UK Cyberterrorist Teen Convicted After Gambling Stolen Funds

Posted on: August 24, 2023, 06:36h. 

Last updated on: August 24, 2023, 10:49h.

One of the primary actors behind a massive ransomware scheme in the UK will likely go to prison despite being a teenager, according to the BBC. In a groundbreaking verdict, a panel of London jurors determined that Arion Kurtaj, who’s barely 18 but had a penchant for online gambling, was a main figure of the notorious Lapsus$ data hacking collective.

Arion Kurtaj on a fishing boat. The 18-year-old hacker has been found guilty of stealing millions of dollars through ransomware attacks. (Image: Corriere)

Kurtaj played a prominent role in breaching the security systems of numerous companies, including Microsoft, Nvidia, T-Mobile, Samsung, Cisco, Ubisoft, Revolut, and more. Lapsus$ even targeted the London police department.

The hackers pilfered valuable data from the target companies’ digital vaults and perpetrated a series of ransomware attacks. The group made a small fortune by exploiting the threat to disclose confidential information as leverage.

As one of the group’s primary leaders, Kurtaj, from Oxford, England, gained recognition as a prominent figure in hacking circles and the police blotter. He was arrested twice last year — once in January and the second time in March — on suspicion of hacking, but always walked away.

The case surrounding Kurtaj was a unique one. He is officially and legally autistic, leading a psychologist to determine he wasn’t fit to stand trial. Nevertheless, the jury was instructed to assess his culpability regarding the presumed hacking activity, disregarding any criminal intentions involved.

Cyberattacks & Grand Theft Auto

Kurtaj, aided by individuals from Lapsus$, repeatedly launched attacks on various companies, demanding exorbitant sums of money. Going by the alias teapotuberhacker, he unveiled a secret gameplay video of Grand Theft Auto 6, which helped him achieve hacker stardom.

The game was still in post-production and hadn’t been publicly released at the time. Kurtaj acquired the exclusive footage by infiltrating the developer’s Slack server and the game’s Confluence wiki. He published the info from a hotel while temporarily released on bail – for hacking.

Online, Kurtaj cunningly operated under various aliases, such as White and Breachbase, extending his digital footprint across more than a dozen identities. His hacking escapades proved quite lucrative, as he managed to amass a staggering sum of 300 BTC.

Today that would be worth around $7.9 million. Lapsus$ likely made a lot more, although most companies are often unwilling to admit to an attack or specify how much they paid to make it disappear.

Kurtaj reportedly squandered the majority of the funds through gambling. In an ironic twist, some of it was lost to hackers who broke into his computers.

An accomplice also faces prosecution for similar acts. The unidentified 17-year-old, also diagnosed with autism, was found guilty of unlawfully breaching regulations. There’s no information available about when they’ll return to court for sentencing.

SIM-Swapping Specialists

In a separate report on Lapsus$, the U.S. government detailed how the group worked. It employed cost-effective techniques to find vulnerabilities within the digital infrastructure, using SIM-swapping scams to carry out its attacks.

In a SIM-swapping attack, a criminal contacts the mobile phone carrier while impersonating the phone number’s owner. They convince the carrier to activate a new SIM card with the same number, which can give hackers access to almost all digitally stored data.

The hackers could take over high-level and sensitive phone numbers by paying $200K a week to a telecom provider’s network, giving them access to crucial codes to enter company networks. These codes were applied across various accounts, further expanding their illicit activities.

From 2021 until 2022, Lapsus$ took off. It gained in strength as it pulled in more hackers from the UK, Brazil, and other locations. The group’s motivations encompassed a trifecta of seeking recognition, monetary gains, and simple amusement.

Things began to fall apart for Lapsus$ last September. Following extensive investigations involving multiple law enforcement offices worldwide, police began apprehending many of the group’s members, including multiple UK residents and one individual located in Brazil. With that, Lapsus$, as an entity, came to an end.