Teens on trial for hacking Uber, Rockstar and others
They are also alleged to have links with Lapsus$ gang
Prosecutors told a court on Tuesday that two British teenagers were key members of the infamous hacking group Lapsus$ and played a significant role in orchestrating cyberattacks against several companies, including Uber, Nvidia and Rockstar Games last year.
Joint charges, encompassing serious computer misuse, blackmail, and fraud were filed against Arion Kurtaj, 18, and a 17-year-old, whose identity cannot legally be disclosed. The court has now lifted a reporting restriction, thereby permitting the disclosure of Arion Kurtaj's name.
Medical professionals have determined that Kurtaj is unfit to stand trial. Instead of being asked to deliver the usual verdict of guilty or not guilty, the jury will be asked to decide if Kurtaj committed the alleged offences.
Prosecutors alleged that Kurtaj, while being associated with the Lapsus$ operation, independently breached the security systems of prominent firms such as Uber, Revolut and the developer of Grand Theft Auto in a series of hacks in September 2022. Kurtaj is said to have gained unauthorised access to approximately 5,000 customers' information within Revolut and to have caused significant damage to Uber, amounting to almost $3 million.
Prosecutors also claimed that Kurtaj hacked Rockstar Games and sent a Slack message to all Rockstar staff. In this message, he reportedly threatened to release the source code of the upcoming Grand Theft Auto sequel.
As reported by Reuters, Kurtaj is facing a total of 12 charges, which include two counts of fraud, three counts of blackmail, and six charges under the Computer Misuse Act. The final charge Kurtaj faces, along with the 17-year-old, is one of engaging in blackmail against BT and mobile operator EE.
The alleged blackmail occurred between July and November 2021, and involved issuing a ransom demand of $4 million.
The pair are also accused of hacking American chip maker Nvidia in February 2022. Following the breach, they purportedly demanded a payment from Nvidia in exchange for not leaking data.
The unnamed 17-year-old is currently facing trial on two counts of fraud, two counts of blackmail, and three charges under the Computer Misuse Act, related to the hacking incidents involving BT and Nvidia. The young person denies these charges, although had previously pleaded guilty to one count of fraud and two offenses under the Computer Misuse Act.
Prosecutors told the court that all these hacks were linked to the teenagers after investigators traced their IP addresses through various email and Telegram accounts that the pair allegedly used to boast about their activities.
Last year, it was reported that Uber experienced a security breach, allegedly carried out by a threat actor who exploited a social engineering attack on the company's computer network. Subsequently, the same actor claimed responsibility for hacking Rockstar Games in a fan forum.
Media reports at that time indicated that Uber employees received a Slack message from an unidentified sender, informing them of a data breach within the company. The sender provided specific information regarding several internal databases they claimed to have compromised.
The reports claimed that the hacker compromised an employee's Slack app and used it to distribute the message to other employees within the company. The attacker seemingly exploited their access to Slack to gain entry into other internal systems, as indicated by the posting of an explicit picture on an internal employee information page.
Furthermore, the individual sent screenshots of emails, cloud storage, and code repositories to both The New York Times and cybersecurity researchers, claiming that Uber's inadequate security measures enabled unauthorised access to the company's servers.