Arion Kurtaj – an 18-year-old from Oxford – was found guilty by a unanimous jury at Southwark Crown Court of 12 offences in a string of high-profile hacks carried out as part of prominent cyber criminal gang Lapsus$, while his 17-year old unnamed accomplice was found guilty of three offences.
Kurtaj worked as a key member of Lapsus$ – which grew to notoriety in 2021 after it attacked the servers of UK telecommunications company BT and EE, attempting to illicit a $US4 million ransom in exchange for compromised user data and source code.
While no ransom was paid, the incident saw Kurtaj as well as the 17-year-old arrested by police on 22 January 2022, and later accused of participating in a SIM-swapping scheme which used stolen details to remove nearly $200,000 (£100,000) from the cryptocurrency accounts of five victims.
The duo carried out a further hack alongside unknown Lapsus$ associates in February 2022 when they breached graphics card maker Nvidia and leaked sensitive data and demanding yet another ransom.
Both Kurtaj and his unnamed 17-year-old accomplice were re-arrested on 31 March 2022, but the hacks didn’t stop.
The Rockstar Games attack drew particular traction in cyber security and gaming circles, as Kurtaj’s hack coincided with an unprecedented leak of in-development gameplay for the highly-anticipated sequel to the Grand Theft Auto series.
As reported by the BBC, Kurtaj brazenly messaged all company employees on workplace messaging platform Slack with the statement “I am not a Rockstar employee, I am an attacker” before claiming to have downloaded all data for Grand Theft Auto 6 and threatening “if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code”.
Shortly after, 90 video clips of the unfinished game appeared on a forum under the username TeaPotUberHacker.
Kurtaj was re-arrested for a final time and detained until his trial.
Over 12 charges landed for hacking spree
Last week, after a two-month trial and over nine hours of deliberation, a jury found Kurtaj had carried out a total of 12 offences in his involvement with Lapsus$.
These included six counts of carrying out an unauthorised act to impair the operation of a computer, three counts of blackmail, two fraud offences and a final failure to disclose his mobile phone password to police.
Meanwhile, Kurtaj’s 17-year-old accomplice was found guilty on one count of fraud, one of blackmail, and one for carrying out an unauthorised act to impair the operation of a computer.
A significant underlying factor for the trial was that both Kurtaj and the unnamed 17-year-old defendant are autistic.
Psychiatrists deemed Kurtaj not fit to stand trial and the jury were asked only to determine whether or not he committed the acts alleged, rather than if he did so with criminal intent.
Neither defendant gave evidence during the jury trial.
“The victims in this case, and they undoubtedly were victims, they were members of the public who suffered the SIM swap frauds and losses as a result of that,” said prosecutor Kevin Barry during his closing speech to the jury.
“There were also big corporations who were targeted and attacked.
“It hasn’t been suggested by anyone that any of these attacks were just individuals out for larks and laughs.
“It’s perfectly plain from the evidence that those involved in the attacks were totally serious in this endeavour of hacking companies and stealing valuable data from those companies with the intention of profiting from that, sometimes on a huge scale, whether by blackmail or fraud.”
The teenagers will return to Southwark Crown Court for sentencing at a later date.