Two Teens Accused of Masterminding Hacks on Grand Theft Auto and Uber

(Bloomberg) — Two UK teenagers were accused of being key members of the notorious hacking group Lapsus$, with prosecutors alleging that the pair were involved in attacks on companies including Nvidia Corp., Rockstar Games Inc., and Uber Technologies Inc.

Arion Kurtaj, 18, and a 17-year-old male, who can’t be named for legal reasons, were hit with joint charges including serious computer misuse, blackmail and fraud against BT Group Plc, and Nvidia. 

Kurtaj is also separately accused of hacks into Uber, Rockstar’s Grand Theft Auto, and fintech firm Revolut Ltd. 

The pair are facing a criminal trial in London with prosecutors telling a jury that Kurtaj hacked into Revolut, Uber and Rockstar Games systems in September last year while he was already on bail for the other charges.

The lawyers said Kurtaj — together with other unknown members of Lapsus$ — was responsible for stealing commercially sensitive code and video of the latest installment of the Grand Theft Auto series. It’s alleged he posed as a contractor at the firm and was responsible for leaking the hack on forums and soliciting a ransom payment. 

Kurtaj was found unfit to stand trial due to medical reasons. That means a jury will only decide whether he is liable for the alleged crimes, rather than guilty of them. He will also avoid jail should he be found liable. The trial is set to last 8 weeks.

A lawyer for Kurtaj didn’t immediately respond to a request for a comment. Kurtaj’s name can only be reported after reporting restrictions on naming him were lifted Tuesday.

The 17-year-old pleaded guilty to two charges relating to the BT hacks but not guilty to the others. 

Nvidia Hack, SIM Swapping 

Prosecutors also claim the two teens together hacked into Nvidia in February 2022 by seizing control of two contractors’ accounts. The pair allegedly gained access to sensitive company data including some of the software building blocks of the company’s products. 

The hackers stole as much as one terabyte of data from Nvidia and publicly released some, prosecutors said. They then demanded a ransom payment, threatening to release the rest online if Nvidia didn’t comply, they added.

Meanwhile, both teens allegedly hacked into the servers of BT’s EE network between July and November 2021 and threatened to release source code unless a ransom was paid. They also embarked on SIM swap frauds that drained multiple customers’ cryptocurrency and bank accounts, according to prosecutors.

The pair were not just playing “juvenile pranks online” but were using a “very modern criminal method attempting to make money” from the firms, the lawyers told the jury.

“Having hacked those companies, the group then attempted to blackmail them and threatened to publish confidential material online unless their demands were met,” said Kevin Barry, the prosecution’s lawyer. “They also used some of the material which they requested during the hacks for fraudulent purposes.”

Prosecutors said police and investigators managed to link the hacks to the teenagers through IP addresses linked to various email addresses, mobile devices, and Telegram messaging platform accounts. The teens also regularly boasted online about the hacks.

Kurtaj is “highly competent and a genius” but “he’s a teenage lad and he can’t resist bragging,” Barry said.  

©2023 Bloomberg L.P.