A 16-year-old from Oxford has been accused of being one of the leaders of cyber-crime gang Lapsus$.
The teenager, who is alleged to have amassed a $14m (£10.6m) fortune from hacking, has been named by rival hackers and researchers.
City of London Police say they have arrested seven teenagers in relation to the gang but will not say if he is one.
The boy’s father told the BBC his family was concerned and was trying to keep him away from his computers.
Under his online moniker “White” or “Breachbase” the teenager, who has autism, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America.
Lapsus$ is relatively new but has become one of the most talked about and feared hacker cyber-crime gangs, after successfully breaching major firms like Microsoft and then bragging about it online.
The teenager, who can’t be named for legal reasons, attends a special educational school in Oxford.
City of London Police said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”
Playing online games
The boy’s father told the BBC: “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.”
“We’re going to try to stop him from going on computers.”
The BBC has also spoken to the boy’s mother, who did not want to comment.
“White” was outed – or “doxxed” – on a hacker website, after an apparent falling out with business partners.
The hackers revealed his name, address, and social media pictures.
They also posted a biography of his hacking career, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he is] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organisations.”
As first reported by Bloomberg, cyber-security researchers have been tracking “White” for nearly a year and have linked him to Lapsus$ and other hacking incidents.
“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cyber-security investigation company Unit 221B.
“Unit 221B working with [cyber-security company] Palo Alto after identifying the actor, watched him on his exploits throughout 2021, periodically sending law enforcement a heads-up about the latest crimes.”
Mrs Nixon says researchers tracked him through a trail of activity linked through a nearly unbroken stream of the boy’s online accounts.
“We did it by watching the post history of an account and seeing older posts provide contact information for the guy.”
Mrs Nixon says the trail was followed thanks to mistakes “White” made in failing to cover his tracks.
The Lapsus$ cyber-extortion group has gained notoriety in a short space of time thanks to its high-profile targets and active presence on the messaging app Telegram. Its channel has grown to 47,000 subscribers.
The last message was posted on the channel on Wednesday, with the group saying: “A few of our members has a vacation until 30/3/2022. We might be quiet for some times. Thanks for understand us – we will try to leak stuff ASAP.”
Chris Morgan, from cyber-security company Digital Shadows, says Lapsus$ has risen in prominence in recent months “after targeting several enterprise technology companies, breaching significant amounts of data and posting on to their dedicated Telegram data leak channel”.
“Little is known of the origins of the group, however, given that Lapsus$’s initial activity was directed towards several organisations in Brazil, some researchers have speculated that the group is based in South America,” Mr Morgan said.
In a Wednesday blog post, Microsoft said Lapsus$ had gained limited access to its system.
Security company Okta admitted that it too had been hacked by the group, with consequences for hundreds of its clients.