Mercor AI has officially confirmed a severe data breach following claims by the notorious Lapsus$ hacking group that they stole 4 terabytes of sensitive company data.
The incident, stemming from a recent supply chain attack on the open-source LiteLLM project, has exposed proprietary source code, internal databases, and massive amounts of user-verification data.
The hacking collective Lapsus$ has listed Mercor’s platform data for a live auction on the dark web, prompting interested buyers to “make an offer”. The threat actors claim to have exfiltrated the entirety of the 4-terabyte dataset by breaching the company’s Tailscale VPN.
The extensively detailed stolen cache reportedly includes 939GB of platform source code, a 211GB user database, and 3TB of storage buckets containing video interviews and identity verification passports.
Mercor AI Official Response
In response to the extortion attempts, Mercor AI released a public statement emphasizing that the privacy and security of their customers and contractors remain their foundational priority. The company clarified that the breach was the direct result of a widespread supply chain attack involving the open-source routing library LiteLLM.
Mercor’s security team promptly contained the incident and is currently conducting a comprehensive investigation alongside leading third-party forensics experts.
The root cause of Mercor’s breach traces back to late March 2026, when a threat actor known as TeamPCP compromised the PyPI publishing credentials for the LiteLLM library.
TeamPCP injected a three-stage malicious backdoor into versions 1.82.7 and 1.82.8, which was designed to harvest credentials and establish persistent system access. Because LiteLLM is widely integrated into AI applications, the malware executed immediately upon installation and impacted thousands of unsuspecting organizations.
Founded in 2023, Mercor operates a highly successful AI recruitment platform that claims over $500 million in revenue and connects specialized domain experts with major AI firms like OpenAI and Anthropic.
The startup facilitates over $2 million in daily payouts and now faces significant operational risks due to the exposure of its contractors’ personal information.
The leak of internal AI source code and sensitive KYC materials poses severe security implications for both the $10 billion platform and its extensive user base.
Lapsus$ is a well-known cybercrime syndicate with a history of targeting high-profile technology companies using aggressive extortion tactics. The group frequently uses public data leaks and dark web auctions to pressure victims into paying ransoms after initial private negotiations fail.
Their involvement in the Mercor AI breach highlights a continuing trend of threat actors exploiting upstream supply chain vulnerabilities to access massive downstream corporate datasets.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
