Two members of the LAPSUS$ cybercrime and extortion group, British teens Arion Kurtaj and an unnamed 17-year-old, have been sentenced for their roles in orchestrating high-profile attacks against companies. Kurtaj, deemed unfit to stand trial, received an indefinite hospital order, while the 17-year-old was sentenced to an 18-month Youth Rehabilitation Order for offenses including fraud, Computer Misuse Act violations, and blackmail. The attacks, carried out between August 2020 and September 2022, targeted major entities such as BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.
Kurtaj and the other teen were initially arrested in January 2022, released under investigation, and re-arrested in March 2022. Despite being granted bail, Kurtaj continued attacking companies until his arrest in September. LAPSUS$ is known for comprising members from the UK and Brazil. Another suspected teen member was arrested in Brazil in October 2022. The group, part of a larger entity called the Comm, engages in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting. The Comm operates through online communication apps like Discord and Telegram. The case highlights the dangers young people can face online and the serious consequences it can have for their future.
Detective Chief Superintendent Amanda Horsburgh from the City of London Police emphasized the lure of the digital world for young people, where exploration and experimentation with technology can sometimes lead to criminal activities. The LAPSUS$ attacks involved various tactics, including SIM-swapping attacks and the use of a Telegram channel to publicize their operations and extort victims. The broader issue underscores the need to address the appeal of cybercriminal activities to young individuals and the potential long-term impact on their lives.