Among the most surreal episodes in modern cyber-crime history is the September 2022 breach of Rockstar Games by Arion Kurtaj, an 18-year-old Lapsus$ hacker from Oxford who was, at the time of the attack, residing in a Travelodge hotel in Bicester under police protection. The setting itself โ a budget chain hotel room, ostensibly chosen as a safe house โ has become emblematic of how unconventional, low-budget, and improvised the most consequential intrusion in video-game history actually was. The contrast between the multi-billion-dollar target (Rockstar Games and parent Take-Two Interactive) and the spartan circumstances of the attacker (a teenager with a confiscated laptop, an Amazon Fire TV Stick, a hotel television, and a newly purchased smartphone) is a defining feature of the event (Tidy, 2023a; Tidy, 2023b).
Kurtaj had been arrested twice already in 2022 for his role in the Lapsus$ hacking spree against BT, EE, and Nvidia (Tidy, 2023a). Released on bail under strict conditions โ including a ban on internet access โ he was subsequently "doxxed" by rival hackers who published his and his family's personal details, photographs, and videos online (Tidy, 2023a). For his own physical safety, City of London Police moved him from his family home to a Travelodge in Bicester, Oxfordshire, treating the hotel as a de facto witness-protection lodging. The arrangement was supposed to neutralise him: laptop confiscated, internet prohibited, location monitored. Instead, it became the operating base for what prosecutors would later describe as his "most audacious" attack (Tidy, 2023a).
Inside the hotel room, Kurtaj reconstructed a functional cyber-attack platform from off-the-shelf consumer electronics. According to evidence presented at Southwark Crown Court, City of London Police found:
The Cyber Safety Review Board's post-mortem on Lapsus$ noted that the group's attacks repeatedly demonstrated how relatively unsophisticated tooling โ social engineering, SIM-swapping, and commodity hardware โ could defeat the defences of multinational corporations (CISA, 2023). Kurtaj's Travelodge setup is perhaps the purest expression of that thesis: no zero-day exploit, no nation-state malware, just a streaming device and a phone.
From this hotel room, Kurtaj penetrated Rockstar Games' internal network, reportedly via stolen credentials and social-engineering of Slack access (Tidy, 2023b). He then exfiltrated approximately 90 video clips of unfinished gameplay from Grand Theft Auto VI, alongside source code fragments. In a now-infamous flourish, he posted a message in Rockstar's internal Slack channels โ visible to every employee โ declaring: "I am not a Rockstar employee, I am an attacker," and demanding the company contact him on Telegram within 24 hours or face the public release of source code (Tidy, 2023a). The clips were subsequently leaked on the GTAForums fan community under the username "teapotuberhacker", a callback to his earlier Uber breach (Tidy, 2023a; Tidy, 2023b).
When City of London Police searched his hotel room, Kurtaj was, in the prosecution's words, "caught red handed" (Tidy, 2023a). He was rearrested and remanded in custody. In August 2023 a jury at Southwark Crown Court found he had committed the acts; in December 2023 he was given an indefinite hospital order, the judge ruling he remained a high-risk offender with continued intent to commit cyber-crime (Tidy, 2023b). Rockstar told the court the hack cost the studio approximately $5 million plus thousands of staff hours to remediate (Tidy, 2023b).
The Travelodge setting matters for three reasons. First, it dramatises the asymmetry of modern cyber-conflict: a hotel room with a Fire Stick versus a AAA studio's enterprise security. Second, it exposed a procedural failure in how UK law enforcement managed a technically-capable suspect โ police protection was conceived in physical, not digital, terms (CISA, 2023). Third, it has entered popular and journalistic mythology around GTA VI, frequently cited as the strangest backdrop to the biggest leak in gaming history. The image of an autistic teenager hacking the world's most anticipated game from a budget chain hotel TV has become a cultural shorthand for the entire Lapsus$ era.
CISA (2023) Review of the Attacks Associated with Lapsus$ and Related Threat Groups Report. Cybersecurity and Infrastructure Security Agency / Cyber Safety Review Board, 10 August. Available at: https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report (Accessed: 14 May 2026).
Tidy, J. (2023a) 'Lapsus$: Court finds teenagers carried out hacking spree', BBC News, 23 August. Available at: https://www.bbc.com/news/technology-66549159 (Accessed: 14 May 2026).
Tidy, J. (2023b) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.com/news/technology-67663128 (Accessed: 14 May 2026).