A teenage member of the Lapsus$ data extortion group, Arion Kurtaj (18), was convicted by a London jury of having hacked multiple high-profile companies, including Uber, Revolut, and blackmailed the developers of the gaming firm Rockstar Games.
Since September 2022, Kurtaj conducted a series of solo attacks, he gained access to around 5,000 Revolut customers’ records and hacked Uber causing $3 million of damage. Then he targeted Rockstar Games and threatened to release the source code for the popular video games Grand Theft Auto sequel.
Other victims of the man are the Britain broadband provider BT Group and Nvidia.
Kurtaj has autism and was assessed by psychiatrists as not fit to stand trial. However, a jury was asked to determine if the teenager was responsible for the series of attacks and if he acted with the criminal intent.
“Prosecutors said Kurtaj and a 17-year-old, who cannot be named for legal reasons and whose case was heard alongside Kurtaj’s, were “key players” in Lapsus$.
“The jury on Wednesday found Kurtaj committed 12 offences, including three counts of blackmail, two counts of fraud and six charges under the Computer Misuse Act.” reads the report published by Reuters. “The 17-year-old was found guilty of one count of fraud, one count of blackmail and one count under the Computer Misuse Act relating to Nvidia. He was found not guilty of one count of blackmail and one count under the Computer Misuse Act in relation to BT.”
Kurtaj had previously pleaded guilty to one count under the Computer Misuse Act and one count of fraud in relation to the BT, and to one count under the Computer Misuse Act for the hack of the City of London Police.
The Lapsus$ group was one of the most active gangs in the threat landscape, they targeted a lot of high-profile organizations, including NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta, and Globant.
The group’s activity ceased last year in September.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Lapsus$)