Rockstar, Uber, Okta, Microsoft and Other Big-Name Players Fell to Group’s Attacks
A London jury convicted two British teenagers of a raft of computer crimes, blackmail and fraud undertaken while the duo had been core members of adolescent hacking group Lapsus$. Victims included multibillion-dollar and multinational companies Nvidia, Uber and Rockstar Games.
Prosecutors said Oxfordshire resident Arion Kurtaj, 18, aka “White” or “Breachbase,” and a 17-year-old boy not named due to his age, had been “key players” in the now-inactive Lapsus$ theft and extortion gang.
Each faced charges tied to schemes that involved gaining remote access to corporate networks, social engineering and SIM swapping. Both were arrested in January 2022 by the City of London Police and released as its investigation continued. They were charged in April 2022 and released on bail.
The defendants’ hacking allegedly continued while they were on bail. Prosecutors accused the 17-year-old of hacking into the City of London Police servers. They also accused Kurtaj of leaking dozens of video clips from Rockstar’s still-unreleased Grand Theft Auto 6 video game while holed up in a Travelodge hotel room, where he lived after his and his family’s identities were revealed online by hackers. Prosecutors said Kurtaj violated his bail conditions, which prohibited him from going online, and that he was “caught red-handed” when police uncovered an Amazon Fire Stick and new smartphone during a search of his hotel room, the BBC reported.
Psychiatrists deemed Kurtaj, who is autistic, as unfit to stand trial. He did not appear in court to give evidence.
The judge presiding over the seven-week trial at Southwark Crown Court instructed the jury to determine not whether Kurtaj had criminal intent but simply if he had committed the crimes, the BBC reported.
After more than nine hours of deliberations, the jury unanimously found that Kurtaj had committed all 12 offenses with which he’d been charged, including six counts of unauthorized access designed to impair the operation of a computer, three counts of blackmail, two fraud counts and also failing to comply with a Section 49 notice, which requires a suspect to disclose a password or code allowing access to electronic data, pertaining to his mobile phone, the Independent reported.
The jury convicted the 17-year-old, who is also autistic, of participating in multiple Lapsus$ attacks. He was found guilty of one count each of unauthorized access to a computer, fraud and blackmail – committed with Kurtaj – against chipmaker Nvidia, the Independent reported.
“This has been a complex and sensitive investigation involving a multi-agency response and there have been a number of challenges throughout the police investigation and judicial process,” said Detective Superintendent Richard Waight of the City of London Police.
The judge scheduled a case review for Kurtaj for Sept. 21. The 17-year-old is set to return to court on Nov. 9 and may be sentenced then.
Lapsus$, apparently based not only in the U.K. but also in Brazil, committed attacks from late 2021 through late 2022 that compromised dozens of well-resourced organizations. The group’s name combines the Latin word for “error” with a dollar sign.
Lapsus$ regularly boasted about its attacks and taunted victims, including posting what Uber described as “a graphic image” to some internal sites that employees saw, as well as via Telegram posts in English and Portuguese. In some cases, the group demanded ransoms from victims or stole cryptocurrency, but it said it didn’t employ ransomware. The group also claimed to have recruited insiders at a number of big-name firms.
The group “used primarily simple techniques, like stealing cellphone numbers and phishing employees, to gain access to companies and their proprietary data,” the U.S. Cyber Safety Review Board said in a report released earlier this month (see: Cyber Review: Teens Caused Chaos With Low-Complexity Attacks).
Uber’s breach investigation found that Lapsus$ likely gained access to its network after purchasing, from an initial access broker, legitimate access credentials stolen by information-stealing malware that had infected an external contractor’s PC. Although Uber protected logins with two-factor push approval requests, which required the user to manually approve each login attempt, it found that after the attackers triggered repeated requests, the contractor eventually accepted one of them, allowing the attackers to log in remotely.
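The pattern described above (a burst of push prompts, several of them denied or expired, followed by an approval) is what defenders commonly call MFA push fatigue or prompt bombing, and it is visible in identity-provider logs. The following is an added example, not code from the page, from Uber or from any identity provider: a small detector run over constructed log lines in an assumed format of `<ISO-8601 timestamp> <user> <event> <source IP>`, with assumed event names `MFA_PUSH_SENT`, `MFA_PUSH_DENIED`, `MFA_PUSH_EXPIRED` and `MFA_PUSH_APPROVED`. It raises a high-severity alert when a user approves a push after a run of rejected prompts, and a medium-severity one when the bombing is seen but nothing has been approved yet.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only (not real Uber or IdP data).
# Assumed format: "<ISO-8601 timestamp> <user> <event> <source IP>".
SAMPLE_LOG = """\
2022-09-15T21:58:10Z alice MFA_PUSH_SENT 198.51.100.20
2022-09-15T21:58:25Z alice MFA_PUSH_APPROVED 198.51.100.20
2022-09-15T22:01:03Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:01:40Z contractor01 MFA_PUSH_DENIED 203.0.113.7
2022-09-15T22:02:11Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:03:12Z contractor01 MFA_PUSH_EXPIRED 203.0.113.7
2022-09-15T22:03:30Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:03:52Z contractor01 MFA_PUSH_DENIED 203.0.113.7
2022-09-15T22:04:05Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:05:06Z contractor01 MFA_PUSH_EXPIRED 203.0.113.7
2022-09-15T22:05:20Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:05:41Z contractor01 MFA_PUSH_DENIED 203.0.113.7
2022-09-15T22:07:02Z contractor01 MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:07:19Z contractor01 MFA_PUSH_APPROVED 203.0.113.7
2022-09-15T22:09:00Z bob MFA_PUSH_SENT 198.51.100.44
2022-09-15T22:09:30Z bob MFA_PUSH_DENIED 198.51.100.44
2022-09-15T22:10:00Z bob MFA_PUSH_SENT 198.51.100.44
2022-09-15T22:10:20Z bob MFA_PUSH_APPROVED 198.51.100.44
"""

# Assumed event names; map your IdP's actual event types onto these.
PUSH_SENT = "MFA_PUSH_SENT"
PUSH_APPROVED = "MFA_PUSH_APPROVED"
PUSH_REJECTED = {"MFA_PUSH_DENIED", "MFA_PUSH_EXPIRED"}


def parse_log(text):
    """Parse log text into sorted (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        # Python's fromisoformat accepts "+00:00" but older versions reject "Z".
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip))
    return sorted(events)


def detect_push_fatigue(text, window=timedelta(minutes=10), min_prompts=5):
    """Return one alert per user whose prompts in any `window` reach `min_prompts`.

    A window starts at each push the user received. Within it we count pushes
    sent, pushes denied or expired, and pushes approved. Bombing that ended in
    an approval (the pattern in the Uber breach) is 'high'; bombing with no
    approval yet is 'medium' and worth an early warning to the user.
    """
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for ts, _, event, ip in evs:
            if event != PUSH_SENT:
                continue
            in_window = [e for e in evs if ts <= e[0] <= ts + window]
            sent = sum(1 for e in in_window if e[2] == PUSH_SENT)
            rejected = sum(1 for e in in_window if e[2] in PUSH_REJECTED)
            approved = sum(1 for e in in_window if e[2] == PUSH_APPROVED)
            # Require at least one rejection so a burst of legitimate re-logins
            # that were all approved promptly does not fire.
            if sent >= min_prompts and rejected >= 1:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "window_start": ts.isoformat(),
                    "prompts": sent,
                    "rejected": rejected,
                    "approved": approved,
                    "severity": "high" if approved else "medium",
                })
                break  # one alert per user; later windows would be duplicates
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the sample data only `contractor01` trips the detector (six prompts, five rejections, then an approval); `bob` denied one push and approved the next, which stays below the threshold. In production the approval event is the one to act on immediately: revoke the session it created and re-verify the user out of band, and consider number matching or FIDO2 authenticators so that an accidental tap cannot complete a login the user did not initiate.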
In January 2022, hackers posted Kurtaj’s identity to Doxbin, a now-defunct Tor site to which users could post text, which Kurtaj allegedly ran under the moniker WhiteDoxbin. Allison Nixon, chief research officer at Unit 221B, told security journalist Brian Krebs that after Kurtaj had purchased Doxbin, he failed to keep it running smoothly. Under pressure, he agreed to sell the site, at a loss, back to its original owners. Right before doing so, he leaked every Doxbin post ever made – including private drafts that had never been published – to a public Telegram channel, which led users to retaliate by revealing his true identity, including photographs of him fishing.