Southwark Crown Court has lifted a reporting restriction which has now allowed the naming of teenager Arion Kurtaj as the hacker accused of targeting Uber, Revolut, and Rockstar Games last September.
The defendant who is now 18, has been deemed not fit to stand trial by medical professionals and so the jury in his trial will decide whether he is liable for the hacking incidents rather than guilty of them.
Kurtaj (A.K.A. WhiteDoxbin) has been known to recruit insider office staff to gain access to systems to extort money.
Kurtaj bought the Doxbin website in 2019 from its original owner (kt) to gain access to all the dumped personal information of users. He eventually sold it back to kt, but not before he stole the doxed data from the site and leaked it on the Lapsus$ Telegram channel.
This naturally infuriated the user community of Doxbin who took it upon themselves to Dox Kurtaj himself. They hacked his personal information, including his school information, the IP address of every device he owned, and his mother’s home address.
Kurtaj fled to Spain in an attempt to evade the angry Doxbin users where he was arrested with seven other Lapsus$ hackers.
Long list of offenses
Prosecutors allege that Kurtaj was a member of the Lapsus$ hacking gang but acted independently when he broke into the systems of Uber, Revolut, and Rockstar over a few days back in September 2022.
Kurtaj, along with a 17-year-old who cannot be named for legal reasons, has also been accused of attempting to blackmail BT and Nvidia as part of their activities with the Lapsus$ gang.
The 17-year-old is accused of two counts of blackmail, two counts of fraud, and three charges under the Computer Misuse Act, all of which relate to the alleged Lapsus$ activities targeting BT and Nvidia.
Southwark Crown Court was informed by prosecutors that the 17-yr old also accessed City of London Police’s cloud storage weeks after the police detained him in connection with attacks against BT and EE.
Uber attack
The attack against Uber was reported on September 13th 2022 when the company announced that it was responding to an incident which saw its internal communications and engineering systems taken offline after being contacted by an unknown attacker.
The unknown hacker contacted various cyber security researchers boasting of the breach along with details of how they managed to gain access.
Revolut attack
Revolut announced their breach on the 16th September 2022 by way of a notification to the state protection agency of Lithuania where the digital banking service holds a banking licence.
In the breach, Revolut said that the data of 50,150 customers around the world (including 20,687 in the European Economic Area), such as names, addresses, e-mails, postal addresses, telephone numbers, part of the payment card data , account data, etc. may have been affected during the incident.
The breach occurred on the night of the 11th September and was “a highly targeted cyberattack from an unauthorized third party”.
Rockstar attack
Rockstar games confirmed their attack on the 19th September 2022 and said that a hacker had accessed their systems and had stolen confidential internal data, including footage from the next installment of its Grand Theft Auto series.
In statements posted to Twitter, Facebook and Instagram, Rockstar Games said it suffered a network intrusion that allowed someone to access and download “confidential information from our systems, including early development footage for the next Grand Theft Auto.”
The (as then) unknown attacker also posted on the GTAForums website that they had in-game images and video files along with source code to GTA 6 for sale.
