Unveiling the Audacious Hack: British Teens Breach Nvidia, Grand Theft Auto, and Uber Systems
Last September 22, police officers staked out a one-star budget hotel in England, waiting for the perfect moment to bust in. Someone inside was suspected of committing two major hacks - one on Uber Technologies and another on Rockstar Games. After some serious detective work, they zeroed in on a user of the messaging platform Telegram called @lilyhowarth. But when they broke in, they found not Lily Howarth but a 17-year-old kid named Arion Kurtaj. It turned out that he was also on bail for another hack against chip maker Nvidia and an intrusion at UK phone group BT Group. He was part of a shady group of online extortionists called Lapsus$. The cops had put him in the hotel for his own protection after he was outed by the hacker community. Now 18, Arion was taken to court with a 17-year-old co-defendant who couldn't be named due to his age. The two faced 12 charges blackmail, fraud, and hacking. Arion was found unfit to stand trial due to his autism, and this week a jury found him liable for all the charges. He's looking at either a community order or psychiatric care, not jail.
The defense had argued that the evidence linking the two to the crimes wasn't strong enough and that there was no way of knowing for sure that Kurtaj was responsible. But the jury said otherwise on Wednesday, and a judge will decide Kurtaj's fate at a later date. His hacker buddy was found guilty on three counts and not guilty on two, though he had already copped to two charges. Kurtaj's lawyer commented that this case should shed light on how people with developmental disorders interact with the law. The tech world has been totally confused by Lapsus$'s audacious hacking of businesses between 2021 and 2022, which caused millions of American dollars worth of damage. The trial gave an insight into the group's way of working, revealing that money, fame, and "lolz" were their main motives. It's still unclear how much money they made since none of the companies have admitted to paying them anything. The police haven't been able to get into their crypto accounts either.
The story of how these young people outsmarted some of the US's biggest tech companies was put together from London court records, documents, witness statements, the police investigation, and people from the cybersecurity sector. British authorities collaborated with US police, including the FBI. According to a July report from America's Cybersecurity & Infrastructure Security Agency, Lapsus$ was similar to other cyber-criminal groups but "was especially good because of its efficiency, speed, inventiveness, and boldness."
In the Grand Theft Auto case, Kurtaj and the other members of Lapsus$ had no problem stealing sensitive code and video footage of the latest installment of the Grand Theft Auto series from a hotel room in Oxfordshire. According to prosecutors, they tricked Rockstar's systems on September 16,2022 pretending to be an employee. After not being able to log in with the credentials of a former employee, they used a contractor's account, and once they got in, they used the former employee's credentials to access the game development part of the system. Plus, Rockstar's logs revealed that the device used for the hack was the same type of iPhone that was taken from Kurtaj at the Travelodge Bicester. On the following day, Kurtaj downloaded confidential video design documents and source code and then leaked some of it. It was so rare that people were skeptical of its authenticity when it first came out.
Kurtaj made headlines when he used a GTA fan forum to show off his leaked content and called himself TeaPotUberHacker - a nod to his other hacking work. He then threatened Rockstar to release the source code unless they contacted him, resulting in the company reporting it to the FBI. Daniel Emerson estimated that the company spent over $1.5 million (around Rs. 12.39 crore) on legal and communications firms, as well as over $2 million (roughly Rs. 16.52 crore) on third-party vendors and hundreds of hours of senior employees' time. Rockstar refused to comment on how they got hacked by teens or what systems they had put in place since. Kurtaj had previously hacked Uber and Revolut, trying to access 74,000 Revolut customer records to sell them on the black market. He also sent taunting messages to Uber staff, forcing the firm to temporarily shut down the app and incur a loss of $2.8 million (approximately Rs. 23.14 crore). When the cops raided Kurtaj's hotel room, they found an iPhone 13 Pro Max hidden under the bed covers which was connected to some of the hacks he was accused of - but he won't give them the PIN. The first set of offenses Kurtaj and an unnamed teen were charged with was a SIM-swapping spree against BT's EE phone service users in 2021. SIM swapping is when fraudsters take control of a phone number to access bank accounts and crypto wallets.
Victim EE customer Daria Jacinska testified that all content above £54,000 ($69,000, approximately Rs 5.7 million) was pulled from her online Coinbase account. Another victim, Robert Molloy, had £2,000 withdrawn from his online Monzo Bank account. Later that day, he received an email from the attacker saying "Thank you PS brother" (slang for money).
Uber, Revolt, and EE did not respond to requests for comment.
Kurtaj and the boy were arrested by police in January 2022. The teenager pleaded guilty to some of the BT-related allegations. He has admitted involvement in bartering and fraud but denied extortion charges.
The second hack, carried out by the two teenagers along with other Lapsus$ members, was a brazen attack on Nvidia on February 15, 2022. The U.S. government initially worried the hack could originate from Russia amid tensions on the Ukrainian border. told Bloomberg at the time. It doesn't last long. Lapsus$ was soon discussing the success of the hack in online Telegram chats, investigators said. Using its signature methods, it had seized control of contractors' accounts and managed to steal 1 terabyte of commercially sensitive company software known as firmware. Members of the group released 80 GB of it to the public and then demanded Nvidia pay a ransom if it wanted to block the publication of the rest.
Lawyers for the prosecution said police investigators and experts managed to link Kurtaj and his fellow hacker to the various incidents through a web of Internet Protocol addresses, emails, Telegram chat groups, and their signature methods. What each hack had in common was social engineering by stealing details of legitimate players to get into systems, grabbing data, and trying to extort money for them and a signature calling card in the form of a crude image — in the Uber hack, for instance, a picture of a “naked erect penis” was uploaded. Prosecutor Kevin Barry said, "It's the desire of young people to show two fingers to those who attack them." In defense, these were efforts by dumb teenagers to make themselves laugh.
For several years before the incident, Mr Kurtaj lived with his mother and brother in their home in Oxfordshire. During the trial, Kurtaj's pediatrician, Nicholas Hindley, described him as "a particularly disabled person" and his first contact with Kurtaj was because the special school he attended was unable to control him. He added that it was after Mr. Hindley told the court that Kurtaj had undergone complex medical tests for autism, ADHD, and other conditions and was at best functioning at the level of 1 percent of his peers.
Kurtaj finished her formal education in her early teens but was temporarily on welfare after being accused of assaulting her mother. In the end, he was attacked by an employee and convicted. Kurtaj's mother took him home, but it was difficult for her to monitor his computer usage. Claudia Camden-Smith, the doctor who treated him in adulthood, said the hack gave him "public credibility."
"He doesn't want to be different. He wants to be like everyone else, he wants to be seen as trendy and dangerous," she told the court, noting that his diagnosis made him feel vulnerable. It added that it did not fully reflect whether
Since Kurtaj broke his bail in the GTA and Uber raids, he has been detained at the Feltham Juvenile Criminals Institute, where doctors say he was in extreme pain, threw urine at guards, and was sent to jail. It is said that it destroyed the infrastructure of Judge Patricia Rees will decide what happens next.
"Despite having no formal training since age 14, he committed a series of security breaches that breached the world's largest systems and spent millions of dollars making cybersecurity impenetrable. It turned out to have exposed a vulnerability, he said. "Kurtaj's lawyer, Matthews Murphy". “We will use the skills of these individuals more proactively, protect our businesses, recognize and support the medical needs of vulnerable criminals, and achieve more mutually beneficial outcomes for all involved in these situations.” We need better systems that provide