Teenage Lapsus$ hacker sentenced to indefinite hospital confinement

17-year-old associate receives rehabilitation order

Teenage Lapsus$ hacker sentenced to indefinite hospital confinement

Image:
Teenage Lapsus$ hacker sentenced to indefinite hospital confinement

An 18-year-old hacker associated with the cybercrime group Lapsus$ has been sentenced to an indefinite stay in a secure hospital after being involved in high-profile data breaches and extortion attempts.

Arion Kurtaj from Oxfordshire pleaded guilty to 12 offences including computer intrusion, blackmail and fraud. He was deemed unfit to stand trial due to his severe autism, but a jury at Guildford Crown Court found that he had committed the criminal acts.

Between 2021 and 2022, the Lapsus$ gang compromised numerous high-profile targets including Uber, Nvidia, Revolut, BT, Microsoft, Samsung, Vodafone, Mercado Libre and Okta, stealing data and demanding millions in ransoms. It is not known whether any ransoms were paid.

Charged in April 2022, while out on bail Kurtaj breached video games company Rockstar Games, leaking 90 clips of the unreleased Grand Theft Auto 6 game. He demanded a ransom or threatened to release more data. This hack alone cost Rockstar $5 million, according to the company.

A doctor's report warned Kurtaj was at high risk of reoffending, given his skills and motivation. He will be detained indefinitely until doctors approve his release.

Kurtaj worked with a 17-year-old, not named because of his age, who was sentenced to an 18-month Youth Rehabilitation Order for his role.

Other members of Lapsus$ gang remain at large, according to the police. Some of their number are thought to live in South America.

The gang used social engineering and bribery to breach accounts, including paying employees for MFA codes, MFA "prompt bombing", phishing, credential harvesting, stealing API keys from GitHub and hijacking authentication cookies.

While none of the methods were particularly novel, the young age of the participants was something of a surprise to authorities around the world.

The gang often publicised its hacks and taunted victims.

Prosecutors told the court the teenagers were identified after investigators traced their IP addresses through various email and Telegram accounts that the pair used to boast about their activities.