Lapsus$ Claims 4TB Voice-Biometric Haul from AI Contractor Platform Mercor

What Happened

On April 4, 2026, the extortion group Lapsus$ claimed to have published data stolen from Mercor, a platform that recruits freelancers to label data, record voice samples, and complete verification calls for AI training clients. The primary public account of the incident is an unattributed blog post published by ORAVYS, a company that sells synthetic-voice detection and forensic analysis services — and one that includes a promotional offer for its own breach-victim product at the foot of the same post. The alleged archive is described as approximately four terabytes, covering more than 40,000 contractor records.

Why It Matters

The ORAVYS post argues the claimed breach differs from prior voice-data incidents because it combines audio recordings with identity documents in a single linked dataset. Earlier voice-data exposures — including call-center recording breaches and identity-document broker leaks — typically kept audio and identity information separated, limiting their utility for targeted impersonation fraud. A merged dataset would, if authentic, provide ready-made inputs for commercial voice cloning pipelines.

The ORAVYS post attributes to a Wall Street Journal report from February 2026 the claim that off-the-shelf voice cloning tools now require approximately 15 seconds of clean reference audio. The Mercor recordings are described in the same post as averaging two to five minutes of studio-quality speech per contractor. MegaOne AI could not independently confirm the WSJ figure, the recording duration characterization, or the overall breach scope.

Technical Details

According to the ORAVYS post, Mercor’s onboarding pipeline collected three data types in sequence — a government ID scan, a webcam selfie, and a scripted voice recording made in a quiet room — and stored them in linked database records. The post claims this structure mirrors the input format required by commercial voice cloning services: a verified identity, a face reference, and clean audio. The ORAVYS post identifies seven forensic markers it says distinguish synthetic voice samples from genuine recordings: codec signature mismatches relative to the claimed capture device, abnormal breath-pattern timing, reduced micro-jitter in simulated vocal-fold vibration, implausible vowel formant transitions, reverb inconsistency within a single file, narrowed pitch and energy variance, and metronomic speech rate across extended passages.

The post also cites a Pindrop report attributing a 475 percent year-over-year increase in synthetic voice attacks against insurance call centers during 2025, and references the February 2024 Arup incident in which a finance employee transferred approximately $25 million following a deepfake video call constructed from publicly available footage — a case that received contemporaneous coverage in mainstream press.

Who’s Affected

If the breach is confirmed, the directly affected population would be freelance contractors who enrolled with Mercor for AI data-labeling tasks. Five civil lawsuits were reportedly filed within ten days of the Lapsus$ post, alleging that Mercor collected voice prints without disclosing their function as permanent biometric identifiers — a potential violation of biometric privacy statutes in Illinois, Texas, Washington, and other US states with active biometric data laws. The ORAVYS post additionally describes downstream fraud risk to the contractors’ employers, financial institutions, and family members through voice-cloned impersonation.

What’s Next

Mercor had not issued a public statement on the claimed breach as of April 28, 2026, and no independent security researcher had publicly authenticated the Lapsus$ dump. The five civil suits are at initial filing stage with no court dates publicly set. ORAVYS, in the same post that describes the incident, offers free forensic analysis of three audio samples per affected contractor before routing users to its paid platform.