Skip links

Lapsus$ teen sentenced to indefinite detention in hospital after Nvidia, GTA cyberattacks

Two British teens who were members of the Lapsus$ gang have been sentenced for their roles in a cyber-crime spree that included compromising Uber, Nvidia, and fintech firm Revolut, and also blackmailing Grand Theft Auto maker Rockstar Games.

Arion Kurtaj, 18, of Oxfordshire, was sentenced Thursday to detention at a hospital in the UK for an indefinite amount of time. Kurtaj, who has autism, was assessed by psychiatrists as not fit to stand trial. He will remain hospitalized until a mental health tribunal says he can leave.

Also on Thursday, a 17-year-old member of the chaotic crime gang, who cannot be named for legal reasons, was given a youth rehabilitation order.

Kurtaj had reportedly been violent while in custody, and the court heard dozens of reports of injury or property damage. During his sentencing hearing, a mental health assessment determined that Kurtaj “continued to express the intent to return to cybercrime as soon as possible. He is highly motivated.”

Previously, Kurtaj was found guilty of 12 offenses, including computer intrusion, blackmail, and fraud. The 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer.

The two teenagers and other Lapsus$ members broke into and attempted to extort Brit telecoms giant BT, Microsoft, Samsung, Vodafone, Revolut, and Okta between August 2020 and September 2022.

Among other things, Kurtaj, while under police protection at a Travelodge hotel while out on bail and with his laptop confiscated, broke into Rockstar Games using an Amazon Firestick, his room’s TV, and a phone, stole and leaked some internal videos and source code, and told the biz it had 24 hours to contact him or he would leak the lot. He also swiped 1TB of corporate material from Nvidia and shared 80GB of it publicly while threatening to dump the rest online.

“This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone’s broader future,” said City of London Police Detective Chief Superintendent Amanda Horsburgh. “Unfortunately, the digital world can also be tempting to young people for the wrong reasons.”

In March 2022, London cops arrested and then released seven people, aged 16 to 21, for their alleged roles in the digital intrusions and extortion attempts. They then re-arrested and charged Kurtaj and the 17-year-old later that month.

The crew’s tactics included phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication (MFA) codes.

Following their string of high-profile attacks, the US government in August issued a report on Lapsus$ [PDF] and urged organizations to move away from voice- and SMS-based MFA and instead use a hardware-backed FIDO key or biometric authentication.

It also called on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to strengthen their oversight and enforcement activities of telecommunications providers related to SIM swapping. ®

Source