The September 2022 breach of Rockstar Games, in which approximately ninety in-development clips and source code fragments for Grand Theft Auto VI were exfiltrated and published by Lapsus$-affiliated hacker Arion Kurtaj, triggered a transnational law-enforcement response in which the United States Department of Justice (DOJ) played a coordinating, intelligence-sharing, and policy-review role rather than a lead prosecutorial role. Because the principal suspects were UK and Brazilian minors, primary criminal prosecution was conducted by the City of London Police and Brazilian Federal Police, with the DOJ, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) supporting the case through joint task-force liaison, victim-side coordination with Rockstar's parent Take-Two Interactive (a US-headquartered NYSE-listed issuer), and a formal post-incident review under the Cyber Safety Review Board (CSRB) (Cyber Safety Review Board, 2023; BBC News, 2023).
Although the leak was a US-corporate-victim incident, the DOJ's classical Title 18 toolset (Computer Fraud and Abuse Act, wire fraud, conspiracy) was constrained by two factors: the youth of the suspects and the fact that both Kurtaj and his unnamed 17-year-old co-defendant resided in the United Kingdom (BBC News, 2023). Per long-standing US-UK Mutual Legal Assistance Treaty (MLAT) practice, the DOJ's Office of International Affairs (OIA) supported evidence transfer, while the FBI's Cyber Division acted as the operational liaison with City of London Police. Uber's public confirmation that it was "in contact with the FBI" regarding the same actor underscores the parallel-track US federal involvement that wrapped the Rockstar incident (Robinson, 2022).
The FBI had already issued a public "Seeking Information" notice on Lapsus$ on 21 March 2022, six months before the Rockstar breach, which seeded an active intelligence file later applied to the GTA VI incident (Federal Bureau of Investigation, 2022). When the September 2022 leak surfaced on GTAForums, the Bureau's pre-existing case enabled rapid attribution and evidence-preservation requests to Discord, Telegram, and US-based hosting providers under 18 U.S.C. ยง 2703 preservation letters, supporting downstream UK charges. The DOJ's role was therefore catalytic: it preserved US-controlled digital evidence that the Crown Prosecution Service later relied upon at Southwark Crown Court (BBC News, 2023).
The most consequential DOJ-adjacent coordination was the CSRB's review of Lapsus$ tactics, published in August 2023 by CISA on behalf of the interagency board, which includes DOJ representation (Cyber Safety Review Board, 2023). The board interviewed forty organisations across victims, vendors, and law enforcement, explicitly examining the Rockstar incident as a case study of SIM-swap and MFA-fatigue tradecraft. Its recommendations on FCC SIM-swap rules, telecom authentication, and corporate identity hygiene were endorsed by the DOJ and now inform federal cybercrime prosecution priorities (Goodin, 2023).
Because Take-Two Interactive disclosed the breach in an 8-K filing on 19 September 2022, a parallel DOJ-SEC interest attached to potential market-manipulation or insider-trading angles around the leak window. No charges materialised, but the disclosure-timing dimension was reportedly scrutinised under the SEC's new cyber-disclosure regime, with DOJ retaining a watching brief for any future Title 15 referrals (Cyber Safety Review Board, 2023).
Kurtaj was ultimately sentenced in the UK to an indefinite hospital order in December 2023 after being found unfit to plead, ending realistic prospects of US extradition or DOJ indictment (BBC News, 2023). The DOJ's coordination model in this case โ intelligence support, MLAT facilitation, CSRB-mediated policy synthesis โ is now considered a template for cross-border juvenile cybercrime where domestic UK or Brazilian prosecution is faster and more proportionate than US federal charging.
BBC News (2023) Lapsus$: GTA 6 hacker handed indefinite hospital order, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
Cyber Safety Review Board (2023) Review of the attacks associated with Lapsus$ and related threat groups. Washington, DC: Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 14 May 2026).
Federal Bureau of Investigation (2022) Seeking Information: LAPSUS$, 21 March. Archived at: https://web.archive.org/web/20220403185934/https://www.fbi.gov/wanted/seeking-info/lapsus (Accessed: 14 May 2026).
Goodin, D. (2023) 'How fame-seeking teenagers hacked some of the world's biggest targets', Ars Technica, 11 August. Available at: https://arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/ (Accessed: 14 May 2026).
Robinson, A. (2022) 'Uber "in contact with the FBI" over potential GTA 6 hacker', Video Games Chronicle, 19 September. Available at: https://www.videogameschronicle.com/news/uber-in-contact-with-the-fbi-over-potential-gta-6-hacker/ (Accessed: 14 May 2026).
Tobin, S. (2023) 'Teen hacked Uber, Revolut and Grand Theft Auto maker, London court hears', Reuters, 11 July. Available at: https://www.reuters.com/technology/teen-hacked-uber-revolut-grand-theft-auto-maker-london-court-hears-2023-07-11/ (Accessed: 14 May 2026).