Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds

Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided. At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male …

  1. Anonymous Coward

    Hold on...

    "...the jury was told not to find ... guilty or not guilty ... Instead, the panel was asked to decide whether or not he did the things he was accused of."

    ...and the difference between "been guilty" and "done the thing" is ?

    "The extortionists demanded a £3.1 million ($4 million) ransom"... "The teens' hacking spree showed a "juvenile desire to stick two finger"...

    Nope. Sorry. It showed that they wanted the money and that's all.

    1. Spazturtle Silver badge

      Re: Hold on...

      "...and the difference between "been guilty" and "done the thing" is ?"

      In the UK being found guilty requires that both your body is guilty (so you did the thing you are accused of) and that your mind is guilty.

      "Nope. Sorry. It showed that they wanted the money and that's all."

      Yeah it was all about the money, they are still refusing to hand over their crypto wallets. They should be detained indefinitely until they hand over the money they have squirreled away.

    2. the reluctant commentard

      Re: Hold on...

      I think the article explains the difference quite clearly: a panel of experts has established that the defendant is mentally unfit to stand trial, which means he cannot be convicted.

      But at the same time, the jurors were asked to determine if he had done the things he was accused of. A "yes" means the case can be officially closed as the party responsible (not the "guilty party") has been established, it is just that said party will not have a conviction on their record.

      It also means the victims can be confident that the persons behind the attack were indeed identified and dealt with.

      1. J.G.Harston Silver badge

        Re: Hold on...

        If he's mentally unfit to stand trial, it strikes me that he's mentally unfit to be allowed to be independently part of society and be anywhere near sharp things such as computers and communication tools. What moron allowed this person access to them in the first place?

        1. MOV r0,r0

          Re: Hold on...

          I'm uncomfortable with this decision too. If autism is sufficient for someone to be unfit to stand trial, how about severe personality disorders (for example Allitt, Letby, the Wests)?

          People go up before the beak for what they've done, why they did it should only impact the sentencing.

          1. Doctor Syntax Silver badge

            Re: Hold on...

            Didn't the reports at the time say that their MO was social engineering? If that was the case then it must show an ability to understand other people's minds in a way which doesn't fit with what I understand autism to be. I suppose that now I've written that somebody will be along to explain that autism is something else entirely but it's looking as if it's whatever the defence lawyers want it to be.

            1. Michael Wojcik Silver badge

              Re: Hold on...

              Autism is a whole bunch of things, which is why people refer to it as a "spectrum". I'm suspicious of the autism defense too, but without a lot more information I'm not going to comment on it.

              Social-engineering attacks are often carried out using scripts, which can be obtained from various malware vendors. Social engineering is sometimes customized for a specific target, but often attackers just use generic approaches against a number of targets, knowing there's a good probability that at least one attack will succeed.

              Jessica Clark's demonstration for Kevin Roose at DEFCON – you can find the video on YouTube – is a well-known example of a generic soc-eng attack. Clark's good, but even someone with poor social skills could learn to do it from resources like that video and some practice.

        2. phuzz Silver badge
          Headmaster

          Re: Hold on...

          If someone is found to be unfit to stand trial, but the court thinks they may be a danger to other people, they can be 'sectioned', and locked up in a secure psychiatric hospital. In some ways that's worse than prison, because there's no set sentence, or possibility of parole, they're locked up until the doctors think they're no longer a danger.

          See https://en.wikipedia.org/wiki/Mental_Health_Act_1983

          1. Anonymous Coward

            Re: Hold on...

            Personally I think that should come immediately on the table the moment someone uses autism or other conditions-that-aren't as a reason why they're not competent to stand trial or be held accountable for what they got up to so it doesn't act as a get out of jail card.

            I know plenty of people with light autism and Aspergers, and they all know right from wrong.

            As an aside, however, I do have to raise the question what sort of security the bigger companies had. If a couple of teenagers is able to piss all over it, maybe, just maybe you ought to do better?

  2. Pascal Monett Silver badge

    computer intrusion, blackmail, and fraud

    So, if I get this right, if you're under 18 in the UK you can wreak havoc and blackmail people and you're free until the trial ?

    No computer lockdown ? You can just carry on blackmailing people ?

    Is there something that is keeping that soon-to-be criminal from continuing to make other people's lives miserable ?

    1. the reluctant commentard

      Re: computer intrusion, blackmail, and fraud

      The article says he was released on bail, it makes no mention of whether or not that bail came with any conditions such as not being allowed to use computers etc. I'm pretty sure that conditions of that sort will have been imposed, that would make sense.

      Jailing an under 18 year old while awaiting trial is a very heavy measure and is only reserved for the most serious of crimes I expect.

      1. Boris the Cockroach Silver badge
        Facepalm

        Re: computer intrusion, blackmail, and fraud

        According to the beeb he was released on bail with conditions

        One of them being no unsupervised access to the internet.

        So he guessed the wifi password at the bail hostel, and logged right on in.....

        On the subject of him being mentally ill, the judge should make out a nice sectioning order that he's detained in a secure unit for at least 12 months for assessment plus treatment...

    2. Version 1.0 Silver badge
      Childcatcher

      Re: computer intrusion, blackmail, and fraud

      So when this all gets cleared up, it would be a good start to hire these kids to start working on preventing hacking like that. The ability to do this kind of hacking means that they probably have developed a much better understanding than a lot of current users so maybe they can help us all be safer. Yes, you can say that they did some bad things but they are just slightly older kids - so us adults need to admit that we haven't been teaching them so much about what's good and bad in our lives.

      I can remember doing a few stupid dumb things as a kid (getting my grandfather's six shooter gun working in Oxfordshire when I was about 7 years old) but I've been very law abiding once I grew up.

      1. Michael Wojcik Silver badge

        Re: computer intrusion, blackmail, and fraud

        Lapsus$ didn't do anything sophisticated or novel. Their attacks were notable primarily because they used a relatively expensive approach[1] and were a small, hands-on group rather than using a franchise / multi-level structure like most IT extortion groups. That made targeted attacks more economically feasible.

        They don't have anything to teach security experts, and what they have to teach ordinary users has already been known for decades. Ordinary users just aren't capable of maintaining that level of vigilance. It's not something people are good at.

        [1] Contacting victims in person is much more time- and labor-intensive than blasting out a million 419 emails, or scanning a million systems for a known vulnerability.

    3. Ideasource

      Re: computer intrusion, blackmail, and fraud

      Well now that he's caught, the fun game bubble is popped.

      He'll learn from his own experience that having a bunch of other people involved in your life and overseeing what you're doing is hell on earth

      Plenty of motivation by the time he's done to find a corner of the world and stay out of sight for the sake of his own peace.

      Normal people are extremely frustrating to deal with. Much more so to be managed by.

      Especially to an autistic.

  3. Yet Another Hierachial Anonynmous Coward

    In the dock?

    If a couple of 16 years olds can access BT/EE servers alongside other multinational tech companies, and help themselves to secure data, then surely someone else should be in the dock?

    Exactly who is in charge of security at those organisations?

    The article does not mention whether these kids did it alone, or whether they were just mules for some more sophisticated masterminds, though.

    1. chivo243 Silver badge
      FAIL

      Re: In the dock?

      If a couple of 16 years olds can access BT/EE servers alongside other multinational tech companies, and help themselves to secure data, then surely someone else should be in the dock?

      So much this^^^. If some skript kiddies can waltz into systems like this, somebody better call the engineers responsible on the carpet, stat!!

    2. Anonymous Coward

      Re: In the dock?

      Scripts is all it takes here as network latency is vastly slower than script interpreters since when doing anything across a WAN, the most time spent is on waiting. Now who wrote the core scripts is another matter and while most likely not these kids, I suspect the most masterminded was the one who paid for or found a toolkit.

  4. Winkypop Silver badge

    What next?

    Kindergartener sets up fake betting agency.

    Defence barrister insists his client be back home for 7:30 bed time.

  5. Jim Whitaker
    Facepalm

    Pretty tough comments but what about the companies?

    Most of the comments so far are pretty tough on the perpetrators and I get that. I too am not comfortable with a mental condition leaving someone free to re-offend. However, I think the elephant in the room is the lack of condemnation of the various companies for the incompetence shown by their IT teams. If they had not made it possible for these two to roam through their systems, then there would have been no (serious) crime committed. Pretty unimpressive.
