Autistic teen behind spate of Lapsus$ hacks sentenced to indefinite hospital stay

Jason Macuray
Arion Kurtaj, a teenager described as a key member of the Lapsus$ group, was sentenced to an indefinite hospital order on Thursday for a series of high-profile hacks last year.

Arion Kurtaj, a teenager described as a key member of the Lapsus$ group, was sentenced to an indefinite hospital order on Thursday for a series of high-profile hacks last year.

Kurtaj, who is 18 and has severe autism, was deemed unfit to stand trial by psychiatrists. In August, a jury found that he had committed the hacks. Due to his condition, jurors were only asked to find whether he had committed them rather than was guilty of them.

The teenager broke into the systems of ride-hailing business Uber, fintech firm Revolut, and the developer of Grand Theft Auto — while using an Amazon Fire Stick connected to a hotel room television, the court heard — in a spate of successive incidents while already on bail for other hacks in September 2022.

Kurtaj will remain in a secure hospital for life or until doctors think he is no longer a danger to society, with Judge Patricia Lees in Southwark Crown Court saying he remained “determined to commit further serious offences if the opportunity arose.”

The court was also told that while in custody Kurtaj had been violent, resulting in dozens of reports of injuries and property damage.

A co-defendant in the same trial, who cannot be named due to his age, was also found guilty back in August. The 17-year-old was sentenced to a Youth Rehabilitation Order lasting 18 months that restricts his internet usage because of what the judge said was an “unpleasant and frightening pattern of stalking and harassment.”

The Lapsus$ gang became notorious for its brazen hacks that often involved extensive social engineering and very little if any technical ability to exploit vulnerabilities.

A number of suspects remain at large, although prosecutors said investigators found the two British teens after resolving IP addresses used for a number of email and Telegram accounts which the pair used to boast about their antics.

A string of high-profile cyberattacks carried out by the wider group of teenage hackers in the Lapsus$ gang in 2021 and 2022 was described as highlighting systemic weaknesses in the telecommunications industry by a U.S. Department of Homeland Security review.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

First American becomes latest real estate industry giant hit with cyberattack

Next Post

Kazakhstan to extradite Russian cyber expert to Moscow despite US requests

Related Posts

Cloudzy Elevates Cybersecurity: Integrating Insights from Recorded Future to Revolutionize Cloud Security

Cloudzy, a prominent cloud infrastructure provider, proudly announces a significant enhancement in its cybersecurity landscape. This breakthrough has been achieved through a recent consultation with Recorded Future, a leader in providing real-time threat intelligence and cybersecurity analytics. This initiative, coupled with an overhaul of Cloudzy's cybersecurity strategies, represents a major
Read More