The notorious hacker group Lapsus$ has been making headlines over the past year with high-profile cyber attacks against major tech companies. But one of their members, 18-year-old Arion Kurtaj, is now facing consequences for his involvement.
Kurtaj was recently sentenced to an indefinite hospital order in connection with leaks of clips from the forthcoming Grand Theft Auto 6 game.
Who is Arion Kurtaj?
Kurtaj is an 18-year-old hacker with autism from Oxford, UK. He was a key member of the international hacking group Lapsus$, which conducted cyber attacks against companies like Uber, Nvidia, and Rockstar Games.
As part of Lapsus$, Kurtaj participated in hacks that ended up costing targeted companies close to $10 million in damages. But his most infamous hack was on Rockstar Games, the developer behind the popular Grand Theft Auto franchise. Despite having his equipment confiscated while out on bail, Kurtaj managed to breach Rockstar's systems using just a hotel TV and an Amazon Firestick - BBC reported.
The GTA 6 Leak
Kurtaj gained access to Rockstar's Slack messaging system and stole 90 clips of the unreleased GTA 6 game that was under development. He threatened to release the source code if the company did not contact him. Kurtaj then leaked the gameplay clips on a hacking forum under the username "TeaPotUberHacker."
This brazen attack, which generated a lot of buzz when the leaks emerged online, ended up costing Rockstar Games over $5 million according to their own estimates.
Due to Kurtaj's acute autism, he was deemed unfit to stand trial. So the jury was asked to determine if he committed the criminal acts rather than whether he did so intentionally.
In the sentencing hearing, Kurtaj's defense attorney argued that the now released GTA 6 trailer's success showed the hack did not seriously harm Rockstar. But the judge maintained there were real victims impacted by the broader pattern of Lapsus$ attacks.
Ultimately, Kurtaj received an indefinite hospital order. He will remain in a secure hospital unless doctors no longer see him as a danger to the public based on his advanced hacking skills.
Kurtaj was not the only Lapsus$ member brought to justice. A 17-year-old partner was also convicted for assisting with hacks against companies like Nvidia and BT/EE. He received an 18-month youth rehabilitation order.
These sentences are the first convictions of Lapsus$ members, but authorities believe others remain at large. The group's bold attacks shocked the cybersecurity world and prompted warnings about the threat of young, skilled hackers.
Lapsus$ relied on both technical means and social engineering tactics to infiltrate corporations like Microsoft. Security experts have called for companies to strengthen their defenses in response.
The investigations into Lapsus$ are still ongoing. And the full scope of what data or funds they have stolen remains unknown.
But the convictions of Kurtaj and his 17-year old accomplice show that to age remains no barrier to facing consequences for cybercrime. As hacking skills and tools continue to proliferate to younger generations, defending against these threats may prove one of the biggest challenges in online security.