Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds

From BT and Nvidia to Grand Theft Auto 6, pair went on a total tear


Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided.

At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing.

This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty, as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decide whether or not he did the things he was accused of.

After a two-month process, jurors determined Kurtaj committed 12 offenses, including computer intrusion, blackmail, and fraud, while the 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer.

The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.

The duo met online, and one of their first acts of cyber-trespassing was sneaking into BT and cellphone network operator EE's servers, according to the BBC's crown court report.

The extortionists demanded a £3.1 million ($4 million) ransom, which wasn't paid. However, the teens did use some of the swiped data – specifically, details of their SIM cards – to steal about £100,000 ($130,000) from five people's cryptocurrency wallets.

Later, in February 2022, the Lapsus$ miscreants breached the security of GPU giant Nvidia. They stole employee credentials, schematics, and driver and firmware code, among other sensitive information, and leaked some of the files online. The dumped data also included a private key that could be used to sign Windows malware.

In yet another of the gang's high-profile heists, the two teens stole unreleased footage and source code for Grand Theft Auto 6, and then leaked some of it online.

London cops arrested and then released seven people between the ages of 16 and 21 for their alleged involvement in the hacks in March 2022 before re-arresting and charging Kurtaj and the 17-year-old on March 31, 2022.

The teens' hacking spree showed a "juvenile desire to stick two fingers up to those they are attacking," prosecution lead barrister Kevin Barry reportedly told the jury.

It also prompted the US Department of Homeland Security's Cyber Safety Review Board to investigate the threat posed by the teen hackers.

In a report [PDF] published earlier this month detailing attacks associated with Lapsus$, the board recommended that "Congress should explore funding juvenile cybercrime prevention programs and reducing criminal incentives by exploring ways to ensure continuity between federal and state law enforcement authorities." ®
