookies for one of the employees listed in the EA GitHub leak. All White had to do was pay a couple of bucks, and they got credentials that let them send Slack messages to IT.

Jackpot.

So White logged in using the stolen credentials they’d bought from one place, and used information they’d bought from another. And voila, they had enough to trick IT.

White logged in, but couldn’t get any further. They tried to use the login to get into the main EA server, but couldn’t: it was asking for two-factor authentication.

No big deal to someone who’d been doing a lot of social engineering. They scrolled through old messages, and were a good enough mimic to figure out how people messaged on this Slack, and got to work.

SFX: TYPING

“Hi, I’m so sorry, I left my phone at a party last night,” White typed out. “I’m locked out of my 2fa, could you send me my token?”

Then they waited, not sure if this would work. They lived for this, this moment of fear that someone would figure out what was going on.

The IT person they messaged started typing. This was it, moment of truth.

The IT person stopped typing. The screen went blank.

SHIT, White thought to themselves. This wasn’t going to work.

After another moment, the IT person started typing again.

White prepped themselves to get in trouble—they reached out to the ethernet cable hooked into their computer, ready to yank it if they had to get out fast.

The message came in, just saying: “You’ve got to be more careful.”

FUCK YEAH, White thought, and sent a cry-laughing emoji—the universal sign for a white collar worker caught making a mistake.

And like that, they were in. IT opened the door for them.

SFX: DOOR CREAKS OPEN

Once in, White was able to download a lot of information. This was going to be their big ticket. EA would pay a fortune for this. They made billions off these games, and White was going to sell it to the highest bidder.

They came in and downloaded everything they could—almost a terabyte of information, including the source code to EA’s biggest game.

Then they posted feelers with all the major players on the darkweb, waiting for their payday to come. 

White was so happy, and sure of the fortune they were going to get, that they started spending. 

There’s a notorious darknet site called doxbin, that nearly a decade before had been a hive of scum and villainy. Hackers would doxx people—find their real names, personal information, addresses, things like that—and post it on doxbin. If people wanted info about specific people, they could hire hackers on doxbin to track them down.

It was illegal, and very gross. Users would take revenge on lovers who rejected them, go after people they didn’t like online, would out porn actors, things like that.

And needless to say, for people who lived and breathed on the darkweb, like White, it was a big deal. They loved information like that, both for their hacks and out of a sick pleasure.

It had gone through different owners and moderators over the years, because it was a headache. In 2014 after a federal judge’s information had been posted on it, doxbin went down for a little while. Things like that happened a lot. Which was rough for someone like White who spent a lot of time on there. 

So, knowing they were about to get a fortune, White went ahead and bought doxbin for a hefty sum from the hacker known as KT, the owner.

SFX: KA-CHING

White didn’t want to lose access to all that juicy data they could use for social engineering. And more than that, it was clout: this way they had power. More power than Everlynn or those others back at Recursion Group, the hacking group White had been part of before. That’s why they became known as whitedoxbin, to show the status they had.

They were the head of a hacking empire now. Doxbin would be the way to prove it. 

There was only one problem though: even though White had told people on their usual darknet sources that they’d stolen all this EA data, there weren’t any buyers.

SFX: CRICKETS

It had been weeks, and no one seemed to want to mess with it. This was a big thing, going after a company like EA. They could—and did—hire the very best cybersecurity in the world. This wouldn’t just be getting in trouble with some people online, if something went wrong, this could mean real jail time.

And what were hackers going to do with the source code to a game? This wasn’t bank information, or something they could use to make easy money. This was just… a game. Only valuable to a game company.

Well, that’s okay: they happened to know of a game company that would be very interested in the data.

So on June 10, they released screenshots and showed their hand: they admitted they’d broken into EA, and said they would sell all the information back to Electronic Arts for twenty-eight million dollars.

Sure, maybe hackers wouldn’t care. But surely the studio wanted to protect its investment?

Over at EA, the news dropped like a bombshell. 

SFX: BOOM

How did they do this?

Corporate security and IT went through security logs with a fine-toothed comb. 

And they realized that as crappy as this was, it didn’t point to a crack in their metaphorical wall. Rather, someone had gotten lucky.

So White got the same message from EA that they’d been getting from everyone on the darkweb: silence.

This was a big moment for them. They had been unhappy at Recursion, hoping to go out on their own. But instead of making a fortune, they were left with nothing. Less than nothing: they’d blown a bunch of money on buying doxbin. 

But they’d learned one big lesson: it was shockingly easy to get into a big company if they used social engineering. 

So White used this moment to grow, and to move towards starting Lapsus$.

But what they didn’t know was that EA had used this moment too. EA’s very expensive security knew about White now, and they were talking to other companies. And they weren’t going to take the next thing lying down.

Which is too bad for White, because after their run of success as Lapsus$, they finally felt ready to go after big companies again. They didn’t know that the companies would be waiting, or that White had been making stupid calls as they built their criminal empire.

Act 3

The hacker known as White had spent the fall of 2021 and early spring of 2022 building a social engineering franchise called Lapsus$—run on Telegram, it recruited people with ins at different telecom and tech companies, as a way to break into systems. Once there, they could steal user data and sell it on the darkweb.

It had been a pretty good system when the targets were local governments, small media companies, and others without strong cybersecurity backgrounds.

And the members of Lapsus$ were both easier and harder to track down than most hackers. They didn’t depend on impressive tools, or need the support of governments or other major resources. They depended on social engineering to break into networks: basically scamming their way in through the back door.

White had been able to build a franchise by doing this, and probably thought they were on top of the world.

But little did they know there was a ticking time bomb—because when White had broken into the game company Electronic Arts the year before, they’d left behind a lot of clues about how they worked.

Here’s the thing about social engineering, and other confidence games: they depend on trust, so if the trust is broken, they can’t do anything.

But White didn’t notice, or if they did, they didn’t care. They were building a ransomware empire on their Telegram chat.

The way Lapsus$ and White worked was a little like using a Discord server or other kind of forum. The main chat lived on Telegram, an encrypted messaging app, and with a little bit of work anyone could join it. Thousands of people were on their main chat.

SFX: MULTIPLE MESSAGES DING

Managing this empire was hard work, and meant that White spent most of their time online fielding messages, trying to solicit sources, or selling the information those sources gave them.

Which was a lot of work no matter what, but especially for someone who was—in theory—supposed to be managing another group entirely.

The year before, White had bought the notorious darkweb site doxbin, a site that hosted doxxed information. 

They’d bought it before starting Lapsus$. It’s possible they even started Lapsus$ as a way to raise the cash to pay back the fees it took to buy the site.

But now that they had a thriving franchise, White didn’t have time to run doxbin any more.

And it required a fair amount of work: like any other site, there was a fair amount of moderation, and general maintenance. Which White didn’t seem to care about, and let the site fall into general neglect.

Which—probably anyone could have predicted—wasn’t great. People got pissed. And specifically, they got pissed at White. 

During the fall, as White spent hours working on Lapsus$, they tried to dodge messages from doxbin members and stopped visiting the site. But unsurprisingly, people who used a page for doxxing people were pretty good at figuring out who White was, and tracked them down anyway. White got messages in different email accounts, asking why the gamergate page wasn’t in better shape. White would close that window in a huff, only to find a message on their phone.

ANSWER US, the message said. White threw the phone across the room, and turned up the music on their headphones.

So after months of members complaining to White, they’d had enough. White had bigger things to worry about, and didn’t feel like they needed the clout anymore.

They contacted the old owner, KT, and sold the site back to them, losing a lot of money in the process.

But before they did, White did something stupid. They were mad, the doxbin people had been assholes, and they’d bugged them at home.

So White used the resources they had, and in January 2022 leaked the whole user database of doxbin to the world.

SFX: DOWNLOAD

Anyone who’d been uploading or downloading materials to this very shady darkweb site was suddenly exposed.

Which probably felt great at the time.

But it meant that White had just pissed off people who knew everything about them. Literally everything.

A week later, White loaded up their Telegram, to see a message from one of the doxbin members who’d been most actively trying to get them to talk.

Hello White, or should I say… the message started. White blanched.

What followed was their real name. And a picture of their house.

We aren’t going to repeat the name or anything like that. Because White—while a criminal mastermind—was also only a 16-year-old boy living in England, going to a special education school because of his autism diagnosis.

The person who’d been able to break past some of the most intense security in the history of the planet was too young to buy cigarettes. 

His father, when questioned by the media, said he thought that White just loved playing videogames, and that’s why he was always online.

The police weren’t there yet, it was just on the darkweb. But it was bad. Really bad. White had started out by SWATing people, then made a lot of enemies, and now his personal information was out there. It was a matter of time before they started going after him in real life, and maybe his family.

This was bad. Very bad. But instead of laying low, White decided that the only way out of this was through. He started aggressively hiring people with access to security firms.

By late February, forty-seven thousand people were on the Telegram channel. It buzzed with traffic.

SFX: MESSAGE DINGS

If hackers knew everything about White, well then he was going to be so big as to not worry about it.

On February 26th, they broke into NVIDIA, and stole more than a terabyte of source code and user data.

User data was the useful part of that for making money, but it didn’t seem like enough for White. He wanted source code. He wanted to know how things worked.

In the internal chat with the seven leaders of Lapsus$, including Amtrak, his former Recursion Group friend, White laid out the plan:

He wanted to move past just petty extortion. He wanted to get into the big stuff: the FBI, the Department of Defense.

Other members pleaded with him not to mess it up. But White insisted, and said he wanted to go after T-Mobile, a big telecom company that could let him SIM-swap his way into one of those big places.

And after a while, Amtrak relented, but he had a request, since he’d gotten in trouble before.

“Can u hide the t-mobile logo?”

“The fuck?” White asked, genuinely confused. “Sorry? Are you high?”

“Parents know I simswap,” Amtrak replied, a little sheepish, “so if they see [the phone logo] they think I’m hacking. Kek.”

“LOL” White replied, but got to work.

MUSIC CUE: LAPSUS$ THEME

That month Lapsus$ hit Samsung and Microsoft. But White kept trying to get into T-Mobile.

And on March 19, they finally got into the holy grail for SIM-swapping: Atlas, T-Mobile’s internal service for managing user accounts.

SFX: KEY UNLOCKING

This was it—it could be used to get nearly anyone’s phone information.

But unfortunately for White, the accounts associated with the Department of Defense and FBI needed extra work. So it was useless to him.

“Junk,” he wrote, in the private chat.

“Nooo,” Amtrak wrote back, pleading “this is good!” He could use this to SIM-swap wealthy targets for some serious cash.

White didn’t care though. He wanted to get into the Department of Defense.

SFX: PLUG BEING PULLED

“WHY CLOSE ATLAS,” Amtrak typed in all-caps. “THAT WAS WHAT I WAS WANTING SINCE THE BEGINNING.”

“I know,” White replied. The teen smirk practically jumping off the screen. “That’s why I closed it.”

White was an asshole, and when he fixated on something, he fixated hard. He closed the access to Atlas, and instead spent the next twelve hours downloading all the source code he could find. Hoping he could find a way to get into those dangerous accounts. T-Mobile figured out what was going on, and closed down his access, but he didn’t care, he had the info he wanted. 

But he hadn’t realized that he’d made two mistakes.

First, he’d been making a lot of enemies in the dark web community, people who knew who he really was.

And second, by targeting Microsoft, Samsung, NVIDIA, and T-Mobile, he’d set off traps that had been in place since he’d broken into EA the year before.

Security researchers had been on the lookout for something like this ever since. And the mix of his sloppiness in grabbing the source code and his public bragging had gotten their attention.

And they could go to doxbin just like anyone else, and see all the information about who White really was.

SFX: BRITISH POLICE SIRENS

On the morning of March 24, less than 4 days after White had stolen T-Mobile’s source code, he woke up to the sound of sirens outside his quiet suburban home.

City of London Police arrested him, dragging him out of the house past his protesting and confused mother.

All across the country six other teens were arrested in connection with it. The command center of Lapsus$ had been shut down. But the problem with any kind of franchise is that it’s hard to take it down in one go.

Act 4

In March of 2022, after being doxxed by a group of people he’d doxxed before, the British teenager known as White was arrested, along with 6 other teens.

They were underage, so the punishment wasn’t that severe, but it put a damper on the whole Lapsus$ operation.

But White didn’t stop. On September 19 someone broke into Rockstar Games, the maker of Grand Theft Auto, and stole the source code to the newest game, just as had happened to EA the year before.

But unlike with EA, he didn’t get away with it. Four days later, police showed back up outside White’s house and re-arrested him.

SFX: BRITISH POLICE SIRENS

He and the other high-ranking Lapsus$ members are awaiting trial now. But no matter what happens, this was a big operation. Sure, only seven people were involved at the top, but forty-seven thousand people were on the public Telegram channel and had learned their tips.

And it’s not like the leadership was doing anything technologically complicated: their method was just to buy information on the dark web and use it to break into big networks.

Anyone could do it. And so they did. In September the Brazilian branch of Lapsus$ broke into Uber.

But police around the world were paying attention now. In October Brazilian police arrested the people involved.

Since then, multiple groups all over the world have branched off, using Lapsus$’s techniques and other tricks learned from White.

Though they aren’t the only ones who’ve learned.

Cybersecurity firms are going through dark web forums to look for login tokens to their internal networks as a matter of course, and phone companies are trying to beef up security to stop SIM-swapping. They’re doing their best to make it harder for groups like Lapsus$ to break in.

But the best security in the world can’t do much so long as there are social engineers like White out there.

I’m Keith Korneluk and you’re listening to Modem Mischief.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon or a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus monthly bonus episodes exclusive to subscribers. You can also support us through our merch store if soft tees, cool stickers and comfy hoodies are your thing. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by David Burgis. Edited, mixed and mastered by Greg Bernhard aka that dope dial twister. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!