The story of the teenager who hacked tech giants and was sentenced to life in a mental hospital

A 18 year old English hacker with autism it was sentenced to a psychiatric hospital for life: Arion Kurtaj, member of the cybercrime group Lapsus$was responsible for accessing Rockstar Games’ internal information and filter videos of the GTA VI video gameas well as the Uber hack.

According to Justice, Kurtaj was a key player in the group, which he was based on Social engineering (deceptions through phishing and other techniques) extorted money from the affected companies in exchange for not disclosing the stolen information.

The group, made up of English and Brazilians, was responsible for unauthorized access to companies around the world Microsoft, Samsung and Nvidia at Mercado Libre and Globant in Argentina. Law enforcement estimates they have managed to raise nearly $10 million from the cyberattacks.

Kurtaj was sentenced this Thursday at Southwark Crown Court in London, according to the BBC – which followed the case – to remain in a psychiatric hospital for life, unless new experts establish that he no longer constitutes a danger to society .

What complicates the situation above all is the fact that, according to a medical report, the hacker “continued to express himself intentions to return to cybercrime as soon as possible: he was very motivated,” reconstructed Joe Tidy, a BBC reporter who followed the case.

This is consistent with the story of Kurtaj, who even entered Rockstar Games systems in an almost unusual way: from a hotel room with an Amazon Fire Stick, when he was in custody.

“I’m not a Rockstar employee, I’m an attacker”

Lapsus$ It was characterized by attacks based on social engineering, that is, tricking company users into impersonating and taking internal control of sensitive information.

The most sensational case involving Kurtaj was that of Rockstar Games, one of the largest video game developers in the world, known for the Grand Theft Auto (GTA) saga, which has been developing the sixth chapter of the game for years. Last year, The hacker leaked internal videos of what the game looks like (gameplay), something that has been brought up in media around the world.

The attacking technique was very surprising. British justice established that, in the last year, the hacker had purchased a Amazon Fire Stick -a device that connects to your TV’s HDMI port to access streaming services: a new phone, a mouse and a keyboard.

From there he accessed cloud computing services and was soon posting videos of GTA VI, a game that has not yet been released by Rockstar Games. Kurtaj was on bail for hacking Nvidia, at a Travelodge Hotel in Britain.

This was undoubtedly one of his most resonant attacks as Rockstar Games is one of the largest video game companies in the world. The studio has been developing GTA VI since at least 2015, the long-awaited sequel to the famous saga.

Last year, Kurtaj managed to steal videos of gameplay footage and post them online. In fact, before publishing the videos, he sent a message on the company’s Slack (work chat) and said: “I’m not a Rockstar employee, I’m an attacker.”

The defendant admitted to downloading and extorting Rockstar by publishing the company’s source code if he was not contacted within 24 hours. In total, he posted 90 GTA VI videos on a forum with the user “TeaPotUberHacker”, referring to Uber, another company he hacked.

In the six-week trial, his defense argued that the successful launch of the game’s trailer, which garnered 130 million views in just four days

Slips$, pure social engineering

“Lapsus$ has always presented challenges to court cases. Unlike most cyber criminal enterprises, His motivation was not just economicwhich made them unpredictable,” explains a Clarion Brett Callow, threat analyst at Emsisoft.

Among its members it is known, in the field of threat intelligence (threat information) that Brazilians, English and even Argentines have passed through.

The company that produces chips for video cards had to open the code, that is, create it open source– drivers, something for which Nvidia has been questioned due to its restrictive practices for operating systems other than Windows.

“A company’s scenarios are likely to respond to save requests, but I wouldn’t be so sure they specify what to do in the case of a request to make drivers open source,” adds Callow.

“The observed activity of the LAPSUS$/DEV-0537 group is varied and extensive. Among his TTPs (techniques, tactics and procedures) we can find both simple events, such as the use of leaked credentials“, to the exploitation of public applications and remote access services, to the creation of ‘ghost’ accounts to maintain persistence, up to more advanced techniques such as the theft of second factor authentication codes and the signing of malicious code”, puts Mauro into context this medium. Eldritch, director of Birmingham Cyber ​​​​​​Arms and threat analyst.

“The group was observed using multiple tools, some advanced and belonging to monitoring schemes. Malware as a service like the Redline thief, other common and simple ones like NordVPN or Mimikatz. Furthermore, the group has sometimes chosen to simply destroy the information of its victims, without further ado,” he added.

The impact of these hacks is very serious for the industry, which generates a lot of expectations among fans and creates an industry around this concept (hype). Earlier this month, Rockstar released the official trailer for GTA IV and collected 130 million views in less than a week.

At trial, the company said Kurtaj’s hack cost about $5 million.

Kurtaj was convicted in the trial together with another 17-year-old boy, who will have to serve only 18 months between rehabilitation, supervision and the ban on using VPNs, i.e. the impossibility of masking one’s identity online.

Kurtaj’s fate was not the same and now depends on whether, over time, a psychiatric expert will establish that he does not pose a threat to society. In the meantime he will spend his days in a mental institution.