Lapsus$ cybercrime and extortion group member Arion Kurtaj has been sentenced indefinitely to a ‘secure hospital’ by a UK judge.
Kurtaj, who is 18 years of age and autistic, is among the primary Lapsus$ threat actors and was involved in the leak of assets associated with the video game Grand Theft Auto VI.
Sentenced indefinitely in a ‘secure hospital’
Arion Kurtaj, a member of the Lapsus$ cybercrime group, was sentenced indefinitely to a “secure hospital” by a British judge, according to a BBC report.
Kurtaj, an Oxford resident, served as a key Lapsus$ member who leaked clips from Rockstar Games’ upcoming video game, Grand Theft Auto VI.
According to the judge, Kurtaj continued to be a “high risk” to the public given his abilities and desire to commit cybercrime.
As such, unless and until doctors clear him as no longer posing a danger, he shall remain at a secure hospital.
In addition to the hacker’s involvement in cybercriminal activity, the court heard that he had been violent while in custody, leading to “dozens of reports of injury or property damage.”
Because of his autism, healthcare professionals had deemed Kurtaj unfit to stand trial, deferring it to the jury to decide whether his alleged acts were committed with criminal intent.
The BBC reported that a mental health assessment conducted in conjunction with the sentencing hearing determined that Kurtaj remains highly motivated to “return to cyber-crime as soon as possible.”
In the same trial, which spanned six weeks, another Lapsus$ member, a 17-year-old (unnamed for legal reasons), was found guilty at Southwark Crown Court, London.
The unnamed minor collaborated with Kurtaj and other gang members to breach tech giant NVIDIA and telcos including BT/EE, before attempting to extort them for a $4 million ransom that was not paid. The minor has been sentenced to a Youth Rehabilitation Order for 18 months with rigorous supervision in place, and a “ban on using VPNs online.”
Previously, Kurtaj was “caught red handed” circumventing his bail conditions, prosecutors stated, when his hotel room TV was found with an Amazon Fire Stick that let him connect to cloud computing services with his smartphone, keyboard, and mouse. That’s how he was able to conduct the GTA 6 leak, despite having his laptop confiscated.
Believed to be one of the leaders of the group, Arion Kurtaj was arrested twice in 2022, first in January and then again in March, in connection with Lapsus$ hacking activity.
Lapsus$: hacking high-profile names
Although the Lapsus$ gang purportedly comprises teenagers, it may be naïve to underestimate their abilities or the threat posed by the group to an organization’s cyber infrastructure.
The Lapsus$ cybercrime gang has previously taken responsibility for high-profile cyberattacks, ranging from those on Okta and Uber to the one on fintech giant Revolut, as well as the attack concerning Microsoft’s internal Azure server through which the group allegedly leaked 37 GB of stolen source code for Bing, Cortana, and other Microsoft projects.
The group has also previously claimed to have breached LG Electronics (LGE) for a “second time” in a year.
BleepingComputer had been unable to confirm the claim at the time and had reached out to LG.
Data extortion groups like Lapsus$ breach victims, but as opposed to encrypting confidential files like a ransomware operator would, these actors steal and hold on to victims’ proprietary data, and publish it should their extortion demands not be met.