A teenager became a legend in online communities by allegedly hacking into big companies, even after multiple arrests. He's part of a new breed of fearless young cybercriminals worrying authorities. WSJ reporter Robert McMillan tells the story of Arion Kurtaj and the Com. Zoe Thomas hosts.
Sign up for the WSJ's free Technology newsletter.
Learn more about your ad choices. Visit megaphone.fm/adchoices
[00:00:00] [SPEAKER_01]: Robert Haff research indicates 9 out of 10 hiring managers are having difficulty hiring.
[00:00:06] [SPEAKER_01]: Robert Haff is here to help.
[00:00:08] [SPEAKER_01]: Our recruiting professionals utilize our proprietary AI to connect businesses with highly skilled
[00:00:13] [SPEAKER_01]: talent.
[00:00:14] [SPEAKER_01]: At Robert Haff, we know talent.
[00:00:17] [SPEAKER_01]: Visit roberthaff.com today.
[00:00:23] [SPEAKER_02]: Welcome to Tech News Briefing.
[00:00:25] [SPEAKER_02]: It's Monday, October 7th.
[00:00:27] [SPEAKER_02]: I'm Zoe Thomas for the Wall Street Journal.
[00:00:30] [SPEAKER_02]: A new breed of fearless young cyber criminals is worrying authorities.
[00:00:35] [SPEAKER_02]: They are gamers, hackers and online con artists, teenagers who are native English speakers
[00:00:41] [SPEAKER_02]: and part of a sprawling set of online communities called the COM.
[00:00:46] [SPEAKER_02]: They've been able to talk their way into sensitive networks and members have broken
[00:00:51] [SPEAKER_02]: into systems of some of the top tech companies including Uber and NVIDIA.
[00:00:57] [SPEAKER_02]: Today, we're going to tell you the story of one of the most notorious hackers and explain
[00:01:02] [SPEAKER_02]: what makes them different from other cyber criminals.
[00:01:08] [SPEAKER_02]: In September 2022, UK police arrested 17-year-old Arianne Kurtage for his alleged role in a
[00:01:17] [SPEAKER_02]: prominent hacking group.
[00:01:19] [SPEAKER_02]: It wasn't the first time Kurtage had been arrested for offenses connected to cyber
[00:01:23] [SPEAKER_02]: attacks on major companies.
[00:01:25] [SPEAKER_02]: There are many surprising things about this story.
[00:01:28] [SPEAKER_02]: Kurtage's age, the scale of the hacks and the fact that he's part of an online community
[00:01:33] [SPEAKER_02]: of young people involved in cyber crime.
[00:01:35] [SPEAKER_02]: Here to tell us more is our reporter Robert McMillan.
[00:01:39] [SPEAKER_02]: And Bob, I just want to note that your reporting for this story is based on court records,
[00:01:43] [SPEAKER_02]: online chats and posts and interviews with police, cybersecurity inspectors and others
[00:01:48] [SPEAKER_02]: familiar with Kurtage and his case.
[00:01:51] [SPEAKER_02]: So Bob, tell us about Arianne Kurtage's background.
[00:01:54] [SPEAKER_00]: Arianne had a pretty tough childhood.
[00:01:56] [SPEAKER_00]: I mean, he's autistic.
[00:01:57] [SPEAKER_00]: He has a lot of behavior issues.
[00:01:59] [SPEAKER_00]: He grew up in Oxford, just sort of outside of London.
[00:02:03] [SPEAKER_00]: And, you know, his parents separated when he was young.
[00:02:06] [SPEAKER_00]: He never really fit in in school, but when he was pretty young, you know, through the
[00:02:11] [SPEAKER_00]: internet, he found a community where he seemed to excel.
[00:02:14] [SPEAKER_00]: So around age 11, he started getting into these hacking forums and video game related
[00:02:20] [SPEAKER_00]: hacking type things that he was doing.
[00:02:22] [SPEAKER_00]: And from there, he found a lot of success and he quickly advanced to the point where just
[00:02:29] [SPEAKER_00]: a few years later, he was taking on some of the best known companies in the world.
[00:02:38] [SPEAKER_00]: So he was part of this group called Lapsis, which for a while, just in 2021 to 22, they
[00:02:44] [SPEAKER_00]: just seemed to be able to hack anyone.
[00:02:46] [SPEAKER_00]: And they started by breaking into European telecom carriers and doing what's called
[00:02:51] [SPEAKER_00]: SIM swapping, so basically taking control of people's phones to reset their passwords
[00:02:57] [SPEAKER_00]: and ultimately steal cryptocurrency.
[00:03:00] [SPEAKER_00]: But Lapsis did a lot more than that.
[00:03:02] [SPEAKER_00]: There was a sort of Brazilian connection to Lapsis.
[00:03:05] [SPEAKER_00]: So they hacked a bunch of entities in Brazil, including the Ministry of Health there.
[00:03:09] [SPEAKER_00]: But they really caught my attention when they hit NVIDIA.
[00:03:14] [SPEAKER_00]: So NVIDIA, the massive chip maker associated with AI chips right now, is a pretty
[00:03:20] [SPEAKER_00]: formidable target.
[00:03:22] [SPEAKER_00]: You know, they understand cybersecurity.
[00:03:23] [SPEAKER_00]: They're hard to hack and Lapsis broke into NVIDIA, stole a bunch of their intellectual
[00:03:28] [SPEAKER_00]: property and they were very public about it.
[00:03:31] [SPEAKER_00]: You know, they're sort of making these very public threats.
[00:03:33] [SPEAKER_00]: They wanted NVIDIA to comply to a bunch of requests or they would dump data.
[00:03:38] [SPEAKER_00]: And NVIDIA was just the beginning.
[00:03:40] [SPEAKER_00]: During about a six month period, hackers associated with Lapsis just basically
[00:03:45] [SPEAKER_00]: broke into some of the best known names in tech companies like Microsoft,
[00:03:49] [SPEAKER_00]: Samsung, Uber, Rockstar Games, the makers of Grand Theft Auto.
[00:03:55] [SPEAKER_02]: I'm curious how the group allegedly pulled off the NVIDIA hack.
[00:03:59] [SPEAKER_00]: Well, it's funny, you know, when you think about cyber attacks,
[00:04:02] [SPEAKER_00]: traditionally people think of very scary techniques.
[00:04:06] [SPEAKER_00]: But these are teenagers.
[00:04:07] [SPEAKER_00]: And so they actually did something that was kind of obvious, but also just like
[00:04:12] [SPEAKER_00]: insanely effective.
[00:04:14] [SPEAKER_00]: Their classic technique for breaking into a company was they would buy
[00:04:17] [SPEAKER_00]: user names and passwords.
[00:04:19] [SPEAKER_00]: Like it turns out that in the age of remote working, there's sort of this
[00:04:22] [SPEAKER_00]: market for what are called password stealers.
[00:04:26] [SPEAKER_00]: And this is software that you might install unwittingly on your computer
[00:04:29] [SPEAKER_00]: that starts collecting data from your computer.
[00:04:32] [SPEAKER_00]: The Kurtage crew would get user names and passwords, but that's not enough
[00:04:36] [SPEAKER_00]: to get into a corporate network.
[00:04:37] [SPEAKER_00]: Often there's a second factor that has to be used to get in.
[00:04:41] [SPEAKER_00]: And so they used a technique called social engineering to get that
[00:04:45] [SPEAKER_00]: second factor of authentication.
[00:04:47] [SPEAKER_00]: And sometimes this could be something as simple as just sending a password reset.
[00:04:51] [SPEAKER_00]: You'll get a text message on your phone saying like, Hey, are you really trying
[00:04:55] [SPEAKER_00]: to do that? Click Yes, if you are.
[00:04:57] [SPEAKER_00]: They would just trick people into clicking Yes for that or they could call
[00:05:00] [SPEAKER_00]: up tech support and try and get the tech support people to help them.
[00:05:04] [SPEAKER_00]: So they did this combination of stolen user names and passwords
[00:05:08] [SPEAKER_00]: and then social engineering basically tricking people into doing
[00:05:12] [SPEAKER_00]: that second factor.
[00:05:13] [SPEAKER_00]: And it was like insanely effective.
[00:05:15] [SPEAKER_02]: Ariane Kurtage was arrested and then released after the Nvidia hack.
[00:05:20] [SPEAKER_02]: Why?
[00:05:21] [SPEAKER_00]: So he was arrested a total of three times.
[00:05:24] [SPEAKER_00]: The first time he was arrested, they suspected him in these telco hacks
[00:05:28] [SPEAKER_00]: in Europe. And the thing is, so he and a partner of his really didn't
[00:05:32] [SPEAKER_00]: seem to be phased by any of these arrests.
[00:05:35] [SPEAKER_00]: So they would get arrested.
[00:05:37] [SPEAKER_00]: The police would like take their devices, try to look for evidence on them.
[00:05:40] [SPEAKER_00]: And then within a matter of days, they would continue their hacking.
[00:05:43] [SPEAKER_00]: Now, the first time they were arrested, they were released on their
[00:05:48] [SPEAKER_00]: own reconnaissance. The second time the authorities in the UK tried
[00:05:53] [SPEAKER_00]: to find a place to put Kurtage.
[00:05:55] [SPEAKER_00]: But because he was a minor and because he's sort of in special circumstances,
[00:06:00] [SPEAKER_00]: they couldn't find a suitable accommodation form.
[00:06:03] [SPEAKER_00]: So they released him back to his family and he continued to hack
[00:06:07] [SPEAKER_00]: after both of those initial two arrests.
[00:06:09] [SPEAKER_02]: So tell us about the incident that led to his third arrest.
[00:06:12] [SPEAKER_00]: Well, it started with Uber.
[00:06:14] [SPEAKER_00]: This was on September 14th of 2022.
[00:06:18] [SPEAKER_00]: It must be like six months after his first arrest.
[00:06:21] [SPEAKER_00]: Uber people are on the internal slack and somebody pops up there
[00:06:25] [SPEAKER_00]: and says like, Hey, I'm the Uber hacker.
[00:06:28] [SPEAKER_00]: I've hacked you guys post like this link to this obscene image.
[00:06:32] [SPEAKER_00]: And it's very loud, very noisy, very public about the fact that
[00:06:36] [SPEAKER_00]: Uber has been hacked.
[00:06:37] [SPEAKER_00]: And then a couple of days later, the same person basically hacks
[00:06:40] [SPEAKER_00]: Rockstar Games, but pops up on some GTA forums saying like,
[00:06:45] [SPEAKER_00]: I'm going to dump like all these videos and this stolen
[00:06:48] [SPEAKER_00]: intellectual property related to the upcoming version of GTA.
[00:06:52] [SPEAKER_00]: So these are like super high profile incidents.
[00:06:55] [SPEAKER_00]: And ultimately right after the GTA thing happened,
[00:06:59] [SPEAKER_00]: Kurtage was what people in the online communities he frequented
[00:07:03] [SPEAKER_00]: fingered him as the person responsible for that hack.
[00:07:06] [SPEAKER_00]: And the London police were sent scrambling once again to go after their man.
[00:07:12] [SPEAKER_02]: Where was Kurtage at the time of this?
[00:07:15] [SPEAKER_00]: Kurtage was doxxed.
[00:07:17] [SPEAKER_00]: In other words, people published a document naming him his address,
[00:07:21] [SPEAKER_00]: his family members, their phone numbers, everything that they could
[00:07:24] [SPEAKER_00]: find out about him.
[00:07:25] [SPEAKER_00]: And this was very scary, I'm sure.
[00:07:28] [SPEAKER_00]: So the city of London police basically at a certain point
[00:07:33] [SPEAKER_00]: they arrested some people who had been driving around near his house
[00:07:36] [SPEAKER_00]: and they had a photo of Kurtage on one of their devices.
[00:07:40] [SPEAKER_00]: So the city of London police moved him out of his house
[00:07:42] [SPEAKER_00]: into a safe location and a travel lodge in Oxford.
[00:07:46] [SPEAKER_00]: And he was staying there with his mom when the Uber
[00:07:50] [SPEAKER_00]: and the Rockstar hacks occurred.
[00:07:53] [SPEAKER_00]: So when they had to arrest him for the third time,
[00:07:56] [SPEAKER_00]: they knew very well where he was living because he was living
[00:07:58] [SPEAKER_00]: under police protection in this motel.
[00:08:00] [SPEAKER_02]: After the break, Kurtage may be the most well-known teenage hacker,
[00:08:04] [SPEAKER_02]: but he's not alone.
[00:08:06] [SPEAKER_02]: We'll find out about the online communities that serve as an entry
[00:08:10] [SPEAKER_02]: point to cybercrime when we come back.
[00:08:19] [SPEAKER_01]: Robert Haff research indicates nine out of 10 hiring managers
[00:08:23] [SPEAKER_01]: are having difficulty hiring.
[00:08:25] [SPEAKER_01]: Robert Haff is here to help.
[00:08:27] [SPEAKER_01]: Our recruiting professionals utilize our proprietary AI
[00:08:30] [SPEAKER_01]: to connect businesses with highly skilled talent.
[00:08:33] [SPEAKER_01]: At Robert Haff, we know talent.
[00:08:35] [SPEAKER_01]: Visit Robert Haff dot com today.
[00:08:43] [SPEAKER_02]: We've been talking about Ariane Kurtage, a British teenager
[00:08:46] [SPEAKER_02]: who was arrested three times in one year for his alleged
[00:08:50] [SPEAKER_02]: role in a hacking group that stole data from major companies.
[00:08:55] [SPEAKER_02]: His alleged incursions cost companies millions of dollars
[00:08:58] [SPEAKER_02]: in cybersecurity and legal expenses.
[00:09:01] [SPEAKER_02]: And investigators say Kurtage and his partners made hundreds
[00:09:04] [SPEAKER_02]: of thousands of dollars in extortion demands,
[00:09:06] [SPEAKER_02]: as well as thefts from individuals.
[00:09:09] [SPEAKER_02]: Our reporter Robert McMillan is back with us.
[00:09:12] [SPEAKER_02]: Bob, you told us Kurtage's third arrest came after he hacked
[00:09:15] [SPEAKER_02]: Uber and Rockstar Games.
[00:09:17] [SPEAKER_02]: What was he charged with in the end?
[00:09:20] [SPEAKER_00]: So Kurtage was charged with hacking fraud and blackmail.
[00:09:24] [SPEAKER_02]: And what was the outcome of the trial?
[00:09:26] [SPEAKER_00]: There were some psychological assessments done of him
[00:09:29] [SPEAKER_00]: and he was determined to be unfit to stand trial.
[00:09:31] [SPEAKER_00]: They didn't make a determination about intent,
[00:09:33] [SPEAKER_00]: but they did determine that he was responsible for the crimes.
[00:09:37] [SPEAKER_00]: Basically, he got sentenced to what was called an indefinite
[00:09:41] [SPEAKER_00]: detention order.
[00:09:43] [SPEAKER_00]: And this is something that happens when they feel like
[00:09:47] [SPEAKER_00]: there is no way to rehabilitate the person without psychological help.
[00:09:54] [SPEAKER_00]: So he's in a mental health institution.
[00:09:57] [SPEAKER_00]: He is there indefinitely until the doctors basically
[00:10:00] [SPEAKER_00]: deem him fit to come back into society.
[00:10:04] [SPEAKER_00]: There's a concern that he's going to come back into society
[00:10:07] [SPEAKER_00]: and continue hacking.
[00:10:09] [SPEAKER_00]: So he's basically kept under this indefinite hospital order,
[00:10:12] [SPEAKER_00]: which keeps him incarcerated until the doctors determine
[00:10:15] [SPEAKER_00]: that he can go out and he has a variety of mental illnesses
[00:10:19] [SPEAKER_00]: that would need to be addressed before he could be released.
[00:10:23] [SPEAKER_02]: We should note Kurtage's family declined to be interviewed.
[00:10:26] [SPEAKER_02]: But what did his lawyer say about this sentence?
[00:10:29] [SPEAKER_00]: Well, they think it's pretty harsh because there's no release
[00:10:31] [SPEAKER_00]: state. Usually when you commit a crime, you get sentenced and
[00:10:34] [SPEAKER_00]: you kind of know when you're going to go out and he doesn't.
[00:10:37] [SPEAKER_00]: So they think it's excessive and they are appealing the sentencing
[00:10:42] [SPEAKER_02]: as well. Some of Kurtage's hacking associates were also arrested.
[00:10:46] [SPEAKER_02]: What happened to them?
[00:10:48] [SPEAKER_00]: Well, there's a guy arrested in Brazil who was part of this
[00:10:52] [SPEAKER_00]: lapsist group. We don't know what happened to him.
[00:10:54] [SPEAKER_00]: There's a press announcement of his arrest.
[00:10:57] [SPEAKER_00]: And then we reached out to authorities there and just
[00:11:00] [SPEAKER_00]: haven't heard if he got sentenced or released or what.
[00:11:04] [SPEAKER_00]: And then there was another minor that Kurtage was associated with.
[00:11:08] [SPEAKER_00]: And we'd only know his name as a syntax.
[00:11:11] [SPEAKER_00]: He was also convicted and sentenced.
[00:11:13] [SPEAKER_02]: Kurtage, though, is part of a wider set of online communities known as the calm.
[00:11:19] [SPEAKER_02]: So, Bob, what is the calm?
[00:11:21] [SPEAKER_00]: Essentially, the calm or the community is a collection of
[00:11:25] [SPEAKER_00]: hangout spots online where people talk in offensive ways.
[00:11:30] [SPEAKER_00]: It's young, often teenage boys, you know, just sort of trying to show
[00:11:34] [SPEAKER_00]: each other up and try and be offensive to each other.
[00:11:37] [SPEAKER_00]: And sometimes they get together and they'll engage in taking over
[00:11:41] [SPEAKER_00]: people's accounts or harassing people online or stealing cryptocurrency.
[00:11:45] [SPEAKER_00]: Or in the case of the really sophisticated and successful actors
[00:11:49] [SPEAKER_00]: breaking into NVIDIA and Uber and Rockstar Games.
[00:11:53] [SPEAKER_02]: What makes them different from other hacking groups?
[00:11:55] [SPEAKER_00]: There sort of was this idea that if you're engaged in hacking
[00:12:00] [SPEAKER_00]: and you are in the Western world, there's a real risk to hacking there
[00:12:04] [SPEAKER_00]: because the law enforcement can knock on your door and arrest you.
[00:12:08] [SPEAKER_00]: And so a lot of the really successful hackers of the last decade
[00:12:11] [SPEAKER_00]: and a half have been out of Russia or out of China,
[00:12:15] [SPEAKER_00]: places where there is really no way for law enforcement to arrest them.
[00:12:19] [SPEAKER_00]: They're very organized, they're very professionalized,
[00:12:22] [SPEAKER_00]: and they are also not native English speakers.
[00:12:26] [SPEAKER_00]: But these calm kids come from the Western world,
[00:12:30] [SPEAKER_00]: they understand our culture and they're often teenagers.
[00:12:33] [SPEAKER_00]: And so they've shown that by using this sort of cultural
[00:12:37] [SPEAKER_00]: familiarity that they can go a long way with these what are
[00:12:40] [SPEAKER_00]: called social engineering attacks.
[00:12:42] [SPEAKER_00]: And they've also shown that the law enforcement in the United States
[00:12:46] [SPEAKER_00]: has a hard time responding to these kinds of threats that they've
[00:12:51] [SPEAKER_00]: been slow to arrest these people.
[00:12:53] [SPEAKER_00]: You know, you look at Kurtage, he was in the United Kingdom,
[00:12:55] [SPEAKER_00]: but he took them three times to stop him.
[00:12:58] [SPEAKER_00]: It's tough to incarcerate children.
[00:13:02] [SPEAKER_00]: The calm uses a lot of minors and a lot of those kids really
[00:13:06] [SPEAKER_00]: are just pretty hard to stop.
[00:13:08] [SPEAKER_02]: That was our reporter Robert McMillan.
[00:13:10] [SPEAKER_02]: And that's it for tech news briefing.
[00:13:12] [SPEAKER_02]: Today's show was produced by Julie Chang
[00:13:14] [SPEAKER_02]: with supervising producer Catherine Millsop.
[00:13:17] [SPEAKER_02]: I'm Zoe Thomas for The Wall Street Journal.
[00:13:19] [SPEAKER_02]: We'll be back this afternoon with TNB Tech Minute.
[00:13:22] [SPEAKER_02]: Thanks for listening.