In a courtroom revelation that has sent shockwaves through the tech world, a court has determined that an 18-year-old from Oxford, Arion Kurtaj, was a key member of the notorious international cyber-crime gang, Lapsus$. This group is responsible for a series of audacious hacking attacks against major technology firms, including Uber, Nvidia, and Rockstar Games.
The audacity of Lapsus$'s attacks in 2021 and 2022 has left the cybersecurity community in disbelief. Among their bold exploits, Arion Kurtaj allegedly leaked clips of the highly-anticipated, unreleased Grand Theft Auto 6 game while out on bail, staying at a Travelodge hotel.
However, the courtroom drama took an unexpected turn when it was revealed that Arion Kurtaj is autistic, and psychiatrists deemed him unfit to stand trial. Consequently, he did not appear in court to provide evidence. The jury's task was to determine whether he had committed the alleged acts, not whether he did so with criminal intent.
Another 17-year-old, also on the autism spectrum, was convicted for his involvement in Lapsus$ activities. His identity remains protected due to his age.
Described as "digital bandits" by the court, the Lapsus$ gang, believed to comprise mostly teenagers, employed a blend of con-man tactics and hacking skills to infiltrate multinational corporations like Microsoft and the digital banking group Revolut. Their brazenness knew no bounds, as they regularly celebrated their crimes on the social network app Telegram, taunting their victims in both English and Portuguese.
The trial unfolded over seven weeks in Southwark Crown Court in London, revealing a series of hacking sprees that exposed the gang's increasing audacity.
Hacking Spree One: The court heard that Kurtaj, assisted by Lapsus$ associates, targeted telecoms giants BT and EE, demanding a £3.1 million ransom in August 2021 after hacking their servers and data files. Although the ransom went unpaid, the 17-year-old and Kurtaj used stolen SIM details from five victims to siphon nearly £100,000 from their cryptocurrency accounts secured by compromised mobile phone SIM identities. Both were initially arrested on January 22, 2022, but later released under investigation.
Hacking Spree Two: Undeterred by their arrest, Kurtaj and the 17-year-old continued hacking with Lapsus$ and successfully breached Nvidia, a Silicon Valley tech giant, in February 2022. They stole and leaked sensitive data and demanded a ransom to halt further releases. The court presented Telegram group chats in which the gang instructed an individual they had hired to impersonate a Nvidia employee when calling the company's staff help desk, seeking login credentials. In other hacks, the gang inundated employee phones with late-night access approval requests until staff capitulated. Both defendants were re-arrested on March 31, 2022.
Hacking Spree Three: Kurtaj's "flagrant disregard" for his bail conditions became evident when he was apprehended in a Travelodge hotel by City of London Police. During the search, an Amazon Fire Stick was discovered connected to the hotel TV, enabling him to access cloud computing services with newly acquired smartphone, keyboard, and mouse. It was revealed that he had also participated in attacks against Revolut, Uber, and Rockstar Games. His final act, hacking into Rockstar Games, was described as "audacious" as he publicly declared his actions on the company's Slack messaging service, boasting of downloading all data for Grand Theft Auto 6 and threatening to release the source code if not contacted within 24 hours. Nearly 90 video clips of unfinished gameplay for the highly-anticipated game were also leaked on a fan forum under the username TeaPotUberHacker. Kurtaj was subsequently detained until his trial.
The prosecution's lead barrister, Kevin Barry, emphasized that Kurtaj and his co-conspirators exhibited a "juvenile desire to stick two fingers up to those they are attacking." Once inside a company's computer network, the hackers often left offensive messages as they attempted to blackmail staff. Their motives appeared to oscillate between notoriety, financial gain, and amusement.
The Lapsus$ gang's hacking spree prompted a major review by US cyber authorities, highlighting the pressing need to bolster cyber defenses against the rising threat posed by teenage hackers. The report underscored how Lapsus$ demonstrated the ease with which its members, some of whom were juveniles, infiltrated well-defended organizations.
As the legal saga unfolds, members of the Lapsus$ gang remain at large, leaving the cybersecurity community on high alert. In a separate incident, Brazilian police apprehended an individual alleged to have collaborated with Lapsus$ in hacking various Brazilian and Portuguese companies and public bodies.
The financial gains from Lapsus$'s cybercrimes remain unclear, as no companies have publicly admitted paying ransoms, and the 17-year-old defendant has refused to grant police access to his cryptocurrency hardware wallet.
Both teenagers await sentencing, with Arion Kurtaj in custody and the 17-year-old remaining on bail, as they face the consequences of their high-profile cyber exploits. Their actions serve as a stark reminder of the evolving and increasingly audacious world of cybercrime, where even teenagers can leave a lasting impact on major corporations and governments alike.
Leave a Reply