The hacking group known as Lapsus$ has been linked to cyber attacks on Microsoft, Nvidia, and Samsung (opens in new tab), among others, before core members of the group were said to have been arrested. Since then new text messages claimed to be from the hacking groups members suggest telecom company, T-Mobile, was also targeted and source code successfully stolen by the group. However, also that the FBI got involved and locked the group out of its own rented servers before they could do anything with the data.
Security blog KrebsOnSecurity (opens in new tab), written by journalist Brian Krebs, says it has received logs of the Telegram discussions between the core members of Lapsus$, in which the hack of T-Mobile and the subsequent seizure are mentioned.
"FFS, THAT AWS HAD TMO SRC [T-Mobile source code] code!," a member of the group, known as White, is said to have mentioned in the aftermath of the seizure.
White was shortly thereafter arrested by City of London police, and is reported to be a 16-year-old from Oxford, UK (opens in new tab). Other UK citizens, aged 15–21, were also arrested and alleged to be in connection with the group.
Lapsus$ is said to have preferred uploading stolen data to the cloud and rented servers to lower the risk of police raids on the members' homes from finding any of the stolen information. That plan didn't quite work out, however, as the remote content was scooped up by the FBI.
The hacking group is supposed to have tried to once again breach T-Mobile's systems and download the stolen data, however, found they were unable to regain access using the access tokens. These tokens were reportedly purchased online from the online equivalent of a man in a back alley opening a large trench coat, but the system may automatically revoke access to them when large repositories were downloaded many times in a short period.
"Cloning 30k repos four times in 24 hours isn’t very normal," White is reported to have said.
T-Mobile has since confirmed the incident took place, but says that nothing of value was stolen by the hackers in this instance.
"Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software," T-Mobile says. "The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete."
Ultimately, it appears the arrested Lapsus$ members' downfall may have been accelerated by infighting and retaliatory actions from other nefarious actors. Original arrest reports, paired with Krebs on Security's, suggest that at various times White would fall out with a member of the group and make an attempt to expose their identity. While similarly White was doxxed by a group of fellow doxxers on a doxxing website he himself ran called Doxbin following his own doxxing of the site's users.
The original owner of that website, a cybercriminal by the handle of 'KT', is reportedly the person that leaked the private chat logs to KrebsOnSecurity. What goes around, comes around, I suppose. And in this case it appears that the FBI and police were the ones to come around knocking at the door eventually.