Posted on: August 24, 2023, 06:36h.
Last updated on: August 24, 2023, 06:36h.
One of the primary actors behind a massive ransomware scheme in the UK will likely go to prison, according to the BBC, despite being a teenager. In a groundbreaking verdict, a panel of London jurors has determined that Arion Kurtaj, who’s barely 18 but had a penchant for online gambling, was a main figure of the notorious Lapsus$ data hacking collective.
Kurtaj played a prominent role in breaching the security systems of numerous companies, including Microsoft, Nvidia, T-Mobile, Samsung, Cisco, Ubisoft, Revolut and more. Lapsus$ even targeted the London police department.
The hackers pilfered valuable data from the target companies’ digital vaults and perpetrated a series of ransomware attacks. By exploiting the threat to disclose confidential information as leverage, the group made a small fortune.
As one of the primary leaders of the group, Kurtaj, from Oxford, England, gained recognition as a prominent figure in hacking circles, as well as in the police blotter. He was arrested twice last year, once in January and the second time in March, on suspicion of hacking, but always walked away.
Guilty, Not Guilty
The case surrounding Kurtaj was a unique one. He is officially and legally autistic, leading a psychologist to determine that he wasn’t fit to stand trial. Nevertheless, the jury was instructed to assess his culpability regarding the presumed hacking activity, disregarding any criminal intentions involved.
Kurtaj, aided by certain individuals from Lapsus$, repeatedly launched attacks on various companies, from which he demanded exorbitant sums of money. Going by the alias teapotuberhacker, he also unveiled a secret gameplay video of Grand Theft Auto 6, which helped him achieve hacker stardom.
The game was still in post-production and hadn’t been publicly released at the time. Kurtaj acquired the exclusive footage by infiltrating the developer’s Slack server and the game’s Confluence wiki. He published the info while temporarily released on bail at a hotel – for hacking.
Online, Kurtaj cunningly operated under various aliases, such as White and Breachbase, extending his digital footprint across more than a dozen identities. His hacking escapades proved quite lucrative, as he managed to amass a staggering sum of 300 BTC.
Today, that would be worth around $7.9 million. Lapsus$ likely made a lot more, although most companies are often unwilling to admit to an attack or specify how much they paid to make it go away.
Kurtaj reportedly squandered the majority of the funds through gambling. In an ironic twist, though, some of it was lost to hackers who broke into his computers.
An accomplice also faces prosecution for similar acts. The unidentified 17-year-old, also diagnosed with autism, was found guilty of unlawfully breaching regulations. There’s no information available about when they’ll return to court for sentencing.
Sim-Swapping Specialists
The US government, in a separate report on Lapsus$, has detailed how the group worked. It employed cost-effective techniques to find vulnerabilities within the digital infrastructure, then used SIM-swapping scams to carry out its attacks.
In a SIM-swapping attack, a criminal contacts the mobile phone carrier while impersonating the phone number’s owner. They convince the carrier to activate a new SIM card with the same number, which can provide the hackers with access to almost all digitally-stored data.
By paying $200,000 a week to a telecom provider’s network, the hackers were able to take over high-level and sensitive phone numbers, giving them access to crucial codes to enter company networks. These codes were then adeptly employed across various accounts, further expanding their illicit activities.
From 2021 until 2022, Lapsus$ took off. It gained in strength as it pulled in more hackers from the UK, Brazil and other locations. Their motivations encompassed a trifecta of seeking recognition, monetary gains and simple amusement.
Things began to fall apart for Lapsus$ last September. Following extensive investigations involving multiple law enforcement offices around the world, police began apprehending many of the group’s members, including multiple UK residents and one individual located in Brazil. With that, Lapsus$, as an entity, came to an end.