British court convicts two teen Lapsus$ members of hacking tech firms
A court in London on Wednesday found two teenagers guilty of participating in a hacking spree that involved breaking into the computer networks of Uber, Revolut, and video game developer Rockstar Games.
Arion Kurtaj, 18, was described as a key member of the Lapsus$ group who was acting independently when he broke into the systems of ride-hailing business Uber, fintech firm Revolut, and the developer of Grand Theft Auto in a spate of successive incidents in September 2022.
The second defendant found guilty in London today is age 17 and is not being named for legal reasons, as reported by BBC News.
The 17-year-old was convicted of participating in attempts to blackmail the telecommunications company BT as well as the graphics-card maker Nvidia as part of activities with Lapsus$.
The Lapsus$ gang gained notoriety for its erratic behavior, its public boasts of successful attacks and because several of its members appeared to be teenagers. It had purported links to Brazil, where Federal Police last year announced the arrest of another alleged member.
Kurtaj, who has autism, was deemed unfit to stand trial by psychiatrists. The court heard he hacked Rockstar Games, the maker of Grand Theft Auto, while on bail in a hotel by using an Amazon Fire Stick connected to his hotel television.
At the time of the Uber hack, a person claiming to be responsible contacted The New York Times and security researchers to claim they had managed to access the ride-hailing company's computer network through social engineering.
Uber said the hacker had posted what was described as pornographic material to an internal information page for employees, alongside the message: “Fuck you wankers.”
The Grand Theft Auto incident was disclosed on a fan forum for the video game series by an individual who claimed to have also hacked Uber. This individual then shared a link to clips from Grand Theft Auto 6, a title which Rockstar had not publicly confirmed was in development.
At the time of the Revolut incident, some users on Reddit reported seeing messages with inappropriate language on the app’s support chat. Revolut replied that it was aware of those messages and “taking steps to ensure this does not happen again.”
Prosecutors said that the hacking incidents were linked to the teens by investigators who found their IP addresses through a number of email and Telegram accounts which the pair allegedly used to boast about their antics.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.