Child hackers posing as law enforcement officials were able to trick Meta and Apple into giving out customer information, according to a new report.
The now-defunct hacker gang called Recursion Team is said to be made up of minors in the US and UK, including the alleged teenage mastermind behind cybercrime group Lapsus$, Bloomberg reported on Wednesday.
Using compromised law enforcement email accounts, the hackers sent “emergency data requests” to Apple and Facebook’s parent company for subscriber information.
Although such requests typically require a court order, this standard does not apply to so-called “emergency” requests, and in several cases the companies have turned over customer information, people familiar with the matter told Bloomberg.
The website of the defunct hacking gang Recursion Team, also known as Infinity Recursion, is shown above. The group posed as police officers to make data requests to Apple and Facebook
This profile photo from a Telegram account shows a rendering of a 16-year-old boy from England believed to be the mastermind behind the hacking group LAPSUS$. He is also said to have been involved in Recursion Team’s previous hijinks
The hackers carried out the scam last year and were able to obtain subscriber addresses, phone numbers and IP addresses, according to the report.
Cybersecurity experts believe the information was used to harass victims and commit financial crimes through identity theft.
In a statement, Facebook spokesman Andy Stone said: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.”
“We are blocking known compromised accounts from requests and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case,” the statement added.
An Apple spokesman referred a request for comment to the company’s law enforcement policy, which states that the manager of an agent who submits a request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
Most big tech companies operate a dedicated law enforcement portal for data requests, but many also accept requests via email if the emails come from official government accounts.
Facebook CEO Mark Zuckerberg. The company says it is working with law enforcement on the incident and is blocking requests from known fake accounts
Apple CEO Tim Cook. The company has policies for responding to law enforcement requests and says it can review requests with a supervisor
Such accounts are easy to compromise, and credentials are sold on the dark web for as little as $10, cybersecurity experts say.
Recursion Team, also known as Infinity Recursion, is believed to be defunct, but many former members are said to continue their activities with the infamous Lapsus$ gang, responsible for breaches against tech heavyweights Microsoft and Nvidia.
One of the minors involved in Recursion Team is said to be the British teenager suspected of being behind Lapsus$, Bloomberg reported.
Cybersecurity experts hired by affected companies said they were able to trace the breaches to a teenager living near Oxford, known by the online nicknames “White” and “Breachbase.”
Bloomberg, which first reported these revelations, did not identify the 16-year-old because he is a minor.
The BBC described the suspect as having autism and attending a special needs school in Oxford, and reported that he is said to have made a staggering $14 million from his hacking activities.
Lapsus$ has stunned cybersecurity professionals with its combination of youthful antics and high-level access to some of the world’s largest corporations.
Microsoft confirmed last week that LAPSUS$ hackers gained “limited access” to source code and compromised an account. LAPSUS$ previously took responsibility for hacking Nvidia, which develops graphics processors for the gaming industry.
The group uses a variety of methods, including bluffing, tricks and bribes, to steal passwords, Microsoft said in a blog post last week.
British authorities recently announced that seven people, aged between 16 and 21, had been arrested at an unspecified time in the past and later released.
Authorities gave few more details, but around this time, Lapsus$ announced to its fans that “some of our members” were going on vacation.
Still, the hacker gang hit back, claiming late Tuesday they broke into software services company Globant SA and stole 70 gigabytes of source code from the company’s customers.
On its Telegram channel, Lapsus$ posted a screenshot of more than two dozen folders allegedly containing customer source code, including from well-known tech companies.
The authenticity of the screenshot could not be determined immediately.
“We’re officially back from vacation,” the group said in announcing the Globant breach.