Two British Teenagers Found Guilty of Belonging to LAPSUS$ SIM Swapping Hacker Gang

A jury has decided that two British boys, now aged 18 and 17, played leading roles in the hacking activities of LAPSUS$, which included stealing data from telcos, demanding a ransom not to reveal sensitive information belonging to chip-maker Nvidia, and threatening to release the source code for the Grand Theft Auto 6 video game before it had been released. The teenage terrors routinely taunted their victims by leaving abusive messages on corporate comms systems they hacked into. However, a predilection for bullying and gloating proved to be the cause of their downfall, as the older boy’s real-life identity was revealed by rivals on Doxbin. A series of arrests have been made but other members of the gang, which is believed to be mostly composed of Brits and Brazilians, have yet to be taken into custody.

The downfall of 18-year-old Arion Kurtaj began when he provoked considerable anger amongst other hackers by purchasing, then mismanaging, Doxbin, a text-based website dedicated to revealing the real identities of computer users, a practice known as ‘doxxing’. Matters came to a head when Kurtaj agreed to sell Doxbin back to its previous owner, but not before he used Telegram to publicly leak all of Doxbin’s data, including previously unpublished information. Other hackers took revenge by sharing extensive details about Kurtaj, his family and his criminal activities. Multiple sources claim that Kurtaj amassed approximately USD14mn through his crimes despite having “the brain of a 8 year old with severe autism”. The claims about Kurtaj’s personal wealth are consistent with the gang hiring others to assist with their crimes, including the offer of USD20,000 bribes for any employees of AT&T, T-Mobile and Verizon willing to do ‘inside jobs’ for LAPSUS$.

Kurtaj’s 17-year-old apprentice was not named by the court because he is still a minor. Both boys are being treated as incompetent to understand their crimes because they have each been diagnosed as autistic. However, the extent of cybercrimes being committed by juveniles is testing the extent to which society can afford to show leniency to youths whose online activities are not monitored by parents. The 17-year-old has denied the police access to the hardware wallet used to store the cryptocurrency he stole. Kurtaj was already on bail for the Nvidia hack when he infiltrated Rockstar Games to steal the source code of Grand Theft Auto 6. Incredibly, the latter crime was committed by Kurtaj from a hotel room where the authorities had placed him for his own safety following the doxxing of his identity and home address. Instead of being grateful for the care shown to him, Kurtaj violated his bail conditions by obtaining a Fire TV Stick in order to gain access to the internet.

The full extent of the crimes committed by these boys may never be known. No companies ever admitted to paying the ransoms demanded by LAPSUS$ but these boys were offering bribes that would tempt even a well-paid adult, whilst both were still too young to have legally left school. Kurtaj spent USD75,000 to purchase Doxbin before later offering a ‘bounty’ of USD100,000 for anyone willing to dox its previous owner. It is known that the boys successfully stole cryptocurrency worth almost USD100,000 by performing SIM swaps on phone users after they hacked the servers of BT and EE. They were arrested for this crime in January 2022 but the authorities naïvely released them, effectively giving them complete freedom to continue hacking, bribing and pillaging as they pleased. Their crimes then rapidly escalated, and they even hired stooges to perform social engineering on their behalf. Their crude but effective methods contributed to the compromise of Uber and Revolut as well as Nvidia and Rockstar Games. Kurtaj is also implicated in the theft of source code from T-Mobile US.

Some quarters of the press have reported the hacking endeavors of LAPSUS$ as ‘shocking’. What is truly shocking is that societies can continue to maintain such infantile expectations about how we will secure ourselves online. Security breach after security breach has still not prompted the kinds of changes that would actually be required to stop criminals who may be determined, but who are also deeply stupid. Kurtaj picked needless fights with peers who had the means and the motivation to seek revenge. He obtained valuable source code from T-Mobile US but never bothered to make a secure copy, with the result that the code was wiped when the FBI took control of an Amazon Web Services server used by one of his LAPSUS$ accomplices. He went on public forums to brag about stealing the source code for Grand Theft Auto 6 but then was caught red-handed with the equipment he had used to obtain it. This equipment was found in the hotel room he was given by the authorities for his own safety, even though possessing the equipment was sufficient to violate the terms of his bail.

Kurtaj was found guilty of three counts of blackmail, two counts of fraud and six charges under the Computer Misuse Act. The jury heard him described as a ‘key player’ in LAPSUS$. But his peers referred to him as an idiot. They despised his limited hacking skills. Kurtaj’s success as a criminal appears to mostly stem from the amount of time he would obsessively devote to expanding the number of exploits he possessed and the number of accomplices for his schemes. His unnamed co-defendant is representative of the further threat that Kurtaj posed to society because of his determination to find and recruit other impressionable youths.

The US Cyber Safety Review Board recently published a report on LAPSUS$ activities that recommended straightforward but vital security improvements that others have been too weak, too afraid or too selfish to express support for. Their recommendations include neutralizing the threat posed by SIM swaps by urgently switching to alternative forms of multi-factor authentication that do not rely on sending a one-time password to somebody’s phone. They also identify the need for societal intervention to prevent juveniles being tempted by cybercrime. Kurtaj’s obsession with cybercrime reportedly began with a desire to control Minecraft servers. But the adults tasked with tackling cybercrime often demonstrate even less common sense than a teenager with learning difficulties. How else should we explain that a serial cybercriminal associated with major hacks in several countries, and who had already demonstrated both a willingness and the ability to spend huge amounts on committing crime, was left unsupervised in a hotel within a big retail estate? He violated his bail by buying a mobile phone, a keyboard and a device to connect to the internet, but how surprising is this when all of the equipment was openly on sale in the shop next to the hotel?

There is an understandable desire to treat wayward children with kindness but it is long past time for adults to grow up and treat cybercrime with the seriousness it deserves. Showing leniency towards these two boys will only result in much more harm later on. It will encourage other children to indulge their destructive fantasies because they fear no repercussions. Some SIM swapping criminals are already suggesting that older gang leaders are consciously choosing to recruit kids to work on their behalf because children will not be punished if caught. Meanwhile, the rest of society pays the price for parents who are too indolent to notice or care if their children are making millions from crime. If parents are incapable of disciplining their children then the state will have to do it for them. We cannot simply turn a blind eye to these crimes and hope they will go away. The evolving pattern of the last few years has demonstrated that the literal opposite is happening: cybercriminals are getting younger and more brazen because other kids have already shown how easy it is to steal online.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.