Lapsus$ (stylised LAPSUS$) is an international extortion-focused black-hat hacker collective that rose to global prominence in late 2021 and early 2022 through a string of high-profile intrusions against major technology companies, including Microsoft, Nvidia, Samsung, Okta, Ubisoft, T-Mobile, and ultimately Rockstar Games. Tracked by Microsoft under the threat actor identifier DEV-0537 (later renamed Strawberry Tempest under Microsoft's weather-themed taxonomy), the group is notable for combining crude but effective social engineering with bold public posturing on Telegram, deviating sharply from the operational secrecy typical of organised cybercrime (Microsoft, 2022). The group's relevance to the Grand Theft Auto VI story is direct: Arion Kurtaj, a teenage Oxford resident identified as a core Lapsus$ member, was responsible for the September 2022 Rockstar Games breach that leaked roughly 90 development videos of GTA VI (BBC News, 2023). Understanding Lapsus$ (its composition, methods, and prior victims) is therefore essential context for the GTA VI leak event.
Lapsus$ first surfaced in December 2021 with an attack on Brazil's Ministry of Health, in which approximately 50 TB of internal data was exfiltrated and the ConecteSUS COVID-19 vaccination portal was knocked offline (Wikipedia, 2026). Investigators later established that the group was an unusually young and loosely organised collective. According to the indictment and subsequent reporting, the alleged mastermind was Arion Kurtaj, then a 16-year-old living with his mother in Oxford, England, with another core member being a teenager in Brazil (Krebs, 2022; BBC News, 2023). A Bloomberg analysis at the time estimated roughly seven members, several of them minors, recruited and coordinated largely via Telegram (Microsoft, 2022). The City of London Police arrested seven individuals aged 16–21 in March 2022 in connection with the group (Wikipedia, 2026).
Microsoft's incident response team characterised Lapsus$ as operating a "pure extortion and destruction model without deploying ransomware payloads" (Microsoft, 2022). Initial access was typically obtained through identity compromise rather than malware exploitation. Documented techniques include: deploying the Redline information stealer; purchasing credentials and session cookies on criminal forums; paying insiders at target organisations or their suppliers for credentials and MFA approvals; SIM-swapping employees to intercept phone-based authentication; and multi-factor authentication (MFA) fatigue attacks, where the victim is spammed with push prompts until they approve one (Microsoft, 2022). Once inside, the group used AD Explorer, Mimikatz, and DCSync to escalate privileges, harvested secrets from internal Confluence, JIRA, GitLab, and SharePoint instances, and exfiltrated source code and customer data via NordVPN egress nodes. In several cases, Lapsus$ joined the victim's own incident-response bridge calls to monitor the defensive response (Microsoft, 2022).
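The MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of denied or ignored push prompts for one account, followed by an approval. The following detection sketch is an added example, not taken from Microsoft's report or any vendor's product; the log format, outcome names, 10-minute window and threshold of 5 are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real log): time, user, push outcome.
SAMPLE_LOG = """\
2022-03-01T02:00:05Z alice DENIED
2022-03-01T02:00:40Z alice TIMEOUT
2022-03-01T02:01:10Z alice DENIED
2022-03-01T02:01:55Z alice TIMEOUT
2022-03-01T02:02:30Z alice DENIED
2022-03-01T02:03:02Z alice APPROVED
2022-03-01T09:00:00Z bob DENIED
2022-03-01T09:00:30Z bob APPROVED
2022-03-01T10:00:00Z carol DENIED
2022-03-01T10:01:00Z carol DENIED
2022-03-01T10:02:00Z carol DENIED
2022-03-01T10:03:00Z carol DENIED
2022-03-01T10:04:00Z carol DENIED
2022-03-01T11:30:00Z carol APPROVED
"""


def parse(log):
    for line in log.splitlines():
        ts, user, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome


def detect_mfa_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Flag approvals preceded by >= threshold unapproved pushes within window."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts, user, outcome in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell outside the window
        if outcome in ("DENIED", "TIMEOUT"):
            q.append(ts)
        elif outcome == "APPROVED":
            if len(q) >= threshold:
                alerts.append((user, len(q), ts.isoformat()))
            q.clear()             # an approval resets the streak
    return alerts


if __name__ == "__main__":
    for user, n, when in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approval at {when} after {n} rejected/ignored pushes")
```

In the sample, only the first account alerts: the second has a single mistaken denial, and the third's approval arrives long after the burst, outside the window.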
On 23 February 2022, Nvidia detected an intrusion in which Lapsus$ claimed to have exfiltrated roughly one terabyte of data, including proprietary GPU schematics and driver code. The group demanded that Nvidia open-source its device drivers and remove the cryptocurrency mining limiter (LHR) from GeForce cards (Wikipedia, 2026). On 3 March 2022, credentials for more than 71,000 Nvidia employees were dumped online.
On 4 March 2022, Lapsus$ published a 195 GB torrent containing Samsung internal data, including source code relating to the Samsung Galaxy line, TrustZone trusted applets, bootloaders, and Knox authentication components. Samsung confirmed the breach three days later (Wikipedia, 2026).
On 20 March 2022, Lapsus$ posted a screenshot of an internal Microsoft Azure DevOps server to Telegram, and the following day released a 37 GB archive that the group claimed contained roughly 90% of the source code for the Bing search engine, alongside material from Bing Maps and Cortana. Microsoft confirmed that a single account had been compromised, granting limited access, and emphasised that "viewing source code does not lead to elevation of risk" because its security model does not depend on code secrecy (Microsoft, 2022).
In the same period the group breached identity provider Okta via a third-party support engineer's workstation, stole T-Mobile source code, and, after a brief lull and arrests, re-emerged in September 2022 with attacks on Uber and Rockstar Games, the latter producing the GTA VI footage leak (Wikipedia, 2026).
Following a seven-week trial in 2023, Kurtaj and a 17-year-old co-defendant were convicted; Kurtaj, assessed as unfit to stand trial, was given an indefinite hospital order (BBC News, 2023). The U.S. Cyber Safety Review Board issued a detailed post-mortem in 2023 highlighting weaknesses in MFA, telecom SIM controls, and outsourced help-desk processes (CISA, 2023).
BBC News (2023) Lapsus$: GTA 6 hacker handed indefinite hospital order. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
CISA (2023) Review of the attacks associated with Lapsus$ and related threat groups. U.S. Cyber Safety Review Board. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 14 May 2026).
Krebs, B. (2022) 'A Closer Look at the LAPSUS$ Data Extortion Group', Krebs on Security, 23 March. Available at: https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/ (Accessed: 14 May 2026).
Microsoft (2022) DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Microsoft Security Blog, 22 March. Available at: https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ (Accessed: 14 May 2026).
Wikipedia (2026) Lapsus$. Available at: https://en.wikipedia.org/wiki/Lapsus$ (Accessed: 14 May 2026).