Autistic Teenager Found Responsible for Spree of Crimes by Hacking Group

Autistic Teenager Found Responsible for Spree of Crimes by Hacking Group
Close view of the packaging of the console game Grand Theft Auto 5 at the midnight opening of the HMV music store in central London on September 17, 2013. Leon Neal/AFP/Getty Images
Chris Summers
Updated:
0:00

An autistic teenager has been found responsible for a spree of crimes by the Lapsus$ hacking group, including the blackmailing of the firm that makes the Grand Theft Auto video game.

A jury at Southwark Crown Court in London was told Arion Kurtaj, 18, and a 17-year-old who cannot be named for legal reasons, were “key players” in the Lapsus$ syndicate.

Kurtaj tried to blackmail Rockstar Games by threatening to “leak the stolen source code for the Grand Theft Auto sequel onto internet forums.”

The court heard Kurtaj also leaked clips of Grand Theft Auto 6—which had not yet been released—while in a Travelodge hotel and subject to bail conditions that supposedly banned him from using the internet.

Psychiatrists assessed Kurtaj as unfit to stand trial so the jury’s role was to decide if he had committed the crimes of which he was accused.

On Wednesday, following a two-month trial, a jury unanimously found Kurtaj had carried out 12 offences, including six counts of carrying out an unauthorised act to impair the operation of a computer, three counts of blackmail, two fraud offences, and one of failing to comply with a section 49 notice to disclose a key when he did not give up the password to his mobile phone when asked to by the police.

The 17-year-old was found guilty of fraud, blackmail and one count of carrying out an unauthorised act to impair the operation of a computer.

He was acquitted of carrying out an unauthorised act to impair the operation of a computer and one count of blackmail in relation to BT.

His mother wept as the verdicts were read out.

The youth had previously pleaded guilty to one offence under the Computer Misuse Act and one count of fraud.

Hackers Demanded $4 Million Ransom

Prosecutor Kevin Barry said the pair, along with several unidentified accomplices, hacked the servers and data files of broadband provider BT and mobile operator EE before demanding a ransom of $4 million on Aug. 1, 2021.

The pair, who met online, also hacked software company Nvidia in February 2022 before threatening to “release Nvidia Corporation’s intellectual property onto the web,” if it did not pay them.

They are both due to be sentenced later this year.

In his closing speech to the jury, Kurtaj’s barrister, David Miller, said the prosecution had sought to “criminalise and villainise” a youth who had been in care since the age of 14.

Mr. Miller said: “He is the most vulnerable of adolescents, now pitted against huge companies and corporations worth billions, who have unlimited funds and unlimited resources, including the FBI, NCA (National Crime Agency), Interpol and City of London Police.”

The trial heard rival hackers posted his family’s contact details online along with pictures of him on social media, a process known as doxxing. He was moved into a hotel in Oxfordshire but ignored one of his bail conditions, which banned him from using the internet.

After the verdicts, Detective Superintendent Richard Waight, of the City of London Police, said: “This has been a complex and sensitive investigation involving a multi-agency response and there have been a number of challenges throughout the police investigation and judicial process.”

“We thank the judge and jury for being patient throughout the trial, during deliberations and for the subsequent verdicts,” he added.

Lapsus$, which is believed to have been made up of individuals in Britain and Brazil, also gained access to giant corporations such as Microsoft and Uber and also the digital banking group Revolut.

‘Globally Active, Extortion-Focused Cyber Threat Actor Group’

Earlier this month the Cyber Safety Review Board in the United States published a report (pdf) which said: “Beginning in late 2021 and continuing late into 2022, a globally active, extortion-focused cyber threat actor group attacked dozens of well-known companies and government agencies around the world.”

“It penetrated corporate networks, stole source code, demanded payments while rarely following up, lodged political messages in shadowy online forums, and swiftly moved on to its next targets,” it added.

The report said: “These headline-grabbing incidents were perpetrated by a loosely organized threat actor group known as Lapsus$. Lapsus$ exploited systemic ecosystem weaknesses to infiltrate and extort organizations, sometimes appearing to do so for nothing more than attention and public notoriety.”

The review board said Lapsus$, “also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.”

PA Media contributed to this report.
Chris Summers
Chris Summers
Author
Chris Summers is a UK-based journalist covering a wide range of national stories, with a particular interest in crime, policing and the law.
Related Topics