GPU maker NVIDIA has been breached, with approximately 1TB of data stolen.
The breach notification service HaveIBeenPwned says more than 70,000 employee records – including email addresses and password hashes – have been leaked.

The extortion group Lapsus$ claims to have had access to NVIDIA’s servers for a week, gaining access to “schematics, drivers, firmware etc…” and “documentation, private tools and SDKs”, and plans to leak or sell the data if its demands are not met. Rather than asking for cash, the group demands that NVIDIA open-source its drivers and remove the feature that limits the use of its GPUs for crypto mining.

Unusually, the group also claims to be a victim itself, alleging that NVIDIA connected to its file server and attempted to destroy the stolen data.


Malicious actors can now sign malware with the stolen NVIDIA code signing certificates.

Vulnerability Detection

Researchers have published a YARA rule on GitHub that can detect newly created files signed with the stolen certificates.
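A host-level hunt that applies the same idea, as an added example (not the researchers’ YARA rule): it walks the driver directories and reports binaries whose Authenticode signer certificate matches a listed serial number. The serial numbers in the script are placeholders to be replaced with the values from the Indicators of Compromise section.

```powershell
# PLACEHOLDER serials: replace with the stolen-certificate serial numbers
# from the bulletin's Indicators of Compromise section.
$StolenSerials = @(
    'PLACEHOLDER_SERIAL_1',
    'PLACEHOLDER_SERIAL_2'
)

function Find-SuspectSignedFiles {
    param(
        [string[]]$Paths = @("$env:SystemRoot\System32\drivers",
                             "$env:SystemRoot\System32\DriverStore"),
        [string[]]$Serials = $StolenSerials
    )
    # Serial numbers are hex strings; compare case-insensitively.
    $wanted = $Serials | ForEach-Object { $_.ToUpperInvariant() }

    Get-ChildItem -Path $Paths -Recurse -File -Include *.sys, *.dll, *.exe `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned: out of scope for this hunt
            if ($wanted -notcontains $cert.SerialNumber.ToUpperInvariant()) { return }

            # The certificates are old, so a file written after the certificate's
            # NotAfter date was signed after its legitimate owner stopped using it.
            # LastWriteTime is a heuristic only; the countersignature timestamp,
            # which this cmdlet does not expose, would be a more reliable signal.
            [pscustomobject]@{
                Path               = $_.FullName
                Serial             = $cert.SerialNumber
                Subject            = $cert.Subject
                CertNotAfter       = $cert.NotAfter
                WrittenAfterExpiry = ($_.LastWriteTime -gt $cert.NotAfter)
                SignatureStatus    = $sig.Status
            }
        }
}

Find-SuspectSignedFiles | Format-Table -AutoSize
```

Any hit should be treated as an indicator to investigate rather than proof of compromise, since legitimately signed NVIDIA files will match the serial too; the WrittenAfterExpiry column is what separates the two.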

Containment, Mitigations & Remediations

Advice from David Weston, director of enterprise and OS security at Microsoft, is to configure Windows Defender Application Control to limit which NVIDIA drivers can be loaded.

Indicators of Compromise

Stolen certificates use these serial numbers


Threat Landscape

This leak will be of particular interest to cheat developers, as signed NVIDIA drivers are usually allow-listed by game anti-cheat systems.

Mitre Methodologies

T1588.003 – Code Signing Certificates

Further Information

Malware now using NVIDIA’s stolen code signing certificates

Understand Windows Defender Application Control (WDAC) policy rules and file rules