At 9 p.m. on Sept. 22 last year, a group of City of London police officers waited outside room M15 at the Travelodge Bicester, a one-star budget hotel in Oxfordshire, England, for the right moment to bust in. On the other side of the door was someone they believed to be behind two serious data hacks: one on Uber Technologies Inc. and the other an unprecedented leak of code for Rockstar Games Inc.’s unreleased Grand Theft Auto sequel.
A complicated tracing and surveillance operation had helped the cops zero in on a user of messaging platform Telegram named @lilyhowarth. Behind the door, however, was not Lily Howarth, but 17-year-old Arion Kurtaj — already on bail for a daring, largescale hack against chip maker Nvidia Corp. and an intrusion at the UK phone group BT Group Plc. A member of a shadowy international bunch of loosely connected online extortionists who called themselves Lapsus$, Kurtaj had been lodged in the room by the police for his own safety after being outed by the hacker community. Lily Howarth was just another moniker he hid behind for his hacking activities, the officers discovered.
Now 18, Kurtaj was at the center of a seven-week criminal trial in London alongside a 17-year-old male co-defendant who can’t be named because he’s a minor. The two, who met online, faced a 12-count indictment including blackmail, fraud, and hacking charges. Kurtaj, who was solely responsible for half the charges, was found unfit to stand trial by a judge before it began because of his complex autistic-spectrum disorder — which means he can’t be found to have had “criminal intent,” and may be given a community order or sent to a psychiatric-care facility rather than a jail after a jury this week found him liable for all the charges.
Defense lawyers had argued that the evidence linking the two to the incidents was not strong enough and that there was no way of knowing Kurtaj was responsible for the hacks. On Wednesday, the jury ruled otherwise. A judge will decide at a later date on Kurtaj’s future. His fellow hacker was found guilty on three counts and not guilty for two others. He had previously pled guilty to two BT-related charges.
“Despite the outcome of the jury’s decision, which may be subject to an appeal, we hope this case will shine a light on the way that vulnerable individuals with severe neurodevelopmental disorders interface with the police and criminal justice system,’’ Niamh Matthews-Murphy, Kurtaj’s lawyer, said in a statement to Bloomberg.
The audacious hacks of technology firms by Lapsus$ has confounded cybersecurity experts since it went on a rampage of high-profile attacks between 2021 and 2022, causing millions of dollars of damages for its targets. The trial provided a rare window into the workings of this secretive gathering of tech geeks, showing how the intrusions were orchestrated and the group’s motivations: notoriety, money, and also just “lolz.” It's unclear how much money Lapsus$ made — none of the companies have admitted to paying it any money. Police haven't been able to access crypto accounts associated with the teens.
The story of how these youngsters got the better of some of the biggest US technology companies was compiled from London court proceedings, documents, witness testimonies, the police investigation and sources in the cybersecurity industry. UK authorities worked with US law enforcement, including the Federal Bureau of Investigation. A July report by the US Cybersecurity & Infrastructure Security Agency said that while Lapsus$ was like any other cyber-criminal group, it “was unique for its effectiveness, speed, creativity, and boldness.”
Take the Grand Theft Auto case, for instance.
With relative ease and from the hotel room in Oxfordshire, Kurtaj — together with other unknown members of Lapsus$ — stole commercially sensitive code and video footage of the latest installment of the in-development Grand Theft Auto series. According to the prosecution, they got into Rockstar’s systems on Sept. 16 2022 using social engineering, “by masquerading as an employee or contractor who had ‘lost’ or ‘couldn’t remember’ their password.”
After failing to log in with the credentials of a former employee, they used an account linked to a contractor named Siwar Jrad (siwar.jrad), prosecutors said. Once inside, credentials of the former employee “mohd.hidaytullah” were used to access a part of the system associated with game development, they said. Rockstar’s logs show that the device used for the enrollment was the exact type and specification of the iPhone seized from Kurtaj at the Travelodge Bicester.
The day after gaining access, Kurtaj downloaded a series of videos and design documents for the GTA sequel as well as source code — all highly confidential — before leaking some of it. The leak offered an unauthorized look at one of the most valuable games in the industry. It was so rare that some people cast doubt on its authenticity when it first emerged, Bloomberg previously reported.
Kurtaj then used a GTA fan forum to highlight the leaked content, calling himself TeaPotUberHacker — a nod to his other hacking work. He then took to Rockstar’s Slack messenger account to threaten to release the source code unless the firm contacted him. By Sept. 19, the company had disabled his access and reported the matter to the FBI. But the damage had been done.
“It’s one of the biggest entertainment properties of all time and something like this would spoil our marketing,” said Daniel Emerson, the chief legal officer of Take 2 Interactive Software Inc., a subsidiary of Rockstar, giving evidence in court. Emerson estimated that the company spent over $1.5 million on legal and communications firms in addition to over $2 million on third party vendors and hundreds of wasted hours for senior employees. Rockstar declined to respond to questions on how it was so easily had by the teens and what barriers it had put in place since.
The upcoming Grand Theft Auto VI has been in development in some form since 2014, and is so hotly anticipated that when Take 2 first acknowledged its existence in 2022, it sent the stock surging. The new game will feature a playable female protagonist for the first time.
Kurtaj was so adept at hacking that just days earlier he had used similar tactics to get into the systems of both Uber and UK fintech Revolut Ltd. Lawyers explained that Kurtaj tried to access 74,000 Revolut customer records, allegedly to sell that information on the black market. The precise number of affected customers is unknown. For the Uber hack, Kurtaj sent taunting messages to staff, which forced the firm to temporarily shut down the entire application. Uber said its financial loss was around $2.8 million.
When the police raided Kurtaj’s hotel room, they found an IPhone 13 Pro Max slightly under the bed covers, an investigator said at the trial. This phone was later connected to some of the hacks in which he was implicated. The police haven’t managed to access the device since Kurtaj refuses to share the PIN. The first batch of offenses Kurtaj and the unnamed teen were accused of taking part in was a SIM-swapping spree against users of BT’s EE phone service in 2021. SIM swapping is when fraudsters take control of a phone number to then receive messages and calls that enable them to access bank accounts and crypto wallets.
Daria Jasinska, an EE customer who was a victim, said in a witness statement that the entire content – over £54,000 ($69,000) – of her online Coinbase account was withdrawn. Robert Molloy, another victim, had £2000 drained from his online Monzo bank account. Later that day he got an email from the attackers saying “thanks for the ps bro” — a slang term for money.
Uber, Revolut and EE didn't respond to requests for comment.
Kurtaj and the teen were arrested by police in January 2022. The teen pleaded guilty to some aspects of the charges involving BT. He admitted being involved in conducting the swaps and the frauds but denied the blackmail charges.
The second hack the two teens undertook, alongside other Lapsus$ members, was an audacious attack against Nvidia on Feb. 15 2022. Coming as tensions mounted at the Ukrainian border, the US government initially feared the hack may have come from Russia, according to two officials who spoke to Bloomberg at the time. Not for long. Lapsus$ was soon discussing the success of the hack in online Telegram chats, investigators said. Using its signature methods, it had seized control of contractors’ accounts and managed to steal 1 terabyte of commercially sensitive company software known as firmware. Members of the group released 80 GB of it to the public and then demanded Nvidia pay a ransom if it wanted to block the publication of the rest.
Lawyers for the prosecution said police investigators and experts managed to link Kurtaj and his fellow hacker to the various incidents through a web of Internet Protocol addresses, emails, Telegram chat groups and their signature methods. What each hack had in common was social engineering by stealing details of legitimate players to get into systems, grabbing data and trying to extort money for them and a signature calling card in the form of a crude image — in the Uber hack, for instance, a picture of a “naked erect penis” was uploaded.
“A juvenile desire to stick two fingers up to those that they are attacking,” prosecution lawyer Kevin Barry said. For the defense, they were the efforts of silly teenagers out to get a laugh.
In the years before the incidents, Kurtaj lived at home in Oxfordshire with his mother and younger brother. During the trial, Kurtaj’s childhood doctor Nicholas Hindley described him as “a particularly impaired individual,” adding that his first contact with the youngster came after the special needs school he was attending was unable to control him. Kurtaj’s autism, ADHD and other complex health diagnosis means he functions at best at the level of 1% of his peers, Hindley told the court.
Kurtaj, who ended his formal education in his early teens, was briefly taken into social care for physically assaulting his mother. That ended when he himself was attacked by a staff member, who was convicted for the act. Kurtaj’s mother took him back, but oversight of his computer use has been difficult for her. Claudia Camden-Smith, the doctor responsible for his care as an adult, said hacking gave him “street cred.”
“He doesn’t want to be different, he wants to be like everyone else, wants to be seen as trendy and risky,” she told the court, adding that his diagnosis doesn’t fully capture how vulnerable he is.
Since Kurtaj broke his bail with the GTA and Uber attacks, he has been held in Feltham Young Offenders Institute, where doctors said he has been extremely distressed, throwing urine at guards and destroying prison infrastructure. It will now be for Judge Patricia Lees to decide on what lies ahead for him.
“Despite receiving no formal education since the age of 14, he has been found to have committed a number of breaches of security that have infiltrated and exposed weaknesses in the systems of the largest global companies, who spend millions trying to make their cyber security impenetrable,” Kurtaj’s lawyer Matthews-Murphy said. “There has to be a better system that enables the skills of such individuals to be utilised in a more positive way that protects corporations, acknowledges and supports the medical needs of vulnerable perpetrators and offers a more mutually beneficial outcome for all stakeholders in these situations.”
--With assistance from Andrew Martin and William Turton.