Lapsus$: Court finds teenagers carried out hacking spree
An 18-year-old from Oxford has been charged with being part of a cyber-crime gang responsible for hacking major tech companies.
Arion Kurtaj was a key member of the Lapsus$ hacking group that targeted Uber, Nvidia, and Rockstar Games.
While on bail in a Travelodge hotel, Kurtaj leaked clips from the unreleased Grand Theft Auto 6 game.
Lapsus$ shocked the cyber security world in 2021 and 2022 with its audacious attacks.
Due to his autism, Kurtaj was deemed unfit to testify at trial by psychiatrists.
It was the jury’s responsibility to determine whether or not he committed the acts alleged, not whether he intended to commit them.
As a result of his age, we are unable to identify another 17-year-old who was convicted for his involvement with the Lapsus$ gang.
In court, the UK and Brazil were described as “digital bandits”.
In order to gain access to multinational corporations such as Microsoft and Revolut, the gang used con-man-like tricks and computer hacking.
They taunted victims on the social networking app Telegram in English and Portuguese while celebrating their crimes publicly.
In London, Southwark Crown Court held the trial for seven weeks.
Hacking spree one
Having met online, the unnamed teenager began hacking with Kurtaj in July 2021.
By 1 August 2021, Kurtaj, assisted by Lapsus$ associates, had hacked BT’s and EE’s servers and data files before demanding a $4m (£3.1m) ransom.
The 17-year-old and Kurtaj did not pay a ransom, but the court heard that they stole nearly £100,000 from five cryptocurrency accounts secured by compromised mobile phone SIM cards.
Following their arrests on 22nd January 2022, both defendants were released under investigation.
Hacking spree two
In February 2022, the duo breached Nvidia, a Silicon Valley tech giant that makes chips for artificial intelligence chatbots, with the help of Lapsus$.
As a ransom payment was demanded to stop them from releasing more data, they stole and leaked sensitive and valuable information.
During the trial, the jury was shown Telegram group chats in which the gang instructed their hired workers to call Nvidia’s staff help desk pretending to be employees.
In other hacks, the gang spammed employee phones late at night with access approval requests.
Both Kurtaj and the youth were re-arrested on March 31st 2022.
Kurtaj and his family’s contact information was posted online along with photos and videos of the keen fisherman shortly before his arrest by rival hackers.
Kurtaj was moved into a Travelodge hotel in Bicester for his safety and was given strict bail conditions, including a ban on using the internet.
Kurtaj, however, continued hacking.
Hacking spree three
A City of London Police search of his hotel room resulted in his being “caught red handed”, according to prosecutors.
He used a newly purchased smart phone, keyboard, and mouse to access cloud computing services with an Amazon Fire Stick found in his hotel TV, a flagrant disregard for his bail conditions, jurors were told.
According to the court, he helped attack Revolut, Uber, and Rockstar Games. Kurtaj’s final hack against Rockstar Games was described as his “most audacious” since he posted a message on the company’s Slack messaging system stating: “I am not a Rockstar employee, I am an attacker.”
According to him, he had downloaded all data for Grand Theft Auto 6, Rockstar’s hugely popular video game series, adding that “if Rockstar doesn’t contact me on Telegram within 24 hours I will start releasing the source code.”.
Moreover, 90 unfinished gameplay clips of the highly anticipated new game were also posted on a fan forum under the username TeaPotUberHacker.
As a result of Kurtaj’s re-arrest, he was detained until his trial.
‘Juvenile’ showing off
Kevin Barry, the lead barrister for the prosecution, alleged that Kurtaj and his co-conspirators displayed a “juvenile desire to stick two fingers up to the people they are attacking”.
Blackmail was often attempted by hackers once they had gained access to a company’s computer network.
Apparently motivated by notoriety, financial gain or amusement, the gang’s behavior was often erratic.
Cyber authorities warned earlier this month that cyber defences needed to be improved in order to counter the rising threat of teenage hackers after their hacking spree.
Lapsus$ “clearly demonstrated how easily its members (sometimes juveniles) infiltrated well-defended organizations”, according to the report.
Gang members are still at large, according to reports.
A Brazilian police officer was arrested in October for allegedly hacking several Brazilian and Portuguese companies and public institutions with Lapsus$.
Amounts made by Lapsus$ from cybercrime are unclear. The 17-year-old refused to provide police with his cryptocurrency hardware wallet and no companies publicly admitted paying the hackers.
Her Honour Judge Lees will sentence both teenagers at a later date.
The 17-year-old defendant remains in custody, remanded in custody.