In September 2022, a teenager working from a Travelodge hotel room in the south of England carried out one of the most consequential corporate hacks of the decade. Arion Kurtaj, a core member of the loosely organised extortion crew known as Lapsus$, broke into Rockstar Games, exfiltrated roughly ninety video clips of the then-unannounced Grand Theft Auto VI, posted them on a public forum, and threatened to release source code unless the studio negotiated with him on Telegram. He was at the time on bail for earlier intrusions against Nvidia and BT/EE, under police protection, and had had his primary laptop seized. The toolset he used, as established by the UK court that later tried him, amounted to a hotel television, an Amazon Fire TV Stick, a smartphone, and basic peripherals (BBC News, 2023a).
The case is unusual not because the techniques were novel (they were not) but because it crystallised, in a single defendant and a single victim, the structural weaknesses that the US Cyber Safety Review Board (CSRB) had already begun documenting across the broader Lapsus$ campaign. The Board's August 2023 report, Review of the Attacks Associated with Lapsus$ and Related Threat Groups, presented the group as a case study in how unsophisticated social engineering, SIM-swap fraud, and helpdesk manipulation could repeatedly defeat well-funded, well-staffed corporate security teams (Cyber Safety Review Board, 2023). This report summarises the publicly available record of the Rockstar intrusion, the CSRB's findings on Lapsus$ tradecraft, the wider industry response, and the sentencing of Kurtaj, without speculating on non-public technical detail.
Lapsus$ first surfaced in December 2021 with an attack on Brazil's Ministry of Health that disrupted the country's COVID-19 vaccination certificate service. Over the following nine months the group (believed by City of London Police and Bloomberg researchers to consist of perhaps seven core members, mostly teenagers based in the United Kingdom and Brazil) claimed or was credibly linked to intrusions at Nvidia, Samsung, Vodafone Portugal, Ubisoft, Mercado Libre, Microsoft, Okta, T-Mobile, Globant, Uber, and Rockstar Games (Wikipedia, 2026; Cyber Safety Review Board, 2023).
What set Lapsus$ apart from contemporaneous ransomware crews was the near-total absence of advanced exploitation. There were no zero-days, no custom malware families of note, and no encryption-based extortion. Instead, as Ars Technica's Dan Goodin summarised in his coverage of the CSRB report, "what the group lacks in software exploitation, it makes up for with persistence and creativity" (Goodin, 2023). The CSRB itself was blunt: Lapsus$ "did not use the type of novel zero-day techniques the industry is used to seeing frequently in the news", yet it nonetheless "made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organisations" (Cyber Safety Review Board, 2023).
The group's standard playbook, as reconstructed by the Board and corroborated in court, broke down roughly as follows. First, identify a target's privileged or contractor-held credentials, either by purchasing them from initial-access brokers, by recruiting insiders openly on Telegram, or by SIM-swapping a chosen employee. Second, defeat any multi-factor authentication standing between those credentials and corporate single sign-on, typically through MFA-fatigue "bombing" of push notifications, or by socially engineering the target's helpdesk to enrol an attacker-controlled device. Third, pivot through internal collaboration tools such as Slack, source repositories, ticketing systems, and cloud consoles to identify high-value data. Finally, extort the victim publicly on Telegram, often with theatrical flourishes including polls inviting followers to vote on the next victim (Krebs, 2022; Cyber Safety Review Board, 2023).
The group's public-facing persona, taunting victims in English and Portuguese and celebrating each breach with screenshots, gave researchers and law enforcement an unusually rich evidentiary trail and ultimately contributed to its dismantling.
Strictly within the public record, the following is established. Arion Kurtaj was sixteen years old at the time of the first Lapsus$ attacks attributed to him, resident in Oxford, England, and operated under the online handle "White" within the group, with "TeaPotUberHacker" used in connection with the Rockstar leak (BBC News, 2023a; Wikipedia, 2026). He was first arrested by City of London Police in March 2022, alongside six other suspects aged sixteen to twenty-one (The Verge, reported in Wikipedia, 2026). He was charged in April 2022.
Court-appointed psychiatrists assessed Kurtaj as unfit to stand trial owing to severe autism. As a consequence, the six-week proceedings at Southwark Crown Court in 2023 took the form of a "trial of the facts": the jury was asked only to determine whether Kurtaj had committed the alleged acts, not whether he had done so with criminal intent (BBC News, 2023a). The court was told that, during the trial preparation period and despite being on bail and under police protection, he had continued to commit cyber-offences. A mental-health assessment placed in evidence at sentencing reported that Kurtaj "continued to express the intent to return to cyber-crime as soon as possible. He is highly motivated" (BBC News, 2023a).
Beyond these public-record items (name, age, location, diagnosis, handle, charges, trial format, court findings), this report does not speculate.
The most striking element of the Lapsus$ saga, and the reason it became a security-industry parable, is the manner of the Rockstar intrusion in September 2022. According to evidence presented at Southwark Crown Court and reported by the BBC, Kurtaj was at the time on bail for the Nvidia and BT/EE intrusions and had been placed in police protection at a Travelodge hotel. His laptop had been confiscated. The court heard that he nevertheless breached Rockstar Games using "an Amazon Firestick, his hotel TV and a mobile phone" (BBC News, 2023a).
From this minimal kit Kurtaj obtained access to Rockstar's internal systems, including the company's Slack workspace. He used that access to post a message internally announcing that "if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code" (BBC News, 2023a). When no negotiation followed, he posted ninety video clips of Grand Theft Auto VI, together with associated material, to the GTAForums community under the handle "TeaPotUberHacker". The leak was instantly recognised by the gaming press and confirmed by Rockstar's parent company Take-Two Interactive shortly thereafter.
Rockstar Games told the sentencing court that the incident cost the company approximately five million US dollars to recover from, in addition to thousands of hours of staff time (BBC News, 2023a). Across all Lapsus$ activity, the BBC reported that the group's attacks on Uber, Nvidia and Rockstar cost the affected firms nearly ten million dollars combined (BBC News, 2023a).
Beyond the publicly reported devices (Fire TV Stick, hotel television, smartphone), the precise technical chain of access into Rockstar's environment has not been disclosed in court reporting available through the sources cited here. This report therefore does not speculate on the specific account, vector, or credential reused. What is on the public record is that Kurtaj reached an internal Slack workspace and was able to exfiltrate development assets at scale.
The Cyber Safety Review Board was established by US presidential executive order in 2021 and is convened by the Department of Homeland Security to investigate significant cyber incidents in the manner of an aviation safety board. Its second-ever report, published on 10 August 2023, was devoted entirely to Lapsus$ and "related threat groups", a deliberately broad scope acknowledging that the same tradecraft was visible across overlapping crews (Cyber Safety Review Board, 2023).
Several findings stand out in the publicly released version of the report.
Helpdesk and identity-provider abuse. The Board found that attackers repeatedly defeated multi-factor authentication not by breaking it cryptographically but by manipulating the human processes around it. Calls to corporate helpdesks asking for an MFA device reset, calls to mobile carriers to port a victim's number to an attacker-controlled SIM, and "MFA fatigue" push-bombing were all documented as effective. The Board quoted a Lapsus$ operator's own description of the fatigue technique: "Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it" (Goodin, 2023, citing the CSRB report).
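The push-bombing pattern the Board describes leaves a recognisable trace in an identity provider's own authentication logs. The detector below is an added example, not code from the CSRB report or any vendor's product; it assumes a constructed one-line-per-event log with `user`, `event` and `result` fields, flags any user who receives a burst of push prompts inside a short window, and marks the case where an approval lands inside that burst, which is the moment the fatigue technique succeeds.

```python
"""Flag MFA push-fatigue bursts in identity-provider logs.

Added example, not taken from the CSRB report or any vendor's tooling;
the log format, user names and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: j.doe receives a burst of prompts after 01:00 and
# finally approves one; a.lee shows ordinary daytime activity.
SAMPLE_LOG = """\
2022-09-18T01:00:05Z user=j.doe event=push_sent result=timeout
2022-09-18T01:00:41Z user=j.doe event=push_sent result=denied
2022-09-18T01:01:10Z user=j.doe event=push_sent result=timeout
2022-09-18T01:01:55Z user=j.doe event=push_sent result=denied
2022-09-18T01:02:30Z user=j.doe event=push_sent result=timeout
2022-09-18T01:03:02Z user=j.doe event=push_sent result=approved
2022-09-18T09:14:00Z user=a.lee event=push_sent result=approved
2022-09-18T13:40:12Z user=a.lee event=push_sent result=approved
"""

WINDOW = timedelta(minutes=10)   # sliding look-back window per user
BURST_THRESHOLD = 5              # prompts inside WINDOW that count as a burst


def parse_line(line):
    """Parse 'timestamp key=value ...' into (datetime, dict); None if blank."""
    parts = line.split()
    if not parts:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(p.split("=", 1) for p in parts[1:])


def detect_push_fatigue(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for every
    user who received at least `threshold` push prompts inside `window`.
    An approval inside such a burst is the high-priority case."""
    prompts = defaultdict(list)          # user -> [(timestamp, result)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1].get("event") == "push_sent":
            prompts[parsed[1]["user"]].append((parsed[0], parsed[1]["result"]))

    alerts = {}
    for user, events in prompts.items():
        events.sort()
        start = 0
        for end, (ts, result) in enumerate(events):
            while ts - events[start][0] > window:   # drop prompts older than window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alert = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                alert["prompts"] = max(alert["prompts"], count)
                if result == "approved":
                    alert["approved_after_burst"] = True
    return alerts
```

Run over the constructed sample, only j.doe is flagged, with six prompts in the window and the approval inside the burst; in a real deployment the threshold and window would be tuned to the provider's prompt rate and the alert routed with the source IP and time of day attached.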
Supplier and contractor exposure. Several Lapsus$ intrusions began not at the named victim but at a downstream supplier. The Okta incident, for example, originated through the compromised laptop of an engineer at Okta's third-party customer-support contractor Sitel, who held remote-desktop access into Okta's environment (Newman, 2022). The Board treated this as systemic: privileged contractor access remains under-governed across the industry.
Telecommunications-sector weaknesses. SIM-swap fraud, the Board found, remained too easy. Carrier staff were socially engineered or bribed, and the regulatory regime around number portability was insufficiently strict. The CSRB recommended that the Federal Communications Commission and Federal Trade Commission strengthen rules around SIM porting (Cyber Safety Review Board, 2023; Goodin, 2023).
The need for phishing-resistant MFA. The Board's headline technical recommendation was a transition away from one-time passcodes and push-notification MFA toward FIDO2-based, phishing-resistant authenticators such as hardware security keys and passkeys. These bind the second factor cryptographically to the legitimate site and cannot be relayed by an attacker who is on the phone to a tired employee (Cyber Safety Review Board, 2023).
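To show concretely what "bound cryptographically to the legitimate site" means, the following added example (not code from the CSRB report or any FIDO library) walks through the relying-party checks of a WebAuthn assertion: the browser writes its own origin into clientDataJSON, the authenticator hashes the relying-party ID into authenticatorData, and the site rejects anything that names a different origin or RP ID before it ever reaches the signature check. The RP ID `sso.example.com`, the origins and the challenge are constructed; the final signature verification is left to a library.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed from a look-alike site.

Added example, not code from the CSRB report or any FIDO library; RP ID,
origins and challenge are constructed, and the final signature check over
authenticatorData || SHA-256(clientDataJSON) is left to a WebAuthn library.
"""
import base64
import hashlib
import json
import os

RP_ID = "sso.example.com"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags UP|UV + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it. The origin comes from the
    page's real URL, so a site cannot claim to be somewhere it is not."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def check_assertion_binding(client_data: bytes, auth_data: bytes,
                            issued_challenge: bytes) -> tuple:
    """Relying-party checks that give WebAuthn its phishing resistance.
    Returns (ok, reason); ok=True means the signature check may proceed."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # Bytes the key signed: a valid signature under the registered public key
    # proves a key touch for THIS origin and challenge, unlike a relayed push.
    signed = auth_data + hashlib.sha256(client_data).digest()
    return True, f"bound to {EXPECTED_ORIGIN}; {len(signed)} signed bytes"


def demo() -> tuple:
    """(legit_ok, relayed_ok): the same key touch recorded under the real origin and under a look-alike proxy origin."""
    challenge = os.urandom(32)
    auth = make_authenticator_data(RP_ID)
    legit = check_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth, challenge)
    relayed = check_assertion_binding(
        make_client_data("https://sso-example.com.evil.test", challenge), auth, challenge)
    return legit[0], relayed[0]
```

A push notification or one-time code carries none of this context, which is why the same employee who would approve a relayed push cannot be made to produce a usable FIDO2 assertion for the wrong origin.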
Juvenile threat actors. The Board explicitly drew attention to the fact that several Lapsus$ members were minors, and noted the policy gap this exposed: traditional law-enforcement deterrence assumes adult, financially motivated actors. A juvenile crew operating partly for notoriety, with limited concern for consequences, requires a different response model, combining safeguarding, education, and intervention with criminal process (Cyber Safety Review Board, 2023).
Transparency as evidence. Unusually, the Board observed that Lapsus$'s own public theatrics (its Telegram channel, its taunts, its bragging) provided "unparalleled transparency into the inner workings of how it targeted organisations" and were themselves a data source the Board drew on (Cyber Safety Review Board, 2023).
The CSRB report did not appear in a vacuum. Across 2022 and 2023, in part because of Lapsus$ but also driven by parallel incidents (the Twilio breach, the Uber breach, the MOVEit campaign), a recognisable set of defensive themes consolidated across enterprise security.
Phishing-resistant MFA and passwordless authentication. Adoption of FIDO2 security keys and passkeys accelerated noticeably. Cloudflare's well-publicised escape from the same Twilio-targeting campaign, credited to its enforcement of FIDO2 keys for staff, became a reference example cited by the Board and the security press (Goodin, 2023).
Zero-trust architecture for collaboration tools. The Rockstar incident in particular drew attention to "Slack hygiene": the practice of treating internal chat as a high-value target rather than as a casual scratch-pad. Recommendations that circulated in the aftermath included aggressive segmentation of channels, restriction of file-attachment scopes, just-in-time access to sensitive workspaces, automated session re-authentication, and the assumption that any single compromised employee identity might reach the entire workspace unless explicitly constrained.
Contractor and identity-provider governance. Following Okta-Sitel and similar incidents, larger enterprises began auditing the privileges held by outsourced support and BPO contractors more aggressively, and tightening the legal and technical controls on remote-desktop access into customer environments.
Helpdesk hardening. A specific operational lesson, sufficiently widely reported that it became a recurring talking point at industry conferences in 2023 and 2024, was that helpdesks needed scripted, callback-based identity verification, with out-of-band confirmation, rather than knowledge-based questions that a determined social engineer could research or guess.
Insider-recruitment monitoring. Lapsus$ had openly advertised on Telegram for insiders willing to sell credentials. The CSRB's documentation of this normalised, within corporate security teams, the practice of monitoring such channels for solicitations targeting one's own staff.
None of these are, individually, novel ideas; what the Lapsus$ episode did was concentrate evidence for them into a single, citeable government report that CISOs could take to their boards.
Kurtaj's trial concluded in August 2023, with the jury finding that he had committed the acts alleged in respect of the Lapsus$ intrusions, and that a seventeen-year-old co-defendant (who could not be named for legal reasons relating to his age) had also committed offences in connection with the Nvidia and BT/EE intrusions (BBC News, 2023a).
Sentencing took place on 21 December 2023 at Southwark Crown Court before Her Honour Judge Lees. Kurtaj was made the subject of an indefinite hospital order: he will remain in a secure psychiatric facility for life unless and until clinicians judge he no longer poses a danger to the public. The judge stated that his demonstrated skills and his expressed continuing motivation to commit cyber-crime made him a high risk. Evidence at sentencing included reports of dozens of incidents of violence or property damage during his time in custody (BBC News, 2023a).
His co-defendant received an eighteen-month Youth Rehabilitation Order, including intensive supervision and a ban on VPN use, and was additionally sentenced for a separate pattern of stalking and harassment of two young women that the court described as "unpleasant and frightening" (BBC News, 2023a).
The defence's submission that the success of the official Grand Theft Auto VI trailer (released earlier in December 2023 to 128 million YouTube views in four days) demonstrated that the leak had not caused lasting commercial harm was rejected by the judge, who pointed to the real costs incurred by Rockstar and to the harm done to individual victims of other Lapsus$ activity (BBC News, 2023a).
In Brazil, a separate suspected Lapsus$ member was arrested in Feira de Santana, Bahia, in October 2022 under "Operation Dark Cloud" in connection with the Ministry of Health attack (Wikipedia, 2026). Other members of the wider group are believed to remain at large.
The Rockstar/Lapsus$ case became a defining corporate-cybersecurity case study of the 2020s for several reasons that the public record makes legitimate to state.
First, it collapsed the conceptual distance between "sophisticated nation-state adversary" and "teenager with a hotel television". For a generation of CISOs who had built threat models around state-sponsored APTs and organised ransomware crews, the Travelodge fact-pattern was a forcing function: if a teenager on bail with no laptop could reach a major studio's Slack and walk out with development assets, then defences premised on adversary sophistication had been mis-calibrated.
Second, it exposed identity, not endpoint, as the dominant attack surface. The Lapsus$ portfolio across Nvidia, Microsoft, Okta, Uber and Rockstar showed repeatedly that the path into the network ran through people, helpdesks, and identity providers rather than through unpatched servers. This accelerated the industry's pivot toward identity-centric, zero-trust architectures and toward phishing-resistant authenticators.
Third, it gave the security community an authoritative, US-government-issued narrative (the CSRB report) that could be cited internally to justify investment. Where individual incidents could be dismissed as the victim's bad luck, the Board's aggregated analysis across multiple Lapsus$ targets made the pattern undeniable.
Fourth, the human dimension of the case (a defendant on the autism spectrum, found unfit to plead, sentenced to indefinite hospitalisation) raised difficult questions about how the criminal-justice system should respond to juvenile cyber-offenders whose technical capability outstrips the deterrence assumptions of conventional sentencing. The CSRB's explicit call for intervention and safeguarding pathways acknowledged that prosecution alone was unlikely to be sufficient.
Finally, the case has acquired symbolic weight because of the cultural visibility of its victim. Grand Theft Auto is among the most commercially significant entertainment franchises in the world. A breach that became inseparable, in public memory, from one of the most anticipated game launches of the decade ensured that the technical lessons would be discussed not only inside enterprise security teams but in mainstream media and policy fora. For better or worse, "the GTA 6 hack" is likely to remain the shorthand by which a generation of practitioners refers to the broader Lapsus$ chapter.
The following items in this report are drawn directly from the cited public sources and are treated as high-confidence:
The following items are explicitly not asserted in this report, because they fall outside the cited public record:
Where this report describes industry defensive responses (zero trust, Slack hygiene, contractor governance, helpdesk hardening), those are characterisations of well-documented industry trends and of the CSRB's published recommendations, not claims about any specific organisation's internal practices.
BBC News (2023a) Lapsus$: GTA 6 hacker handed indefinite hospital order, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
BBC News (2023b) Lapsus$: Court finds teenagers carried out hacking spree, 23 August. Available at: https://www.bbc.co.uk/news/technology-66549159 (Accessed: 14 May 2026).
Cyber Safety Review Board (2023) Review of the Attacks Associated with Lapsus$ and Related Threat Groups. Washington, DC: US Department of Homeland Security / Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf (Accessed: 14 May 2026).
Goodin, D. (2023) 'How fame-seeking teenagers hacked some of the world's biggest targets', Ars Technica, 10 August. Available at: https://arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/ (Accessed: 14 May 2026).
Krebs, B. (2022) 'A Closer Look at the LAPSUS$ Data Extortion Group', Krebs on Security, 23 March. Available at: https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/ (Accessed: 14 May 2026).
Newman, L. H. (2022) 'Leaked Details of the Lapsus$ Hack Make Okta's Slow Response Look More Bizarre', Wired, 28 March. Available at: https://www.wired.com/story/lapsus-okta-hack-sitel-leak/ (Accessed: 14 May 2026).
Wikipedia (2026) Lapsus$. Available at: https://en.wikipedia.org/wiki/Lapsus%24 (Accessed: 14 May 2026).