Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds
From BT and Nvidia to Grand Theft Auto 6, pair went on a total tear
Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided.
At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing.
This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decided whether or not he did the things he was accused of.
After a two-month process, jurors determined Kurtaj committed 12 offenses, including computer intrusion, blackmail, and fraud, while the 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer.
The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.
The duo met online, and one of their first acts of cyber-trespassing was sneaking into BT and cellphone network operator EE's servers, according to the BBC's crown court report.
The extortionists demanded a £3.1 million ($4 million) ransom, which wasn't paid. However, the teens did use some of the swiped data – specifically, details of their SIM cards – to steal about £100,000 ($130,000) from five people's cryptocurrency wallets.
Later, in February 2022, the Lapsus$ miscreants breached the security of GPU giant Nvidia. They stole employee credentials, schematics, and driver and firmware code, among other sensitive information, and leaked some of the files online. The dumped data also included a private key that could be used to sign Windows malware.
In yet another of the gang's high-profile heists, the two teens stole unreleased footage and source code for Grand Theft Auto 6, and then leaked some of it online.
- Mandiant's 'most prevalent threat actor' may be living under your roof – the teenager
- Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs
- Lapsus$ back? Researchers claim extortion gang attacked software consultancy Globant
- More charged in UK Lapsus$ investigation
London cops arrested and then released seven people between the ages of 16 and 21 for their alleged involvement in the hacks in March 2022 before re-arresting and charging Kurtaj and the 17-year-old on March 31, 2022.
The teens' hacking spree showed a "juvenile desire to stick two fingers up to those they are attacking," prosecution lead barrister Kevin Barry reportedly told the jury.
It also prompted the US Department of Homeland Security's Cyber Safety Review Board to investigate the threat posed by the teen hackers.
In a report [PDF] published earlier this month detailing attacks associated with Lapsus$, the board recommended that "Congress should explore funding juvenile cybercrime prevention programs and reducing criminal incentives by exploring ways to ensure continuity between federal and state law enforcement authorities." ®