At 9 p.m. on Sept. 22 last year, a group of City of London police officers waited outside room M15 at the Travelodge Bicester, a one-star budget hotel in Oxfordshire, England, for the right moment to bust in.
On the other side of the door was someone they believed to be behind two serious data hacks: one on Uber Technologies and the other an unprecedented leak of code for Rockstar Game’s unreleased Grand Theft Auto sequel.
A complicated tracing and surveillance operation had helped the police zero in on a user of messaging platform Telegram named @lilyhowarth.
Behind the door, however, was not Lily Howarth, but 17-year-old Arion Kurtaj — already on bail for a daring, largescale hack against chipmaker Nvidia and an intrusion at the U.K. phone group BT Group.
A member of a shadowy international bunch of loosely connected online extortionists who called themselves Lapsus$, Kurtaj had been lodged in the room by the police for his own safety after being outed by the hacker community.
Lily Howarth was just another moniker he hid behind for his hacking activities, the officers discovered.
Now 18, Kurtaj was at the center of a seven-week criminal trial in London alongside a 17-year-old male co-defendant who cannot be named because he is a minor.
The two, who met online, faced a 12-count indictment including blackmail, fraud, and hacking charges.
Kurtaj, who was solely responsible for half the charges, was found unfit to stand trial by a judge before it began because of his complex autistic-spectrum disorder — which means he cannot be found to have had “criminal intent,” and may be given a community order or sent to a psychiatric-care facility rather than a jail after a jury this week found him liable for all the charges.
Defense lawyers had argued that the evidence linking the two to the incidents was not strong enough and that there was no way of knowing Kurtaj was responsible for the hacks.
On Wednesday, the jury ruled otherwise. A judge will decide at a later date on Kurtaj’s future.
His fellow hacker was found guilty on three counts and not guilty for two others. He had previously pled guilty to two BT-related charges.
“Despite the outcome of the jury’s decision, which may be subject to an appeal, we hope this case will shine a light on the way that vulnerable individuals with severe neurodevelopmental disorders interface with the police and criminal justice system,’’ Niamh Matthews-Murphy, Kurtaj’s lawyer, said in a statement to Bloomberg.
The audacious hacks of technology firms by Lapsus$ has confounded cybersecurity experts since it went on a rampage of high-profile attacks between 2021 and 2022, causing millions of dollars of damages for its targets.
The trial provided a rare window into the workings of this secretive gathering of tech geeks, showing how the intrusions were orchestrated and the group’s motivations: notoriety, money, and also just “lolz.”
It's unclear how much money Lapsus$ made — none of the companies have admitted to paying it any money.
Police have not been able to access crypto accounts associated with the teens.
The story of how these youngsters got the better of some of the biggest U.S. technology companies was compiled from London court proceedings, documents, witness testimonies, the police investigation and sources in the cybersecurity industry.
U.K. authorities worked with U.S. law enforcement, including the Federal Bureau of Investigation.
A July report by the US Cybersecurity & Infrastructure Security Agency said that while Lapsus$ was like any other cyber-criminal group, it “was unique for its effectiveness, speed, creativity, and boldness.”