
Lapsus$ Ransomware's owner doxed.

UnknownDeath

RAM
Banned
Registered: 31.07.2021
Messages: 115
Reactions: 39
Please note that this user is banned.
TO THE MODS: THIS INFORMATION IS FROM 3RD PARTY SOURCES, IT IS EDUCATIONAL AS IT SHOWCASES BAD OPSEC IN HOPES OTHERS LEARN FROM THE MISTAKES OF OTHERS.
IF YOU HAVE A PROBLEM PLEASE RESTRICT OR REMOVE THE THREAD. I'M JUST RELAYING INFO.


NVIDIA + Samsung recently suffered a data breach; however, 2 months prior, Lapsus$ ransomware's owner "Lapsus$" was doxed by doxbin's staff. However, neither NVIDIA nor Samsung wants to do anything regarding the matter.
LAPSUS$ is a 16, almost 17, year old autistic skid who previously lived in the United Kingdom and bought a website called "Doxbin" for $75,000 USD. After running the site for a while he completely derailed it via lack of care.
KT, the owner of the site, inquired about it, although he was active in LAPSUS$'s group chat during that time.... completely lacking the care to maintain a website he bought. After numerous issues he finally put doxbin back up for sale.
Both the former admins re-bought the site. Unfortunately LAPSUS$ wasn't happy and tried to steal the Discord vanity URL, which was replaced in 2 hrs. He then took to Twitter to request the dox of the former admin and would pay $100k USD.
However, the reinstated admin broke into the Twitter and basically attacked him for using bad passwords/reusing them. Over the next few days he was bullied until ultimately leaking doxbin's user base; the database included emails, passwords, usernames, user agents, 2FA codes and hashed passwords. Nothing too major.

With the whole backstory out of the way: LAPSUS$ had the police called on him. They showed up to his mother's house, where he wasn't, so they drove down the road to his father's house, which he was in the process of fleeing. He's now in Spain hacking companies like Samsung and NVIDIA.

Here is the official dox of LAPSUS$ ransomware's owner. Figured this should help anyone affected by this little worm who has bad opsec, as well as help others not make the same mistakes.
You must spend 60 days on the forum to view the content.
 
Please note that this user is banned.
Your link doesn't work, 504.

Please fix the link, since it leads to the 'upload' panel rather than to a specific bucket.
Hidden content for users: hidden_serviceg.


Proof of the owner from the dox
 
Please note that this user is banned.
I'm looking for feedback; I study failures to help others avoid making similar mistakes.

So, if anyone wants more news about this type of thing, please let me know. From the post on doxbin I know he has a profile here, so.... I would like to personally say the same thing I said on Twitter: Arion, I hope you choke on the 14 million dollars, idiot.

With that said, if you like this type of content/ideas, please leave feedback, whether it's a thumbs up, a thumbs down or even a comment.

As I said, this will help others avoid making the same mistakes.
 
Please note that this user is banned.
Update:

According to Twitter, Lapsus$ has officially moved to Spain; he's located near the capital. Thanks to DarkOwl Cyber for the OSINT idea.

In a reply to me, Lapsus$ AKA @oxf_arion decides to post this gem. Unfortunately for him I just got done reading an article from Forbes.... which used the weather + time to calculate the location of Lapsus$, which was in London. However, the weather, time of day + that lovely email at the top only expose him further. Lapsus$ AKA Arion loves to go fishing with his uncle; however, if you notice the 3rd tab, you notice he's going "Carp fishing in Beeauval Zoo", which is northern France. Interesting, isn't it.

The photo he posted was to 'disprove he was white' to only get laughed at for such a terrible attempt to lie. Arion doesn't seem to understand SQL database structures which may have led to the issue of him breaking the site on numerous occasions. First thing here is he tries and tells me someone changed their password 4 times which wasn't possible, than moved to telling me it logs Incorrect passwords. He also claimed there was 66 results for incorrect passwords regarding the password: Arion20051212 which there is 66 results but 65 are edited paste entries or dox removals there is one instance of that password + a similar one one Lines: 231111 and 231112 however the rest are just edits, removals, updates or whatever.

However: when a "new" database entry is added it becomes stored.... However, when you "login" the database is queried for a matching set of data. In this case: username:password.
To sum it up, he left his username at the top of the Notepad++, left his fishing trip open and finally didn't censor his timezone, date or weather, allowing me to calculate his location to mid-Spain around the capital.
Time: 18:57 PM | Date: 13/03/2022 (13th of March, 2022). Weather is 18º C, which seems to align with Madrid, Spain, but it is possible to be another nearby location; given his wealth it is possible he has somewhere to stay or he's with a known friend there. Although he's 16, he's autistic and would be foolish to trust someone close to him, which would be good for law enforcement to utilize. We know he's going to France, so his uncle would be a prime choice.


Proof of password reuse:
arionkurtajgaming@outlook.com + Arion20051212 is his email + password the email is associated with PayPal among other things.
 
Please note that this user is banned.
To add insult to injury: Lapsus$ had 7 members arrested + released. However, the method used to dox Lapsus$ was very lovely. Basically the owners of Doxbin pwned some police websites in countries with low security and filed an EDR, or Emergency Data Request, which is typically filed in nations with a "Guilty until Proven Innocent" clause within their laws to request data in a timely manner when someone may be at risk of dying or becoming harmed greatly. In the US especially there's a process of getting legal documents from companies; however, an EDR bypasses them. You can leak people's nude photos/videos from Snapchat with these requests.


FuckMox & Several Others were either doxed by Lapsus$ or were doxed by Doxbin staff on behalf of Arion Kuraj AKA Lapsus$.
It doesn't end there either: Arion's password as seen above was used just shy of 3 years before he dumped the doxbin database.... His father claimed "I thought he was playing games", which is a big lie; KT, the previous and once again current owner of doxbin, had texted his father about the illegal acts. He was aware of the crimes for well over 2 months.

Arion, who goes by @oxf_arion on Twitter, which appears to be short for "Oxford_Arion", decided to be an idiot & had a representative pay KT $20,000 USD in Bitcoin to edit the dox & claim it was identity fraud and leave it pinned for 28 days; after that she would get the remainder of the $75k. Thankfully KT isn't an idiot and she proceeded to take the $20,000 and leak the conversations.


But it doesn't end there either. Arion's parents restricted him from the internet & he confirms he was on a vacation in Spain.... Isn't that lovely? Not only that, but he had Minecraft running on a computer running Windows 11; if you pay attention to some of the screenshots, this is another opsec failure. He runs a Windows 10 VM within a Windows 11 desktop. So, the more he posts, the easier it is to prove he's the mastermind behind it all.
 

