A UK court has found an 18-year-old from Oxford was a part of international cybercrime gang LAPSUS$, responsible for a hacking spree against major tech firms. Arion Kurtaj was a key member of the LAPSUS$ group that hacked the likes of Uber, Nvidia, and Rockstar Games. A 17-year-old was also convicted for his involvement in the activities of the gang but cannot be named because of his age. The trial was held at Southwark Crown Court in London and lasted for seven weeks.
The pair were charged with three counts of unauthorized access to a computer with intent to impair the reliability of data, among other offenses, in April 2022. The cybercriminal gang is believed to be behind several high-profile cyberattacks including the data breach of internal systems of cloud-based authentication software provider Okta.
LAPSUS$ hackers attempted to blackmail victims
Prosecution lead barrister Kevin Barry said that Kurtaj and his co-conspirators repeatedly showed a “juvenile desire to stick two fingers up to those they are attacking,” reported the BBC. Once inside a company’s computer network, the hackers often left offensive messages on Slack and Microsoft Teams as they attempted to blackmail staff. The gang’s actions were often erratic with motives apparently swinging from notoriety, financial gain, or amusement, the BBC wrote.
It is not clear how much money LAPSUS$ has made from its cybercrimes, but it is thought that members of the gang are still at large. Both teenagers will be sentenced later. Kurtaj is remanded in custody and the 17-year-old defendant continues to have bail.
US authorities warn of lighter penalties for juvenile threat actors
The hacking spree prompted a major review by US cyber authorities earlier this month. It warned that cyber defences needed to be improved to counter the rising threat of teenage hackers. “The juvenile status of certain threat actors can limit federal law enforcement’s role and yield lighter penalties under their home countries’ legal frameworks,” the report read. “Less severe consequences may not adequately deter juveniles and few cyber-specific intervention programs exist that can help divert potential offenders to legitimate cybersecurity activities.”