British LAPSUS$ Teen Members Sentenced for High-Profile Attacks

Dec 24, 2023NewsroomCyber Crime / Data Breach

Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.

Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime “as soon as possible,” BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial.

Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail.

Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September.

The attack spree, which took place between August 2020 and September 2022, targeted BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.

LAPSUS$ is said to comprise members from the U.K. and Brazil. A third member of the group, also suspected to be a teen, was arrested in the South American nation in October 2022.

A report published by the U.S. Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) this year revealed the threat actor’s use of SIM-swapping attacks to take over victim accounts and infiltrate target networks. It also used a Telegram channel to publicize its operations and extort its victims.

Over the past year, the notoriety attracted by LAPSUS$ has also led to the emergence of another group called Scattered Spider. Both groups are part of a larger entity that calls itself the Comm.

According to the Federal Bureau of Investigation, the Comm consists of a “geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram” to engage in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.

“This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone’s broader future,” Amanda Horsburgh, detective chief superintendent from the City of London Police, said.

“Many young people wish to explore how technology works and what vulnerabilities exist. This can include learning to code, interacting with like-minded individuals online and experimenting with tools. Unfortunately, the digital world can also be tempting to young people for the wrong reasons.”