Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds

From BT and Nvidia to Grand Theft Auto 6, pair went on a total tear

Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided.

At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing.

This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decided whether or not he did the things he was accused of.

After a two-month process, jurors determined Kurtaj committed 12 offenses, including computer intrusion, blackmail, and fraud, while the 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer.

The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.

The duo met online, and one of their first acts of cyber-trespassing was sneaking into BT and cellphone network operator EE's servers, according to the BBC's crown court report.

The extortionists demanded a £3.1 million ($4 million) ransom, which wasn't paid. However, the teens did use some of the swiped data – specifically, details of their SIM cards – to steal about £100,000 ($130,000) from five people's cryptocurrency wallets.

Later, in February 2022, the Lapsus$ miscreants breached the security of GPU giant Nvidia. They stole employee credentials, schematics, and driver and firmware code, among other sensitive information, and leaked some of the files online. The dumped data also included a private key that could be used to sign Windows malware.

In yet another of the gang's high-profile heists, the two teens stole unreleased footage and source code for Grand Theft Auto 6, and then leaked some of it online.

London cops arrested and then released seven people between the ages of 16 and 21 for their alleged involvement in the hacks in March 2022 before re-arresting and charging Kurtaj and the 17-year-old on March 31, 2022.

The teens' hacking spree showed a "juvenile desire to stick two fingers up to those they are attacking," prosecution lead barrister Kevin Barry reportedly told the jury.

It also prompted the US Department of Homeland Security's Cyber Safety Review Board to investigate the threat posed by the teen hackers.

In a report [PDF] published earlier this month detailing attacks associated with Lapsus$, the board recommended that "Congress should explore funding juvenile cybercrime prevention programs and reducing criminal incentives by exploring ways to ensure continuity between federal and state law enforcement authorities." ®

Send us news

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen

Real-life impact of buggy software laid bare – plus: Avast tries to profit from being caught up in attacks

Mirai malware infects routers and cameras for new botnet

Akamai sounds the alarm – won't name the manufacturers yet

Scores of US credit unions offline after ransomware infects backend cloud outfit

Supply chain attacks: The gift that keeps on giving

Rogue ex-Motorola techie admits cyberattack on former employer, passport fraud

Pro tip: Don't use your new work email to phish your old firm

'Serial cybercriminal and scammer' jailed for 8 years, told to pay back $1.2M

Crook did everything from SIM swaps to fake verified badge scams

Top Ukrainian cyber officials fired after allegedly pocketing kickbacks from govt IT deals

Duo probed over alleged $2M embezzlement plot

Clorox CISO flushes self after multimillion-dollar cyberattack

Plus: Ransomware crooks file SEC complaint against victim

Look out, Scattered Spider. FBI pumps 'significant' resources into snaring data-theft crew

Absence of arrests doesn't mean nothing's happening, cyber-cops insist

Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media

Also: NXP China attack, Australia can't deliver on ransom payment ban (yet), and Justin Sun's very bad month

Impatient LockBit says it's leaked 50GB of stolen Boeing files after ransom fails to land

Aerospace titan pores over data to see if dump is legit

Industry piles in on North Korea for sustained rampage on software supply chains

Kim’s cyber cronies becoming more active, sophisticated in attempts to pwn global orgs