The prosecution of Arion Kurtaj, the 18-year-old Oxford resident identified as a key member of the Lapsus$ cybercrime gang, hinged on multiple counts brought under the United Kingdom's Computer Misuse Act 1990 (CMA). The trial, held at Southwark Crown Court over approximately seven weeks in mid-2023, examined a coordinated hacking spree spanning July 2021 to September 2022 that targeted Rockstar Games, Nvidia, BT/EE, Uber, Revolut and other firms (Tidy, 2023a). Because psychiatrists deemed Kurtaj unfit to stand trial on account of severe autism, the jury was asked only to determine whether he committed the alleged acts, not whether he did so with criminal intent (Tidy, 2023b). The indictment grouped the offending into discrete computer misuse counts mapped to sections 1, 2 and 3 of the CMA, alongside fraud and blackmail charges. This report summarises the six computer misuse counts at the heart of the case, situating each within its statutory basis and the factual matrix presented in court.
The CMA 1990 establishes the principal offences. Section 1 criminalises unauthorised access to computer material; section 2 covers unauthorised access with intent to commit or facilitate further offences; section 3 addresses unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer; section 3ZA covers unauthorised acts causing or creating risk of serious damage; and section 3A criminalises making, supplying or obtaining articles for use in those offences (Legislation.gov.uk, 1990). The Kurtaj indictment leaned heavily on sections 1 and 3, reflecting both intrusion and disruption elements of the Lapsus$ playbook.
The first count related to the July-August 2021 intrusion into telecoms operator BT and mobile carrier EE. Kurtaj and a 17-year-old co-defendant obtained access to internal servers and data files, culminating in a $4 million (£3.1m) ransom demand on 1 August 2021 (Tidy, 2023a). This count framed the initial unauthorised entry into protected systems.
A linked s.3 count concerned the dispatch of threatening SMS messages to approximately 26,000 EE customers using compromised infrastructure (Tidy, 2023a). The act of weaponising EE's messaging platform to deliver mass intimidation traffic constituted an unauthorised act intended to impair, or reckless as to impairing, the reliability of the carrier's communications service.
The February 2022 Nvidia breach formed a separate count. The defendants used social engineering, including instructing a hired caller to impersonate an employee to the Nvidia help desk, and multi-factor-authentication fatigue spamming to obtain credentials, then exfiltrated sensitive and valuable data (Tidy, 2023a; Sharma, 2023). The count captured the unauthorised entry into Nvidia's corporate environment.
A parallel s.3 count addressed the data theft, ransom demand and subsequent leak that followed the Nvidia intrusion. Lapsus$ exfiltrated and selectively published proprietary material to coerce payment, an act prosecutors framed as impairing the integrity and confidentiality of Nvidia's computing operations (Tidy, 2023b).
The most notorious count concerned the September 2022 breach of Rockstar Games. While on bail and confined to a Travelodge in Bicester under conditions banning internet use, Kurtaj reconstituted a workstation from an Amazon Fire Stick plugged into the hotel television, a newly purchased smartphone, keyboard and mouse, and used these to access Rockstar's cloud and internal systems (Tidy, 2023a; Sharma, 2023). The count covered the unauthorised access through which 90 unfinished GTA VI gameplay clips and source code were obtained.
The final computer misuse count addressed Kurtaj's conduct inside Rockstar's network: posting the message "I am not a Rockstar employee, I am an attacker" to the corporate Slack channel, threatening to release source code unless contacted on Telegram within 24 hours, and publishing the clips on a fan forum under the username "TeaPotUberHacker" (Tidy, 2023b). Rockstar told the court the incident cost approximately $5 million in recovery plus thousands of staff hours (Tidy, 2023b), evidencing material impairment.
The jury found that Kurtaj had performed the acts alleged across all counts. On 21 December 2023, Her Honour Judge Lees imposed an indefinite hospital order under mental health legislation, citing his persistent stated intent to return to cyber-crime and his continuing dangerousness (Tidy, 2023b; Sharma, 2023). The 17-year-old co-defendant received an 18-month Youth Rehabilitation Order with intensive supervision and a VPN-use ban (Tidy, 2023b).
The six computer misuse counts illustrate how the CMA's tiered scheme captures both intrusion (s.1) and consequential disruption or impairment (s.3). The pairing of s.1 and s.3 counts for each major victim (BT/EE, Nvidia, Rockstar) reflects standard prosecutorial practice in serious intrusion cases and provided the jury with a clear, victim-by-victim factual structure.
Legislation.gov.uk (1990) Computer Misuse Act 1990. Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents (Accessed: 14 May 2026).
Sharma, A. (2023) 'Lapsus$ hacker behind GTA 6 leak gets indefinite hospital sentence', BleepingComputer, 21 December. Available at: https://www.bleepingcomputer.com/news/security/lapsus-hacker-behind-gta-6-leak-gets-indefinite-hospital-sentence/ (Accessed: 14 May 2026).
Tidy, J. (2023a) 'Lapsus$: Court finds teenagers carried out hacking spree', BBC News, 23 August. Available at: https://www.bbc.com/news/technology-66549159 (Accessed: 14 May 2026).
Tidy, J. (2023b) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.com/news/technology-67663128 (Accessed: 14 May 2026).