A court in the UK has found that an 18-year-old from Oxford, Arion Kurtaj, was a part of the Lapsus$ hacking group responsible for hacking a range of tech firms including Nvidia and Rockstar Games. These intrusions resulted in a major leak of footage from the upcoming Grand Theft Auto 6, a game that Rockstar has yet to officially unveil, and the court heard that Kurtaj leaked the clips from a Travelodge hotel while he was already on bail after being arrested for another hack.
The trial was at Southwark Crown Court and lasted seven weeks and the jury was asked to determine whether or not Kurtaj was liable for the acts alleged, not if they were done with criminal intent. The judge ruled Kurtaj unfit to stand trial, following assessment by psychiatrists, so the accused did not give evidence.
The jury found Kurtaj liable for all 12 charges (via Bloomberg). Alongside this, a 17-year-old who cannot be named because of their age pled guilty to two hacking charges, was found guilty of another, and cleared over two more.
The pair had met online before beginning to hack together in July 2021. Lapsus$ targeted telecoms firms BT and EE on August 1, 2021, demanding a $4 million ransom. The ransom was not paid but SIM details were used to steal £100,000 worth of cryptocurrency from linked wallets.
Both hackers were arrested on January 22, 2022 and released pending further investigation. They kept hacking, and were found to have been involved in Lapsus$' successful attack on Nvidia in February 2022. The group stole and leaked Nvidia internal data, threatening to release more unless a ransom was paid. This hack targeted Nvidia employees with phone calls and late-night texts
Shortly after this, Kurtaj was doxxed by rivals, before both hackers were re-arrested on March 31, 2022. Due to concerns over his safety due to the doxxing, Kurtaj was placed in a Travelodge by police and put under bail conditions: including an internet ban.
It was here that Kurtaj was involved in hacking Rockstar Games (as reported by the BBC). During this attack the court heard Kurtaj posted a message on Rockstar's Slack (a company-wide messaging system) saying, "I am not a Rockstar employee, I am an attacker." He said he'd got all the data for Grand Theft Auto 6 and that if Rockstar did not make contact within 24 hours, he would "start releasing the source code." 90 clips of the game were then posted on a GTA forum from user TeaPotUberHacker.
When police later searched Kurtaj's hotel room, they found an Amazon Fire Stick in the TV, a smart phone, a keyboard and a mouse: a setup that allowed him to get online. Or as the prosecution put it, Kurtaj was "caught red handed". He was immediately re-arrested and detained until the trial.
While the scale of Lapsus$' success is undeniable, the methods it used were as much about classic cons like phishing employees as hacking itself. The prosecutors described them as "digital bandits" and noted especially the group's public celebrations of their work and how breached targets would subsequently be taunted and threatened. Kurtaj and his fellow Lapsus$ members showed a "juvenile desire to stick two fingers up to those they are attacking", said the prosecution's lead barrister Kevin Barry.
None of the companies hacked have publicly admitted paying Lapsus$ any ransom, and it is unknown how much money the group made from its activities. It is thought that members of Lapsus$ remain at large. In October 2022, Brazilian police arrested an individual alleged to have been part of the group, though has issued no subsequent public update on whether charges were or will be filed.
Kurtaj is remanded in custody, and the 17-year-old is on bail. Both will be sentenced at a later date, with the judge to decide whether Kurtaj will be hospitalised or released under supervision.