An (apparent) arrest in the Uber and Grand Theft Auto cases.
N2K logoSep 26, 2022

There seems to have been an arrest in the Uber and RockStat breach cases, and there seems to be a connection to an earlier arrest of an alleged Lapsus$ member.

An (apparent) arrest in the Uber and Grand Theft Auto cases.

On Friday the City of London Police tweeted, "On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU)." The police have been relatively closed-mouthed about the arrest, and haven't publicly connected it with either the Uber or the RockStar Games incident. As the Verge points out, however, circumstantially the alleged crime looks like the Uber and RockStar hacks, and the suspect looks like a Lapsus$ operator. The Hacker News offers some informed speculation that the youth arrested was responsible for the Uber and Rockstar incidents.

Apparent connections to Laspsus$.

Without revealing the hacker's real identity, Flashpoint reports that the hacker, "Teapotuberhacker," was outed in an underground online forum, but the security firm urges caution in accepting the doxing at face value. Flashpoint reviewed what it found in the "online illicit forum" and reported evidence that the person responsible for the Uber and Grand Theft Auto hacks:

"On the day that the original post was made, Flashpoint analysts found that teapotuberhacker’s real world identity had been outed on an online illicit forum. In that thread, titled 'The Person Who Hacked GTA 6 and Uber is Arion,' the administrator for that forum claimed that teapotuberhacker was the same individual who had allegedly hacked Microsoft and 'owned' Doxbin.

"Additionally, the administrator linked teapotuberhacker to other aliases like 'White' and 'Breachbase,' and stated he was a member of LAPSUS$. While the tactics, techniques, and procedures employed by teapotuberhacker are consistent with LAPSUS$, these communities will often make false claims against one another. Flashpoint analysts identified previous doxes where the content may vary on the same individual; these are typically curated by individuals within these communities and should be treated with a healthy degree of skepticism."

And apparent similarities to an earlier Lapsus$ arrest.

Arrests in the UK back in March appeared to have cleared up the mystery of who Lapsus$ is (or was) and what it's been up to. The BBC reported that City of London Police have arrested at least seven "teenagers" in connection with the gang's activities, so Lapsus$ seems to have been a crew of script kiddies. Police at the time told the BBC that seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing. So Lapsus$ seems to have been a crew of script kiddies. For all that, their activities were damaging and disruptive. Lapsus$ was in it for the lulz and the lucre, cash and cachet. 

As minors, none of the names of those arrested were released. The apparent leader, who went by the hacker name White and Breachbase, which have surfaced again in connection with the Uber and RockStar hacks, was said to be a 16-or-17-year-old boy in Oxfordshire. The BBC talked with the kid's father, who said, "I had never heard about any of this until recently. He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games." The father added that the family intended "to try to stop him from going on computers." If it's indeed the same person arrested last week, that intention seems to have been frustrated.

It's also worth noting that the earlier arrests also followed doxing in an underworld forum. In the earlier case the BBC speculated that the doxing came from a falling out among hacking companions (or "business partners").