British LAPSUS$ teen members sentenced for cyber attacks

Two adolescents hailing from the United Kingdom, integral members of the cybercrime and extortion syndicate known as LAPSUS$, have received sentencing for orchestrating a series of high-profile attacks against numerous companies.

In the case of 18-year-old Arion Kurtaj from Oxford, he has been handed an indefinite hospital order due to his explicit intent to swiftly return to cybercriminal activities, as reported by the BBC. Despite being diagnosed with autism, Kurtaj was deemed unfit to stand trial.

Another member of LAPSUS$, an unnamed 17-year-old minor, was sentenced to an 18-month-long Youth Rehabilitation Order, which includes a three-month intensive supervision and surveillance component. His conviction included charges of fraud, Computer Misuse Act offenses, and blackmail, totaling two counts of each.

The legal proceedings against both defendants began with their initial arrests in January 2022, followed by release under investigation. Subsequent re-arrests occurred in March 2022. While Kurtaj was granted bail initially, he persisted in attacking various companies until his re-apprehension in September.

The spree of attacks unfolded between August 2020 and September 2022, targeting prominent entities such as BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.

LAPSUS$ is reportedly composed of members from the United Kingdom and Brazil. A third member, also suspected to be a teenager, was apprehended in Brazil in October 2022.

A report by the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) disclosed the threat actor’s utilization of SIM-swapping attacks to commandeer victim accounts and infiltrate target networks. The group employed a Telegram channel to publicize its operations and extort its victims.

The notoriety gained by LAPSUS$ over the past year has spawned the emergence of another group called Scattered Spider. Both entities are affiliated with a larger collective known as the Comm.

According to the Federal Bureau of Investigation, the Comm is comprised of a “geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram.” Their activities encompass corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.

Detective Chief Superintendent Amanda Horsburgh from the City of London Police emphasized, “This case serves as an example of the dangers that young people can be drawn towards while online and the serious consequences it can have for someone’s broader future.” She acknowledged that while many young individuals are inclined to explore technology for educational purposes, the allure of the digital realm can sometimes lead them astray.