By Joe Tidy
Cyber correspondent
An 18-year-old hacker who leaked clips of a forthcoming Grand Theft Auto (GTA) game has been sentenced to an indefinite hospital order.
Arion Kurtaj from Oxford, who has autism, was a key member of international gang Lapsus$.
The gang’s attacks on tech giants including Uber, Nvidia and Rockstar Games cost the firms nearly $10m.
The judge said Kurtaj’s skills and desire to commit cyber crime meant he remained a high risk to the public.
He will remain at a secure hospital for life unless doctors deem him no longer a danger.
The court heard that Kurtaj had been violent while in custody with dozens of reports of injury or property damage.
Doctors deemed Kurtaj unfit to stand trial due to his acute autism so the jury was asked to determine whether or not he committed the alleged acts – not if he did so with criminal intent.
A mental health assessment used as part of the sentencing hearing said he “continued to express the intent to return to cybercrime as soon as possible. He is highly motivated.”
The jury was told that while he was on bail for hacking Nvidia and BT/EE and in police protection at a Travelodge hotel, he continued hacking and carried out his most infamous hack.
Despite having his laptop confiscated, Kurtaj managed to breach Rockstar, the company behind GTA, using an Amazon Firestick, his hotel TV and a mobile phone.
Kurtaj stole 90 clips of the unreleased and hugely anticipated Grand Theft Auto 6.
He broke into the company’s internal Slack messaging system to declare “if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code”.
He then posted the clips and source code on a forum under the username TeaPotUberHacker.
He was re-arrested and detained until his trial.
Earlier this month, the trailer for GTA 6 was released clocking up 128m views on YouTube in just 4 days.
In sentencing hearings, Kurtaj’s defence team argued that the success of the game’s trailer indicated that Kurtaj’s hack had not caused serious harm to the game developer and asked that this be factored into the sentencing.
But Her Honour Judge Lees said that there were real victims and real harm caused from his other multiple hacks on individuals and the companies he attacked with Lapsus$.
Rockstar Games alone told the court that the hack cost it $5m to recover from plus thousands of hours of staff time.
Another Lapsus$ member, who is 17 and cannot be named because of his age, was found guilty in the same trial, which lasted six weeks at Southwark Crown Court.
He worked with Kurtaj and other members of Lapsus$ to hack tech giant Nvidia and phone company BT/EE and steal data before demanding a four million dollar ransom, which was not paid.
They also stole directly from individuals through their cryptocurrency wallets.
The 17-year-old was sentenced to an 18 month long Youth Rehabilitation Order, including intense supervision and a ban on using VPNs online.
As well as hacking offences the boy was sentenced for what the judge described as “unpleasant and frightening pattern of stalking and harassment” of two young women.
Kurtaj and the 17-year-old are the first members of the Lapsus$ group to be convicted but it is thought others are still at large.
The gang’s audacious attacks in 2021 and 2022 shocked the cyber security world. The group from the UK, and allegedly Brazil, was described in court as “digital bandits”.
The gang – thought to mostly be teenagers – used con-man like tricks as well as computer hacking to gain access to multinational corporations such as Microsoft, the technology giant and digital banking group Revolut.
During their spree, the hackers regularly celebrated their crimes publicly and taunted victims on the social network app Telegram in English and Portuguese.
It prompted US cyber authorities to issue a lengthy report into Lapsus$ and other teen hacker gangs.
It concluded that Lapsus$ “made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organisations”.
It is not clear how much money Lapsus$ has made from its cyber crimes. No companies publicly admitted paying the hackers and the hackers did not provide the passwords to seized cryptocurrency wallets.