- By Joe Tidy
- cyber correspondent
18-year-old Arion Kurtaj was a key member of the notorious cyber crime syndicate Lapsus
A court has found that an 18-year-old boy from Oxford was part of an international cybercrime gang that hacked a major tech company.
Arion Kurtaj was a key member of the Lapsus$ group that hacked Uber, Nvidia, Rockstar Games, and more.
A court has ruled that Kurtaj leaked clips from the unreleased Grand Theft Auto 6 game while out on bail at the Travelodge Hotel.
Kurtaj did not appear in court to give evidence because he has autism and a psychiatrist decided he was unfit to stand trial.
The jury was asked to determine whether he committed the alleged acts, not whether he did so with criminal intent.
Another 17-year-old, who also has autism, was convicted of involvement in the activities of the Lapsasdol gang, but cannot be named because of his age.
The group, allegedly from the UK and Brazil, were described in court as “digital bandits”.
The gang, believed to be mostly teens, used con-artist tricks and computer hacking to gain access to multinational corporations such as tech giant Microsoft and digital banking group Revolut.
During the crime, the hackers regularly publicly praised their crimes and mocked their victims in English and Portuguese on the social network app Telegram.
The trial lasted seven weeks at Southwark Court in London.
hacking spree 1
Jurors heard that an anonymous teenager began hacking with Kurtaj in July 2021 after meeting online.
Kurtaj, aided by Lapsus$ officials, hacked the servers and data files of telecom company BT and mobile operator EE and demanded a ransom of $4 million (£3.1 million) on 1 August 2021.
image source, city of london police
Hackers sent threatening text messages to 26,000 EE customers
Although no ransom was paid, the court found that SIM details stolen from five victims by a 17-year-old boy and Kurtaj were used to unlock cryptocurrency accounts that were protected by SIM IDs on compromised mobile phones. It was prosecuted that nearly £100,000 had been stolen from
hacking spree 2
Undeterred, the duo continued their hacks on Lapsus$ and in February 2022 successfully broke into Silicon Valley tech giant Nvidia, which makes chips for artificially intelligent chatbots.
They stole and leaked sensitive and valuable data and demanded ransom payment to prevent further disclosure.
The jury was shown a Telegram group chat in which a person hired by the gang was instructed to pretend to be an employee and call an NVIDIA staff helpdesk to obtain the company’s login information.
Another hack involved an employee spamming an employee’s phone in the middle of the night, sending access approval requests until the employee approves.
Kurtaj and the young man were rearrested on 31 March 2022.
Kurtaj was transferred to the Travelodge Hotel in Bicester for safety and given strict bail conditions, including no internet access.
But Kurtaj continued hacking.
Prosecutors said they were “caught red-handed” when London police raided a hotel room.
“His bail conditions were flagrantly disregarded,” jurors said, adding that the hotel TV had an Amazon Fire Stick installed and that he was using his newly purchased smartphone, keyboard and mouse to access cloud computing services. Police were reportedly found to have been able to connect to
The court found that he cooperated in attacks on Revolut, Uber and Rockstar Games.
image source, rockstar games
Grand Theft Auto is made by Rockstar Games
In the final hack against the game maker, Mr. Kurtaj posted a message to all employees on the company’s messaging service “Slack” saying, “I am not a Rockstar employee, I am an attacker” and said, “The most daring It was described as hacking.
He declared that he had downloaded all the data for Rockstar’s popular video game series, Grand Theft Auto 6, and said, “If we do not hear from Rockstar via Telegram within 24 hours, we will not release the source code. start,” he added.
Meanwhile, 90 video clips of unfinished gameplay of the highly anticipated new game have also been posted to fan forums under the username TeaPotUberHacker.
Mr. Kurtaj was re-arrested and held in custody pending trial.
Performing “Juvenile”
Prosecutor’s Chief Trial Counsel Kevin Barry said Mr Kurtaj and his co-conspirators repeatedly demonstrated “a youthful desire to put up two fingers on the person they are attacking”.
Once inside a company’s computer network, hackers often left offensive messages in Slack or Microsoft Teams in an attempt to intimidate staff.
Gang behavior was often deviant, and their motives apparently varied from notoriety, financial gain, or entertainment.
Their hacking behavior triggered Massive Investigation by U.S. Cyber Authorities The group warned earlier this month that cyber defenses need to be improved to combat the growing threat of teen hackers.
The report said Lapsus$ “has demonstrated how easily its members, and in some cases juveniles, can infiltrate a well-protected organization.”
Gang members are still believed to be on the run.
It is not clear how much Lapsus$ profited from cybercrime. No company publicly acknowledged paying the hackers, and the 17-year-old refused to allow police access to his own cryptocurrency hardware wallet.
The two teenagers are scheduled to be sentenced by the Leeds Honorary Judge at a later date.
Kurtaj was taken into custody and the 17-year-old remains on bail.