Fraud Counts in the Trial of the GTA VI Hacker

Introduction

Among the twelve criminal counts that the Crown Prosecution Service laid against Arion Kurtaj — the Oxford teenager identified by the City of London Police as the prominent Lapsus$ member responsible for the September 2022 Grand Theft Auto VI breach — two charges of fraud sat alongside the better-publicised offences under the Computer Misuse Act 1990 and the blackmail counts (BBC News, 2023a; Tidy, 2023). The two fraud counts are the least-discussed element of the trial but the most legally diagnostic, because they reframe the GTA VI leak not merely as an act of digital trespass but as part of a wider pattern of pecuniary deception targeting individual consumers and corporate victims. This report sets out what is known about those two fraud counts, the statutory basis on which they were brought, and how they were resolved at Southwark Crown Court in August and December 2023, drawing on BBC News, Reuters and the United States Cyber Safety Review Board.

Statutory Basis: Fraud Act 2006

Both fraud counts were charged under the Fraud Act 2006, which consolidated and replaced the eight separate deception offences previously scattered across the Theft Acts (Ormerod and Williams, 2007). The Act creates a single offence of fraud committed by one of three means — by false representation (section 2), by failing to disclose information (section 3), and by abuse of position (section 4) — each carrying a maximum sentence of ten years' imprisonment on indictment (Fraud Act 2006, s.1(3)). Reuters' contemporaneous court reporting and the BBC's coverage of the seven-week trial indicate that both Kurtaj counts were brought as section 2 fraud by false representation, the limb most commonly used in prosecutions arising from SIM-swap and credential-theft conspiracies (Tobin, 2023; BBC News, 2023a).

Count One: SIM-Swap Fraud Against Telecommunications Customers

The first fraud count concerned the SIM-swapping operation through which the Lapsus$ group obtained the privileged credentials it subsequently used to attack Rockstar Games, Uber, Revolut, Nvidia, Microsoft, Samsung and BT/EE itself (Krebs, 2022; CISA, 2023). Prosecutors at Southwark Crown Court told the jury that Kurtaj had impersonated mobile-network customers to telecommunications providers, inducing call-centre staff to port victims' phone numbers onto SIM cards under the defendant's control — a textbook false-representation fraud in which the dishonest statement ("I am the account holder") is made with intent to make a gain or cause a loss within the meaning of section 5 of the 2006 Act (Tobin, 2023; BBC News, 2023b). The Cyber Safety Review Board (CISA, 2023) catalogued more than 130 individual SIM-swap victims attributable to the cluster of activity that produced the GTA VI breach, with cryptocurrency theft and downstream multi-factor-authentication bypass identified as the principal harms. The Reuters court report noted that Kurtaj's hotel-room hacking spree continued even while he was on police bail, with the fraudulent SIM-swap pattern materially identical to that used in the earlier Nvidia, Microsoft and Okta intrusions (Tobin, 2023).

Count Two: Fraud Against Rockstar Games via Extortion Demand

The second fraud count was tied to the Rockstar Games incident itself. After exfiltrating roughly ninety in-development GTA VI video clips from Rockstar's internal Slack workspace on 18 September 2022, Kurtaj posted the material to GTAForums under the alias "teapotuberhacker" and issued a demand for payment, threatening further disclosures — including the source code to Grand Theft Auto V — unless Rockstar Games or Take-Two Interactive complied (MacDonald, 2022; BBC News, 2023a). Crown counsel framed this conduct as fraud by false representation in addition to blackmail, on the basis that the demand misrepresented Kurtaj's willingness and ability to "return" or destroy the stolen material in exchange for payment (Tobin, 2023). Rockstar's parent Take-Two later told the court that the breach had cost the company approximately US $5 million and thousands of staff hours to remediate, a figure that became part of the loss particulars supporting the fraud count (BBC News, 2023b; Wikipedia, 2026).

Verdict and Disposal

After a seven-week trial, the jury at Southwark Crown Court found on 23 August 2023 that Kurtaj had carried out the acts alleged, including both fraud counts; because he had been assessed by psychiatrists as unfit to plead, the jury's task was confined to the factual question under section 4A of the Criminal Procedure (Insanity) Act 1964 (BBC News, 2023a; Tobin, 2023). On 21 December 2023, Mr Justice Hilliard imposed an indefinite hospital order under section 37 of the Mental Health Act 1983, with a section 41 restriction, citing the defendant's stated intention to resume offending at the earliest opportunity (BBC News, 2023b). The co-defendant, an unnamed 17-year-old, was convicted in the ordinary way of separate computer-misuse and fraud-related offences (BBC News, 2023a).

Conclusion

The two fraud counts in the Kurtaj trial illustrate the legal architecture by which English prosecutors now translate distributed cyber-extortion conduct into chargeable offences: a SIM-swap predicate fraud against telecommunications customers, paired with a downstream extortion-fraud against the ultimate corporate target. For the Grand Theft Auto VI story, the fraud counts confirm that the September 2022 leak was not an isolated act of teenage curiosity but a monetisation attempt embedded in a wider fraudulent enterprise — a framing that has since informed Rockstar Games' return-to-office mandate, its post-breach security investment, and the Cyber Safety Review Board's 2023 recommendations on SIM-swap mitigation (CISA, 2023; Wikipedia, 2026).

References

BBC News (2023a) 'Lapsus$: Court finds teenagers carried out hacking spree', BBC News, 23 August. Available at: https://www.bbc.co.uk/news/technology-66549159 (Accessed: 14 May 2026).

BBC News (2023b) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).

CISA (2023) Review of the attacks associated with Lapsus$ and associated threat groups. Washington, DC: US Government Cyber Safety Review Board.

Fraud Act 2006, c. 35. London: The Stationery Office.

Krebs, B. (2022) 'A closer look at the LAPSUS$ data extortion group', Krebs on Security, 23 March.

MacDonald, K. (2022) 'Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?', The Guardian, 19 September.

Ormerod, D. and Williams, D.H. (2007) Smith's Law of Theft. 9th edn. Oxford: Oxford University Press.

Tidy, J. (2023) 'GTA 6 hacker given indefinite hospital order', BBC News, 21 December.

Tobin, S. (2023) 'Teen hacked Uber, Revolut and Grand Theft Auto maker, London court hears', Reuters, 11 July.

Wikipedia (2026) 'Lapsus$', Wikipedia. Available at: https://en.wikipedia.org/wiki/Lapsus$ (Accessed: 14 May 2026).