Attack on Microsoft and GTA 6
The hacking group Lapsus$ scared global corporations – now two teenagers have been convicted for the attacks
At the time of the crime, both accused were still minors (symbol image)
© monkeybusinessimages / Getty Images
They cracked Microsoft, blackmailed banks and stole the program code for the unannounced hit game “GTA 6”. Now the brains behind the hacker gang Lapsus$ have been convicted. In fact, they weren’t even adults yet.
It’s a cliché from hacker films and series: gifted teenagers sit in the children’s room and crack into corporations around the world. But those days are actually long gone: The lucrative attacks are usually carried out by highly professional criminals, often with the support of secret services. The court case against the notorious The Lapsus$ group now shows that the old cliché still exists.
In seven weeks of negotiations, the Southwark Crown Court in London met about the only 18-year-old Arion K. from Oxford, England, and a 17-year-old accomplice. Now the two have been found guilty of leading and executing successful attacks in 2021 and 2022 on global corporations such as tech giants Microsoft, Nvidia and Samsung, gaming studio Rockstar, banking app Revolut, Uber, and British mobile operators BT and EE. Not only were vast amounts of data stolen, ransoms in the millions were also demanded.
Spectacular attacks from the children’s room
The Lapsus$ group had managed a sensational series of hacker attacks in a very short time. In doing so, they relied primarily on human weaknesses: they specifically sought out individual company employees and tried to find out access data in conversations or by e-mail. In several cases, they bombarded employees at night with bogus requests for approval of a security measure until they agreed, annoyed.
The results were often spectacular – and the hackers celebrated them extensively on social media. The hackers stole internal customer data and captured 90 percent of the source code of the Microsoft search engine Bing. The biggest coup was the leak of the then unannounced game hit “GTA 6”: The hackers were not only able to prove the existence of the game, which had been awaited for years, but also published dozens of internal test videos. They were surprisingly bold towards the game developer. “I’m not an employee. I’m an attacker,” K. posted in the internal group channel on Messenger Slack.
Security
The main thing is that we all fall for these password myths
Bold action
K. himself did not have to testify at the court hearing. A psychiatric report confirmed that the 18-year-old was autistic and therefore not suitable to appear before a court. According to reports, his 17-year-old accomplice, whose name cannot be published because he is a minor, is also autistic. In court, the jury should only decide whether the two committed the crimes, not what their intentions were.
The two and other accomplices had not let their actions be deterred by clashes with the law. They were arrested as suspects for the first time in January 2022 and just continued despite the investigation. At the end of March of the same year, both were arrested a second time after K. had been “doxxed” by other hackers. They had released not only his identity, but also his address and family photos.
As a result, K. was accommodated in a hotel as a security measure, and he was given a strict internet ban as a condition. But that didn’t stop him: he initiated the GTA hack directly from his hotel room. A police raid of the hotel room then caught him in the act. Using a FireTV stick and a keyboard, he converted the hotel’s television into a hack station. The police drew a line: he will remain in custody until the expected sentence will be announced later. Most of the group, mostly from Brazil and Britain, remain at large.