Teens Found Responsible For Lapsus$ Cyber-Attacks

Written by

An Oxford teenager has been found responsible for a series of hacking incidents impacting big-name brands, as part of the infamous Lapsus$ group.

Arion Kurtaj, 18, was deemed by psychiatrists to be unfit to stand trial. Although he could not be found “guilty” of committing the acts with criminal intent, a jury at Southwark Crown Court determined that he was at least the individual that carried them out.

Among the firms Kurtaj is said to have compromised are Nvidia, Uber, BT and EE from which he demanded a $4m ransom from after stealing internal files. A 17-year-old accomplice used stolen SIM information from EE customers to take nearly $100,000 from their cryptocurrency wallets, according to the BBC.

Kurtaj’s last hack, of Rockstar Games, apparently took place when he was on bail in a Travelodge hotel room. He posted messages to the firm’s Slack channel and stole and released scores of clips of unfinished gameplay from the upcoming Grand Theft Auto 6.

The 17-year-old accomplice was convicted for his part in the Lapsus$ group, and both will reportedly be sentenced at a later date.

Read more on Lapsus$: Lapsus$ Hacker Group Exposed in Latest CSRB Report

An unknown number of Lapsus$ members are still at large, with some thought to be living in South America. At least one suspected member was arrested by federal police in Feira de Santana, a city in the north east of the country, back in October.

Lapsus$ carried out a string of successful attacks against big-name companies, also including Microsoft, Samsung, LG, Okta and Vodafone.

They combined multiple techniques including vishing, SIM swapping, soliciting insiders at targeted firms, accessing and scraping SharePoint sites for credentials stored in technical info, using credentials to access corporate VPNs, and cloning git repositories to access API keys.

Editorial image credit: Julio Ricco / Shutterstock.com

What’s hot on Infosecurity Magazine?