Lapsus$, the English-speaking, Telegram-flamboyant extortion crew that compromised Microsoft, Nvidia, Samsung, and Okta in 2022, went quiet after the UK arrests of several alleged members in late 2022 and early 2023. Across 2025-2026 a steady stream of rumors has circulated suggesting a revival, either by surviving members or by a successor crew operating with the same playbook. Here’s what’s credibly sourced and what isn’t.
What’s credibly observed
Several intrusions in late 2025 and early 2026 share TTPs that closely resemble the Lapsus$ playbook: aggressive social engineering against IT and help desks, SIM-swap to defeat MFA, smash-and-grab data theft, public taunting of victims on Telegram, no encryption phase. Specific incidents have been linked by IR firms to a cluster currently tracked as “ShinyHunters successor activity” or “COM-tagged crews,” with the caveat that the attribution is less confident than the TTP overlap.
What’s clearly true: the English-speaking threat actor pool that produced Lapsus$ is still active. The COM (Community of Mischief) ecosystem on Telegram and Discord recruits new participants weekly. SIM-swap services aimed at this population are still operating. The supply side of “Lapsus$-style operators” hasn’t dried up.
What’s not credibly sourced
The frequent claims on Telegram channels of “Lapsus$ is back” attached to specific incidents rarely hold up under verification. The brand name itself is now a kind of clout, and unrelated extortion operators occasionally co-opt it. Treating any claim of “Lapsus$ did this” with skepticism is the right default.
What’s also not clear: whether the survivors of the original Lapsus$ are actively operating again or have moved on. The arrested individuals served varying sentences, some short. Whether any have returned to the activity is genuinely unknown publicly.
What it means for defenders
The brand-attribution question matters less than the TTP question. Whether the operators are actually Lapsus$ or a successor with similar methods, the defensive priorities are the same: harden help-desk MFA-reset procedures, eliminate SMS as an authentication factor, monitor for impossible-travel after MFA reset events, and assume the social-engineering attack is more sophisticated and persistent than your training has prepared employees for.
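One of those priorities, monitoring for impossible travel after an MFA reset, can be expressed as a simple correlation rule. The example below is added here and is not from the original article: it runs over constructed identity-provider events (not real tenant data), and the speed threshold, look-back window and event field layout are assumptions.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events: (UTC timestamp, user, event type, source geo as (lat, lon)).
EVENTS = [
    ("2026-01-14T09:02:00", "alice", "mfa_reset", (51.51, -0.13)),   # help-desk reset, London
    ("2026-01-14T09:20:00", "alice", "login",     (40.71, -74.01)),  # login from New York 18 min later
    ("2026-01-14T10:00:00", "bob",   "mfa_reset", (51.51, -0.13)),   # help-desk reset, London
    ("2026-01-14T13:00:00", "bob",   "login",     (51.50, -0.12)),   # same city three hours later, benign
]

MAX_SPEED_KMH = 900.0              # assumption: faster than a commercial flight is "impossible"
RESET_WINDOW = timedelta(hours=24) # assumption: only logins within a day of a reset are checked

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_impossible_travel_after_reset(events):
    """Return (user, reset_time, login_time, km, kmh) for every login that would
    require impossible travel speed from the location of that user's most
    recent MFA reset inside RESET_WINDOW."""
    alerts = []
    last_reset = {}  # user -> (reset time, reset geo)
    for ts, user, kind, geo in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "mfa_reset":
            last_reset[user] = (t, geo)
        elif kind == "login" and user in last_reset:
            reset_time, reset_geo = last_reset[user]
            if t - reset_time > RESET_WINDOW:
                continue
            km = haversine_km(reset_geo, geo)
            # Floor elapsed time at one second so a same-timestamp login cannot divide by zero.
            hours = max((t - reset_time).total_seconds() / 3600, 1 / 3600)
            kmh = km / hours
            if kmh > MAX_SPEED_KMH:
                alerts.append((user, reset_time, t, round(km), round(kmh)))
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel_after_reset(EVENTS):
        print("impossible travel after MFA reset:", alert)
```

In production the reset event would come from the help-desk or IdP audit log and the geo from the SIEM's IP enrichment; the rule deliberately keys on the reset location rather than the user's previous login so a fresh SIM-swap session has no "normal" history to hide behind.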
The Lapsus$-style threat, well-resourced English-speaking teenagers with social-engineering skill, SIM-swap access, and willingness to operate publicly, is structurally durable. It will continue to produce major incidents whether or not any specific named crew is the operator.
The takeaway
“Is Lapsus$ back?” is the wrong framing. The English-speaking, COM-tagged extortion crew ecosystem is active and producing successor groups continuously. The 2022-vintage Lapsus$ operatives are mostly out of the picture. The TTPs are alive and well in the hands of the next generation. Plan for that, not for any specific brand.
