Trial begins for Lapsus$ teen who turned the world of cybersecurity upside down
One turned out to be mentally deranged.
A teenage hacker from the Lapsus$ group attacked Uber, Revolut and Rockstar Games, and then extorted money from the developers of the popular video game Grand Theft Auto, prosecutors said at a trial in London.
Arion Kurtaj, 18, is accused of hacking into Revolut and Uber in September 2022, gaining access to information on approximately 5,000 Revolut customers and causing nearly $3 million in damage to Uber.
Prosecutors allege that he hacked into Rockstar Games a few days later and threatened to release the source code for the planned Grand Theft Auto sequel in a Slack message sent to all Rockstar employees.
He is also accused along with a 17-year-old, whose name has not been released, of extorting Britain’s largest broadband internet provider BT Group and mobile operator EE between July and November 2021, demanding a $4 million ransom.
The pair, whom prosecutors describe as “key players” in Lapsus$, are also accused of hacking chip maker Nvidia Corp in February 2022 and demanding payment for not distributing its data.
Prosecutor Kevin Barry told jurors in a South London trial last week that a 17-year-old hacker broke into the London Police cloud storage weeks after police arrested him in connection with the attack on BT and EE.
Kurtaj later launched a solo cybercriminal campaign, Barry said, first attacking Revolut, then Uber two days later, and then hacking Rockstar Games.
Kurtaj has been declared mentally insane by psychiatrists, so the jury will determine whether he did the acts he is charged with, rather than reaching a verdict of guilt or innocence. He will also avoid prison if found guilty.
He is charged with 12 offences, including three counts of extortion, two counts of fraud and six counts under the Computer Misuse Act.
The 17-year-old is facing trial on two extortion charges, two fraud charges and three charges under the Computer Misuse Act in connection with the BT and Nvidia hacks, which he denies.
He previously pleaded guilty to two charges under the Computer Misuse Act and one charge of fraud.
Who are Lapsus$?
Lapsus$ is a hacker group that has claimed responsibility for high-profile attacks on a number of major tech companies such as T-Mobile, Samsung, Ubisoft, Microsoft and Vodafone in recent months. In addition to these attacks, Lapsus$ also successfully carried out an attack on the Brazilian Ministry of Health.
Lapsus$ is unique in several ways. The mastermind of the attacks and several other alleged accomplices were teenagers. Unlike more traditional ransomware groups, Lapsus$ is extremely active on social media. The attackers are very well known for their approach to exfiltrating data. The group stole source code and internal information and often leaked the data online.
Lapsus$ attacks provide two important insights that companies should pay attention to. The first is that cybercriminal gangs are no longer content with ordinary ransomware that demands a ransom for decrypting data. Instead of traditional data encryption, Lapsus$ is more focused on cyber extortion, gaining access to the organization’s most valuable intellectual property and threatening to leak information if a ransom is not paid.
The second important takeaway is that weak passwords make companies much more vulnerable to attacks. The leaked Nvidia credentials showed that many employees used very weak passwords. Some of these passwords were plain words (welcome, password, September, etc.) which are extremely susceptible to dictionary attacks. Many other passwords included the company name as part of the password (nvidia3d, mynvidia3d, etc.). One employee even used the word Nvidia as his password!
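A password-screening check that rejects the two patterns described above (plain dictionary words and passwords built on the company name) at the moment a password is set. This is an added example, not part of the original article; the word lists, the 12-character minimum and the function names are assumptions, and the sample data is constructed.

```python
import re

# Constructed sample data. A real deployment would load a large list of
# breached and common passwords instead of this handful of words.
COMMON_WORDS = {"welcome", "password", "september", "qwerty", "letmein"}
# Context-specific terms: company, product and service names (assumed list).
CONTEXT_TERMS = {"nvidia"}

# Undo the usual character substitutions so "P@ssw0rd" matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Reduce a password to the word it is built on.

    Lower-case it, drop the trailing digits/symbols people append
    ("September2022!" -> "september"), undo leet substitutions, and
    keep letters only.
    """
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", stem.translate(LEET))


def screen_password(password, min_length=12):
    """Return the reasons to reject a password; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    core = normalize(password)
    # Exact match against the common-word list after normalization.
    if core in COMMON_WORDS:
        reasons.append("common word")
    # Substring match: the organisation's name anywhere in the password.
    if any(term in core for term in CONTEXT_TERMS):
        reasons.append("contains organisation name")
    return reasons


if __name__ == "__main__":
    for candidate in ["welcome", "September2022!", "mynvidia3d",
                      "Nv1d1a-Rules-2022", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {screen_password(candidate) or 'accepted'}")
```

Running the check when a password is chosen, rather than auditing stored hashes later, keeps these passwords from ever entering the directory.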