The Journal. - How One Teenager Became a Legendary Hacker
Episode Date: October 16, 2024Investigators say that Arion Kurtaj’s life in cybercrime began at age 11, and ultimately led to his participation in the hacks of major companies like Nvidia, Microsoft, and Uber. WSJ’s Robert McM...illan explains how Kurtaj’s case has brought worries about a new breed of fearless young hackers. Further Reading: -This Teenage Hacker Became a Legend Attacking Companies. Then His Rivals Attacked Him. -Hackers Leaked ‘Grand Theft Auto’ Footage, Rockstar Games Says Further Listening: -Hack Me If You Can, Part 1: The Making of a Russian Hacker -How North Korea’s Hacker Army Stole $3 Billion in Crypto Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
About two years ago, NVIDIA, the world's most valuable chip company, was the victim of a major hack.
Well, developing news tonight on a mysterious overseas hacking group targeting major tech companies.
NVIDIA, one of the biggest chip makers around the world, got hacked last Friday.
And a massive trove of data was leaked onto the internet.
Our colleague Bob McMillan was following the story.
I learned of this attack via Twitter,
and it was not like anything I'd really ever seen before.
So there was a hacking group that not a lot of people had heard about,
and they showed up one day and said that they had broken into NVIDIA.
And they were like super loud about it, like bragging about it.
They claimed to have all kinds of source code and schematics and basically proprietary data
that would be of great interest to like a rival chip maker.
But then ultimately these hackers dumped a bunch of data
and at that point it was very clear that they had broken into NVIDIA.
Pulling off a hack on a company as big and secure as NVIDIA is already a feat.
But Bob was even more surprised when he learned who was behind the attack.
It turns out that one of the people behind the hack was Arian Kirtaj,
who was a 17-year-old hacker.
And cybersecurity investigators say that Kurtage
has been involved in illegal online activity
since he was 11.
Bob McMillan, what were you doing when you were 11?
Oh, I was playing D&D,
and I was definitely playing video games big time.
Ha ha ha.
Unlike Bob, Arian Kurtage was taking his gaming
to a more advanced level, because he was also
apparently starting to hack.
By 17, Kurtage had become one of the most infamous hackers in the world, breaking into
major multinational companies.
We're talking about Microsoft, Samsung, Uber, Nvidia.
He caused millions and millions of dollars worth of economic damage.
And it's just fascinating that somebody so young could be so successful.
And he's part of what seems to be a growing phenomenon and one that really has law enforcement
authorities flummoxed.
Kurtage's family declined to be interviewed.
His lawyers have acknowledged that there was evidence Kurtage was associated with hackers
in some of their activities.
But they also said that the evidence failed to prove he committed many of the offenses
alleged by prosecutors or that he was the central player.
Cybercrime experts say that hackers are getting younger and younger.
And some of those teenage hackers have gotten very good at what they do.
It used to be we were worried about the Russians, the Chinese, the Iranians, and the North Koreans.
And these teenagers are definitely up there with all those actors,
just in terms of the impact that they're having.
So it's a big problem.
Welcome to The Journal,
our show about money, business, and power.
I'm Jessica Mendoza.
It's Wednesday, October 16th.
Coming up on the show, the teenager who became a hacking legend and the race to catch him.
How do airplanes fly?
What's in this box?
What does this thing do?
Kids are curious about everything, including guns.
Learn how to store your gun securely
and make your home safer at nfamilyfire.org.
Brought to you by N Family Fire, Brady, NEI Council.
Today, Aryan Kirtage is 19 years old.
He grew up in the UK, and as a kid, he had trouble in school.
He was born autistic.
He was a very difficult kid to raise.
And his behavioral problems, as he got older,
they became increasingly unmanageable.
I think he was a kid from a family without a ton of means who basically was not thriving in any way in the real world
and who turned to the virtual world, you know, for his identity, his whole identity.
Kurtage spent a lot of time online playing video games.
According to Bob's reporting, as Kurtage got deeper into gaming, he started finding
out about techniques on how to win, including
hacking his opponents.
Soon, Kurtage moved beyond trying to win
video games to committing major cybercrimes.
So that was in June of 2021.
Kurtage would have been 16 at this time.
And a video game maker, Electronic Arts, gets broken into.
These people had their intellectual property stolen,
videos of games and source code are taken.
There was a demand for money, for $28 million,
but it almost seemed like it wasn't serious.
Electronic Arts didn't send over any money.
In retaliation, the group of hackers, which included Kurtage,
dumped company data online.
Soon after, Kurtage joined forces with another teenager
and several Brazilian hackers.
They called themselves Lapsys,
and they started targeting some big companies.
Everybody on the team has a different set of skills, and together they're kind of more
powerful than they are individually.
So by August, Kurtage and his associates have broken into a British telecom company,
and when they had access, Kurtirtaj and his associates were basically selling SIM swaps to other people.
SIM swapping is a hacking technique.
It was pioneered by teenage hackers who
use it to take over online accounts.
Here's how it works. A hacker calls up
a cell phone provider and tricks
the customer service person into
transferring a phone number to a new SIM card.
Whoever has that SIM card then has access to other accounts linked to that phone number.
SIM swapping is key to taking over gaming accounts, taking over coveted Twitter accounts
or Instagram accounts and then selling them.
Taking over cryptocurrency accounts like Coinbase accounts and making some real money.
And SIM swapping is good for that.
Through sim swapping, Kurtage and the hacker group Lapsys made a lot of money.
And in late 2021, Kurtage made a big purchase.
He bought this website called Docs Bin.
It's kind of a social network really.
It's a site that's devoted to publishing doxists of people. In
other words, publishing private information that they probably wouldn't want disclosed.
This can be like phone numbers, relatives' phone numbers, online account names, addresses,
things like that. And so when you dock somebody, especially if you dock a hacker,
you're destroying their anonymity, you're
showing where they live, and you're also providing law enforcement investigators with valuable
information that they can use to pursue their investigations.
So if you're doxing another hacker, it can really lead to their arrest.
So he bought Docsbin.
He bought Docsbin.
Yeah, he paid $75,000 and took over the site.
Do we know why?
Well, I mean, my guess is that it would be
the ultimate power move, right?
In this community, Docsmen is at the center,
and so it's a position of prestige within the community
that Kurtage is rapidly becoming very well known in.
But according to Bob's reporting,
Kurtage's community of fellow hackers and Doxers didn't like the way he was running the site.
Eventually, the previous owners pressured
Kurtage to sell the site back to them.
His parting gesture to the doxman community was to
basically dump all the private information
that he had access to as the owner,
and essentially dox all the doxers, you know.
So he published a lot of information that people wish he hadn't published and he angered people even more.
And so that pisses off a lot of people. What are the consequences for Kurtage?
Well, ultimately, Kurtage got doxed and he got doxed in what has been described as like the most complete doxx of all time. It had and I've seen this document it's got like every alias
that he ever used it's got his home address it's got his mom's address it's
got his father's address family other you know extended family members.
It wasn't only Kurtage's private information that went public it was also what he
looked like. The doxx included personal photos of went public. It was also what he looked like.
The docs included personal photos of Kirtaj.
In one of them, he's on a boat holding a big brown fish that looks like it was just
pulled out of the water.
The docs happened in January of 2022.
That same month, authorities, who had been tracking Kirtaj for some time, arrested him
on suspicion of the SIM card telecom hack.
But because they were still early in their investigation, after seizing his digital devices,
they released him.
They're like, we know who you are, we're investigating you, beware.
Charges could be coming.
And so, roll back to like teenage me, like I would be scared to death by the cops showing up at my house
and I would definitely have stopped my hacking at that point.
But, um, Kurtage did not.
Not only did Kurtage continue hacking, but his biggest and most ambitious attacks were yet to come.
That's next. ["Skyfall", by K.O.D.A.N.]
In February, 2022,
Kurtage and the hacking group Lapsys broke into the behemoth chipmaker,
NVIDIA.
And why was the NVIDIA hack in particular, why was that a big deal?
Well NVIDIA, I mean their market value today I think is three trillion dollars.
You know, they're incredibly important company, They're well-heeled. They have intellectual property that's like extremely valuable.
And the fact that a couple of teenagers could break into this company is, you know,
no matter who did it, like a hack of Nvidia would be noteworthy.
Right.
But the fact that it was just these lapses kids doing it was even more remarkable.
A month later, the police arrested Kirtaj again.
But because Kirtaj has severe autism and other developmental issues,
authorities couldn't find an appropriate facility to hold him.
So he was released again, this time on the condition that he stayed off the internet.
Even though he wasn't under arrest anymore, Kirtaj, whose private information was still
public, had other problems to deal with.
Over the next few months, according to the police, Kirtaj started to get harassed.
Someone threw bricks at the windows of his family's home.
His mom's car was smashed up.
And authorities found evidence of a plot to steal cryptocurrency from him.
So the police came up with a plan to keep him safe.
By September, they moved Kirtaj and his mom
into a travelodge, a hotel just outside of Oxford.
The police had this system where when they knocked
on the door to let Kirtaj know it was really them,
the code word that they used was lucky lucky.
But even with all this going on in his life
and in order to stay offline, that didn't
stop Krataj.
Are there any big hacks that happen while he is at this hotel?
Yeah, there are a couple of big hacks that happen while he was at this hotel.
The first one was Uber, and then even more remarkably, he breaks into Rockstar, which
as all good gamers know is developing Grand Theft Auto 6.
And he starts releasing like unreleased video clips from Grand Theft Auto and code from it.
The Rockstar Games hack was a big deal in the gaming and hacker community.
And it wasn't long before a rival hacker posted that it was Kurtage who had done it.
Now, police suspected he wasn't just sitting around doing nothing at the Travelodge Hotel.
So how do police try and stop him?
So they go to the Travelodge.
They're supposed to say, lucky,
lucky when they knock on the door so that he knows it's the cops.
So they come up to his door,
get into the room, and there he is.
He's got this Amazon fire stick with internet access.
He's got an iPhone as well, so he's got like two devices that can connect to the internet.
He's not supposed to have any.
And he appeared to be in the process of like bragging about these hacks,
like just right up to the minute that he was arrested.
like just right up to the minute that he was arrested. Kirtaj was arrested and charged with 12 counts of hacking, fraud, and blackmail.
But due to his autism and developmental issues, psychiatrists deemed him unfit to stand trial
for the question of criminal intent.
So the judge told the jury to only determine whether or not Kertaj had done the alleged
acts.
And the court found that, yes, indeed, he did them.
And they said, we're going to basically convict him of all this, but we're going to sentence
him to a mental facility, not a criminal detention center. And he's going to stay there until the doctors decide
he is fit to come back into society.
He's no longer a threat to society.
Kirtaj and his lawyers are seeking to appeal.
They argued at trial that while there
was evidence of Kirtaj's association with hackers
and the offenses, it failed to prove
he committed many of the offenses
or was the central player.
His lawyers have also said that a potential lifetime of incarceration is not appropriate
for a teenager like Kurtage.
What is the takeaway here, Bob?
What does this story tell us about this moment in cybercrime?
Here in the United States, the Department of Justice
typically doesn't even pursue cases
against teenage hackers, right?
So typically, if the feds find out that the subject
of their investigation is a teenager, they'll stop.
They just won't prosecute.
So bottom line, law enforcement has a really hard time
prosecuting teenagers and in particular,
teenagers with special needs.
And so what is the next step here, if this is something that needs to be prevented moving
forward?
Well, the FBI is taking an interest in addressing this problem.
Since Lapses, there have been other groups that have popped up.
You can almost look at Lapsys like these kind of like teenagers, you know, pioneering the
playbook and then other groups like going to bank with it.
And they're not the only entities that are engaged in this type of activity.
So there's like a real worry that the professionalized criminals are going to ally themselves with these super capable
teenagers and young people and just create an unholy alliance
that really is going to be very difficult to stop
and is going to be responsible for an increasing
level of economic damage.
And I think probably the consensus
is that there needs to be some kind of intervention program, right?
There needs to be some kind of way of taking these kids at an early stage and
directing them into something that is less harmful than stealing cryptocurrency or sim swapping or breaking into Nvidia and
It's gonna be hard
Well, thanks for coming on the show, Bob.
We really appreciate it.
Next time, I promise it'll be about something fun.
Something uplifting, you know?
Something that'll make you optimistic about the human condition.
It's like, oh no, we're all gonna get hacked and it's gonna be my teenager.
It's all getting worse.
It's teens.
It's just... getting worse. That's teens. That's all for today, Wednesday, October 16th. The Journal
is a co-production of Spotify and the Wall Street Journal. Additional reporting in this
episode by Jenny Strasburg.
Thanks for listening.
See you tomorrow.