British Teenagers Convicted for Hacking Uber, Rockstar Games, and Microsoft
Two British teenagers have been convicted by a London jury for their involvement in hacking activities that targeted major companies including Uber, Rockstar Games, and Microsoft. The duo, identified as Arion Kurtaj and an unnamed 17-year-old, were core members of a hacking group called Lapsus$.
The defendants faced charges related to various computer crimes, blackmail, and fraud, which included gaining unauthorized access to corporate networks, social engineering, and SIM swapping. The crimes took place while they were still active members of the Lapsus$ gang, which has since disbanded.
Following their arrest in January 2022, the teenagers were released on bail as the investigation by the City of London Police continued. It was during this time that their hacking activities allegedly persisted. The 17-year-old was accused of hacking into the City of London Police servers, while Kurtaj was accused of leaking video clips from Rockstar’s upcoming Grand Theft Auto 6 video game.
Kurtaj, who is autistic, was deemed unfit to stand trial by psychiatrists and did not appear in court. The judge instructed the jury to determine if he had committed the crimes, regardless of criminal intent.
After more than nine hours of deliberation, the jury unanimously found Kurtaj guilty on all 12 charges brought against him. These included unauthorized access to computers, blackmail, fraud, and failing to comply with a Section 49 notice regarding his mobile phone.
The 17-year-old, also autistic, was found guilty of participating in multiple Lapsus$ attacks, including unauthorized access to a computer, fraud, and blackmail against chipmaker Nvidia.
Lapsus$, which operated in both the UK and Brazil, conducted attacks between late 2021 and late 2022, targeting numerous high-profile organizations. The group utilized techniques such as SIM swapping, social engineering, and phishing to gain access to companies’ networks and steal their proprietary data.
During their attacks, Lapsus$ would often taunt its victims with posted messages, demand ransoms, or steal cryptocurrency. The group maintained that it did not employ ransomware, and it claimed to have recruited insiders from various well-known firms.
The investigation into Lapsus$ revealed that the group gained access to Uber’s network by purchasing stolen access credentials. Although Uber had security measures in place, the attackers eventually gained entry after an external contractor approved a login request that the hackers had persistently repeated.
Kurtaj’s identity was exposed when hackers posted it on a now-defunct Tor site. Faced with pressure, he sold the site back to its original owners and leaked all the previously made posts, resulting in retaliation from users who exposed his true identity.
The judge has scheduled a case review for Kurtaj in September, and the 17-year-old is expected to return to court in November for potential sentencing.
The conviction of these teenage hackers sends a strong message regarding the consequences of engaging in cybercrime. It serves as a reminder that even young offenders will be held accountable for their actions in the digital world.