Teenage members of Lapsus$ ransomware gang convicted

A wave of video game developer compromises has come to a court-based conclusion for those responsible, with several convictions the end result. Arion Kurtaj, and a second teen who cannot be named due to their age, are finding themselves to be in quite a lot of trouble after repeated and sustained attacks on multiple businesses.

The infamous Lapsus$ ransomware gang gained notoriety for a number of attacks against companies involved in game development, or companies closely associated with gaming, such as Nvidia. Other compromises involved major telecoms companies like EE and BT. In 2021, two of the teens now found to be responsible for the telecoms attacks breached their servers and went on to demand a $4m ransom.

No ransom was paid, despite the attackers claiming to have source code belonging to Orange, BT, and EE in text messages sent out to 26,000 EE customers. Even so, they were able to steal close to $126,000 from five victims by abusing the SIM data used to secure their cryptocurrency accounts.

At the time, the teens (aged 16 and 17) were arrested for this incident and then released while being kept under investigation. You would think someone in this situation would steer clear of trouble. Here, things played out very differently.

Both teens continued to work with the group, going on to score more successful compromises like Nvidia in the first few months of 2022. One particularly unusual aspect of this attack would be Lapsus$ demanding that Nvidia make all of their graphics card drivers open source, or else risk internal data being leaked.

Nvidia was also rightly concerned that something dubious could have been inserted into a software update. If something bad were to sneak into people’s graphics card drivers, total chaos would be the end result. In terms of reach, this could have been very bad indeed. Other audacious attacks on services like Okta and Globant underscored how dangerous this particular ransomware group was if given the chance to jump onto a network.

Both teens were re-arrested at the end of March 2022, as a result of potential involvement in some of the above crimes. Kurtaj had his personal data leaked online, and had to be moved into a secure location for his own safety.

At this point, you would think that it would be a game over. There is no way that somebody in this situation, with their details leaked, and their hands caught in the cookie jar, would keep going. Right?


According to the BBC, police searched his hotel room and caught him “red handed”. Law enforcement discovered that Kurtaj used an Amazon Fire Stick plugged into his hotel television. This meant he was able to access cloud computing services. The court was told that he’d helped take on Uber, Revolut, and (in what may be the most publicised attack) Rockstar Games.

He posted a message to Rockstar’s Slack channel to all employees which said “I am not a Rockstar employee, I am an attacker”. He also claimed to have downloaded all of the data for the upcoming Grand Theft Auto 6, with the threat of releasing source code if he was not contacted on Telegram within 24 hours. Elsewhere, no fewer than 90 clips of unfinished gameplay ended up on a fan forum.

As you may have expected by this point, Kurtaj was indeed arrested and detained until his trial.

The prosecution mentions that members of the group had a desire to show off and highlight their skills for all to see. In the case of Kurtaj, this desire led to various hacking incidents he surely had little to no hope of concealing as the arrests and re-arrests continued apace.

It’s possible an older and more experienced crew would have cut their losses and gone silent for a while. In this case, those responsible were lighting the digital equivalent of emergency flares every five minutes during what would otherwise be covert attacks. Indeed, prosecutors tied some of the incidents to the teens responsible via IP addresses associated with their email and Telegram accounts. This is very much something you wouldn’t expect them to be caught out by. An amateur mistake, or that sense of youthful invulnerability coming to the fore?

Either way, for both of the teens involved their wave of compromises is now over.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.