An 18-year-old hacker has been sentenced to an indefinite hospital order after a spree of cyber attacks including leaking assets from the much anticipated Grand Theft Auto (GTA) VI video game.
Arion Kurtaj, 18, and a 17-year-old accomplice who cannot be named due to his age, were both found guilty after a six-week trial at Southwark Crown Court.
The duo were members of the notorious Lapsus$ hacking group who were responsible for an attack on the Brazilian Ministry of Health in 2021. Described in court as ‘digital bandits’, the group’s members are thought to be primarily teens based in the UK and Brazil.
The group has targeted BT Group’s EE network, Nvidia, Uber, Revolut, and GTA developers Rockstar Games. Kurtaj and his accomplices tried to use data exfiltrated from BT/EE to demand a $4 million ransom from the telecoms giant.
The total damages caused by Lapsus$’s recent activities were estimated to be in the range of $10 million.
Reporting by BBC News revealed Kurtaj’s most infamous hack, leaking video snippets of the upcoming GTA VI was, in fact, carried out while under police custody.
After being apprehended for his initial attacks on Nvidia and BT, Kurtaj continued his spree of cyber attacks while under police supervision.
While being held under police protection at a Travelodge hotel, Kurtaj was able to continue his attack on Rockstar Games using a hotel TV, mobile phone, and Amazon Fire Stick, the court heard.
Kurtaj was able to steal 90 clips of unreleased footage from GTA VI as well as source code from the game, he also gained access to the company’s Slack to demand the company contact him to negotiate the deletion of their data.
“If Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code,” his ransom note read.
The stolen clips and source code were uploaded to a forum, sparking Kurtaj’s rearrest and detainment until his trial.
GTA VI hacker judged a high risk to the public
Find out why it is essential to use a zero trust architecture to secure cloud workloads
DOWNLOAD NOW
Kurtaj was previously deemed unfit to stand a traditional trial due to his autism, but Judge Patricia Lees felt he remained a serious threat to the public, ruling he should be placed in a secure hospital indefinitely.
Lees said she felt Kurtaj represented “a high risk of serious harm to the public through [his] skill in gaining unfettered access to computers” and as such would remain in a secure hospital unit until a mental health tribunal deems him fit to leave.
A mental health assessment used during the sentencing found Kurtaj “continued to express the intent to return to cyber crime as soon as possible. He is highly motivated.”
