Lacoste Lapsus$ Returns from Law Enforcement Dismantlement to Breach French Luxury Giant

Jan 7, 2026 · Source code stolen · Lapsus$ resurgence

HIGH CLAIMED

By Karim El Labban · ZERO|TOLERANCE


Lapsus$ - the data extortion group whose teenage ringleader was sentenced to an indefinite hospital order in December 2023 and whose operations were considered dismantled after coordinated law enforcement actions in the UK and Brazil - has claimed French luxury brand Lacoste as a victim.

A .rar archive containing approximately 12,200 lines of source code and a Windows hosts file was exfiltrated from Lacoste's internal infrastructure. HackNotice first reported the breach on January 7, 2026.

Ransomware.live confirmed the Lapsus$ leak site listing on March 1, 2026. BreachSense recorded the breach discovery date as March 5, 2026. The attackers acknowledged they were only able to extract a limited volume of data before Lacoste's security team identified and patched the exploited vulnerability, terminating the intrusion during active exfiltration.

Lacoste SA - a French luxury sportswear brand with approximately EUR 3 billion in annual revenue, 10,000 employees, and operations across 98 countries - has not issued a public statement confirming or denying the breach.

The incident is notable less for the volume of data stolen and more for what it signals: a threat group that law enforcement declared effectively dismantled in 2023 has reconstituted, rebranded, and resumed operations targeting global enterprises.

01

KEY FACTS

  • What: Lapsus$ exfiltrated source code and a Windows hosts file from Lacoste's internal systems before being detected and cut off mid-operation.
  • Who: Lacoste SA (EUR 3B revenue, ~10,000 employees, 98 countries). Subsidiary of MF Brands Group, owned by Switzerland's Maus family through Maus Freres.
  • How: Specific initial access vector undisclosed. Lapsus$ core TTPs include social engineering, SIM swapping, insider recruitment, credential purchasing from dark web markets, and MFA fatigue attacks.
  • Data: Approximately 12,200 lines of source code and a Windows hosts file containing internal server IP address mappings.
  • Actor: Lapsus$ (Microsoft tracking: Strawberry Tempest / DEV-0537). Now operating within the Scattered LAPSUS$ Hunters (SLH) collective alongside ShinyHunters and Scattered Spider.
  • Impact: Source code enables white-box vulnerability analysis; hosts file exposes internal network topology. Limited volume due to mid-operation detection. No consumer PII confirmed exposed.

02

WHAT HAPPENED

On January 7, 2026, HackNotice flagged a dark web posting attributed to Lapsus$ claiming Lacoste as a victim. The leaked material is a .rar archive containing approximately 12,200 lines of source code and a Windows hosts file extracted from Lacoste's infrastructure.

BrinzTech confirmed the leak and analyzed its contents. Ransomware.live identified Lacoste on the Lapsus$ leak site on March 1, 2026, with BreachSense recording the discovery date as March 5, 2026.

The discrepancy between the January 7 initial posting and the March discovery dates on ransomware tracking platforms suggests the breach occurred in late 2025 or early January 2026, with the leak site listing surfacing weeks before automated monitoring platforms cataloged it.

Lapsus$ acknowledged in the posting that they were able to extract only a limited amount of data before Lacoste's security team detected the intrusion and patched the vulnerability being exploited.

This is consistent with Lapsus$ operational history - the group has previously been disrupted mid-operation when targets detected their activity, notably during the Okta breach in January 2022 when Okta's security team identified the intrusion within minutes and contained the blast radius.

Lacoste has not issued a public statement. No breach notification has been filed with CNIL (France's data protection authority). No regulatory investigation has been announced as of April 1, 2026.

03

TECHNICAL ANALYSIS - SOURCE CODE EXPOSURE

While the exfiltrated volume - approximately 12,200 lines in a compressed .rar archive - is small relative to Lapsus$'s prior operations (37GB of Microsoft source code in 2022, 190GB from Samsung, 1TB from Nvidia), the nature of the stolen material carries outsized risk.

Source code exposure enables white-box analysis - the ability to read application logic, identify hardcoded credentials, discover API keys embedded in code, map authentication and authorization flows, and find business logic vulnerabilities that would be invisible to black-box external testing.

A 12,200-line sample could reveal how Lacoste handles customer authentication, payment processing, or internal API communication.

If the code contains hardcoded database credentials, cloud service keys, or internal API tokens - a common finding in enterprise codebases - the source code leak becomes an initial access vector for follow-on attacks.

The Windows hosts file is separately significant.

This file maps hostnames to IP addresses and, in enterprise environments, frequently contains mappings to internal servers, development environments, staging systems, databases, and administrative interfaces that are not publicly resolvable via DNS. The hosts file provides an attacker with a partial map of Lacoste's internal network topology - information that would normally require network reconnaissance after gaining an initial foothold.

04

THREAT ACTOR ANALYSIS

Lapsus$ (tracked by Microsoft as Strawberry Tempest, formerly DEV-0537) emerged in late 2021 as a data extortion group that does not deploy ransomware encryption. Instead, the group steals data and threatens public release unless payment is made.

Between December 2021 and September 2022, Lapsus$ breached Microsoft (37GB of source code), Nvidia (1TB including chip schematics and driver source code), Samsung (190GB of source code), T-Mobile, Uber, Rockstar Games (GTA VI footage), Okta, Globant, Vodafone, Ubisoft, and Brazil's Ministry of Health.

The group's TTPs were documented in the CISA Cyber Safety Review Board (CSRB) report published August 10, 2023:

  • Social engineering - vishing, phishing, and pretexting targeting helpdesk staff to reset credentials and approve MFA prompts
  • SIM swapping - bribing or socially engineering telecommunications employees to transfer target phone numbers to attacker-controlled SIMs, intercepting SMS-based MFA codes
  • MFA fatigue (prompt bombing) - repeatedly triggering push notifications until the target approves out of exhaustion
  • Insider recruitment - operating a Telegram channel actively soliciting employees at telcos, tech companies, and managed service providers to sell VPN access, credentials, and direct system access
  • Credential purchasing - acquiring credentials and session tokens from infostealer malware logs (Redline, Raccoon) on dark web markets
  • Post-access lateral movement using legitimate tools (RDP, PsExec) rather than custom malware

Law enforcement dismantled the group's core through a series of arrests:

  • March 24, 2022: City of London Police arrested seven individuals aged 16-21 in connection with Lapsus$ operations
  • September 2022: Arion Kurtaj (alias "White"), arrested again while on bail after continuing to hack Uber, Revolut, and Rockstar Games
  • October 19, 2022: Brazilian Federal Police arrested a suspected Lapsus$ member in Feira de Santana, Bahia
  • August 2023: Seven-week trial resulted in convictions for Kurtaj (18) and a 17-year-old unnamed accomplice
  • December 2023: Kurtaj sentenced to an indefinite hospital order due to his stated intent to resume cybercrime "as soon as possible." The 17-year-old received an 18-month Youth Rehabilitation Order

Despite these arrests, Lapsus$ has reconstituted.

The group now operates within the Scattered LAPSUS$ Hunters (SLH) collective - a federated cybercrime brand uniting operators affiliated with three groups: Scattered Spider (Muddled Libra), ShinyHunters (Bling Libra), and Lapsus$.

Unit 42, LevelBlue, CYFIRMA, Resecurity, and SOCRadar have published analyses of SLH's structure and operations.

SLH's 2026 activity includes:

  • Lacoste - source code and network configuration (January 2026)
  • Adidas Extranet - usernames, passwords, and technical information (claimed; Adidas states no consumer data affected)
  • AstraZeneca - source code and employee data (claimed March 2026; AstraZeneca has not confirmed)
  • Mercor AI - 4TB of data exfiltrated via Tailscale VPN, confirmed by Mercor (March 2026)
  • Salesforce - claimed theft of 1 billion+ records via third-party integrations (unverified)
  • Gainsight - supply chain compromise claiming 300 organizations affected

SLH is also developing ShinySp1d3r, a new Ransomware-as-a-Service platform. The Hacker News reported that SLH is recruiting women for IT helpdesk vishing campaigns at $500-$1,000 per call, with pre-written social engineering scripts.

This represents an evolution from Lapsus$'s original ad-hoc Telegram recruitment to a structured, professionalized social engineering operation.

05

WHAT WAS EXPOSED

  • Source code (~12,200 lines) - Application source code that may contain authentication logic, API integrations, payment processing flows, internal service endpoints, and potentially hardcoded credentials or API keys. Source code cannot be rotated - once exposed, every vulnerability discoverable through code review remains exploitable until individually identified and patched.
  • Windows hosts file - Contains internal hostname-to-IP-address mappings revealing Lacoste's internal server infrastructure, development and staging environment addresses, database server locations, and administrative interface endpoints. This provides a partial network topology map useful for planning targeted attacks against specific internal systems.

No consumer PII (names, addresses, payment data, purchase histories) has been confirmed in the leaked archive based on available reporting.

However, the source code itself may reference database schemas, API endpoints, or data structures that reveal how and where consumer data is stored - information that would facilitate a future consumer-data-targeting attack.

06

TECHNICAL FAILURE CHAIN

1. Initial access vector unknown but consistent with Lapsus$ TTPs. Lapsus$ has never relied on zero-day exploits or sophisticated malware. Their documented attack chain is social engineering, credential theft, and insider recruitment.

If the Lacoste breach followed Lapsus$ standard methodology, the likely vectors include: (a) vishing or phishing targeting a Lacoste employee or helpdesk to obtain VPN or SSO credentials; (b) purchasing credentials from dark web infostealer logs; (c) recruiting an insider with legitimate access; or (d) SIM swapping to intercept SMS-based MFA and complete authentication.

2. Source code accessible from the compromised position. Regardless of the initial access method, the attacker reached a position in the network where source code repositories were accessible.

This indicates either (a) the compromised account had direct access to code repositories (developer, DevOps, or IT administrator account), or (b) lateral movement from the initial foothold to systems hosting source code was possible without triggering detection until exfiltration was underway.

3. Internal network configuration files accessible. The exfiltration of a Windows hosts file indicates the attacker accessed a server or workstation containing internal network mapping information.

Enterprise hosts files on development or infrastructure servers frequently contain mappings to internal databases, staging environments, CI/CD servers, and administrative interfaces - all of which should be accessible only from hardened jump servers with session recording.

4. Detection occurred during exfiltration - not before. Lapsus$ stated they were cut off during active data extraction, and Lacoste patched the exploited vulnerability during the operation.

This means the attacker achieved initial access, navigated to source code repositories, began exfiltration, and was only detected when the transfer was already underway.

Pre-exfiltration controls - behavioral analytics, anomalous access detection on code repositories, data loss prevention - either did not exist or did not trigger until data was already leaving the network.

5. Vulnerability patched reactively rather than proactively.

The fact that Lacoste patched a vulnerability during the breach rather than before it indicates the exploited flaw was present in production and had not been identified through vulnerability scanning, penetration testing, or code review prior to the incident.

07

INDICATORS OF COMPROMISE

No specific technical indicators (IP addresses, file hashes, domains) have been published for this incident. Lapsus$ and the broader SLH collective are known to use the following infrastructure and tools:

  • SLH Telegram channels for operational coordination and victim announcements
  • Lapsus$ Tor-based leak site for publishing stolen data
  • Credential harvesting from Redline and Raccoon infostealer logs
  • RDP, PsExec, and legitimate remote management tools for lateral movement
  • No custom malware - Lapsus$ operates almost exclusively through living-off-the-land techniques and legitimate credentials

Organizations should monitor for:

  • Anomalous VPN or SSO authentication patterns consistent with credential compromise
  • SIM swap requests targeting employee phone numbers
  • Unauthorized MFA enrollment changes
  • Bulk access or download activity on source code repositories
  • Helpdesk social engineering attempts requesting credential resets or MFA bypass

08

REGULATORY EXPOSURE

  • GDPR (EU Regulation 2016/679) - Article 5(1)(f) integrity and confidentiality principle - Lacoste failed to prevent unauthorized access to internal systems. Article 32 security of processing - inadequate technical measures allowed source code exfiltration. Article 33 72-hour notification to supervisory authority - Lacoste has not disclosed whether a notification was filed with CNIL. If personal data was present in or accessible through the compromised systems and notification was not made within 72 hours, this constitutes a separate violation. Article 34 individual notification - required if the breach results in a high risk to rights and freedoms of natural persons. Fine exposure: up to EUR 20 million or 4% of annual global turnover, whichever is higher. At an estimated EUR 3 billion revenue, Lacoste's theoretical maximum GDPR fine is approximately EUR 120 million.
  • CNIL enforcement precedent - CNIL fined Free Mobile and Free EUR 42 million in January 2026 for inadequate security measures following a breach. CNIL fined France Travail EUR 5 million in January 2026 for failing to secure job seeker data. CNIL issued 83 sanctions totaling EUR 486.8 million in 2025 alone. Lacoste's breach profile - unauthorized access leading to source code exfiltration from a major French corporation - falls squarely within CNIL's enforcement scope.
  • Swiss revFADP (revised Federal Act on Data Protection) - MF Brands Group / Maus Freres is headquartered in Switzerland. The revFADP, effective September 1, 2023, introduces personal liability for individuals (not just corporate entities) with fines up to CHF 250,000 for natural persons who fail to ensure adequate data security. If the breach was facilitated by negligent security practices at the group level, individual executives could face personal liability.
  • CCPA/CPRA (California) - Lacoste operates e-commerce and retail stores in California. If California residents' data was accessible through the compromised systems, CCPA requires notification. Intentional violations carry fines of $7,500 per affected individual.
  • UK GDPR / Data Protection Act 2018 - Lacoste operates retail stores and e-commerce in the UK. The ICO can impose fines of up to GBP 17.5 million or 4% of global turnover for security failures.
  • Loi Informatique et Libertes (French Data Protection Act) - France's national data protection law supplements GDPR. CNIL enforcement under this law covers data security obligations for all French-domiciled data controllers.
  • NIS2 Directive (EU) - While Lacoste is not classified as an essential or important entity under NIS2's sector categories, its digital infrastructure and e-commerce operations may bring it within scope depending on member state transposition. NIS2 imposes mandatory incident reporting obligations with fines of up to EUR 10 million or 2% of global turnover.

09

INTELLIGENCE GAPS

1. No confirmation from Lacoste. The breach is based entirely on Lapsus$'s own claim and the leaked data analyzed by BrinzTech and other monitoring services. Lacoste has not confirmed, denied, or acknowledged the incident.

Without confirmation, the full scope of the intrusion remains unknown - the published archive may represent a fraction of what was accessed, or it may represent the entirety of what was obtained before detection.

2. Specific initial access vector undisclosed. Lapsus$ has not detailed how they gained entry.

The group's standard playbook includes at least five distinct initial access methods (social engineering, SIM swapping, insider recruitment, credential purchasing, MFA fatigue), and the specific vector used against Lacoste has not been established.

Understanding which method succeeded would directly inform defensive priorities.

3. No clarity on whether consumer data was accessed. The published archive contains source code and a hosts file.

Whether the attacker accessed customer databases, CRM systems, SAP systems, or employee HR records during the intrusion - even if that data was not exfiltrated before detection - has not been established. Source code access frequently precedes database access in the kill chain.

4. No disclosure of the patched vulnerability. Lacoste reportedly patched the vulnerability that Lapsus$ exploited, but the nature of this vulnerability has not been disclosed. Was it a web application flaw, a misconfigured VPN, an unpatched CVE, a weak authentication mechanism?

The answer matters for assessing whether the same vulnerability exists in Lacoste's other systems or in other MF Brands Group subsidiaries (Aigle, Gant, Tecnifibre, The Kooples).

5. Relationship between Lapsus$ claim and the Socloz breach is unexplored. In February 2026, hacker group DumpSec claimed a breach of Socloz - a French omnichannel retail platform used by Lacoste, Apple, Nike, and other brands - potentially affecting up to 31 million customers.

Whether the Lapsus$ intrusion into Lacoste's infrastructure is connected to the Socloz breach, whether compromised Lacoste credentials facilitated access to Socloz, or whether these are entirely independent incidents has not been examined.

6. SLH collective attribution uncertainty. The Lapsus$ brand is now part of the Scattered LAPSUS$ Hunters collective.

Whether the Lacoste operation was conducted by original Lapsus$ affiliates, by ShinyHunters or Scattered Spider operators using the Lapsus$ brand, or by new recruits operating under the SLH umbrella is not determinable from available evidence.

10

ZERO|TOLERANCE Advisory

1. Deploy phishing-resistant MFA across all employee accounts. The CISA CSRB Lapsus$ report's primary recommendation was the elimination of SMS-based and push-notification-based MFA in favor of FIDO2 hardware security keys.

Lapsus$ has repeatedly bypassed SMS MFA via SIM swapping and push MFA via prompt bombing. FIDO2 keys (YubiKey, Google Titan) are cryptographically bound to the legitimate authentication domain and cannot be phished, intercepted, or fatigued.

This single control eliminates multiple Lapsus$ initial access vectors.

2. Implement strict access controls on source code repositories. Source code repositories should enforce the principle of least privilege - only developers actively working on a project should have read access to that project's code.

Repository access should require MFA, generate audit logs, and trigger alerts on bulk clone or download operations. Enterprise GitHub, GitLab, or Bitbucket instances should disable personal access tokens with unlimited scope and enforce short-lived, scoped tokens.
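Two of the signals this advisory asks defenders to watch for (the "Organizations should monitor for" list under Indicators of Compromise, and the bulk clone alerting in item 2 above) are easy to prototype over audit logs. The following is an added example written for this write-up; it is not code from the original advisory, from Lacoste, or from any IdP or code-hosting vendor. The log format is an assumption (one JSON event per line with ts, actor, action and target), and the events are constructed: dev.alice shows the pattern to catch, a burst of denied push prompts ending in an approval, followed minutes later by a sweep through six repositories.

```python
"""Two of the monitoring signals above, run over sample audit logs:
bulk clone/download activity on code repositories and MFA push bombing.

Added example for this write-up: the detection logic and the log lines are
constructed and are not from the original advisory, from Lacoste, or from
any IdP or code-hosting vendor. The log format is an assumption: one JSON
event per line with ts, actor, action and target.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events. 'mfa.push' stands in for an IdP's push-prompt log
# (target = the user's response); 'git.clone' for a code-hosting audit log
# (target = repository). dev.bob is the benign baseline.
SAMPLE_LOG = """\
{"ts": "2026-01-05T01:58:10Z", "actor": "dev.alice", "action": "mfa.push", "target": "denied"}
{"ts": "2026-01-05T01:58:40Z", "actor": "dev.alice", "action": "mfa.push", "target": "denied"}
{"ts": "2026-01-05T01:59:20Z", "actor": "dev.alice", "action": "mfa.push", "target": "denied"}
{"ts": "2026-01-05T02:00:05Z", "actor": "dev.alice", "action": "mfa.push", "target": "denied"}
{"ts": "2026-01-05T02:01:30Z", "actor": "dev.alice", "action": "mfa.push", "target": "approved"}
{"ts": "2026-01-05T02:11:04Z", "actor": "dev.alice", "action": "git.clone", "target": "shop-web"}
{"ts": "2026-01-05T02:11:09Z", "actor": "dev.alice", "action": "git.clone", "target": "shop-api"}
{"ts": "2026-01-05T02:11:15Z", "actor": "dev.alice", "action": "git.clone", "target": "payments-svc"}
{"ts": "2026-01-05T02:11:20Z", "actor": "dev.alice", "action": "git.clone", "target": "auth-svc"}
{"ts": "2026-01-05T02:11:26Z", "actor": "dev.alice", "action": "git.clone", "target": "infra-scripts"}
{"ts": "2026-01-05T02:11:31Z", "actor": "dev.alice", "action": "git.clone", "target": "mobile-app"}
{"ts": "2026-01-05T09:29:50Z", "actor": "dev.bob", "action": "mfa.push", "target": "approved"}
{"ts": "2026-01-05T09:30:00Z", "actor": "dev.bob", "action": "git.clone", "target": "shop-web"}
{"ts": "2026-01-05T14:02:00Z", "actor": "dev.bob", "action": "git.clone", "target": "shop-api"}
"""


def parse_events(text):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def sliding_windows(events, action, window):
    """For each actor, yield (actor, events) for every trailing window of
    length `window` that ends at one of that actor's `action` events."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == action:
            per_actor[e["actor"]].append(e)
    for actor, evs in per_actor.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            yield actor, list(win)


def bulk_clone_alerts(events, window=timedelta(minutes=10), threshold=5):
    """One alert per actor cloning >= threshold distinct repos within a
    window, reporting the largest such window seen for that actor."""
    alerts = {}
    for actor, win in sliding_windows(events, "git.clone", window):
        repos = sorted({e["target"] for e in win})
        if len(repos) >= threshold and len(repos) > len(alerts.get(actor, {}).get("repos", [])):
            alerts[actor] = {"actor": actor, "first_ts": win[0]["ts"].isoformat(), "repos": repos}
    return list(alerts.values())


def mfa_fatigue_alerts(events, window=timedelta(minutes=10), threshold=4):
    """One alert per actor receiving >= threshold push prompts within a
    window; 'approved' records whether the bombing ended in an approval."""
    alerts = {}
    for actor, win in sliding_windows(events, "mfa.push", window):
        if len(win) >= threshold and len(win) > alerts.get(actor, {}).get("prompts", 0):
            alerts[actor] = {"actor": actor, "prompts": len(win),
                             "approved": any(e["target"] == "approved" for e in win)}
    return list(alerts.values())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in mfa_fatigue_alerts(evs) + bulk_clone_alerts(evs):
        print(json.dumps(a))
```

The thresholds and window are starting points, not tuned values; a repository-hosting tenant where one developer legitimately mirrors dozens of repositories will need an allow-list or a per-role baseline. The useful property of the pair is correlation: an MFA fatigue alert whose `approved` flag is true, followed within minutes by a bulk clone alert for the same actor, is the sequence that item 2's "alerts on bulk clone or download operations" is meant to surface before exfiltration rather than after.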

3. Harden helpdesk identity verification procedures.

Lapsus$ and the broader SLH collective specialize in helpdesk social engineering - calling IT support, impersonating employees, and convincing agents to reset credentials or bypass MFA. Helpdesks should require video verification for all credential reset requests, should never process MFA changes over phone, and should implement callback verification to registered corporate phone numbers (not caller-provided numbers).

4. Remove hardcoded credentials and secrets from source code. Source code repositories should be scanned continuously for hardcoded API keys, database credentials, cloud provider tokens, and other secrets using tools such as GitGuardian, Trufflehog, or GitHub secret scanning.

Every discovered secret should be rotated immediately. The assumption after a source code leak must be that every credential in the code is compromised.
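To make the "hardcoded credentials, cloud service keys, or internal API tokens" risk from the technical analysis concrete, here is a minimal secret scanner of the kind item 4 describes. It is an added example written for this write-up, not code from the original advisory, from Lacoste, or from GitGuardian, Trufflehog or GitHub secret scanning. SAMPLE_FILES is constructed source text with placeholder values (the AWS pair is Amazon's documented example key, not a live credential); the rule names, the entropy threshold and the severity labels are this example's own choices.

```python
"""Hardcoded-secret scan of the kind item 4 calls for, with an entropy
filter so descriptive strings do not drown the real findings.

Added example for this write-up: not code from the original advisory,
from Lacoste, or from any named scanning tool. SAMPLE_FILES is constructed
source text; every credential value is a placeholder (the AWS pair is
Amazon's documented example key, not a live credential).
"""
import math
import re
from collections import Counter

SAMPLE_FILES = {
    "config/settings.py": '''
DEBUG = False
DATABASE_URL = "postgres://app:Pa55w0rd-placeholder@db-prod-01:5432/shop"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
''',
    "src/payments/client.py": '''
import requests

def charge(amount):
    headers = {"Authorization": "Bearer sk_live_placeholder0123456789abcdef"}
    return requests.post("https://api.example/charge", headers=headers, json={"amount": amount})
''',
    "src/util/text.py": '''
def slug(s):
    password_hint = "use a passphrase"   # benign: UI copy, not a credential
    return s.lower().replace(" ", "-")
''',
}

# Structural rules: the shape alone is conclusive, so they are high severity.
# Each pattern captures the secret itself in group 1.
STRUCTURAL_RULES = {
    "aws-access-key-id":       re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "url-embedded-credential": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s\"']+:([^@\s\"']+)@"),
    "bearer-token":            re.compile(r"Bearer\s+([A-Za-z0-9_\-.]{16,})"),
    "private-key":             re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}
# Generic rule: a secret-looking variable assigned a quoted literal. Flagged
# only when the literal is high-entropy, so prose-like strings pass.
GENERIC_RULE = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[=:]\s*[\"']([^\"']{8,})[\"']")
ENTROPY_THRESHOLD = 3.5   # bits per character; tune against your own codebase


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep a recognisable prefix/suffix so a finding can be triaged without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text):
    """Return findings for one file: dicts with file, line, rule, severity, redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in STRUCTURAL_RULES.items():
            m = pat.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "severity": "high", "redacted": redact(m.group(1))})
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"file": path, "line": lineno, "rule": "generic-assignment",
                             "severity": "medium", "redacted": redact(m.group(1))})
    return findings


def scan_files(files):
    """Scan a {path: text} mapping; every finding is a credential to rotate."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity']:6} {f['rule']:24} {f['file']}:{f['line']}  {f['redacted']}")
```

On the sample, the scanner reports four findings (the database URL password, the AWS key id, the AWS secret and the Bearer token) and correctly ignores `password_hint = "use a passphrase"`, whose entropy is well under the threshold. After a leak like the one described here, the output of such a scan over the exposed tree is the rotation list: each finding is rotated regardless of whether it still looks valid, because the assumption stated above is that every credential in the code is already in adversary hands.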

5. Conduct a post-breach assessment of the exposed hosts file and rotate affected infrastructure. The leaked Windows hosts file reveals internal IP-to-hostname mappings.

Every server, service, and endpoint referenced in that file should be assumed compromised in terms of targeting information. Where feasible, rotate internal IP addresses, rename internal hostnames, and update network segmentation to invalidate the exposed topology.

At minimum, increase monitoring and access controls on every system referenced in the hosts file.
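Item 5 and the earlier discussion of the Windows hosts file both come down to the same first step: turn the leaked file into an inventory of what it actually reveals, so the "increase monitoring on every system referenced" instruction has a concrete list to work from. The following is an added example written for this write-up, not code from the original advisory or from Lacoste; SAMPLE_HOSTS is constructed in Windows hosts-file syntax, and every hostname and address in it is a placeholder. The role keywords are this example's own heuristics.

```python
"""Triage a leaked Windows hosts file into a defender's watch-list.

Added example for this write-up: not code from the original advisory,
from Lacoste, or from any named vendor. SAMPLE_HOSTS is constructed in
Windows hosts-file syntax; every hostname and address in it is a
placeholder, not real infrastructure.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.20.1.15      db-prod-01.corp.example   db-prod-01   # primary database
10.20.1.16      db-staging.corp.example
10.20.5.40      jenkins-ci.corp.example   ci
10.20.9.8       vcenter-admin.corp.example
192.168.50.22   staging-web.corp.example
203.0.113.7     cdn-edge.example          # public address (RFC 5737 test range)
"""

# Address space that marks a mapping as internal: RFC 1918 plus IPv6 ULA.
# ipaddress.is_private is deliberately not used: it also returns True for
# documentation ranges such as 203.0.113.0/24, which are not internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Hostname fragments that usually identify a high-value internal system.
ROLE_PATTERNS = {
    "database": re.compile(r"\b(db|sql|postgres|mysql|oracle)\b", re.I),
    "ci-cd":    re.compile(r"\b(ci|jenkins|gitlab|build)\b", re.I),
    "admin":    re.compile(r"\b(admin|vcenter|idrac|ilo|mgmt)\b", re.I),
    "staging":  re.compile(r"\b(staging|stg|uat|dev)\b", re.I),
}


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for each mapping line.

    Comment lines, inline comments, blank lines and malformed lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def is_internal(ip):
    """True if the address lies in RFC 1918 or IPv6 ULA space."""
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)


def roles_for(names):
    """Sorted list of roles suggested by any of the hostnames."""
    return sorted(role for role, pat in ROLE_PATTERNS.items()
                  if any(pat.search(n) for n in names))


def triage(text):
    """Build the 'assume targeted' inventory from a hosts file.

    Returns {"internal": {ip: {"names": [...], "roles": [...]}},
             "by_role": {role: count}}. Loopback and public mappings are
    excluded because they reveal nothing about internal topology.
    """
    inventory, by_role = {}, Counter()
    for ip, names in parse_hosts(text):
        if not is_internal(ip):
            continue
        roles = roles_for(names)
        inventory[str(ip)] = {"names": names, "roles": roles}
        by_role.update(roles or ["unclassified"])
    return {"internal": inventory, "by_role": dict(by_role)}


if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS)
    for ip, info in result["internal"].items():
        print(f"{ip:15} {', '.join(info['roles']) or 'unclassified':20} {info['names'][0]}")
    print("exposed systems by role:", result["by_role"])
```

Run against a real leaked file, the `internal` map is the list item 5 asks for: every entry gets elevated monitoring immediately, and the `by_role` counts tell the incident lead where renumbering, renaming or re-segmenting buys the most (a leaked database or admin mapping matters more than a staging web front end). The role heuristics are intentionally crude; the point is that a hosts file is structured enough to triage mechanically on day one.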

6. Monitor for follow-on attacks leveraging the stolen source code. Source code leaks are not endpoints - they are enablers.

The 12,200 lines published by Lapsus$ will be analyzed by the broader threat community for exploitable vulnerabilities, API endpoints, authentication weaknesses, and hardcoded secrets.

Lacoste should conduct an immediate internal review of the leaked code to identify every vulnerability, credential, and endpoint it contains, and should assume that every issue discoverable through code review will be discovered by adversaries.

11

SOURCES

RedPacket Security, BrinzTech, Ransomware.live, HackNotice, BreachSense, ScanComply, SharkStriker, LeakRadar, CISA CSRB (Lapsus$ report August 2023), Unit 42 (Palo Alto Networks), CYFIRMA, Resecurity, LevelBlue, Picus Security, SOCRadar, ZeroFox, BleepingComputer, The Hacker News, Cybersecurity News, CyberPress, Industrial Cyber, CSO Online, Dark Reading, SecurityWeek, The Record, FashionNetwork, S-RM Inform, MOXFIVE, Wikipedia (Lapsus$, Maus Freres), X (@seblatombe)
