The Teen Who Hacked GTA 6 From a Hotel Room
In September 2022, over 90 clips of unreleased Grand Theft Auto VI appeared online. The source? An 18 year old in a UK hotel room using an Amazon Fire TV Stick, a hotel TV, and his phone.
This is the story of Arion Kurtaj.
Early Years
Kurtaj started hacking at age 11. He grew up in Oxford, England and attended a special needs school for autism. His father said he was “very good on computers.” That was an understatement.
By his mid teens, Kurtaj co founded Lapsus$, an international hacking group. They hit major tech companies for nearly $10 million in damages.
How Lapsus$ Operated
Lapsus$ ran a Telegram channel with 60,000 subscribers. They posted stolen data, taunted victims, and polled followers on which company to hack next.
Their weapon? Social engineering. They talked employees into handing over access. No sophisticated malware needed. Just manipulation.
Their motto: “log in, not hack in.”
The 2021-2022 Attack Spree
August 2021 – BT and EE: Kurtaj breached British telecom servers. Demanded $4 million. When refused, used stolen SIM data to drain nearly $100,000 from cryptocurrency accounts.
February 2022 – Nvidia: Stole one terabyte of data including source code and 71,000 employee credentials. Demanded unusual terms: remove mining limiters on graphics cards and open source GPU drivers. When Nvidia refused, Lapsus$ leaked 80 gigabytes.
Kurtaj was arrested January 22, 2022. Released under investigation.
March 2022 – Microsoft, Samsung, Others: Despite arrest, attacks continued. Microsoft lost 90% of Bing’s source code. Samsung, Vodafone, and others followed.
By March 2022, authorities arrested seven Lapsus$ members aged 16 to 21. A disgruntled community exposed their identities after the alleged leader bought and mismanaged a doxxing website.
The Hotel Room Hack
After his arrest, Kurtaj was banned from the internet. All devices confiscated. Moved to a Travelodge hotel in Bicester for protection.
He hacked anyway.
Using an Amazon Fire Stick connected to the hotel TV, plus a phone, keyboard, and mouse, Kurtaj built a basic hacking setup.
Within days in September 2022, he breached three companies:
Revolut (September 11): Social engineering attack exposed data from approximately 50,000 customers.
Uber (Days Later): Caused nearly $3 million in damages. Used MFA fatigue, bombarding employees with approval notifications until they accepted.
Rockstar Games (September 2022): The big one. Downloaded 90 clips of GTA VI plus source code. Posted them to GTAForums as “teapotuberhacker.” Sent a Slack message to all Rockstar employees: contact me via Telegram in 24 hours or I release everything.
Rockstar spent $5 million and thousands of staff hours recovering. Take Two Interactive’s stock dropped 6% initially.
The Psychology
What made Kurtaj dangerous? He never stopped.
While in custody awaiting trial, he was violent toward guards. Dozens of reports of injury and property damage.
Psychiatrists diagnosed severe autism. Deemed him unfit to stand trial, he could not understand the weight of his actions.
A mental health assessment found he “continued to express intent to return to cyber crime as soon as possible. He is highly motivated.”
Even knowing violence would bring severe punishment, he was violent anyway.
The Sentencing
August 2023: Seven week trial at Southwark Crown Court. Jury found Kurtaj committed 12 offenses including blackmail, fraud, and violating the Computer Misuse Act.
His 17 year old accomplice was convicted on charges related to Nvidia, BT, and the City of London Police hacks.
December 21, 2023: Judge Patricia Lees sentenced Kurtaj to indefinite detention in a secure psychiatric hospital.
The reason? “Continued determination to commit further serious offenses if given the chance.”
He stays there for life unless doctors declare him safe.
The 17 year old received an 18 month youth rehabilitation order with VPN ban.
Why This Matters
Kurtaj represents a new threat: teenage hackers with basic tools causing massive damage.
Key Techniques They Used
Vishing: Calling IT help desks while impersonating employees MFA Fatigue: Spamming authentication notifications until victims approve SIM Swapping: Convincing carriers to port numbers to attacker controlled SIMs Insider Recruitment: Openly paying employees for credentials on Telegram OAuth Abuse: Tricking employees into granting malicious app permissions
The Amazon Fire Stick Reality
A $40 device provided enough computing power to breach billion dollar companies. This is terrifying for security professionals.
Motivation Beyond Money
Groups like Lapsus$ want fame and notoriety. They are harder to deter through traditional law enforcement focused on disrupting financial incentives.
Lessons for Organizations
1. Train Your People: 82% of data breaches involve people. Your employees are the weakest link. Invest in security awareness training.
2. Ditch SMS-Based MFA: Move to hardware keys or biometric authentication. SMS and voice calls are vulnerable to SIM swapping and MFA fatigue.
3. Secure Help Desks: Verify identity beyond easily researched personal information. Train staff to recognize social engineering.
4. Limit Access: Use “least privilege.” Employees only access what they need for their specific role.
5. Watch for Insider Threats: Lapsus$ openly recruited insiders on Telegram. Monitor unusual access patterns.
6. Deploy Monitoring: Major corporations failed to detect intrusions until significant damage was done. Monitor continuously.
The Youth Question
The UK operates “cyber rehab” camps for young offenders. Residential weekends teaching responsible use of skills and cybersecurity career paths.
The average cybercriminal in the UK is 17 years old. Research shows the only difference between hackers who go legit versus criminal is intervention at a pivotal moment.
Guidance from parents, teachers, or mentors determines whether technical skills become productive careers or criminal enterprises.
But Kurtaj shows the limits. Not all young hackers respond to rehabilitation, especially when technical ability combines with severe mental health challenges and compulsive behavior.
Impact on Gaming
GTA V generated over $1 billion in three days. Over $7 billion total. The highest grossing entertainment product ever made.
GTA VI is expected to be even bigger. Possibly $2 billion total budget.
The leak of 90 raw, buggy alpha clips threatened carefully planned marketing. Developers noted leaks “impact marketing plans” which have “very specific, timed and targeted plans to maximize engagement.”
Beyond marketing, the breach raised questions about what else Kurtaj accessed. Prompted extensive security reviews costing $5 million and thousands of employee hours.
Despite the chaos, when the official GTA VI trailer released in December 2023, it garnered massive viewership. Long term damage to consumer interest appears limited.
The Takeaway
A single teenager from a hotel room with consumer grade tech caused millions in damage to billion dollar corporations.
Cybersecurity is fundamentally a human problem, not just technical. The most sophisticated defenses fail when people are manipulated psychologically.
Groups like Lapsus$ signal a new era. Youth, technical skill, and fearlessness combine to create threats traditional security approaches struggle to address.
Kurtaj’s compulsion to hack was so strong that arrest, prosecution, and violent incidents during custody could not stop him. His indefinite hospitalization acknowledges a difficult truth: some individuals pose such a persistent cyber threat that conventional justice responses are insufficient.
For organizations, this demands rethinking human centered security. Your greatest vulnerabilities lie not in your code, but in your people.
The most dangerous weapon in cybersecurity is not sophisticated malware. It is human determination paired with technical skill and an opportunity to exploit collective weaknesses.
Teen hackers are not the problem. They are the wake up call.
The question is whether organizations will listen before the next Arion Kurtaj emerges.
