Arion Kurtaj, an 18-year-old hacker, has been sentenced to an indefinite hospital order following his involvement in the leak of unreleased Grand Theft Auto game footage, according to a recent BBC report. Diagnosed with acute autism, Kurtaj was a key figure in the notorious hacking group Lapsus$, known for targeting several tech giants, including Uber, Nvidia, and Rockstar Games, the developer behind GTA.
The group’s cyber-attacks, which involved data theft and ransom demands, caused nearly $10 million in damages to the affected companies. The court determined that Kurtaj’s advanced hacking skills and persistent inclination towards cyber-crime posed a significant public risk. Consequently, he will remain in a secure hospital for an indefinite period, subject to ongoing assessments by medical professionals.
The Lapsus$ group’s notorious hacks
Kurtaj’s most infamous act was the leak of 90 clips from the highly anticipated Grand Theft Auto 6. He managed to breach Rockstar’s internal systems and threatened to release the game’s source code unless the company contacted him. Remarkably, he executed this hack while under police protection and without his primary hacking tools, using an Amazon Firestick, a hotel TV, and a mobile phone.
Rockstar Games reported substantial financial and operational impacts due to Kurtaj’s actions, including a recovery cost of $5 million and extensive staff hours. Additionally, the City of London Police revealed that Lapsus$ sent threatening messages to 26,000 EE customers, further demonstrating the group’s wide-reaching cyber-terror.
In a related trial at Southwark Crown Court, another Lapsus$ member, a 17-year-old, was found guilty alongside Kurtaj. This younger hacker, involved in attacks on Nvidia and BT/EE, received an 18-month Youth Rehabilitation Order, including strict supervision and a prohibition on VPN usage. He also faced charges for stalking and harassing two young women.
The Lapsus$ group, primarily composed of teenagers from the UK and Brazil, gained infamy for their audacious cyber-attacks on multinational corporations like Microsoft and Revolut. Their combination of social engineering and technical hacking skills led to a comprehensive report by US cyber-authorities on the activities of teen hacker gangs.
This report emphasized the ease with which Lapsus$ members infiltrated highly secure organizations, highlighting significant cybersecurity vulnerabilities. The total financial gain from Lapsus$’s cyber-crimes remains uncertain, as no companies have publicly acknowledged paying ransoms, and the hackers did not release passwords for the seized cryptocurrency wallets.