Prosecutors say two British teens showed no mercy during a 2022 hacking spree targeting big names such as Uber, Revolut, Nvidia, and Rockstar Games – one teen even hacked the City of London police after being arrested.
A teenage member of the Lapsus$ cybercriminal group hacked Uber and fintech firm Revolut then blackmailed the developers of best-selling videogame Grand Theft Auto, prosecutors told jurors at London's Southwark Crown Court last week.
Arion Kurtaj, 18, is said to have targeted both Revolut and Uber in September 2022, accessing around 5,000 Revolut customers' information and causing nearly $3 million of damage to Uber.
At the time, Uber said the hacker was able to breach the network using the compromised password of a third party contractor bought off the dark web.
The alleged hacker, who went by the online name “Teapot,” bombarded the contractor with two-factor authentication requests (a technique known as multi-factor authentication fatigue) until they accidentally accepted the request, allowing him to log into the system and escalate privileges.
The suspect also logged in to Uber’s Slack messaging platform announcing the hack to employees, along with the hashtag "Uber underpays drivers."
Prosecutors say Kurtaj hacked Rockstar Games days later, claiming to have accessed the company's Slack servers via a social engineering attack, similar to Uber.
Kurtaj threatened to release the planned Grand Theft Auto sequel's source code in a Slack message sent to all Rockstar staff.
Multiple videos of the upcoming Grand Theft Auto 6 video game wound up being leaked by the hackers anyway, showing unreleased features of the game, such as character movement and conversations.
Before Kurtaj’s solo cybercrime spree against Revolut, Uber, and Rockstar Games, prosecutors say he paired up with a 17-year-old, who cannot be named, to blackmail Britain's biggest broadband provider BT Group, as well as mobile operator EE.
Those attacks took place between July and November 2021, and involved a $4 million ransom.
Additionally, the pair, who prosecutors claim were "key players" in Lapsus$, are alleged to have hacked chip maker Nvidia Corp in February 2022 and demanded payment not to publish its data.
Even more audacious, prosecutor Kevin Barry told jurors that the 17-year-old hacked City of London Police's cloud storage just weeks following his arrest in connection with the BT and EE hacks.
The 17-year-old is standing trial on two counts of blackmail, two counts of fraud and three charges under the Computer Misuse Act relating to the hacking of BT and Nvidia, which he denies.
The unnamed teen had previously pleaded guilty to two offenses under the Computer Misuse Act and one count of fraud.
Kurtaj has been charged with 12 offenses, including three counts of blackmail, two counts of fraud and six charges under the Computer Misuse Act.
Psychiatrists have deemed the 18-year old as not fit to stand trial, meaning the jury will determine whether he committed the acts “alleged” rather than deliver a guilty or not guilty verdict.
Lapsus$ script kiddies
The Lapsus$ extortion gang first appeared on the scene in 2019, and often is referred to as just a bunch of script kiddies.
Lapsus$ behavior has been documented as immature and impulsive, close to a teenager in a basement stereotype.
In March 2022, seven individuals between the ages of 16 and 21 were arrested by Oxford police in connection with Lapsus$, including a 16-year old thought to be the mastermind behind the group, and some teens from Brazil.
“Extortion groups like Lapsus$ focus on opportunistic data theft and threats to publicly release the stolen data. Occasionally, these groups will also delete the original data,” Tenable researcher Claire Tills said back in 2022.
The Lapsus$ group made a splash in 2022 after bragging about attacks against Microsoft, Okta, Globant, Nvidia, and even Samsung.
“Even though the breaches at Samsung, Microsoft, and Okta did not have the technical impact we all fear from an incident at companies of that caliber, the disruption was still considerable,” Tills said.
More from Cybernews:
AO3 fanfiction site shut down and extorted by Anonymous Sudan
Kremlin cyber gang targets NATO meeting place website
YouTube need not fear Odysee, but positive signs for decentralized apps
John Hopkins confirms MOVEit breach
Subscribe to our newsletter
Your email address will not be published. Required fields are marked