When Arion Kurtaj walked out of Southwark Crown Court in December 2023 with an indefinite hospital order under the Mental Health Act 1983, he carried no civil judgement on his shoulders. Rockstar Games and its parent Take-Two Interactive had spent millions recovering from the September 2022 breach, and the company stated in open court that the incident cost it roughly $5 million plus thousands of staff hours (Tidy, 2023). Yet there is no Take-Two v. Kurtaj on any docket in England, Wales or anywhere else. The publisher pursued the matter exclusively through the Crown Prosecution Service under the Computer Misuse Act 1990, lent its loss figures to the sentencing hearing, and then walked away. That choice was not an oversight. It was the only rational outcome once the defendant's age, neurodevelopmental condition, indigence and detention status were stacked against the realities of English civil procedure. The contrast with how a US-based perpetrator such as Gary Bowser of Team Xecuter was treated, by parallel criminal indictment and civil suit from Nintendo, illustrates how the geography of an attacker can dictate the entire remedial architecture available to a games publisher.
In England and Wales a corporate victim of a cyber-intrusion has, in principle, two non-exclusive avenues. The first is the criminal route: report the matter to the National Crime Agency or City of London Police, who refer to the CPS, who if charging the offence will prosecute under the Computer Misuse Act 1990 (CMA). The second is the civil route: issue a claim in the Business and Property Courts, typically pleaded as breach of confidence, trespass to chattels by way of unauthorised access, copyright infringement under the Copyright, Designs and Patents Act 1988, and conversion of intangible property where pleadable. In a fraud-adjacent matter the claimant would normally seek an asset-freezing injunction (a Mareva or worldwide freezing order) and a search order (an Anton Piller order) on a without-notice basis at the outset, then proceed to summary judgement once the criminal proceedings have established the basic facts.
The two routes are not, in principle, mutually exclusive. There is no English equivalent to a strict double-jeopardy bar on civil claims following criminal conviction. Indeed, section 11 of the Civil Evidence Act 1968 makes a criminal conviction admissible as evidence in subsequent civil proceedings, shifting the burden onto the defendant to disprove the underlying facts. A claimant who waits for a criminal conviction can therefore expect a near-automatic finding of liability in any civil follow-on, with the only contested issue being quantum.
What restrains the routes from operating together is practical, not doctrinal. A criminal court has only a narrow restitutionary remit under the Powers of Criminal Courts (Sentencing) Act 2000 and the Sentencing Act 2020: it can impose a compensation order, but that order is constrained by the offender's means and is rarely used for losses in the millions. Anything beyond a token compensation order has to be chased in the civil courts. And civil proceedings cost money, take years, and presuppose that the defendant has, or will one day have, assets worth attaching.
Kurtaj's circumstances made every limb of the civil calculus collapse simultaneously. He was seventeen at the time of the Rockstar intrusion, was diagnosed with severe autism, was found unfit to plead under the Criminal Procedure (Insanity) Act 1964, and is now detained at His Majesty's pleasure under a section 37 hospital order with a section 41 restriction (Tidy, 2023). Each of those facts alone would have given Take-Two's general counsel pause; together they make litigation pointless and reputationally radioactive.
First, capacity. Under Part 21 of the Civil Procedure Rules a "protected party" lacking mental capacity to conduct litigation must act through a litigation friend. Any settlement requires court approval. A defendant who has been adjudged unfit even to participate in his own criminal trial will, in the ordinary course, also lack capacity for civil litigation, with all the procedural friction that implies.
Second, indigence and judgement-proofing. The BBC's reporting indicates the family lived in modest circumstances in Oxford, that Kurtaj's cryptocurrency wallets were never unlocked for the authorities, and that no realised proceeds have been publicly identified (Tidy, 2023). A money judgement against a detained autistic teenager with no traceable assets is a piece of paper. Enforcement options under the Civil Procedure Rules - charging orders, third-party debt orders, attachment of earnings - require something to attach to. A patient under a restricted hospital order has neither earnings nor reachable property.
Third, age and capacity at the time of the act. The Limitation Act 1980 does not bar the action, but the fact that Kurtaj was a minor at the time of the breach exposes any civil claimant to a parade of awkward arguments about parental supervision, foreseeability, and the policy reluctance of English courts to enter ruinous money judgements against children. Even where children are sued, awards are routinely deferred or scaled.
Fourth, and decisive, public relations. Suing a detained autistic teenager for source-code leakage of a video game would produce the worst headline cycle Take-Two could possibly engineer for itself. The trailer for Grand Theft Auto VI subsequently drew 128 million YouTube views in its first four days (Tidy, 2023), undermining any "we were ruined" narrative the company would have had to advance. Kurtaj's own defence counsel made precisely that argument in mitigation at sentencing. A civil claim would have transferred that argument from a sentencing hearing, where it failed to move the judge, to a public quantum trial where it would have been front-page material for months.
The CMA 1990 was enacted in direct response to the failed prosecution in R v Gold & Schifreen [1988] AC 1063, in which two hackers who had penetrated BT's Prestel system were acquitted on appeal because the Forgery and Counterfeiting Act 1981 could not be stretched to cover their conduct (Wikipedia, 2026a). Sections 1 to 3 created three discrete offences: unauthorised access, unauthorised access with intent to commit further offences, and unauthorised acts impairing operation (originally framed as "unauthorised modification"). The Serious Crime Act 2015 added section 3ZA for unauthorised acts causing or risking serious damage, with sentences up to fourteen years and life imprisonment where human welfare or national security is endangered (Wikipedia, 2026a).
Kurtaj's Rockstar intrusion sat squarely within sections 1 and 2: unauthorised access via social engineering against Slack, with intent to facilitate further offences (blackmail, by his "if Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code" message, Tidy, 2023). What the CMA does not provide, and never has, is a statutory civil right of action. Unlike the US Computer Fraud and Abuse Act, 18 U.S.C. ยง 1030(g), which expressly grants any person who suffers damage or loss of at least $5,000 a private cause of action for compensatory damages and injunctive relief, the CMA is purely criminal. A UK victim wishing to recover money has to graft a separate civil claim onto common-law and statutory causes of action that pre-date the CMA, principally breach of confidence and copyright infringement.
The CFAA's civil hook is what makes the US the natural forum for a private hacker suit. A US-domiciled Kurtaj could have faced a Take-Two complaint in the Southern District of New York invoking both the CFAA and the Digital Millennium Copyright Act's anti-circumvention provisions at 17 U.S.C. ยง 1201, with statutory damages of up to $150,000 per infringed work, plus injunctive relief, expedited discovery, and the very real prospect of a default judgement enforceable against future earnings. The DMCA's statutory damages structure also avoids the actual-damages calculation problem that bedevils English copyright claims for unreleased material whose market value is conjectural.
The Nintendo response to Team Xecuter member Gary Bowser is the clearest available illustration of how a games publisher behaves when the defendant is reachable in a US-style legal system. Bowser, a Canadian national arrested in the Dominican Republic in September 2020, faced a federal indictment in the Western District of Washington with eleven felony counts including conspiracy to commit wire fraud and trafficking in circumvention devices under the DMCA (Wikipedia, 2026b). In October 2021 he pleaded guilty, agreed to pay a $4.5 million penalty, and in February 2022 was sentenced to forty months in prison (Wikipedia, 2026b).
Crucially, that was not the end. Nintendo separately filed a civil lawsuit against Bowser in April 2021, pleading three counts of copyright infringement and seeking $2,500 per trafficked device plus $150,000 per copyright violation under the DMCA's statutory damages provisions (Wikipedia, 2026b). In December 2021 he was ordered to pay a further $10 million to Nintendo on top of the criminal $4.5 million penalty. The Guardian later reported that Bowser, granted early release on health grounds, will pay Nintendo 25 to 30 per cent of his gross income each month for the rest of his life (Hernandez, 2024). The civil judgement functions not as a one-off recovery but as a perpetual garnishment.
What Nintendo had that Take-Two did not is a defendant in a jurisdiction whose statute provides automatic, scheduled damages, a court system willing to enter eye-watering judgements against modestly resourced individuals, and a legal culture that treats the parallel criminal-and-civil pincer as routine. Even then, Nintendo's actual cash recovery is trivial relative to the judgement: it is the message, and the lifetime garnishment, that matter.
In Kurtaj's case the only mechanism by which any money found its way back to Take-Two was the sentencing-stage figure of $5 million in recovery costs, cited by the prosecution in aggravation (Tidy, 2023). Whether any compensation order was made is not reported, and given Kurtaj's hospital-order status it would have been nominal at best. A compensation order under section 134 of the Sentencing Act 2020 is means-tested; a detained patient with no income receives no meaningful order.
The Proceeds of Crime Act 2002 provides a parallel confiscation regime, but it depends on identifying realisable assets representing the benefit of the criminal conduct. The cryptocurrency wallets associated with Lapsus$ were never opened, and the BBC reports the hackers did not provide the passwords (Tidy, 2023). Whatever sits inside those wallets is, for practical purposes, beyond confiscation.
So Take-Two's $5 million remains an accounting line. The $5 million figure functions principally as a sentencing argument, an insurance claim, and a regulatory disclosure, not as a sum to be recovered.
The signal sent by the December 2023 disposition is mixed and arguably perverse from a deterrence standpoint. On one hand, an indefinite hospital order is, in a sense, the most severe outcome available short of a determinate prison sentence of comparable length: Kurtaj will remain detained for as long as clinicians and the Ministry of Justice agree he is a danger, which the sentencing judge said was likely to be life unless circumstances change (Tidy, 2023). For a young hacker contemplating a similar attack, the message is that the UK will incapacitate you, perhaps indefinitely, even where it cannot try you in the ordinary way.
On the other hand, the absence of any civil judgement and the absence of any meaningful financial restitution invites a particular reading among young, judgement-proof actors: the worst-case scenario is loss of liberty, not financial ruin. Compare Bowser, who will pay Nintendo for the rest of his life. The deterrent profile for an adult, asset-bearing US perpetrator is qualitatively different from that for a UK juvenile under mental-health detention.
The deeper signal goes to publishers' own behaviour. The Kurtaj outcome demonstrates that, for a UK-based attacker, the publisher's leverage runs out at the criminal sentencing hearing. The publisher cannot expect to recover costs, cannot expect to control the narrative through a civil discovery process, and cannot use the threat of perpetual garnishment as in terrorem leverage. The rational publisher response is therefore to invest more heavily in pre-incident controls and incident-response insurance, and to lobby for CMA reform of the kind the CyberUp Campaign and the Criminal Law Reform Now Network have proposed (Wikipedia, 2026a), rather than to expect post-incident recoveries.
Hernandez, P. (2024) 'The man who owes Nintendo $14m: Gary Bowser and gaming's most infamous piracy case', The Guardian, 1 February. Available at: https://www.theguardian.com/games/2024/feb/01/the-man-who-owes-nintendo-14m-gary-bowser-and-gamings-most-infamous-piracy-case (Accessed: 14 May 2026).
Tidy, J. (2023) 'Lapsus$: GTA 6 hacker handed indefinite hospital order', BBC News, 21 December. Available at: https://www.bbc.co.uk/news/technology-67663128 (Accessed: 14 May 2026).
Wikipedia (2026a) Computer Misuse Act 1990. Available at: https://en.wikipedia.org/wiki/Computer_Misuse_Act_1990 (Accessed: 14 May 2026).
Wikipedia (2026b) Team Xecuter. Available at: https://en.wikipedia.org/wiki/Team_Xecuter (Accessed: 14 May 2026).