By Sam Tobin
LONDON (Reuters) -A teenage member of the Lapsus$ hacking group was on Wednesday found by a London jury to have hacked Uber and fintech firm Revolut, and blackmailed the developers of best-selling videogame Grand Theft Auto.
Arion Kurtaj, 18, embarked on a solo cybercrime spree in September 2022 while on police bail for earlier offences.
He targeted Revolut, accessing around 5,000 Revolut customers’ information, and then Uber two days later, causing nearly $3 million of damage to Uber, prosecutors said.
Revolut declined to comment. Uber did not immediately respond to a request for comment.
Kurtaj then hacked Rockstar Games and threatened to release the source code for the company’s planned Grand Theft Auto sequel in a Slack message to all Rockstar staff.
Jurors at Southwark Crown Court were played clips of the latest installment of Grand Theft Auto, which Kurtaj had hacked and uploaded to an online gaming forum.
Rockstar did not immediately respond to a request for comment.
As Kurtaj, who has autism, was assessed by psychiatrists as not fit to stand trial, the jury was asked to find whether he had committed the acts rather than deliver a verdict of guilty or not guilty.
Kurtaj had previously hacked and blackmailed Britain’s biggest broadband provider BT Group and mobile operator EE in 2021, demanding a $4 million ransom or else he would delete data from their servers.
He hacked chipmaker Nvidia Corp in February 2022, taking around one terabyte of sensitive data, releasing about 80 gigabytes and threatening to publish the rest.
BT and Nvidia did not immediately respond to a request for comment.
Prosecutors said Kurtaj and a 17-year-old, who cannot be named for legal reasons and whose case was heard alongside Kurtaj’s, were “key players” in Lapsus$.
The jury on Wednesday found Kurtaj committed 12 offences, including three counts of blackmail, two counts of fraud and six charges under the Computer Misuse Act.
The 17-year-old was found guilty of one count of fraud, one count of blackmail and one count under the Computer Misuse Act relating to Nvidia.
He was found not guilty of one count of blackmail and one count under the Computer Misuse Act in relation to BT.
The 17-year-old had previously pleaded guilty to one count under the Computer Misuse Act and one count of fraud in relation to the BT hack.
He had also admitted a Computer Misuse Act offence relating to the hacking of the City of London Police’s cloud storage, weeks after the force arrested him in 2022.
(Reporting by Sam Tobin; editing by William James and Bernadette Baum)