The last two years of Arion Kurtaj’s life seem to be part of the movie script. The last chapter of his story, which was revealed during the trial, did not remain. Curtai, who is suspected of belonging to the international cybercriminal gang Lapsus$ since the age of 16 and hacking multinational companies such as Microsoft, Samsung, Vodafone or the Brazilian government, carried out the latest attack while in police custody and from a hotel room. where he (apparently) had no access to electronic devices.
Without a computer or mobile devices, the young man turned to the Fire TV Stick (Amazon’s device that turns any TV into a smart one) to buy a keyboard, mouse and phone, with which he performed his “most daring”. Hack, according to British prosecutors: 90 videos leaked of GTA 6, the yet-to-be-released title of one of the world’s most popular and profitable video game sagas. Rockstar Games, its developer, waived extortionate terms to keep it out.
It was “a blatant disregard for his bail conditions,” prosecutors described at his trial in London. They accuse him of six crimes, including blackmail, fraud and computer hacking. A jury finds him liable on all of them, but he will not be convicted. A psychiatric report declared him unfit to stand trial: the autism spectrum disorder he suffers from prevents him from assessing the “criminal intent” of his actions.
Another minor, who is still 17 years old and cannot be named, was sentenced along with Kurtaj. The latter, also autistic, was found guilty of three crimes and acquitted of two more. They met in July 2021 and became part of one of the most dangerous cybercriminal gangs dedicated to extorting and stealing data from large companies. It is believed that most of its members were teenagers.
“Regardless of the outcome of the jury’s decision, which is subject to appeal, we hope this case sheds light on how vulnerable individuals with severe neurodevelopmental disabilities interact with law enforcement and the criminal justice system,” Kurtai’s attorney said in a statement to Bloomberg. Agency. The youth may have to do community service or be sent to a psychiatric facility, a decision that will be made in the coming weeks.
Three arrests
British police had already arrested Kurtai twice before he was caught again trying to extort money from Rockstar from his hotel room. The young man was there for his own safety because before his second arrest in March 2022, he suffered a “doxing” attack by rival cybercriminals. This abuse, which is common among hackers, involves posting the victim’s identity and personal data online.
His, his relatives’ name, place of residence, age, study center and social media links were published on a popular page used by hackers to spread this information. That’s when Curtaj’s story began to become public: the leader of Lapsus$, a group that led security forces and cyber security specialists from around the world for their extraordinary ability to penetrate the systems of high-tech multinationals. He was a 16-year-old boy with autism who lived in Oxford with parents of Albanian descent and who regularly posted photos of him fishing with his uncle.
Kurtaj’s first arrest took place in January 2022. The young man and his partner, still a minor, were linked to two extortion attempts against the British telephone operator, BT, from which they demanded four million dollars in exchange for not leaking information that was previously there. stolen. The company refused, but the two teenagers used the data to hack into five cryptocurrency accounts using compromised SIM cards of BT customers, worth around $100,000. BBC.
After his release, a real wave of cyber attacks by Lapsus$ began. In two months, the group stole information and tried to extort money from chip maker Nvidia, Microsoft, T-Mobile, Samsung, Vodafone, technology company Globant, video game developer Ubisoft, or an Argentinian e-commerce portal. From Mercado Libre. elDiario.es explained its methods in this report.
Curtage and his partner, the British police, were only able to connect the hacker against Nvidia, for which they were found guilty at trial. The trial did not determine how much money Lapsus made from these attacks, although prosecutors believe that their main goal was not only economic, but also publicity and sometimes simple trolling. Curtaj denied police access to his cryptocurrency wallet.
His actions are believed to have caused millions of dollars in damages to the companies that suffered them because, in addition to the unreleased GTA, Lapsus$ also leaked information about a new Samsung phone, as well as confidential information from Nvidia.
from the hotel
After his second arrest and after his identity and contact details were revealed online, British authorities decided to release Kurtai on bail to a one-star hotel in Bicester, 18 kilometers west of Oxford. The young man was banned from connecting to the Internet and all his electronic devices were confiscated, but this was not enough. The young man used a Fire TV Stick to continue the hack.
Within days, Kurtai attacked Uber and published its financial information online. Then he hacked the electronic payments firm Revolut. He then went after Rockstar, and after failing to extort him, he released all the GTA 6 material he could get his hands on, which included, in addition to the videos, the source code for the game itself. After that, he was arrested for the last time, after which he was never released. Apart from the 17-year-old, who was also arrested and charged, other members of Lapsus$ are believed to be still at large.
A lawyer for the chief prosecutor’s office claims that Kurtaj and his accomplices repeatedly showed “a youthful desire to point the finger at those who attacked them.” They are based on the usual abuse of workers, which they uttered after penetrating the internal communication systems of companies, as well as the need to brag about their actions and ridicule the firms on the group’s Telegram channel. The youth’s defense argued that they were just irresponsible teenagers looking for fun.
Without knowing Curtaj’s immediate future, the Lapsus$ chain of cyberattacks leaves a series of lessons for the group’s preferred method of infiltrating large companies’ security measures, and especially their employee identification.
Source: El Diario
