Artur Marciniec - Fotolia

Teenage Lapsus$ ringleader was responsible for crime spree, UK court rules

A court has ruled that Arion Kurtaj, allegedly a key player in the Lapsus$ cyber extortion syndicate, was responsible for the group’s year-long campaign of cyber attacks

The alleged teenage ringleader of the Lapsus$ cyber extortion collective, which hacked into the systems of multiple high-profile victim organisations in 2021 and 2022, has been ruled responsible for his hacking spree at Southwark Crown Court.

The 18-year old from Oxford, who was first named as Arion Kurtaj earlier is year, is autistic and was earlier deemed unfit to stand trial, so he did not appear in court to give evidence.

He was charged with offences including blackmail and fraud, and six counts under Section 3 of the Computer Misuse Act, which covers unauthorised acts with intent to impair the operation of a computer.

A second teenager, who is still 17 and as such cannot be named, was convicted of an offence under the Computer Misuse Act and on one count of fraud, and will likely be sentenced later this year.

Following the verdict, detective superintendent Richard Waight of the City of London Police described a “complex and sensitive investigation” that had involved a multi-agency response, and spoke of the various challenges faced throughout the police investigation and judicial process.

“We thank the judge and jury for being patient throughout the trial, during deliberations and for the subsequent verdicts,” he told reporters.

Kurtaj’s defence counsel, David Miller, described a “vulnerable” adolescent who had spent time in care. “Keep in mind Arion Kurtaj’s psychological make-up, and in particular his psychological condition, his education or lack thereof – could he be the highly intelligent, competent genius that the prosecution set out at the beginning?” he told the jury during closing speeches.

Year-long crime spree

The Lapsus$ squad first came to attention in the security community towards the end of 2021, when they attacked the systems of BT and EE and attempted to extort them for over £3m, and targeted various organisations in Latin America through associates likely based in Brazil.

In 2022, Kurtaj and his associates went on to target the systems of companies such as Microsoft, Nvidia, Okta, Revolut, Rockstar Games, Samsung, Uber and Ubisoft, crimes which they boasted of on a Telegram group which at one point had more than 35,000 members.

They targeted SharePoint, VPNs and virtual machines, and used social engineering techniques to exploit weaknesses in multi-factor authentication (MFA) policies to gain access to their victims’ systems to steal data.

Though billed as a ransomware gang at first, they never deployed a ransomware locker, and did not even extort all of their victims, leading to some puzzlement as to their motives.

Read more about young people and cyber crime

Kurtaj was among a group of seven arrested in the spring of 2022 by City of London Police in connection with Lapsus$’s activities, and was charged in April. However, the group’s activities did not cease, prompting some speculation that the gang was a sophisticated, hydra-like entity and represented a new paradigm in security threats.

But according to the BBC, in reality, Kurtaj had been moved into the Bicester Travelodge for his own safety after being doxxed by rival hackers, where he skirted a ban on using the internet imposed as a bail condition by connecting an Amazon Fire Stick to his hotel room TV.

He went on to conduct several more cyber attacks, including some of his most widely known hits on the likes of Rockstar Games, from which he stole unreleased footage taken from the upcoming Grand Theft Auto 6 game, and Uber.

William Wright, CEO of Closed Door Security, an MSSP based on the Isle of Lewis in Scotland’s Outer Hebrides, commented: “Prosecuting one of the group’s leaders sends a clear message to other members – you are not above the law.

“Today, law enforcement across most nations are highly focused on catching cyber criminals, and this has birthed several partnerships and international collaborations,” he said. “Law enforcement also possesses some of the most advanced technology to track criminals, and they are also running espionage programmes to infiltrate the workings of major groups.

“This means the chances of getting caught today are higher than ever,” said Wright. “Hackers and wannabe cyber criminals must keep this in mind.

“However, these young, opportune hackers are prevalent because companies are still falling foul of basic security controls.”

Read more on Hackers and cybercrime prevention