
Cyber Incident Victim: T-Mobile US

Date:

Mar 2022

Location:

United States of America

Summary

The cybercrime group LAPSUS$ breached T-Mobile US multiple times in March 2022 by buying stolen employee credentials on dark-web markets and using social engineering to get past multi-factor authentication, which gave it VPN access to internal systems. The attackers focused on stealing proprietary source code, exfiltrating over 30,000 repositories, and briefly reached customer account-management tools; additional verification controls on government-associated accounts prevented unauthorized SIM swaps. The company stated that no customer or government data was compromised, terminated the intrusion quickly and invalidated the compromised credentials. LAPSUS$ later lost the stolen source code when law enforcement seized its cloud server, and further attempts to re-download it failed after T-Mobile's systems revoked the group's access token in response to abnormal cloning activity.


Description

In March 2022, the LAPSUS$ cybercrime group breached T-Mobile US multiple times, stealing source code for internal company projects. According to leaked private Telegram chats among the group’s seven core members, LAPSUS$ initially gained access by purchasing compromised employee credentials from dark-web markets such as Russian Market, which sell access to remotely compromised systems and the authentication details stored on them. The group targeted T-Mobile employees with access to internal tools in order to conduct SIM swaps, the unauthorized transfer of a victim’s phone number to an attacker-controlled device so that SMS-based multi-factor authentication codes can be intercepted. LAPSUS$ members repeatedly lost access when an employee changed their password or logged in themselves, but simply bought another set of VPN credentials; with a global workforce of roughly 75,000, T-Mobile offered a large pool of such accounts.

On March 19, 2022, the group accessed Atlas, a T-Mobile tool for managing customer accounts, and attempted to look up FBI and Department of Defense accounts. Those accounts required additional verification, which blocked any unauthorized changes. Over the objections of other members who wanted to monetize the access through SIM swaps, the group’s leader (a 17-year-old from the UK using aliases including “White” and “Oklaqq”) terminated the VPN connection to focus on stealing source code.


LAPSUS$ then compromised T-Mobile’s Slack and Bitbucket accounts and used an automated script to exfiltrate over 30,000 source code repositories within 12 hours. T-Mobile’s monitoring tools detected the intrusion, revoked the compromised credentials and shut down the access; the company stated that no customer or government data was taken. The stolen source code was stored on an Amazon AWS server that the FBI later seized, so LAPSUS$ lost the data permanently. Attempts to re-download the code failed when T-Mobile’s systems revoked the group’s access token, most likely in response to the abnormal volume of cloning activity. LAPSUS$’s broader pattern was to extort victims by threatening to leak stolen source code, although its motives beyond financial gain or competitive sabotage remained unclear. The group’s operational security relied on keeping all exfiltrated data in the cloud so that nothing would be found on physical devices during law-enforcement raids, a strategy that backfired when the server itself was confiscated. T-Mobile confirmed the breach weeks after detecting it, emphasizing that its systems had worked as designed to contain the incident rapidly.
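The token revocation described above, triggered by an abnormal volume of repository cloning, is the kind of rule a detection engineer would want to see written down. The block below is an added example, not T-Mobile’s or Atlassian’s tooling: it assumes a hypothetical JSON-lines audit log with fields ts, actor, action and repo, and flags any principal that clones more than a threshold of distinct repositories inside a sliding one-hour window. The actor names, the repository names, the threshold of 25 and the log lines themselves are all constructed for illustration.

```python
"""Sliding-window mass-clone detector over a source-control audit log.

Added example; the log format (one JSON object per line with "ts", "actor",
"action", "repo"), the threshold and the window are assumptions, not any
vendor's real schema or any real detection rule.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one engineer doing routine work, plus one token that
# clones a new repository every minute for forty minutes.
SAMPLE_LOG = "\n".join(
    [
        json.dumps({"ts": "2022-03-19T02:00:00Z", "actor": "alice",
                    "action": "repo.clone", "repo": "billing/core"}),
        json.dumps({"ts": "2022-03-19T02:05:00Z", "actor": "alice",
                    "action": "repo.push", "repo": "billing/core"}),
        json.dumps({"ts": "2022-03-19T02:30:00Z", "actor": "alice",
                    "action": "repo.clone", "repo": "billing/ui"}),
    ]
    + [
        json.dumps({"ts": f"2022-03-19T03:{i:02d}:00Z", "actor": "svc-token-7f3a",
                    "action": "repo.clone", "repo": f"internal/project-{i}"})
        for i in range(40)
    ]
)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware UTC datetime in "ts"."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_mass_cloners(events, max_distinct_repos=25, window=timedelta(hours=1)):
    """Return {actor: (first_alert_ts, distinct_repo_count)} for every actor
    whose distinct cloned repositories within any window exceed the threshold.

    Counting distinct repositories rather than raw clone events keeps a CI job
    that re-clones the same repository repeatedly from tripping the rule.
    """
    recent = defaultdict(deque)  # actor -> deque of (ts, repo) inside the window
    flagged = {}
    for event in events:
        if event["action"] != "repo.clone":
            continue
        actor = event["actor"]
        queue = recent[actor]
        queue.append((event["ts"], event["repo"]))
        # Drop clones older than the window before counting.
        while queue and event["ts"] - queue[0][0] > window:
            queue.popleft()
        distinct = len({repo for _, repo in queue})
        if distinct > max_distinct_repos and actor not in flagged:
            flagged[actor] = (event["ts"], distinct)
    return flagged


def tokens_to_revoke(log_text, **kwargs):
    """Convenience wrapper: actors whose access token should be revoked."""
    return sorted(find_mass_cloners(parse_events(log_text), **kwargs))


if __name__ == "__main__":
    for actor, (when, count) in find_mass_cloners(parse_events(SAMPLE_LOG)).items():
        print(f"revoke {actor}: {count} distinct repos cloned by {when.isoformat()}")
```

The rule fires on the 26th distinct repository, roughly 25 minutes into the burst, long before 30,000 repositories could be pulled; in practice the threshold should be set from a baseline of normal engineer and CI activity, and the response should revoke the token or session rather than just raise an alert, since a scripted clone will otherwise keep running.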
