Teapotuberhacker Identification

Overview

"Teapotuberhacker" is the GTAForums username under which, on 18 September 2022, ninety internal development videos of Grand Theft Auto VI were posted, constituting what journalists have repeatedly characterised as the largest leak in the history of the video game industry (MacDonald, 2022; Wikipedia, 2026). While the handle was later legally attributed to a single individual — 17-year-old Arion Kurtaj of Oxford, a key member of the Lapsus$ extortion group — contemporaneous forensic analysis by GTAForums moderation staff strongly suggested that the account was not operated by one person, but was in practice a collaborative posting identity shared by at least two distinct actors (Tidy, 2023; Wikipedia, 2026). This report consolidates the public record around that identification, with particular focus on the multi-account / shared-account theory advanced on GTAForums.

Background: The 18 September 2022 Leak

On the evening of 18 September 2022, an account registered as "teapotuberhacker" on the long-running fan community GTAForums uploaded a RAR archive containing roughly fifty minutes of unfinished GTA VI footage spanning multiple development milestones (MacDonald, 2022). The same account claimed responsibility for the Uber security breach of the previous week, stated that the files had been exfiltrated from Rockstar's internal Slack workspace, and threatened the release of source code and internal builds of both GTA V and GTA VI unless Take-Two opened negotiations (Tidy, 2023; Wikipedia, 2026). Take-Two Interactive responded with mass DMCA takedowns on YouTube and direct contact with GTAForums and Reddit moderators; Rockstar formally confirmed the "network intrusion" the following day (Wikipedia, 2026).

The Multi-Account Theory at GTAForums

The most consequential, but least widely reported, finding of the leak's immediate aftermath came not from law enforcement but from GTAForums' own moderation team. Based on a combination of posting cadence, stylistic inconsistencies, and IP-address telemetry available to forum administrators, staff publicly stated that they believed the "teapotuberhacker" account was being operated collaboratively by two distinct individuals, internally referred to as "Teapot" and "Lily" (Wikipedia, 2026, citing Eurogamer and Kotaku reporting from September 2022).

According to the forum staff's reconstruction:

  • "Teapot" was the original leaker — the actor in possession of the actual exfiltrated Rockstar material, who uploaded the ninety video clips and conducted the substantive bargaining posture toward Rockstar/Take-Two.
  • "Lily" appeared subsequently on the same account and offered to sell the Grand Theft Auto V source code in exchange for Ethereum, but — critically — was not believed by GTAForums staff to actually possess any of the hacked materials. "Lily" was, in the moderators' assessment, opportunistically piggy-backing on the credibility the "teapotuberhacker" handle had accrued, using shared credentials to monetise a reputation rather than a payload (Wikipedia, 2026).

This is materially distinct from the simpler "lone wolf" narrative later cemented by the Crown Prosecution Service. It implies that even within the very first 48 hours of the leak, the public-facing identity through which the world received the GTA VI footage was already functioning as a small distributed brand rather than a single coherent persona — a pattern consistent with broader Lapsus$ operational tradecraft, in which Telegram channels and handles were routinely shared, traded and impersonated among teenage members (Tidy, 2023).

Legal Identification: Arion Kurtaj

On 22 September 2022, four days after the initial post, the City of London Police, supported by the National Cyber Crime Unit and US federal authorities, arrested a 17-year-old from Oxfordshire later named in court as Arion Kurtaj (Tidy, 2023). At the time of the Rockstar intrusion he was already on police bail for the EE and Nvidia hacks and was being housed under police protection at a Travelodge hotel; despite the seizure of his laptop he breached Rockstar using a hotel television, an Amazon Fire TV Stick and a mobile phone, then posted to Rockstar's internal Slack the demand "if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code" before publishing the clips under the teapotuberhacker handle (Tidy, 2023; Wikipedia, 2026).

In mid-2023, at Southwark Crown Court, Kurtaj faced twelve charges including six counts of computer misuse, three of blackmail and two of fraud. He was deemed unfit to stand trial owing to his autism; a jury accordingly determined only whether he had committed the acts (Tidy, 2023). In December 2023 the court placed him under an indefinite hospital order on the grounds that he remained a high public risk, having stated an intention to resume cybercrime at the earliest opportunity (Tidy, 2023).

Reconciling the Two Accounts

The legal identification of Kurtaj does not, by itself, refute the GTAForums multi-account theory. Three points are worth emphasising:

  1. Scope of charges. Kurtaj was convicted in relation to the intrusions and the blackmail, not specifically the attempted Ethereum sale of GTA V source code attributed to the "Lily" persona, which the forum staff explicitly assessed as unbacked by genuine material.
  2. Tradecraft of Lapsus$. A second Lapsus$ member, a 17-year-old who cannot be named, was convicted in the same trial of co-conducting the Nvidia and EE intrusions (Tidy, 2023). The group's documented practice of shared infrastructure makes a single-handle, multi-operator posting model entirely plausible (CISA, 2023, as cited in Tidy, 2023).
  3. Forensic basis. The GTAForums determination rested on data — IP logs, session timing, writing-style drift — that was never publicly contested by the leaker(s) and that the criminal proceedings, focused on the substantive intrusion, had no need to adjudicate.

The most defensible synthesis, therefore, is that "teapotuberhacker" was primarily Arion Kurtaj — the person who actually had Rockstar's data and who is now legally accountable — but that the public-facing handle was, at minimum intermittently, shared with at least one other actor whose contribution was performative rather than evidentiary.

Significance

The teapotuberhacker case matters beyond GTA VI because it illustrates a recurring pattern in 2020s adolescent cybercrime: a high-value intrusion is conducted by a small technical core, but the identity through which the breach is monetised and publicised behaves like a brand, accessible to adjacent actors. For incident-response and attribution analysts this complicates the otherwise tidy mapping of "one handle = one person", and it explains why some bargaining behaviour observed on GTAForums (notably the Ethereum solicitation) looked inconsistent with the technical sophistication of the underlying intrusion.
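For analysts testing the "one handle = one person" assumption against their own platform logs, the three signal types named in this report (IP telemetry, session timing, writing-style drift) can be combined as in the added example below. It is not GTAForums' method or data: the posts, documentation-range addresses, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed posts under one hypothetical handle (RFC 5737 documentation IPs).
POSTS = [
    ("2024-01-01T21:00:00", "192.0.2.10", "I have the files. I will wait for a reply."),
    ("2024-01-01T21:20:00", "192.0.2.10", "No reply yet. I expect contact within a day."),
    ("2024-01-01T21:25:00", "198.51.100.7", "selling now!!! crypto only!!! dm me!!!"),
    ("2024-01-01T21:40:00", "192.0.2.11", "I am not selling anything here. Wait for my update."),
    ("2024-01-01T21:45:00", "198.51.100.9", "crypto only!!! serious buyers only!!!"),
]

def network(ip, prefix=24):
    """Collapse an address to its /24 so DHCP churn is not counted as a new origin."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def style(text):
    """Two crude style features: '!' per word, and whether the post opens with a capital."""
    words = text.split() or [""]
    return (text.count("!") / len(words), 1.0 if text[:1].isupper() else 0.0)

def analyse(posts, window=timedelta(minutes=30)):
    rows = sorted((datetime.fromisoformat(t), network(ip), txt) for t, ip, txt in posts)
    by_net = defaultdict(list)
    for _, net, txt in rows:
        by_net[net].append(style(txt))
    # Session timing: consecutive posts from different networks inside the window.
    switches = sum(1 for a, b in zip(rows, rows[1:])
                   if a[1] != b[1] and b[0] - a[0] <= window)
    # Style drift: per-network mean of each feature, then the widest gap between networks.
    means = {n: [sum(col) / len(col) for col in zip(*feats)] for n, feats in by_net.items()}
    gap = max((max(col) - min(col) for col in zip(*means.values())), default=0.0)
    return {"networks": sorted(by_net), "rapid_switches": switches, "style_gap": gap}

def likely_shared(report, min_switches=2, min_gap=0.5):
    """All three signals must agree; any one alone (VPN use, mood) is weak evidence."""
    return (len(report["networks"]) >= 2
            and report["rapid_switches"] >= min_switches
            and report["style_gap"] >= min_gap)

if __name__ == "__main__":
    r = analyse(POSTS)
    print(r, likely_shared(r))
```

A positive result is a lead for manual review, not an attribution: VPN hopping or a deliberate change of register by one operator produces the same pattern.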

References