AstraZeneca Data Breach Allegations by Hacker Group LAPSUS$

Article At A Glance

  • Hacker group LAPSUS$ has claimed responsibility for an alleged data breach of AstraZeneca, one of the world’s largest pharmaceutical companies, reportedly involving roughly 3GB of sensitive data.
  • The alleged stolen data includes source code written in Java, Angular, and Python, along with cloud infrastructure configurations, private keys, and employee datasets.
  • This is not AstraZeneca’s first security incident: a separate 2022 disclosure revealed that patient data had been exposed through developer credentials left in a public code repository.
  • LAPSUS$ does not use traditional ransomware — instead, they extort victims by threatening to publicly leak stolen data, a tactic that has already taken down major corporations.
  • Keep reading to understand exactly what was allegedly taken, how LAPSUS$ operates, and what your organization must do today to avoid becoming their next target.

If LAPSUS$ really did breach AstraZeneca, the damage goes far beyond stolen files — it’s a direct warning to every enterprise storing sensitive data in the cloud.

AstraZeneca is a global pharmaceutical and biotechnology giant headquartered in Cambridge, England, with operations spanning more than 100 countries. The company develops some of the world’s most critical medicines and vaccines, making it an exceptionally high-value target for cybercriminals. When a hacker group starts posting samples of what they claim to be your internal source code and cloud credentials, it sends shockwaves across the entire industry. HackRead, a cybersecurity news publication that closely tracks threat actor activity, has been among the outlets reporting on the LAPSUS$ claims against AstraZeneca.

Understanding this incident — whether fully confirmed or still alleged — matters for any security team protecting enterprise infrastructure today.

LAPSUS$ Claims a 3GB AstraZeneca Breach — Here’s What We Know

In early 2026, the threat actor group identifying itself as LAPSUS$ publicly claimed to have breached AstraZeneca’s internal systems. The group posted what they described as sample data from the alleged breach on their Telegram channel, a platform they have consistently used to publicize attacks and pressure victims. The claimed dataset reportedly totals approximately 3GB and contains a mix of source code, infrastructure configurations, credentials, and employee-related data.

Alleged Breach Summary: LAPSUS$ claims to have extracted roughly 3GB of AstraZeneca data including internal source code, cloud environment configurations across multiple platforms, private access keys, and employee datasets — all reportedly being offered for sale or threatened for public release.

AstraZeneca has not publicly confirmed a breach at the time of reporting. This is consistent with how many large corporations handle breach allegations — cautiously, legally, and often with minimal disclosure until an internal investigation concludes. However, the group’s track record of posting legitimate samples in previous attacks means these claims cannot simply be dismissed.

What Data LAPSUS$ Claims to Have Stolen

The alleged stolen data is particularly alarming because of how varied and deep it reportedly goes. It is not simply a database of customer emails — the group claims to have extracted materials that touch the core of AstraZeneca’s technical infrastructure. According to reports, the sample data posted publicly includes internal source code written in multiple programming languages, cloud environment configuration files, access credentials, private vault keys, and datasets containing employee information.

This type of data combination is a red flag. Source code gives attackers a detailed map of how an organization’s software works. Cloud configs and credentials can enable lateral movement into live production environments. Together, they represent the kind of access that can turn a one-time breach into a prolonged, silent infiltration.

How the Group Is Attempting to Monetize the Breach

LAPSUS$ has been operating a straightforward but highly effective extortion model. Rather than encrypting systems and demanding a ransom key, they steal data and threaten to release it publicly unless the victim pays or complies with their demands. This approach sidesteps many traditional ransomware defenses and puts companies in a uniquely difficult position — paying does not guarantee the data won’t be leaked anyway.

In the AstraZeneca case, the group reportedly posted sample files publicly as proof of access, which is a deliberate pressure tactic. By making portions of the alleged breach visible, they signal to AstraZeneca and the cybersecurity community that they have something real — or at least something convincing enough to cause reputational damage regardless of verification.

For pharmaceutical companies specifically, leaked proprietary data carries consequences that go beyond regulatory fines. Intellectual property tied to drug formulations, clinical trial data, or internal R&D pipelines can represent billions of dollars in competitive advantage. The extortion leverage is enormous.

The monetization strategy also includes selling the data directly to third parties. In some previous LAPSUS$ operations, data was reportedly offered for sale on dark web forums, meaning even if AstraZeneca managed to contain the immediate threat, the data could still circulate in criminal markets for years.

  • Public Telegram leaks used as proof of access and pressure
  • Data offered for direct sale to third-party buyers on underground markets
  • No ransomware encryption — extortion is purely data-based
  • Victims face reputational damage regardless of whether they pay
  • Pharmaceutical IP makes the leverage exponentially higher than in typical breaches

Who Is LAPSUS$?

LAPSUS$ is not a nation-state group, and it does not behave like one. The group first gained widespread attention for a surprisingly simple but devastatingly effective approach to breaching some of the most well-defended organizations in the world. What makes them unusual is not technical sophistication: it is their willingness to recruit insiders, use social engineering at scale, and operate almost entirely in the open through public Telegram channels.

Security researchers have noted that LAPSUS$ often targets employees directly, offering payments in exchange for credentials or remote access. This insider-threat angle makes them exceptionally difficult to defend against using purely technical controls.

When and Where LAPSUS$ First Emerged

LAPSUS$ first came to prominence in late 2021, initially targeting organizations in South America and the United Kingdom. Early victims included Brazilian government agencies and major telecom companies. By early 2022, the group had escalated dramatically in both ambition and reach, going after globally recognized technology and pharmaceutical brands. Several alleged members were identified and arrested in the UK in March 2022, including individuals reported to be teenagers — a detail that shocked the security community given the scale and impact of the group’s operations. Despite those arrests, activity attributed to LAPSUS$ has continued.

Their Signature Attack Method: Extortion Without Ransomware

Unlike ransomware groups that encrypt files and demand payment for decryption keys, LAPSUS$ focuses entirely on data theft and public exposure. They gain access through a combination of SIM swapping, phishing, bombarding users with repeated MFA push prompts until one is approved, recruiting insiders, and purchasing stolen credentials from initial access brokers. Once inside, they move quickly to exfiltrate high-value data before detection. Their public Telegram channel serves as both a recruitment tool and a pressure mechanism: they announce victims, post samples, and run polls asking their followers what data to release next.

High-Profile Victims Before AstraZeneca

The group’s alleged victim list before the AstraZeneca claims reads like a who’s who of global technology. LAPSUS$ claimed breaches involving Microsoft, Nvidia, Samsung, Okta, T-Mobile, Ubisoft, and Vodafone, among others. In the Microsoft breach, the group claimed to have stolen 37GB of source code. In the Nvidia incident, they reportedly threatened to release GPU driver source code. These were not small intrusions; they were direct hits on companies with security teams and budgets that most organizations could never match. That context makes the AstraZeneca allegations plausible from a capability standpoint, even though it does not verify them.

What Was Allegedly Stolen From AstraZeneca

The specific categories of data LAPSUS$ claims to have extracted are what make this alleged breach particularly serious. This is not a case of leaked marketing emails or recycled login credentials from an old database. The group is claiming access to the kind of technical assets that sit at the absolute core of a pharmaceutical company’s operations and competitive position.

Source Code in Java, Angular, and Python

Among the most damaging claims is the alleged theft of internal source code written in Java, Angular, and Python. These are not peripheral codebases — Java and Python are workhorses of enterprise backend systems, and Angular is commonly used in internal-facing portals and dashboards. If the code is authentic, it means attackers potentially have a detailed blueprint of how AstraZeneca’s software systems are architected, including any vulnerabilities baked into the code that have not yet been patched.

Source code exposure is particularly dangerous because it enables second-order attacks. A competitor or nation-state actor purchasing that code could reverse-engineer proprietary pharmaceutical management systems, identify exploitable logic flaws, or simply use it as a map to plan deeper intrusions. The damage is not limited to what was taken — it extends to what can be done with it afterward.

Cloud Infrastructure Configs for AWS and Azure, Including Terraform

The alleged data also reportedly includes cloud infrastructure configuration files for AWS and Azure, including Terraform code. Terraform is not a cloud platform but an infrastructure-as-code tool that provisions resources on those platforms, and its files describe exactly what was deployed. This is an extremely serious category of exposure. Cloud configuration files often contain environment variables, API endpoints, access policies, and sometimes embedded credentials. Terraform code defines the exact shape of an organization’s cloud infrastructure, essentially a detailed map of every resource, permission boundary, and network rule in place, and Terraform state files frequently hold resource attributes in plaintext, including database passwords and generated keys.

On their own, configuration files do not grant access, but they are a reconnaissance goldmine. An attacker who already holds one credential can use the map to identify the most valuable resources, the over-permissive roles, and the network paths between them, and can plant persistence (a new access key, an altered role trust policy, a forgotten service principal) in places that a password reset will not touch. Where the files also contain live secrets, that foothold comes bundled in. The fact that multiple cloud platforms are allegedly involved suggests AstraZeneca operates a complex multi-cloud environment, which, without rigorous secrets management, dramatically increases the attack surface.

Private Keys, Vault Data, and Access Credentials

Perhaps the most immediately actionable concern in the alleged breach is the reported theft of private keys, vault data, and access credentials. Private cryptographic keys are the foundation of secure communications and authentication across enterprise systems. An attacker holding your private keys can impersonate your servers, forge the signatures or tokens those keys protect (a leaked signing key for session tokens or SAML assertions is an authentication bypass in one step), and decrypt any recorded traffic that was protected with non-forward-secret cipher suites. Modern TLS with ephemeral key exchange resists that passive decryption, but impersonation and forgery remain fully on the table. These are not theoretical risks; they are direct pathways into live systems.

Vault data refers to secrets stored in tools like HashiCorp Vault, which enterprises use to manage and distribute sensitive credentials, certificates, and tokens across their infrastructure. A breach of vault contents essentially hands an attacker the master key to an organization’s entire secrets ecosystem. Combined with valid access credentials, an attacker could move through internal systems without triggering most standard detection tools, because they would appear to be a legitimate, authenticated user.

Employee-Related Datasets

Beyond the technical infrastructure data, the alleged breach also reportedly includes employee-related datasets. While these may seem less dramatic than source code or vault secrets, they carry serious downstream risks. Employee data can be used to craft highly targeted spear-phishing campaigns, impersonate internal personnel in social engineering attacks, or identify individuals with privileged access who can be approached directly — a core tactic in LAPSUS$’s known playbook.

The combination of employee data and technical infrastructure information is particularly dangerous. When an attacker knows who your cloud administrators are and also holds credential data from your environment, they have everything they need to execute a highly convincing insider-threat scenario — either by impersonating that person or by recruiting them directly.

  • Java, Angular, and Python source code — exposes system architecture and potential logic vulnerabilities
  • AWS and Azure configs, including Terraform code and state: maps cloud infrastructure and may contain embedded secrets
  • Private cryptographic keys: enable server and client impersonation, token forgery, and decryption of any traffic that was not forward-secret
  • HashiCorp Vault-style secrets — grants access to the full secrets management ecosystem
  • Employee datasets — fuels social engineering, spear-phishing, and insider recruitment

Each category of data is damaging on its own. Together, they represent a layered breach that could enable everything from silent persistent access to large-scale intellectual property theft. Security teams need to treat this combination as a worst-case scenario benchmark when assessing their own exposure.

AstraZeneca’s Prior Security Incident in 2022

The LAPSUS$ allegations do not exist in a vacuum. AstraZeneca has faced a documented cybersecurity incident before — one that received significant coverage in 2022 and raised early questions about the company’s internal security controls.

How a Developer Exposed Patient Data Through a Password Lapse

In November 2022, TechCrunch reported that AstraZeneca had exposed patient data through a strikingly simple failure: in 2021 a developer had published credentials for an internal system in a public GitHub repository, where they sat exposed for more than a year. Those credentials granted access to a backend environment containing patient information. The incident was not a sophisticated nation-state attack or a complex supply chain compromise. It was a preventable human error that slipped through the cracks of the company’s security review processes.

The 2022 incident is significant context for the current LAPSUS$ allegations. It demonstrates that AstraZeneca, like many large enterprises, has faced the very category of vulnerability — hardcoded or improperly secured credentials — that appears again in the 2026 breach claims. Credential hygiene failures are not a one-time mistake for many organizations; they are a systemic pattern that resurfaces unless addressed structurally.

Why Pharmaceutical Companies Are Repeat Targets

Pharmaceutical companies sit at an unusually high-value intersection of sensitive data types. They hold intellectual property worth billions — drug formulas, clinical trial results, proprietary research pipelines — alongside large volumes of patient health data, employee information, and global supply chain logistics. That combination makes them attractive to nation-state actors seeking competitive intelligence, criminal groups seeking ransom leverage, and hacktivists targeting corporate entities. AstraZeneca’s profile is especially high given its role in developing the Oxford-AstraZeneca COVID-19 vaccine, which put the company at the center of global attention for years and made it a target of documented cyberattack attempts even during the pandemic.

What Companies Must Do Right Now to Avoid the Same Fate

The AstraZeneca allegations are a case study that every security team should be studying, regardless of their industry. The attack vectors LAPSUS$ reportedly exploits are not exotic — they are well-documented weaknesses that exist in the majority of enterprise environments. The difference between companies that get breached and companies that don’t is often not the sophistication of the attacker — it’s whether the basics were actually done.

The five actions below are not theoretical recommendations. They are the specific controls that directly address the attack surface LAPSUS$ has repeatedly exploited across its alleged victim list. Implementing them is not optional if you are responsible for protecting enterprise data.

1. Audit Cloud Credential Exposure Immediately

Before you can fix anything, you need a clear picture of your actual exposure. Most enterprises have more cloud credentials, API keys, and service account tokens floating around their environment than their security team is aware of, especially in multi-cloud setups involving AWS and Azure simultaneously. Start with a full audit.

  • Scan all code repositories, including private GitHub, GitLab, and Bitbucket repos, for hardcoded secrets using tools like GitGuardian or TruffleHog
  • Review all IAM roles and service accounts across AWS and Azure for excessive permissions
  • Audit Terraform state files for exposed resource configurations or embedded credentials
  • Check all third-party integrations and API connections for stale or overprivileged access tokens
  • Review employee offboarding logs to confirm credential revocation was completed for departed staff

Start with your cloud environments. Run an automated secrets scan across every repository your engineering teams have touched in the last 24 months. Many breaches, including AstraZeneca’s 2022 incident, originate from credentials that were committed to code and never rotated. Open-source scanners such as Gitleaks and TruffleHog surface committed secrets quickly. On the cloud side, AWS IAM Access Analyzer reports unused access keys and roles and resources shared outside the account, and Microsoft Defender for Cloud highlights misconfigurations and risky identity settings across Azure subscriptions. Keep the two jobs distinct: repository scanners find the secrets, the cloud tools show what those secrets can reach.

Credential Audit Priority Checklist (asset type, risk level, recommended action):

  • Hardcoded API keys in repos (Critical): rotate immediately, remove from the codebase and its history
  • Terraform state files (High): move to encrypted remote state, audit who can read it
  • AWS/Azure service account tokens (High): enforce expiry policies, review permissions
  • HashiCorp Vault access policies (High): audit role bindings, revoke standing root tokens
  • Employee SSO and MFA enrollment (Medium): verify all privileged users are enrolled

Once you have identified exposed credentials, rotation alone is not enough. You need to trace the exposure window — determine how long the credential was accessible and whether any unauthorized access occurred during that period. This is where many organizations stop too early, rotating the key but never investigating whether it was already used.

Pay particular attention to long-lived credentials. Cloud environments frequently accumulate service accounts and API tokens that were created for a specific project and never decommissioned. These orphaned credentials are invisible in day-to-day operations but represent an open door for anyone who finds them through automated scanning of repositories, paste sites, and exposed storage, which is exactly how credentials end up in the hands of the initial access brokers LAPSUS$ buys from.

Implement a credential rotation policy with hard expiry windows. AWS supports automatic rotation through AWS Secrets Manager. Azure has an equivalent capability through Azure Key Vault. If you are not using these tools to enforce rotation, your credential hygiene is relying entirely on human discipline — and that is not a security strategy.
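The exposure-window check described above, as an added example that is not part of the original article: a small Python tracer over constructed CloudTrail-style records. The log lines, IP addresses, the user name and the two AWS documentation placeholder key IDs are all assumptions made up for this example, not real data. The tracer filters the trail to the leaked key, reports what happened after the assumed exposure time from IP addresses outside the known set, counts denied calls (often a sign of an attacker feeling out permissions), and follows any CreateAccessKey results so a key the attacker minted for persistence is traced too.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration only (not real logs).
# Field names mirror CloudTrail's schema: eventTime, eventSource, eventName,
# sourceIPAddress, userIdentity.accessKeyId, optional errorCode and
# responseElements. AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder,
# used here as the key assumed to have leaked; 203.0.113.10 is the assumed CI runner.
SAMPLE_TRAIL = """
{"eventTime":"2026-01-10T08:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-01-12T10:15:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-01-12T10:16:30Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-01-12T10:17:02Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"198.51.100.77","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-01-12T10:20:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"responseElements":{"accessKey":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE","status":"Active","userName":"ci-deployer"}}}
{"eventTime":"2026-01-13T02:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventTime":"2026-01-13T08:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deployer","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
"""

# Calls that matter most when made with a leaked key: reading secrets or
# creating new credentials/principals that outlive the rotation of this key.
SENSITIVE_EVENTS = {
    "GetSecretValue", "CreateAccessKey", "CreateUser", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "AssumeRole", "CreateLoginProfile",
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_trail(ndjson):
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]


def trace_key_usage(events, access_key_id, exposed_at, known_ips):
    """Summarise every call made with one access key after the exposure time."""
    exposed = _ts(exposed_at)
    mine = sorted(
        (e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id),
        key=lambda e: e["eventTime"],
    )
    after = [e for e in mine if _ts(e["eventTime"]) >= exposed]
    unknown = [e for e in after if e["sourceIPAddress"] not in known_ips]
    spawned = [
        e["responseElements"]["accessKey"]["accessKeyId"]
        for e in after
        if e["eventName"] == "CreateAccessKey" and "errorCode" not in e and "responseElements" in e
    ]
    return {
        "access_key_id": access_key_id,
        "calls_after_exposure": len(after),
        "unknown_ip_calls": len(unknown),
        "unknown_ips": sorted({e["sourceIPAddress"] for e in unknown}),
        "first_unknown_use": unknown[0]["eventTime"] if unknown else None,
        "last_use": after[-1]["eventTime"] if after else None,
        "denied_calls": sum(1 for e in after if e.get("errorCode") == "AccessDenied"),
        "sensitive_calls": [e["eventName"] for e in after if e["eventName"] in SENSITIVE_EVENTS],
        "spawned_keys": spawned,
    }


def trace_with_spawned(events, access_key_id, exposed_at, known_ips):
    """Trace the leaked key and, transitively, every key it created."""
    reports, queue, seen = {}, [access_key_id], set()
    while queue:
        key = queue.pop(0)
        if key in seen:
            continue
        seen.add(key)
        reports[key] = trace_key_usage(events, key, exposed_at, known_ips)
        queue.extend(reports[key]["spawned_keys"])
    return reports


# Assumed exposure time: the commit that leaked the key landed at midnight UTC on 12 Jan.
REPORTS = trace_with_spawned(parse_trail(SAMPLE_TRAIL), "AKIAIOSFODNN7EXAMPLE",
                             "2026-01-12T00:00:00Z", {"203.0.113.10"})

if __name__ == "__main__":
    print(json.dumps(REPORTS, indent=2))
```

Against a real account you would export the key’s CloudTrail events (Athena over the trail bucket, or the console’s event history) into the same newline-delimited JSON shape. The reason trace_with_spawned exists is visible in the sample: rotating AKIAIOSFODNN7EXAMPLE alone leaves AKIAI44QH8DHBEXAMPLE active and in use from the attacker’s address, so every spawned key needs its own deletion and its own trace.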

2. Remove Hardcoded Secrets From Source Code Repositories

Hardcoded secrets in source code are one of the most persistent and preventable vulnerabilities in enterprise environments. Every developer knows they should not commit passwords or API keys to a repository, but it happens constantly — especially under deadline pressure or in organizations where pre-commit hooks and automated scanning are not enforced. Implement a mandatory pre-commit scanning policy using tools like detect-secrets or GitGuardian that blocks credential commits before they ever reach the repository. Retroactively scan your entire commit history, not just the current state of your codebase — credentials committed years ago and since deleted from the latest version may still be recoverable from the git history.
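A worked illustration of the history point above, and of the Terraform state exposure discussed earlier, as an added example that is not code from the original article or from any of the tools it names: a Python scanner that runs the same detection rules over every commit of a repository history rather than only over the checked-out tree. The two-commit history, file contents, commit hashes and the AWS documentation placeholder credentials are constructed for this example; the entropy threshold is an assumption chosen so that obvious placeholders do not fire. The second commit “fixes” the leak by switching to environment variables and deleting the key and state file, and the scan of HEAD is clean, but the history scan still recovers all four secrets.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential shapes worth flagging. The generic assignment rule is backed by a
# Shannon entropy check so that placeholders such as "changeme" do not fire.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(password|passwd|secret|token|api[_-]?key)[a-z_]*['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})",
        re.IGNORECASE,
    ),
}
ENTROPY_THRESHOLD = 3.2  # bits per character (assumed cutoff); random secrets sit near 4 or above


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    kind: str
    redacted: str  # first characters only; a real report must never echo the secret


def scan_blob(commit, path, text):
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "generic_assignment" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: placeholder, not a credential
            found.append(Finding(commit, path, kind, m.group(0)[:12] + "..."))
    return found


def scan_head(history):
    """What a scan of only the current tree sees."""
    sha, files = history[-1]["sha"], history[-1]["files"]
    return [f for path, text in files.items() for f in scan_blob(sha, path, text)]


def scan_history(history):
    """Every commit, every file: a secret deleted in HEAD is still one git show away."""
    return [f for c in history for path, text in c["files"].items()
            for f in scan_blob(c["sha"], path, text)]


# Constructed two-commit history (not a real repository). The first commit
# leaks an AWS key pair, a database password inside a Terraform state file and
# an SSH private key; the second commit removes all of them from the tree.
SAMPLE_HISTORY = [
    {"sha": "a1b2c3d", "files": {
        "config/app.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                          "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "infra/terraform.tfstate": '{"version": 4, "resources": [{"type": "aws_db_instance", '
                                   '"instances": [{"attributes": {"username": "appadmin", '
                                   '"password": "qX9vL2pT7hRkW4zN"}}]}]}',
        "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...truncated-fake-key...\n"
                         "-----END RSA PRIVATE KEY-----\n",
        "app/settings.py": 'api_key = "changeme-changeme"  # placeholder, low entropy\n',
    }},
    {"sha": "e4f5a6b", "files": {
        "config/app.env": "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"
                          "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}\n",
        ".gitignore": "*.tfstate\n*.tfstate.backup\nid_rsa\n",
        "app/settings.py": 'api_key = os.environ["API_KEY"]\n',
    }},
]

if __name__ == "__main__":
    print("HEAD only:", scan_head(SAMPLE_HISTORY))
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit} {f.path}: {f.kind} ({f.redacted})")
```

To run the same rules against a real repository, feed scan_blob the output of git rev-list --all and git show <sha>:<path> for each changed file, or simply use Gitleaks or TruffleHog, which already walk full history and ship far larger rule sets. The lesson is in the two results: a clean HEAD tells you nothing about what an attacker can pull out of the .git directory, and a leaked state file means the database password has to be rotated as well, not just the cloud keys.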

3. Enforce Least-Privilege Access Across All Cloud Environments

Least-privilege access is one of the most cited security principles and one of the most consistently under-implemented. In practice, cloud environments accumulate over-permissioned roles over time — developers get admin access for a quick fix and it is never revoked, service accounts are granted broad permissions to avoid debugging access issues, and inherited policies grant more than intended. Each of these creates an opportunity for lateral movement once an attacker gains any foothold in the environment.

Conduct a full IAM review across every cloud platform in your environment. In AWS, use IAM Access Analyzer to identify overly permissive policies. In Azure, leverage Microsoft Entra ID’s access reviews to systematically validate role assignments. Establish a policy that no human user should hold standing access to production environments — all privileged access should be just-in-time, time-limited, and logged. This single control dramatically reduces the blast radius of any credential compromise.
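One way to make that IAM review repeatable, as an added example that is not AstraZeneca’s, AWS’s or the article’s own code: a Python checker over IAM policy documents that flags the patterns that keep turning up in over-permissioned deploy roles, shown against a constructed weak policy and its scoped replacement. The account ID, bucket name, secret path and role name are placeholders, and the list of escalation-prone actions is an assumption covering the best-known paths, not an exhaustive catalogue.

```python
import json

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")
# Actions that, granted on Resource "*", let a single foothold grow into full
# account control (assumed list of the classic IAM privilege-escalation paths).
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:CreateLoginProfile",
    "sts:AssumeRole",
}


def _as_list(value):
    # IAM allows a bare string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    # Crude but useful: Get/List/Describe/Head operations do not change state.
    # (They can still read secrets, so scope them too; this check only ranks.)
    return ":" in action and action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Return human-readable findings for one IAM policy document (a dict)."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever shrink access
        if "NotAction" in st:
            findings.append(f"stmt {i}: NotAction allows everything except the listed actions; "
                            "enumerate Allow actions explicitly")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*":
                findings.append(f"stmt {i}: Action '*' grants every API call in every service")
            elif a.endswith(":*"):
                findings.append(f"stmt {i}: Action '{a}' grants every operation in that service")
            elif a in ESCALATION_ACTIONS and "*" in resources:
                findings.append(f"stmt {i}: '{a}' on Resource '*' is a privilege-escalation path; "
                                "scope it to specific ARNs")
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and mutating and "Condition" not in st:
            findings.append(f"stmt {i}: Resource '*' with mutating actions {mutating} and no Condition")
    return findings


# Constructed "it worked, ship it" deploy policy (placeholder names throughout).
WEAK_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
}

# The same job, scoped: one bucket, one secret path, one role, one service.
SCOPED_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-deploy-artifacts/*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:deploy/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-task-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_DEPLOY_POLICY), ("scoped", SCOPED_DEPLOY_POLICY)):
        print(name, json.dumps(audit_policy(pol), indent=2))
```

Feed audit_policy the Document field returned by aws iam get-policy-version (after json.loads) or the policy blocks in your Terraform before they are applied. IAM Access Analyzer’s policy validation and its unused-access findings cover far more rules than this; the value of a local check like this one is that it runs in CI and fails the pull request before the over-broad role ever exists.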

4. Monitor for Insider Threats and Account Takeovers

LAPSUS$ has a well-documented history of recruiting insiders, paying employees, contractors, or help desk staff to hand over credentials or install remote access tools. This is not a vulnerability you can patch. It requires behavioral monitoring. Deploy a User and Entity Behavior Analytics (UEBA) solution that establishes baseline activity patterns for every privileged user and alerts on anomalies: unusual login times, bulk data downloads, access to systems outside a user’s normal scope, or remote access from unfamiliar geolocations. Tools like Microsoft Sentinel, Splunk User Behavior Analytics, and Exabeam are built specifically for this detection layer.

Account takeover detection requires a separate but complementary focus. Watch for SIM-swapping indicators — sudden MFA device changes, unexpected phone number updates on employee accounts, or help desk requests to bypass MFA from users who claim to have lost access. These are classic LAPSUS$ precursors. Any MFA bypass request should trigger an immediate escalation, not a routine help desk ticket. The cost of a five-minute verification call is nothing compared to the cost of handing an attacker administrative access to your cloud environment.
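The MFA-change correlation described above, as an added example that is not from the original article: a Python rule over constructed identity-provider audit events. The event names, users, ticket number, IP addresses and countries are invented for this example, and the field names are an assumption; map your own IdP’s sign-in and audit logs onto them. The rule always escalates a help desk MFA reset, builds a per-user baseline of sign-in countries from the preceding 30 days, and raises a high-severity alert when a sign-in from outside that baseline follows any MFA change within 24 hours and is itself followed by a privileged action. It also goes slightly beyond the text by covering self-service MFA enrolments and phone number changes, since a SIM swap shows up as the latter.

```python
from datetime import datetime, timedelta, timezone

# Constructed identity-provider audit events (not real logs). a.smith adds an
# authenticator app herself and keeps working from her usual country; j.doe's
# MFA is reset by the help desk and 39 minutes later the account signs in from
# a country never seen before and grants itself an administrative role.
SAMPLE_AUTH_EVENTS = [
    {"ts": "2026-01-11T07:50:00Z", "user": "j.doe", "event": "sign_in", "ip": "203.0.113.9", "country": "GB"},
    {"ts": "2026-01-12T08:01:00Z", "user": "a.smith", "event": "sign_in", "ip": "203.0.113.5", "country": "GB"},
    {"ts": "2026-01-12T09:30:00Z", "user": "a.smith", "event": "mfa_method_registered", "ip": "203.0.113.5",
     "country": "GB", "detail": "authenticator app (self-service)"},
    {"ts": "2026-01-12T09:35:00Z", "user": "a.smith", "event": "sign_in", "ip": "203.0.113.5", "country": "GB"},
    {"ts": "2026-01-12T13:02:00Z", "user": "j.doe", "event": "mfa_reset_by_helpdesk", "ip": "203.0.113.40",
     "country": "GB", "detail": "ticket HD-0000, actor helpdesk-07"},
    {"ts": "2026-01-12T13:41:00Z", "user": "j.doe", "event": "sign_in", "ip": "198.51.100.77", "country": "US"},
    {"ts": "2026-01-12T13:55:00Z", "user": "j.doe", "event": "role_assignment_created", "ip": "198.51.100.77",
     "country": "US", "detail": "Global Administrator"},
]

MFA_CHANGE_EVENTS = {"mfa_method_registered", "mfa_reset_by_helpdesk", "phone_number_changed"}
PRIVILEGED_EVENTS = {"role_assignment_created", "app_secret_created", "bulk_download"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_takeover(events, window_hours=24, baseline_days=30):
    """Correlate MFA changes with follow-on sign-ins from outside the user's baseline."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["event"] not in MFA_CHANGE_EVENTS:
            continue
        user, t0 = ev["user"], _ts(ev["ts"])
        if ev["event"] == "mfa_reset_by_helpdesk":
            # A help desk bypass is an escalation on its own, baseline or not.
            alerts.append({"rule": "helpdesk_mfa_reset", "severity": "medium", "user": user,
                           "ts": ev["ts"], "detail": ev.get("detail", "")})
        # Baseline: countries this user signed in from in the preceding window.
        # A user with no history gets an empty baseline, so any country is new.
        baseline = {e["country"] for e in events[:i]
                    if e["user"] == user and e["event"] == "sign_in"
                    and t0 - _ts(e["ts"]) <= timedelta(days=baseline_days)}
        window = [e for e in events[i + 1:]
                  if e["user"] == user and _ts(e["ts"]) - t0 <= timedelta(hours=window_hours)]
        for j, e in enumerate(window):
            if e["event"] == "sign_in" and e["country"] not in baseline:
                followed = [x["event"] for x in window[j + 1:] if x["event"] in PRIVILEGED_EVENTS]
                alerts.append({"rule": "new_location_after_mfa_change",
                               "severity": "high" if followed else "medium",
                               "user": user, "ts": e["ts"], "mfa_change": ev["event"],
                               "new_country": e["country"], "baseline": sorted(baseline),
                               "privileged_followups": followed})
                break  # one alert per MFA change is enough; the analyst gets the rest
    return alerts


ALERTS = detect_mfa_takeover(SAMPLE_AUTH_EVENTS)

if __name__ == "__main__":
    for a in ALERTS:
        print(a)
```

In a SIEM this is two rules joined on user within a time window, and the baseline would come from a summary table rather than being recomputed per event. The operational point is in the first alert: the help desk reset for j.doe should have paged someone at 13:02, before the 13:41 sign-in, which is exactly the five-minute verification call the article is asking for.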

5. Have a Public Breach Response Plan Ready Before an Attack Happens

Most organizations have an incident response plan buried in a document that was last reviewed two years ago. What they often do not have is a communications strategy designed specifically for the LAPSUS$ scenario — where stolen data is being published publicly in real time while the investigation is still ongoing. You need a pre-approved response framework that covers what your communications team says publicly, what you tell regulators, and how quickly your legal team can move to issue takedown requests or preservation orders on leaked data.

The window between a LAPSUS$-style public leak announcement and full media coverage can be measured in hours. If your response team is making decisions from scratch when that clock starts, you have already lost control of the narrative. Run tabletop exercises specifically simulating a data extortion scenario — not a ransomware lockout — where your team practices simultaneous technical containment and public communication. That muscle memory is the difference between a managed incident and a reputational disaster.

The LAPSUS$ Breach Claims Cannot Be Ignored — Even If Unverified

Whether or not the alleged AstraZeneca breach is ever confirmed, the nature of what LAPSUS$ claims to have stolen (source code, cloud infrastructure configs, private keys, vault data, and employee records) represents a precise blueprint of what modern pharmaceutical enterprises store and how attackers plan to use it. LAPSUS$ has proven they can breach Microsoft, Nvidia, Samsung, and Okta. The idea that a pharmaceutical giant is somehow better protected is not a security strategy; it is wishful thinking. The combination of a documented 2022 credential exposure and these new 2026 allegations suggests a pattern of security debt that every large enterprise should recognize in their own environment. The question is not whether your organization could be targeted. The question is whether your controls are mature enough to detect, contain, and respond when it happens. Start with the audit. Rotate the credentials. Enforce least privilege. And do it before LAPSUS$, or a group exactly like them, does it for you.

Frequently Asked Questions

Below are the most common questions surrounding the AstraZeneca data breach allegations and the LAPSUS$ threat group, answered clearly based on what is currently known.

Has AstraZeneca confirmed the LAPSUS$ data breach?

As of the time of reporting, AstraZeneca has not publicly confirmed the breach alleged by LAPSUS$. This is consistent with standard corporate protocol during an active security investigation — companies typically avoid public confirmation until legal, regulatory, and forensic teams have completed their review. However, the absence of a denial is not the same as confirmation. LAPSUS$ has posted what they claim are sample files as proof of access. Whether those samples are authentic, fabricated, or sourced from a third party rather than AstraZeneca’s own systems directly remains unverified by independent security researchers at this stage.

What type of data does LAPSUS$ claim to have stolen from AstraZeneca?

LAPSUS$ claims to have extracted approximately 3GB of data from AstraZeneca’s internal systems. The alleged dataset spans several categories, each carrying its own distinct risk profile for the company and its stakeholders.

The breadth of the claimed data is what makes this allegation particularly serious compared to a standard credential dump or customer database leak. When source code, infrastructure configuration files, and cryptographic secrets are allegedly taken together, it creates the potential for compounding damage — each piece of data makes the others more exploitable.

Claimed data categories (alleged content and primary risk):

  • Source code: Java, Angular, Python codebases. Risk: system architecture exposure, vulnerability mapping
  • Cloud configs: AWS and Azure configuration plus Terraform code and state. Risk: infrastructure mapping, embedded credential exposure
  • Cryptographic secrets: private keys, vault data. Risk: impersonation, token forgery, decryption of non-forward-secret traffic
  • Access credentials: login credentials, tokens. Risk: lateral movement, unauthorized system access
  • Employee data: internal personnel datasets. Risk: spear-phishing, insider recruitment, impersonation

It is worth noting that even if only a portion of these claimed data categories is authentic, the potential for targeted follow-on attacks — against AstraZeneca itself or against its partners and vendors — remains significant. Breach data does not lose its value once the initial incident passes. It circulates, gets combined with other datasets, and continues to be leveraged for months or years after the original exfiltration.

How does LAPSUS$ typically carry out its attacks?

LAPSUS$ does not rely on zero-day exploits or nation-state-level technical sophistication. Their methods are predominantly social engineering-based, which is part of what makes them so difficult to defend against using purely technical controls. Their most commonly reported tactics include SIM swapping to intercept MFA codes, phishing campaigns targeting employees with access to privileged systems, direct recruitment of insiders through financial incentives posted on Telegram and dark web forums, and purchasing initial access from brokers who have already compromised a target’s environment through earlier means.

Once inside a target environment, LAPSUS$ moves quickly and focuses on bulk data exfiltration rather than establishing long-term persistence. Speed is a deliberate part of their strategy — they want to extract and exit before detection tools can correlate anomalous activity into an alert. This is why behavioral monitoring and real-time data loss prevention controls are more effective against their methodology than perimeter-based defenses alone.

What other major companies has LAPSUS$ targeted?

LAPSUS$ has claimed or been attributed with breaches involving some of the most recognized technology companies in the world. Their alleged victim list includes Microsoft, from whom they claimed to have stolen 37GB of source code; Nvidia, where they reportedly threatened to release GPU driver source code unless demands were met; Samsung, from whom they claimed to extract nearly 190GB of internal data including source code for Galaxy devices; Okta, a major identity and access management provider, where access was obtained through a third-party support contractor’s workstation and had downstream implications for Okta’s own customers; T-Mobile, Ubisoft, and Vodafone. The scale and variety of these targets demonstrates that no industry vertical or company size provides inherent protection against this group’s methods.

What should a company do if it suspects a LAPSUS$-style attack?

The moment you suspect a LAPSUS$-style intrusion, containment speed is everything. Your first action should be to immediately revoke and rotate all potentially compromised credentials across every cloud environment — do not wait for confirmation before rotating. Assume breach and act accordingly. Simultaneously, lock down all MFA configurations to prevent device changes without secondary verification, and audit active sessions across AWS, Azure, and any identity provider for anomalous concurrent logins or unusual access patterns.

Engage your incident response team and, if you do not have one in-house, contact an external IR firm immediately. Preserve all logs before taking remediation actions that might overwrite them, and note that rotating a credential does not erase the trail of what it was used for, so capture that trail first. Forensic integrity matters for both the investigation and any subsequent regulatory reporting. Notify your legal team in parallel, as breach notification obligations under GDPR (72 hours from becoming aware of a personal data breach), HIPAA, or other applicable regulations have strict timing requirements that begin running from the moment you have reason to believe a breach occurred, not from the moment you confirm it.

On the communications side, prepare a holding statement for internal staff and external stakeholders before anything leaks publicly. LAPSUS$ operates on Telegram in near-real time — if they have breached you, there is a meaningful chance they will announce it publicly before your investigation concludes. Having a pre-drafted, legally reviewed statement ready to issue within the first two hours of detection is not overcautious — it is essential crisis management.

Finally, after containment, conduct a full post-incident review focused specifically on the entry point LAPSUS$ typically exploits: social engineering, insider access, and credential mismanagement. Use the incident — whether confirmed or suspected — as the forcing function to implement the five controls outlined in this article. The organizations that recover fastest and with the least lasting damage are the ones that treat every breach allegation as an opportunity to find and close the gaps before the next attempt arrives.

HackRead and cybersecurity firms like SentinelOne provide ongoing, expert-level threat intelligence coverage that can help your security team stay ahead of groups like LAPSUS$ — if you are not actively tracking threat actor activity as part of your security program, now is the time to start.
