- Teen Member of Hacking Group Lapsus$ Convicted
- Cyber Attacks on Major Tech Companies
- Hacking Motives and Consequences
A court has determined that an 18-year-old from Oxford was a member of an international cyber-criminal organization responsible for a hacking rampage against major technology companies.
Arion Kurtaj was a prominent member of the hacking group Lapsus$, which targeted Uber, Nvidia, and Rockstar Games, among others.
While on bail in a Travelodge hotel, Kurtaj allegedly transmitted footage from the unreleased Grand Theft Auto 6 game.
In 2021 and 2022, the audacious assaults by Lapsus shocked the cyber security community.
Since Kurtaj is autistic and psychiatrists deemed him unfit to stand trial, he did not testify in court.
The jury was asked to determine whether he committed the alleged offenses, not whether he did so with criminal intent.
A second autistic 17-year-old was convicted for his participation in the activities of the Lapsus$ gang, but he cannot be identified due to his age.
The group from the United Kingdom and, purportedly, Brazil was described as “digital bandits” in court.
The gang believed to consist primarily of adolescents, used con artist techniques and computer hacking to gain access to multinational corporations such as Microsoft, the technology behemoth, and Revolut, a digital banking company.
Hackers celebrated their crimes in public and ridiculed victims in English and Portuguese on Telegram.
The trial lasted seven weeks at the Southwark Crown Court in London.
One hacking rampage
The jury was informed that the unidentified adolescent began hacking with Kurtaj in July 2021 after meeting him online.
Kurtaj and Lapsus$ sought $4 million (£3.1 million) for BT and EE systems and data files on 1 August 2021.
The court heard that the 17-year-old and Kurtaj used stolen SIM information from five victims to steal nearly £100,000 from their cryptocurrency accounts, which were secured by their compromised mobile phone SIM identities. No ransom was paid.
The two defendants were initially arrested on January 22, 2022, and then released pending further investigation.
Two hacking sprees
The pair infiltrated Nvidia, a Silicon Valley tech behemoth that makes chatbot chips, with Lapsus$ in February 2022.
They stole and leaked sensitive and valuable data, then demanded a ransom to prevent them from disseminating more.
The jury was shown Telegram group chats in which the group instructed an imposter to contact the Nvidia staff help desk posing as an employee in an attempt to obtain login credentials.
In other breaches, the group bombarded employee phones with access approval requests until they were granted.
On March 31, 2022, Kurtaj and the youth were both re-arrested.
Shortly before his arrest, rival hackers “doxxed” Kurtaj by posting his and his family’s contact information online along with social media photos and videos of the avid fisherman.
For his safety, Kurtaj was sent to a Bicester Travelodge hotel and given tight bail terms, including an internet ban.
However, Kurtaj continued to infiltrate.
Three hacking sprees
The prosecution asserts that he was “caught red-handed” when City of London Police searched his hotel room.
In a “flagrant disregard for his bail conditions,” police discovered an Amazon Fire Stick in his hotel television, allowing him to connect to cloud computing services using a newly acquired smartphone, keyboard, and mouse.
The court heard that he had participated in attacks against Revolut, Uber, and Rockstar Games.
As Kurtaj posted a message on the company’s Slack messaging service to all employees asserting, “I am not a Rockstar employee, I am an attacker,” it was described as his “most audacious” hack.
He stated that he had downloaded all data for Grand Theft Auto 6, the sixth installment in Rockstar’s immensely popular Grand Theft Auto video game franchise, and that “if Rockstar does not contact me on Telegram within 24 hours, I will begin releasing the source code.”
TeaPotUberHacker shared 90 unfinished gameplay snippets for the widely anticipated new game on a fan forum.
Kurtaj was re-arrested and held in custody pending his prosecution.
“Childish” showing off
Also Kevin Barry, the chief prosecutor, stated that Kurtaj and his co-conspirators repeatedly displayed a “juvenile desire to thumb their noses at those they are attacking.”
Hackers published insulting comments on Slack and Microsoft Teams to persuade employees after gaining network access.
Motives for the gang’s actions appeared to fluctuate between notoriety, financial gain, and amusement.
Teenage hackers’ hacking spree prompted a significant review by US cyber authorities earlier this month, which warned that cyber defenses must be bolstered to combat their growing threat.
According to the report, Lapsus$ “made clear how simple it was for its members (in some cases, minors) to infiltrate well-defended organizations.”
It is believed that gang members are still at large.
A suspect was detained in October for hacking Brazilian and Portuguese businesses and government entities with Lapsus$.
It is unclear how much Lapsus$ has profited from its cybercrimes. No companies have publicly paid the hackers, and the 17-year-old refused to give authorities his cryptocurrency hardware wallet.
Her Honour Judge Lees will pass judgment at a later date on both juveniles.
Kurtaj is remanded in custody, while the 17-year-old defendant’s parole remains unchanged.
