The Lapsus$ extortion group, responsible for high-profile breaches of Nvidia, Microsoft, Okta, Uber, Revolut, and Rockstar Games (including the September 2022 leak of pre-release Grand Theft Auto VI footage), drew an unusually coordinated international law-enforcement response. Although the prosecutions and arrests of core members occurred in the United Kingdom and Brazil, the United States Federal Bureau of Investigation (FBI) played a central role in attribution, evidence-sharing, victim notification, and the policy review that followed. This report examines the FBI's coordination function in the Lapsus$ investigation.
Lapsus$ emerged in late 2021, employing social engineering, SIM-swapping, and insider recruitment rather than sophisticated malware (Cyber Safety Review Board, 2023). Many victims were U.S.-headquartered technology firms, which placed the FBI's Cyber Division in a coordinating position despite the suspects operating from the United Kingdom and Brazil.
Because Nvidia (Santa Clara, California), Microsoft (Redmond, Washington), Okta (San Francisco), Uber (San Francisco), and Rockstar Games (New York) are all U.S. corporations, FBI field offices in San Francisco, Seattle, and New York opened parallel investigations and served as the primary federal point of contact for victim companies (Federal Bureau of Investigation, 2022). The FBI's Cyber Action Team assisted Uber and Rockstar Games immediately after their September 2022 breaches, preserving log data later used by U.K. prosecutors.
The FBI worked through its Legal Attaché (Legat) offices in London and Brasília to share indicators of compromise, Telegram account attribution, and cryptocurrency wallet tracing with the City of London Police, the U.K. National Crime Agency, and the Brazilian Federal Police (Polícia Federal). This coordination contributed to the January and March 2022 arrests of Arion Kurtaj and a 17-year-old co-defendant in Oxfordshire, and the October 2022 arrest of a suspected Brazilian member (BBC News, 2023; Polícia Federal, 2022).
The most visible outcome of FBI coordination was its contribution to the Department of Homeland Security's Cyber Safety Review Board review, published in August 2023. The FBI provided classified and unclassified briefings, victim interview data, and threat-actor telemetry to the Board, which concluded that Lapsus$ "showed adeptness in identifying weak points in the system" and recommended structural changes to telecommunications authentication and identity providers (Cyber Safety Review Board, 2023, p. 4). The FBI is identified throughout the report as a partnering investigative agency.
Because the principal suspects were juveniles outside U.S. jurisdiction, the FBI prioritised disruption — seizure of infrastructure, account takedowns with Telegram and Discord, and defensive notifications to potential next victims through the Joint Cyber Defense Collaborative (JCDC) — rather than extradition (Cybersecurity and Infrastructure Security Agency, 2023).
Kurtaj was convicted at Southwark Crown Court in August 2023 and detained indefinitely in a secure hospital in December 2023; his 17-year-old co-defendant received an 18-month Youth Rehabilitation Order (BBC News, 2023). No U.S. indictments have been unsealed against the U.K. defendants, reflecting a deliberate choice to defer to the host nation's prosecution while focusing U.S. resources on the still-at-large members of the group.
The FBI's contribution to the Lapsus$ case was less about courtroom prosecution and more about the connective tissue of modern cybercrime investigation: victim support across multiple U.S. tech firms, intelligence shared via Legat channels, and substantive input into the CSRB's landmark public review. The case demonstrates how, even when arrests occur abroad, the FBI's coordination role can shape both the operational outcome and the longer-term regulatory response.
BBC News (2023) 'Lapsus$: Court finds teenagers carried out hacking spree', BBC News, 23 August. Available at: https://www.bbc.com/news/technology-66549159 (Accessed: 14 May 2026).
Cyber Safety Review Board (2023) Review of the Attacks Associated with Lapsus$ and Related Threat Groups. Washington, DC: U.S. Department of Homeland Security. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 14 May 2026).
Cybersecurity and Infrastructure Security Agency (2023) Review of the Attacks Associated with Lapsus$ and Related Threat Groups Report. Available at: https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report (Accessed: 14 May 2026).
Federal Bureau of Investigation (2022) Internet Crime Report 2022. Washington, DC: FBI Internet Crime Complaint Center.
Polícia Federal (2022) 'PF prende brasileiro suspeito de integrar organização criminosa internacional', Government of Brazil, October. Available at: https://www.gov.br/pf/pt-br/assuntos/noticias/2022/10/pf-prende-brasileiro-suspeito-de-integrar-organizacao-criminosa-internacional (Accessed: 14 May 2026).