Mar 16, 2026 · 6 min read

Lapsus$ Was Supposed to Be Finished After the Arrests—Lacoste Just Found Out They're Not

The hacking group that hit Microsoft, Samsung, and Nvidia in 2022 has resurfaced with an attack on French luxury brand Lacoste, proving that arrests alone do not dismantle a decentralized cybercrime operation.

A Group That Would Not Stay Dead

In 2022, Lapsus$ tore through some of the largest technology companies on the planet. Microsoft, Samsung, Nvidia, Uber, Rockstar Games, and Cisco all fell victim to a hacking group that operated less like a traditional ransomware gang and more like a chaotic collective of young extortionists. Their methods were brazen: social engineering, SIM swapping, bribing insiders, and publicly taunting their victims on Telegram. They leaked source code, stole credentials, and humiliated corporate security teams that had spent millions on defenses.

Then law enforcement caught up. In 2022 and 2023, authorities in the United Kingdom arrested multiple suspected members, including teenagers. A 17-year-old from Oxford was convicted of multiple charges related to the group's attacks. Brazil arrested another suspected member. The conventional wisdom was that Lapsus$ was finished, a cautionary tale about teenage hackers who flew too close to the sun.

That assessment turned out to be premature. On March 1, 2026, Lapsus$ resurfaced with a new target: Lacoste SA, the France-based global luxury sportswear company known for its iconic crocodile logo.

What Happened to Lacoste

The breach was published on March 1, 2026, with discovery confirmed by March 5. Lapsus$ claimed to have compromised multiple internal systems at Lacoste, including employee databases, customer relationship management platforms, content management systems, and SAP enterprise databases. The full scope of the breach has not yet been publicly quantified, and Lacoste has not disclosed exact numbers of affected records.

What is known is that the attack reached deep into Lacoste's operational infrastructure. Employee data was compromised, and the CRM systems that manage customer interactions and purchase histories were among the affected platforms. For a luxury brand whose customers include high-net-worth individuals, the sensitivity of that data is significant.

The investigation is ongoing. Security researchers tracking the incident noted that Lapsus$ has not released a full data dump publicly, which suggests either ongoing negotiations or a shift in the group's tactics toward more targeted extortion rather than the indiscriminate leaking that characterized their earlier campaigns.

Why Luxury Brands Are High-Value Targets

The choice of Lacoste is not random. Luxury retail customer data commands premium prices on dark web markets, and there are specific reasons why.

  • High-net-worth profiles: Customers of luxury brands tend to have higher incomes and more financial assets, making their personal data more valuable for targeted fraud.
  • Purchase histories: Detailed buying patterns from CRM systems reveal lifestyle information that can be used for sophisticated social engineering attacks.
  • Shipping addresses: Home addresses of wealthy individuals create physical security risks, from targeted burglary to stalking.
  • Corporate espionage value: SAP databases contain supply chain details, pricing strategies, and vendor relationships that competitors or counterfeit operations would pay to access.

Security analysts have noted that stolen luxury retail datasets routinely sell for multiples of what standard retail data fetches. A database of customers who regularly purchase items worth hundreds or thousands of dollars is fundamentally more useful to criminals than a list of discount store shoppers.

The Hydra Problem in Cybercrime

The return of Lapsus$ illustrates a persistent problem in cybercrime enforcement: arresting members of a decentralized group does not eliminate the group. Lapsus$ never operated like a traditional hierarchical criminal organization. It functioned more like a loosely connected network of individuals who shared techniques, tools, and targets through encrypted messaging channels.

When UK authorities arrested the Oxford teenager and others, they removed some of the most visible operators. But the knowledge, the playbooks, the social engineering techniques, and the network of contacts did not disappear. Other members, or new recruits inspired by the group's reputation, could reconstitute operations using the same brand name and methods.

This pattern is not unique to Lapsus$. Ransomware groups like LockBit, ALPHV, and Hive have all demonstrated the ability to survive law enforcement takedowns by reforming under new names or having dormant members resume operations. The Lapsus$ reemergence in 2026 after a roughly three-year quiet period follows this established pattern.

What This Means Going Forward

The Lacoste breach carries several lessons for organizations and individuals.

For companies, especially those handling affluent customer data, the incident reinforces that threat groups do not permanently disappear after arrests. Security postures built around the assumption that a specific threat actor has been neutralized are inherently fragile. Lapsus$ was considered defunct for three years. During that time, companies may have deprioritized defenses against the specific social engineering and insider bribery techniques the group was known for.

For individuals whose data may have been compromised, the concern is more immediate. If Lacoste's CRM data is eventually leaked or sold, affected customers face an elevated risk of highly targeted phishing, identity theft, and physical security threats. The combination of personal information, purchase history, and home addresses creates a comprehensive profile that is difficult to protect against once it is in criminal hands.

The broader pattern is clear: law enforcement disruptions slow cybercrime groups but rarely stop them permanently. As long as the skills, tools, and financial incentives exist, groups like Lapsus$ will continue to rebuild. The Lacoste attack is not the end of this story. It is the beginning of the next chapter.