City of London Police arrested seven people in connection with an investigation into a hacking group called Lapsus$, which has said it’s responsible for a rash of recent cyberattacks against companies including Microsoft and Nvidia, according to a person involved in the investigation.
The suspects, ages 16 to 21, have been released while the investigation continues, Detective Inspector Michael O’Sullivan said in a statement. “Our inquiries remain ongoing,” he said. Police didn’t identify the hacking gang, but the arrests were related to a broad investigation into the Lapsus$ hacks, according to the person.
The arrests followed a report Wednesday by Bloomberg News in which cybersecurity researchers investigating the Lapsus$ hacks said they had traced the breaches to a 16-year-old who lives with his mother near Oxford, England. The researchers said they believed the teenager was the mastermind of the operation.
The identity management company, which has many bank clients, said it learned the extent of a January breach five days before hackers told the world about it.
The identities of the people who were arrested in the U.K. weren’t known.
In the U.K., it’s common for suspects in nonviolent offenses to be released after their arrest, pending the results of the investigation. When authorities detain suspects, they typically have only 24 hours to bring charges before being required to release them. There are also strict rules prohibiting the release of information about suspects, after they’re charged, to avoid prejudicing a potential trial.
Lapsus$ seeks to compromise companies by persuading employees at victim organizations to provide hackers with access to company data.
BBC News previously reported that seven people had been arrested.