Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.

Lapsus$ has befuddled cybersecurity experts as it has embarked on a rampage of high-profile hacks. The motivation behind the attacks is still unclear, but some cybersecurity researchers say they believe the group is motivated by money and notoriety.

The teen is suspected by the researchers of being behind some of the major hacks carried out by Lapsus$, but they haven’t been able to conclusively tie him to every hack Lapsus$ has claimed. The cyber researchers have used forensic evidence from the hacks as well as publicly available information to tie the teen to the hacking group.

Bloomberg News isn’t naming the alleged hacker, who goes by the online alias “White” and “breachbase,” who is a minor and hasn’t been publicly accused by law enforcement of any wrongdoing.

Another member of Lapsus$ is suspected to be a teenager residing in Brazil, according to the investigators. One person investigating the group said security researchers have identified seven unique accounts associated with the hacking group, indicating that there are likely others involved in the group’s operations.  

The teen is so skilled at hacking—and so fast—that researchers initially thought the activity they were observing was automated, another person involved in the research said.  

Lapsus$ has publicly taunted their victims, leaking their source code and internal documents. When Lapsus$ revealed it had breached Okta Inc., it sent the company into a public-relations crisis. In multiple blog posts, Okta disclosed that an engineer at a third-party vendor was breached, and that 2.5% of its customers may have been impacted.

Lapsus$ has even gone as far as to join the Zoom calls of companies they’ve breached, where they have taunted employees and consultants who are trying to clean up their hack, according to three of the people who responded to the hacks.

Microsoft, which itself confirmed it was hacked by Lapsus$, said in a blog post that the group has embarked on a “large-scale social engineering and extortion campaign against multiple organizations.” The group’s primary modus operandi is to hack companies, steal their data and demand a ransom in order to not release it. Microsoft tracks Lapsus$ as “DEV-0537,” and said that the group has successfully recruited insiders at victimized companies in order to assist in their hacks.

The group suffers from poor operational security, according to two of the researchers, allowing cybersecurity companies to gain intimate knowledge about the teenage hackers.

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” Microsoft said in a blog post. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail and health-care sectors.”

The teenage hacker in England has had his personal information, including his address and information about his parents, posted online by rival hackers.

At an address listed in the leaked materials as the teen’s home near Oxford, a woman who identified herself as the boy’s mother talked with a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street about five miles from Oxford University.

The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen’s father’s home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details couldn’t be confirmed.

She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police. 

The Thames Valley Police, and the National Crime Agency, which investigates hacking in the U.K., didn’t immediately respond to messages about the alleged teen hacker. The FBI’s San Francisco field office, which is investigating at least one of the Lapsus$ intrusions, declined to comment.

Lapsus$ has also claimed to have breached Samsung Electronics Co., Vodaphone and Ubisoft. After breaching Nvidia, Lapsus$ posted stolen source code from the company on their Telegram channel.

After its claim of hacking Okta generated a wave of headlines Tuesday, Lapsus$ suggested it would be taking some time off from hacking the world’s biggest companies.

“A few of our members has a vacation until 30/3/2022. We might be quiet for some times,” the hackers wrote in its Telegram channel. “Thanks for understand us. – we will try to leak stuff ASAP.”