Teen Uber Hacker Sent to Indefinite Hospital Detention

Arion Kurtaj Was a Member of Lapsus$ Group That Also Hacked Nvidia and Revolut
Teen Uber Hacker Sent to Indefinite Hospital Detention

A British judge sentenced a teenage member of the now-defunct Lapsus$ hacking group to indefinite hospital detention for his role in several high-profile hacks.

See Also: What GDPR Means for Cybersecurity

A London jury in August convicted Arion Kurtaj and an unidentified teenager for computer crimes, blackmail and fraud charges for their role in hacks of Uber and Revolut and several other major hacks while they were members of the now-inactive, teenager-dominated Lapsus$ theft and extortion gang (see: Jury Finds 2 Teenagers Perpetrated Lapsus$ Group Hacks).

The BBC reported Thursday that Kurtaj, who has been diagnosed with severe autism, will remain at a secure hospital for life unless doctors can certify he's no longer a danger. Doctors deemed Kurtaj unfit to stand trial and removed criminal intent as an element of his prosecution.

Just before sentencing, the judge heard that a mental health assessment conducted on Kurtaj found him still planning to return to criminal hacking "as soon as possible."

Prosecutors identified Kurtaj, who also goes by the name "White" or "Breachbase," as one of the "key players" in the Lapsus$ group's 2022 hacks of Microsoft, Nvidia, Okta and the British broadband service's EE network.

A jury in August convicted Kurtaj on 12 offenses, including six counts of unauthorized access designed to impair the operation of a computer, three counts of blackmail, two fraud counts and one count each of unauthorized access to a computer, fraud and blackmail.

During Thursday's hearing, prosecutors said Kurtaj had carried out the hacks against Nvidia and EE network while on bail in a Travelodge hotel under police protection. Despite the authorities confiscating his laptop during this time, Kurtaj also hacked into Rockstar Games using Amazon Fire Stick, a hotel TV and a mobile phone. He then leaked dozens of video clips from Rockstar's still-unreleased Grand Theft Auto 6 video game. At least one cybersecurity expert has said the narrative sounds exaggerated. "The story sounds like he'd hacked into the company and stolen the content weeks before. He then just logged into their Slack to taunt them while in the hotel room. Accessing Slack from your phone is not terribly difficult," tweeted Rob Graham, CEO of Errata Security.

A second Lapsus$ hacker was found guilty of two counts of fraud, two Computer Misuse Act offenses and one count of blackmail. The jury sentenced him to a youth rehabilitation facility.

Lapsus$, formed in 2019, has been inactive since the arrests of members in London and Brazil.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.