Teen Hacker Behind Grand Theft Auto Leak Sentenced to Indefinite Hospital Order

An 18-year-old hacker, identified as Arion Kurtaj from Oxford, who played a key role in the international cybercrime group Lapsus$, has been sentenced to an indefinite hospital order after leaking clips of the highly anticipated Grand Theft Auto 6 (GTA 6). The gang, responsible for attacks on tech giants such as Uber, Nvidia, and Rockstar Games, incurred losses of nearly $10 million for the targeted firms.

 

Kurtaj, who is autistic, was deemed unfit to stand trial due to his acute autism, prompting a jury to determine whether he committed the alleged acts, not considering criminal intent. A mental health assessment revealed that Kurtaj remained a high risk to the public, expressing a strong intent to return to cybercrime at the earliest opportunity.

 

The court heard that Kurtaj, while on bail for previous hacking incidents involving Nvidia and BT/EE, managed to breach Rockstar Games using unconventional means, stealing 90 clips of the unreleased GTA 6. He posted the clips and source code on a forum, demanding contact from Rockstar within 24 hours. The hack cost Rockstar Games $5 million to recover from, along with thousands of hours of staff time.

 

Despite arguments from Kurtaj’s defense that the success of the GTA 6 trailer indicated minimal harm to the game developer, Judge Lees emphasized the real victims and harm caused by the multiple hacks conducted by Lapsus$.

 

In the same trial, a 17-year-old Lapsus$ member was found guilty of hacking tech giant Nvidia and phone company BT/EE, stealing data, and demanding a $4 million ransom. This member, who cannot be named due to age, received an 18-month Youth Rehabilitation Order, including intense supervision and a ban on using VPNs online. Additionally, he was sentenced for stalking and harassing two young women.

 

Kurtaj and the 17-year-old are the first members of the Lapsus$ group to be convicted, though it is believed that other members are still at large. The group, described as "digital bandits," shocked the cyber-security world with audacious attacks on multinational corporations, prompting US cyber-authorities to issue a report on Lapsus$ and similar teen hacker gangs.

 

The report concluded that Lapsus$ demonstrated how easily juveniles could infiltrate well-defended organizations, using a combination of hacking and con-man-like tricks. Despite their criminal activities, it remains unclear how much money Lapsus$ made from their cybercrimes, as no companies publicly admitted to paying the hackers, and the hackers did not provide passwords to seized cryptocurrency wallets.