Cyber Incident Victim: Samsung Electronics
Date: Mar 2022
Location: South Korea
Summary
A cybercriminal group leaked approximately 190GB of confidential data allegedly stolen from Samsung Electronics, including source code for security-related components such as Knox, bootloaders, trusted applications, device security mechanisms, and encryption systems. The breach also exposed backend and frontend code for Samsung Account, Samsung Pass, and repositories linked to services including Bixby, SmartThings, and the company's store. The perpetrators publicly released the data without disclosing whether a ransom demand preceded the leak. Samsung later acknowledged unauthorized access to its systems, confirming that source code related to Galaxy smartphones was compromised during the intrusion.
Description
On March 4, 2022, the Lapsus$ extortion group publicly leaked approximately 190GB of data allegedly stolen from Samsung Electronics. This followed the group’s prior release of 20GB of Nvidia data earlier that week, establishing a pattern of high-profile cyber extortion campaigns. Lapsus$ initially teased the Samsung leak by posting a snapshot of C/C++ directives from Samsung software, then provided a detailed breakdown of the torrent contents. The leaked data comprised three archives: Part 1 contained source code and data related to Security/Defense/Knox/Bootloader/TrustedApps; Part 2 included device security and encryption source code; Part 3 held repositories from Samsung’s GitHub covering mobile defense engineering, Samsung Account backend, Samsung Pass backend/frontend, and SES services supporting Bixby, SmartThings, and Samsung Store. The group claimed the material represented confidential Samsung source code obtained through a breach but did not disclose whether they demanded ransom from Samsung prior to the leak.

Samsung confirmed the breach on March 7, 2022, acknowledging unauthorized access to source code used in Galaxy smartphones. The compromise exposed critical intellectual property, including bootloader and trusted application code foundational to device security architectures like Knox. The leak’s scope extended beyond hardware firmware to backend systems for Samsung Pass (authentication service) and Bixby (voice assistant), potentially undermining multiple product security postures. While Lapsus$ structured the leak to highlight sensitive components, Samsung did not disclose intrusion timelines, detection methods, or containment actions beyond validating the breach’s occurrence. The incident marked one of multiple concurrent attacks by Lapsus$ against major technology firms during early 2022, with confirmed impacts limited to source code exposure rather than customer data compromise based on available disclosures.
