At 9pm on September 22 last year, a group of London City Police officers waited outside Room M15 of the Bicester Tourist Hotel in Oxfordshire, England, waiting for the right moment to break in. They believe that those inside the door are behind two serious data hacks: one targeting Uber Technologies and an unprecedented leak of code from Rockstar Games’ unreleased Grand Theft Auto episode.
After a complex tracking and surveillance operation, the police managed to target a user of the messaging platform Telegram called @lilyhowarth. However, the person behind the door is not Lily Howarth, but 17-year-old Arion Kurtaj, who is accused of a daring massive hack of chipmaker Nvidia and Bail was granted for the intrusion of British telephone group BT Group. Kurtaj, a member of a loose-knit group of mysterious international cyber-extortionists calling themselves “Lapsus$,” was housed by the police for his own safety after being exposed by the hacker community. Police discovered that Lily Howarth was just another nickname he had been hiding for his hacking activities.
Kurtaj, 18, is facing a seven-week criminal trial in London with a 17-year-old male co-defendant, who cannot be named because he is a minor. The pair, who met online, face 12 charges, including extortion, fraud and hacking charges. Kurtaji, who is solely responsible for half of the charges, was ruled unfit to stand trial by a judge before the trial began because he suffers from complex autism spectrum disorder, meaning he could not be found to have “mens rea,” And it is possible that after a jury this week finds him responsible on all charges, he will be given a community order or sent to a psychiatric facility instead of prison.
Defense attorneys argued that the evidence linking the two men to the incidents was not strong enough, and there was no way of knowing whether Kurtaj was responsible for the hacks. On Wednesday, the jury found otherwise. A judge will decide on Kurtaj’s future later. His fellow hacker was found guilty of three counts and not guilty of two others. He has previously pleaded guilty to two BT-related charges.
Niamh Matthews-Murphy said: “While the jury’s verdict may be subject to appeal, we hope this case sheds light on the conflicts between vulnerable individuals with severe neurodevelopmental disabilities and police and criminal justice. The way the judicial system interacts,” Kurtaji’s attorney said in a statement to Bloomberg.
Lapsus$’s audacious hacking of tech companies has confounded cybersecurity experts as the company unleashes a series of high-profile attacks between 2021 and 2022 that have caused millions of dollars in damage to targets. The trial provided a rare window into how the secretive gathering of tech geeks worked, showing how the intrusion was orchestrated and the group’s motivations: notoriety, money, and just “haha.” It’s unclear how much money Lapsus$ made—none of the companies admitted to paying it any money. Police were unable to access encrypted accounts associated with the teens.
The story of how these young men overcame some of the largest tech companies in the United States was compiled from London court proceedings, documents, witness testimony, police investigations and sources in the cybersecurity industry. British authorities are cooperating with U.S. law enforcement, including the FBI. A July report by the U.S. Cybersecurity and Infrastructure Security Agency said that while Lapsus$ was like any other cybercriminal group, it was “unique for its effectiveness, speed, creativity and audacity.”
Take the Grand Theft Auto case, for example.
Kurtaji, along with other unknown members of Lapsus$, relatively easily stole commercially sensitive code and video footage of the latest installment in the Grand Theft Auto series in development from an Oxfordshire hotel room. According to prosecutors, they used social engineering to gain access to Rockstar’s systems on Sept. 16, 2022, “posing as employees or contractors who had ‘lost’ or ‘forgotten’ passwords.”
Prosecutors allege they used an account linked to a contractor named Siwar Jrad (siwar.jrad) after a failed login using the former employee’s credentials. Once inside, the credentials of the former employee “mohd.hidaytullah” were used to access parts of the system related to game development, they said. Rockstar’s logs show that the device used for the registration was the exact same type and specification as the iPhone seized at the Travelodge Bicester’s Kurtaj.
The day after gaining access, Kurtaj downloaded a series of videos and design documents and source code for the Grand Theft Auto sequel — all of which are highly classified — before leaking some of them. The leak has given an unauthorized look at one of the most valuable games in the industry. The occurrence is so rare that some people questioned its authenticity when it first emerged, Bloomberg previously reported.
Kurtaj then highlighted the leak on the GTA fan forums and called himself TeaPotUberHacker – a nod to his other hacking work. Then, via Rockstar’s Slack Messenger account, he threatened to release the source code unless the company contacted him. By Sept. 19, the company had disabled his access and reported the matter to the FBI. But the damage has already been done.
“This is one of the biggest entertainment industries ever, and something like this would destroy our marketing,” Daniel Emerson, chief legal officer of Rockstar subsidiary Take 2 Interactive Software, said in court testimony. Emerson estimates that the company spent more than $1.5 million (approximately Rs. 123.9 crore) on legal and communications firms, in addition to spending over $2 million (approximately Rs. 16.52 lakh) on third-party vendors and wasted senior staff Hundreds of hours of time. Rockstar declined to answer questions about how teens got the experience so easily and what obstacles have been put in place since.
The upcoming Grand Theft Auto VI has been in development in some form since 2014, and has been so highly anticipated that when Take 2 first acknowledged its existence in 2022, the stock price soared. The new game will feature a playable female protagonist for the first time.
Kurtaj is so good at hacking that just a few days ago he used similar tactics to break into the systems of Uber and UK fintech companies. Revolut attorneys explained that Kurtaj attempted to gain access to 74,000 Revolut customer records, allegedly in order to sell the information on the black market. The exact number of affected customers is unknown. For the Uber hack, Kurtaj sent taunting messages to employees, forcing the company to temporarily shut down the entire app. Uber said its financial loss was about $2.8 million (Rs 231.4 crore).
When police raided Kurtaji’s hotel room, they found an iPhone 13 Pro Max under a bedspread, an investigator said during the trial. The phone was later linked to some of the hacking incidents he was involved in. Police have been unable to access the device because Kurta refused to share the PIN code. Among the first crimes Kurtaj and the unnamed teen are accused of taking part in is the 2021 SIM swapping spree targeting users of BT EE phone services. SIM swapping is when fraudsters take control of a phone number and then receive text messages and calls, giving them access to bank accounts and encrypted wallets.
EE customer Daria Jasinska, who was the victim, said in a witness statement that the entire contents of more than £54,000 ($69,000, approximately Rs 5.7 lakh) in her online Coinbase account had been withdrawn. Another victim, Robert Molloy, had £2,000 stolen from his Monzo online banking account. Later that day, he received an email from the attacker saying, “Thank you ps bro” — slang for “money.”
Uber, Revolut and EE did not respond to requests for comment.
Kurtaj and the teen were arrested by police in January 2022. The teen pleaded guilty to certain aspects of the charges involving BT. He admitted to participating in the swap and fraud, but denied the extortion charges.
The second hack the two teens carried out along with other Lapsus$ members was an audacious attack on Nvidia on February 15, 2022. The U.S. government initially feared the hack could come from two Russian officials who were speaking to Bloomberg at the time, according to reports, as tensions rose on the Ukrainian border. Not very long. Lapsus$ was quick to discuss the success of the hack in a Telegram live chat, investigators said. Using its signature method, it took control of the contractor’s account and managed to steal 1 terabyte of commercially sensitive company software, known as firmware. Members of the group released 80 GB of it to the public, then demanded that Nvidia pay a ransom if it wanted to prevent the release of the rest.
Lawyers for the prosecution said police investigators and experts managed to link Kurtaj and his fellow hackers to various incidents through a network of internet protocol addresses, emails, Telegram chat groups and their signature methods. The common denominator of every hack is social engineering, gaining access to the system by stealing legitimate player details, obtaining data, and attempting to extort money for them, extorting a signed calling card in the form of an original image – for example, in the case of the Uber hack During the attack, a photo of a “naked erect penis” was uploaded.
“Teenagers were eager to stick two fingers at their targets,” said the prosecution’s attorney, Kevin Barry. To the defense, they were silly teenage efforts to make fun of them.
A few years before the incident, Kurtagj lived at home in Oxfordshire with his mother and brother. During the trial, Kurtaji’s childhood doctor, Nicholas Hindley, described him as “a particularly damaged individual”, adding that he first came into contact with the young man at the special school he attended. After needing the school can’t control him. Hindley told the court that Kurtaj suffered from autism, ADHD and other complex health diagnoses which meant he was at best in the 1% of his peers.
Kurtaj ended his formal education as a teenager and was briefly placed in social care for beating his mother. It all ended when he himself was attacked by a staff member for whom he was convicted. Kurtaji’s mother brought him back, but it was difficult for her to monitor his computer use. Claudia Camden-Smith, the doctor who cared for him into adulthood, said the hacking had given him “street cred”.
“He didn’t want to be different, he wanted to be like everyone else, he wanted to be seen as stylish and adventurous,” she told the court, adding that his diagnosis didn’t fully reflect how vulnerable he was.
Since Kurtaj was released on bail over the GTA and Uber attacks, he has been held at the Feltham Institute for Juvenile Offenders, where doctors say he was in excruciating pain, threw urine at guards and damaged prison infrastructure. It will now be up to Judge Patricia Lees to decide on his future.
“Despite having had no formal education since the age of 14, he was found to have committed numerous security breaches that penetrated and exposed weaknesses in the systems of the world’s largest companies that spent millions of dollars trying to make their Cybersecurity has become impenetrable,” said Kurtaj’s attorney, Matthews Murphy. “There must be a better system that leverages the skills of these individuals in a more aggressive way, protecting businesses, recognizing and supporting the medical needs of vulnerable offenders and provide a more mutually beneficial outcome for all stakeholders in these situations”.
© 2023 Bloomberg
Svlook
