The September 2022 cyberattack against Rockstar Games, which resulted in the unprecedented leak of approximately 90 videos of in-development Grand Theft Auto VI footage, was attributed to a 17-year-old hacker affiliated with the Lapsus$ extortion group. The age of the perpetrator at the time of the offence proved to be one of the most legally consequential facts of the entire case, dictating the venue of prosecution, the maximum sentence available, the anonymity protections afforded, and ultimately the disposition of the offender. This report examines why the suspect's status as a juvenile (specifically 17 years old, just under the threshold of adulthood under the law of England and Wales) materially shaped the criminal justice response to one of the largest video-game industry breaches in history (BBC News, 2023; Tobin, 2023; CISA, 2023).
The principal perpetrator, Arion Kurtaj, was 17 at the time of the Rockstar intrusion in September 2022, having been 16 during earlier Lapsus$ activity against Nvidia, Microsoft, Samsung and Okta. A co-defendant, who was also 17 and remained anonymous throughout proceedings on account of his age, was tried alongside him at Southwark Crown Court in a seven-week trial concluding in August 2023 (BBC News, 2023; Wikipedia, 2026). Kurtaj used a Firestick, a hotel-room television and a mobile phone to breach Rockstar's Slack channel and exfiltrate the GTA VI footage while on police bail and under the supervision of officers at a Travelodge โ a circumstance the court regarded as aggravating (Tobin, 2023).
Under section 49 of the Children and Young Persons Act 1933, the identity of a defendant under 18 in youth proceedings is automatically protected by reporting restrictions. Although Kurtaj's case was heard in the Crown Court (because of the gravity of the offences under the Computer Misuse Act 1990 and the Serious Crime Act 2007), section 45 of the Youth Justice and Criminal Evidence Act 1999 allowed the court to impose, and lift, anonymity orders. Kurtaj's name was permitted to be reported only because previous "doxxing" by online associates had already made his identity public, while his 17-year-old co-defendant retained full anonymity throughout the trial and beyond (BBC News, 2023; Goodin, 2023).
Because the offending occurred while the defendant was a "child" for sentencing purposes (under 18), the Sentencing Council's Sentencing Children and Young People definitive guideline applied. This guideline directs courts to treat custodial sentences as a last resort, to discount sentence length significantly compared with adult tariffs (typically by one-third to one-half), and to prioritise welfare and rehabilitation under section 44 of the Children and Young Persons Act 1933. Had Kurtaj been 18 at the time of offending, the Computer Misuse Act 1990 (as amended) would have exposed him to a maximum of life imprisonment for unauthorised acts causing serious damage, and substantial determinate sentences for blackmail under the Theft Act 1968 (CISA, 2023; Tobin, 2023).
The defendant's youth interacted critically with psychiatric assessments concluding he was unfit to stand trial owing to severe autism. Under the Criminal Procedure (Insanity) Act 1964, the jury was instead asked whether he had committed the acts alleged, rather than returning a conventional verdict. The judge ultimately imposed an indefinite hospital order under section 37 of the Mental Health Act 1983 with a restriction order under section 41, committing him to a secure psychiatric facility until clinicians determine he no longer poses a risk (BBC News, 2023). Sentencing experts noted that the combination of his age, autism diagnosis and the juvenile sentencing framework made an indeterminate hospital order more proportionate than a custodial term in a Young Offender Institution (Goodin, 2023).
The 17-year-old co-defendant, convicted of fraud and Computer Misuse Act offences, received a Youth Rehabilitation Order rather than a custodial sentence โ a disposal only available to those under 18 at conviction. The US Cyber Safety Review Board specifically highlighted the juvenile composition of Lapsus$ as a deterrence challenge: the group's members were "too young to be deterred by the threat of prosecution" because the available penalties under youth justice frameworks across jurisdictions are markedly less severe than for adults (CISA, 2023, p. 27).
The threshold between 17 and 18 in English law is sharp. An 18-year-old defendant would have been tried as an adult, named publicly without restriction, exposed to the full Computer Misuse Act maximum sentences, ineligible for Youth Rehabilitation Orders, and subject to adult prison rather than secure children's accommodation or YOI placement. Even with the hospital order ultimately imposed, the legal route to that outcome โ and the protections afforded throughout โ was shaped by the defendant being a child in law at the time of the offence (BBC News, 2023; CISA, 2023).
The 17-year-old status of the Rockstar/GTA VI hacker was not a peripheral biographical detail but the decisive legal fact governing how the criminal justice system of England and Wales responded to one of the most damaging IP breaches in gaming history. Anonymity protections, reduced sentence ceilings, welfare-focused sentencing principles, and the eventual hospital order disposal were all direct products of juvenile status. The case has prompted policy debate about whether existing youth justice frameworks adequately address sophisticated cybercrime committed by minors capable of inflicting eight- and nine-figure commercial losses (CISA, 2023).
BBC News (2023) Lapsus$: GTA 6 hacker handed indefinite hospital order, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
BBC News (2023) Lapsus$: Court finds teenagers carried out hacking spree, 23 August. Available at: https://www.bbc.co.uk/news/technology-66549159 (Accessed: 14 May 2026).
CISA (2023) Review of the attacks associated with Lapsus$ and associated threat groups. Washington, DC: US Government Cyber Safety Review Board. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 14 May 2026).
Goodin, D. (2023) 'How fame-seeking teenagers hacked some of the world's biggest targets', Ars Technica, 11 August. Available at: https://arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/ (Accessed: 14 May 2026).
Tobin, S. (2023) 'Teen hacked Uber, Revolut and Grand Theft Auto maker, London court hears', Reuters, 11 July. Available at: https://www.reuters.com/technology/teen-hacked-uber-revolut-grand-theft-auto-maker-london-court-hears-2023-07-11/ (Accessed: 14 May 2026).
Wikipedia (2026) Lapsus$. Available at: https://en.wikipedia.org/wiki/Lapsus$ (Accessed: 14 May 2026).