Article Details

Lapsus$ teen sentenced to indefinite detention in hospital after Nvidia, GTA cyberattacks. Arion Kurtaj will remain hospitalized until a mental health tribunal says he can leave. Two British teens who were members of the Lapsus$ gang have been sentenced for their roles in a cyber-crime spree that included compromising Uber, Nvidia, and fintech firm Revolut, and also blackmailing Grand Theft Auto maker Rockstar Games. Arion Kurtaj, 18, of Oxfordshire, was sentenced Thursday to detention at a hospital in the UK for an unlimited amount of time. Kurtaj, who has autism, was assessed by psychiatrists as not fit to stand trial. He will remain hospitalized until a mental health tribunal says he can leave. Also on Thursday, a 17-year-old member of the chaotic crime gang, who cannot be named for legal reasons, was given a youth rehabilitation order. Kurtaj had reportedly been violent while in custody, and the court heard dozens of reports of injury or property damage. During his sentencing hearing, a mental health assessment determined that Kurtaj "continued to express the intent to return to cybercrime as soon as possible. He is highly motivated." Previously, Kurtaj was found guilty of 12 offenses, including computer intrusion, blackmail, and fraud. The 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer. The two teenagers and other Lapsus$ members broke into and attempted to extort Brit telecoms giant BT, Microsoft, Samsung, Vodafone, Revolut, and Okta between August 2020 and September 2022. "This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone's broader future," said City of London Police Detective Chief Superintendent Amanda Horsburgh. "Unfortunately, the digital world can also be tempting to young people for the wrong reasons." In March 2022, London cops arrested and then released seven people, aged 16 to 21, for their alleged roles in the digital intrusions and extortion attempts. They then re-arrested and charged Kurtaj and the 17-year-old later that month. The crew's tactics included phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication (MFA) codes. Following their string of high-profile attacks, the US government in August issued a report on Lapsus$ [PDF] and urged organizations to move away from voice- and SMS-based MFA and instead use a hardware-backed FIDO key or biometric authentication. It also called on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to strengthen their oversight and enforcement activities of telecommunications providers related to SIM swapping.