A London jury has discovered that an 18-year-old member of the Lapsus$ information extortion gang helped hack a number of high-profile firms, stole information from them, and demanded a ransom threatening to leak the data.
Believed to be one of many leaders of the group, Arion Kurtaj, from Oxford, England, was arrested twice in 2022, first in January after which once more in March, in reference to Lapsus$ hacking exercise.
He’s on trial for breaching fintech firm Revolut, ride-sharing service Uber, and sport developer Rockstar Video games.
Excessive-profile organizations impacted by Lapsus$ additionally embrace Microsoft, Cisco, Okta, Nvidia, T-Cell, Samsung, Vodafone, Ubisoft, 2K, and Globant.
Leaking information whereas on bail
Kurtaj is autistic and was not deemed match to be in courtroom. Nonetheless, a jury was requested to find out if he was chargeable for the alleged hacking exercise, disregarding legal intent.
{The teenager} is believed to have breached the Metropolis of London Police cloud storage after he was arrested in reference to the assault on cell operator EE.
It’s alleged that after that with the assistance of some Lapsus$ members, Kurtaj focused Revolut, Uber, and Rockstar Video games, demanding tens of millions of U.S. {dollars} in ransoms.
Utilizing the deal with ‘teapotuberhacker’ and whereas on bail at a lodge, Kurtaj leaked gameplay movies from the unreleased Grand Theft Auto 6, obtained after breaching the sport developer’s Slack server and Confluence wiki.
Kurtaj used greater than a dozen on-line names, White and Breachbase amongst them, and is believed to have made greater than 300 BTC from his hacking exercise, SIM-swapping included.
Many of the cash was misplaced to playing or hackers that breached White’s pc, allegedly twice.
Kurtaj will not be the one teenager on trial for Lapsus$-related hacking exercise. One other member of the gang, a 17-year-old additionally affected by autism, has been convicted for breaching firms as effectively.
Regardless of being a loosely organized group of largely youngsters, Lapsus$ managed to breach organizations with a robust sense of safety.
Expert actors nonetheless get caught
A latest report from the U.S. authorities notes that the gang used low-cost strategies to disclose “weak factors in our cyber infrastructure.”
The members of the group took SIM-swapping to the following degree by paying $20,000 per week for entry to a telecommunication supplier’s platform, which allowed them to hijack focused cellphone numbers and acquire one-time passcodes to numerous accounts.
Lapsus$ exercise unfold from 2021 to 2022 and concerned people from the U.Ok. and Brazil who used social engineering and hacking strategies of assorted complexity to breach firms for fame, monetary sport, and enjoyable.
Final yr in September Lapsus$ exercise died, as regulation enforcement began arresting a number of members of the group: a number of people within the U.Ok. [1, 2] and one other one in Brazil.