Lapsus$: court finds teenagers carried out hacking spree

A court has found an 18-year-old from Oxford was a part of an international cyber-crime gang responsible for a hacking spree against major tech firms.

Arion Kurtaj was a key member of the Lapsus$ group which hacked the likes of Uber, Nvidia and Rockstar Games.

A court heard Kurtaj leaked clips of the unreleased Grand Theft Auto 6 game while on bail in a Travelodge hotel.

The audacious attacks by Lapsus$ in 2021 and 2022 shocked the cyber security world.

Kurtaj is autistic and psychiatrists deemed him not fit to stand trial so he did not appear in court to give evidence.

The jury were asked to determine whether or not he did the acts alleged – not if he did it with criminal intent.

Another 17-year-old who is also autistic was convicted for his involvement in the activities of the Lapsus$ gang but can not be named because of his age.

The group from the UK, and allegedly Brazil, was described in court as “digital bandits”.

The gang – thought to mostly be teenagers – used con-man like tricks as well as computer hacking to gain access to multinational corporations such as Microsoft, the technology giant and digital banking group Revolut.

During their spree the hackers regularly celebrated their crimes publicly and taunted victims on the social network app Telegram in English and Portuguese.

The trial was held in Southwark Crown Court in London for seven weeks.

Jurors heard that the unnamed teenager started hacking with Kurtaj in July 2021 having met online.

Kurtaj aided by Lapsus$ associates, hacked the servers and data files of telecoms company BT and EE, the mobile operator, before demanding a $4m (£3.1m) ransom on 1 August 2021.

No ransom was paid but the court heard that the 17-year-old and Kurtaj used stolen SIM details from five victims to steal a total of nearly £100,000 from their crytpocurrency accounts which were secured by their compromised mobile phone SIM identities.

Both defendants were initially arrested on 22nd January 2022, then released under investigation.

That did not deter the duo who continued hacking with Lapsus$ and successfully breached Nvidia, a Silicon Valley tech giant that makes chips for artificial intelligence chatbots, in February 2022.

They stole and leaked sensitive and valuable data and demanded a ransom payment to stop them releasing more.

The jury were shown Telegram group chats of the gang instructing someone they’d hired to call the Nvidia staff help desk pretending to be an employee in an attempt to get log in details for the firm.

In other hacks the gang spammed employee phones late at night with access approval requests until staff said yes.

Kurtaj and the youth were both re-arrested on March 31st 2022.

Shortly before his arrest, Kurtaj was “doxxed” by rival hackers who posted his and his families contact details online along with pictures and videos of the keen fisherman from social media.

Kurtaj was moved into a Travelodge hotel in Bicester for his safety and given strict bail conditions including a ban from going on the internet.

But Kurtaj carried on hacking.

Prosecutors say he was “caught red handed” when City of London Police searched his hotel room.

In a “flagrant disregarded for his bail conditions” jurors were told that police found an Amazon Fire Stick in his hotel TV allowing him to connect to cloud computing services with a newly purchased smart phone, keyboard and mouse.

The court heard he had helped attack Revolut, Uber and Rockstar Games.

His final hack against the game-maker was described as his “most audacious” as Kurtaj posted a message on the company Slack messaging service to all employees, stating: “I am not a Rockstar employee, I am an attacker.”

He declared that he had downloaded all data for Grand Theft Auto 6, Rockstar’s hugely popular video game series, adding that “if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code”.

Meanwhile, 90 video clips of unfinished gameplay for the highly-anticipated new game were also published on a fan forum under the username TeaPotUberHacker.

Kurtaj was re-arrested and detained until his trial.

Prosecution lead barrister Kevin Barry said that Kurtaj and his co-conspirators repeatedly showed a “juvenile desire to stick two fingers up to those they are attacking”.

Once inside a company’s computer network, the hackers often left offensive messages on Slack and Microsoft Teams as they attempted to blackmail staff.

The gang’s actions were often erratic with motives apparently swinging from notoriety, financial gain or amusement.

Their hacking spree prompted a major review by US cyber authorities earlier this month which warned that cyber defences needed to be improved to counter the rising threat of teenage hackers.

The report said Lapsus$ “made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organisations”.

It is thought that members of the gang are still at large.

In October, Brazilian police arrested an individual this is alleged to have hacked various Brazilian and Portuguese companies and public bodies with Lapsus$.

It is not clear how much money Lapsus$ has made from its cyber crimes. No companies publicly admitted paying the hackers and the 17-year-old refused to give police access to his cryptocurrency hardware wallet.

Both teenagers will be sentenced at a later date by Her Honour Judge Lees.

Kurtaj is remanded in custody and the 17-year-old defendant continues to have bail.