British police arrested seven people earlier this week in relation to a wave of attacks launched by the LAPSUS$ hacking group, against firms such as Microsoft, NVIDIA, Ubisoft, Samsung, and Okta.
LAPSUS$ has become notorious not only for its successful breaches, but also the brazen way it has attempted to recruit rogue employees inside businesses to help them breach defences.
Amongst those arrested was a 16-year-old boy from Oxford, who has been described as being the group’s “mastermind”. According to online claims, the boy may have amassed a 300 Bitcoin fortune worth approximately US $14 million.
Inevitably, it is this youngster who has captured the media’s attention. The boy’s father spoke to the BBC:
“He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games. We’re going to try to stop him from going on computers.”
Hmm.. you might want to take a slightly stronger line than that, mate.
Although the Oxford teenager is not being named due to his age, researchers believe he goes by the online handles “White”, “Breachbase”, and “Oklaqq.”
According to cybersecurity investigator Brian Krebs, a hacker using the name “Oklaqq” was offering employees at AT&T, T-Mobile, and Verizon up to US $20,000 a week to perform “inside jobs.”
A BBC News report described the boy as autistic, and said he attended a special needs education school in Oxford.
Detective Inspector Michael O’Sullivan said that the police has released all seven people, pending further investigation:
“Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”
I don’t know if those arrested are members of the LAPSUS$ gang or have any connection with cybercrime, and we have to assume their innocence unless they are found guilty at some later date.
But I really hope we don’t see the media fall into its familiar pattern of glamourising the criminal acts of malicious teenage hackers, portraying them as geniuses who don’t really do any harm.
Many of the elements in the LAPSUS$ case remind me of the notorious LulzSec hacking group, some of whose members tried to exploit their notoriety by starting a new career on the speaking circuit.
It’s never cool, or funny, or admirable, to hack into companies and expose the private information of the public.