The GTA 6 Hacker: Arion Kurtaj and the Lapsus$ Breach That Shook Rockstar

In September 2022, Rockstar Games was deep into finishing what would become the most anticipated game in history. Internally, footage of a sun-soaked Leonida under construction was circulating on the studio’s Slack channels. Then, overnight, those same clips started appearing on GTAForums for anyone in the world to see. The culprit was not a sophisticated state actor or a well-funded cybercriminal syndicate. It was a 17-year-old from Oxford, England, sitting in a budget hotel room with an Amazon Fire TV Stick, a mobile phone, and a cheap wireless keyboard.

That teenager was Arion Kurtaj, a central figure in the hacker collective Lapsus$. What he pulled off that night became the single largest leak in gaming history, a watershed moment in cybersecurity, and the start of a legal saga that ended with him in a secure psychiatric hospital. For GTA fans, it was the first real look at GTA 6 in motion. For Rockstar, it was a nightmare that cost the studio roughly $5 million to recover from plus thousands of hours of staff time. This is the full story.

Arion Kurtaj did not fit any conventional criminal profile. Diagnosed with severe autism and ADHD, he was a teenager who spent most of his time gaming, coding, and cycling around Oxfordshire. But from an early age he was also pulling apart games to see how they worked, and that curiosity quickly pushed him toward darker territory online.

By his mid-teens he had moved from tinkering with Minecraft cheats to probing live websites for vulnerabilities. He drifted into underground forums where teenagers traded exploits, SIM-swap techniques, and stolen credentials. Around 2021, he linked up with another UK teenager online and the two began collaborating on increasingly bold attacks. They were eventually charged together, though the second individual remains unnamed in court records due to being a minor at the time of trial. Before Lapsus$ came into focus, Kurtaj was already involved in SIM-swapping scams and crypto theft, the kind of low-level financial crime that provided both income and a reputation inside underground hacking circles.

What made Lapsus$ unusual was the method. Most high-profile hacker groups rely on zero-day exploits, custom malware, or lengthy reconnaissance. Lapsus$ achieved its biggest wins through social engineering and phishing, techniques that exploit human psychology rather than software bugs. The group would impersonate IT staff, bombard employees with multi-factor authentication requests until someone accidentally approved one (a technique called MFA fatigue), or bribe insiders at telecoms to perform SIM swaps that bypassed account security entirely.

Between late 2021 and mid-2022 the group racked up an extraordinary target list. They hit BT and EE in the UK, attempted a $4 million ransom against BT/EE for stolen source code and user data, and then moved on to Brazil’s Ministry of Health, Nvidia, Samsung, Okta, Microsoft, Uber, Revolut, and finally Rockstar Games. The combined damage to all targeted firms approached $10 million. It was not nation-state-level technical wizardry. It was audacity, persistence, and a willingness to exploit the weakest link in any corporate security chain: the people inside it. Kurtaj and his unnamed co-conspirator were first arrested by City of London Police in January 2022, then re-arrested and charged in April 2022. Kurtaj was subsequently granted bail.

Here is where the story takes a turn that even seasoned cybersecurity professionals found remarkable. After being arrested and released on bail, Kurtaj was moved by police to a Travelodge hotel in Bicester, Oxfordshire, partly for his own protection after a rival faction had doxxed him online. Authorities confiscated his laptop. The internet access was meant to be restricted. None of that stopped him.

In September 2022, while still under police protection, Kurtaj plugged an Amazon Fire TV Stick into the hotel room television, connected his mobile phone, added a cheap keyboard and mouse, and used that setup to infiltrate Rockstar’s internal Slack workspace. He had breached Uber just three days earlier using a similar MFA fatigue approach. Now he turned his attention to Rockstar, accessing confidential development channels for GTA 6. He posted a message directly into Rockstar’s Slack: "If Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code." When no contact came, he posted 90 clips of unreleased GTA 6 development footage to GTAForums under the username TeaPotUberHacker. The clips showed early builds of Lucia Caminos and Jason Duval, the game’s two protagonists, moving through a recognizable Vice City-inspired Florida landscape. Rockstar confirmed the breach the same day. The internet went into overdrive.

Kurtaj was rearrested shortly afterward and detained. He never saw freedom again before his case went to court. Rockstar estimated the hack cost the studio around $5 million to remediate plus thousands of hours of developer time, derailing internal schedules and forcing a comprehensive security overhaul. The carefully planned reveal strategy for GTA 6 was in ruins. For the record, the game’s first official trailer did not arrive until December 2023, more than a year later, and it racked up 128 million YouTube views in four days, suggesting the damage to the game itself was ultimately limited. GTA 6 is now confirmed for November 19, 2026, on PS5 and Xbox Series X|S.

Kurtaj’s case reached Southwark Crown Court in London in the summer of 2023 alongside his unnamed teenage co-defendant. The proceedings were unusual from the start. Psychiatrists assessed Kurtaj and determined he was unfit to stand trial in the conventional sense because of the severity of his autism. Under UK law this meant the jury was not asked to decide guilt in the normal criminal sense. Instead, jurors were asked a narrower question: did he actually carry out the alleged acts?

After a six-week trial, the jury found unanimously in August 2023 that Kurtaj had committed 12 offences, including six counts of unauthorized computer access, two counts of fraud, and three counts of blackmail, plus non-compliance with police requests to access his devices. His unnamed co-defendant was found to have committed three offences and was later sentenced to a youth rehabilitation order. Mental health reports presented during sentencing hearings described Kurtaj as violent in custody, having injured people and damaged property, and as expressing a clear desire to return to cybercrime at the first opportunity. One assessment noted he was "highly motivated" and intended to resume hacking as soon as he was able. His defense team argued the success of the GTA 6 trailer, which launched weeks before sentencing, showed that the gaming community’s excitement for the game was undimmed and that no lasting harm had been caused to Rockstar’s commercial prospects.

On December 21, 2023, at Guildford Crown Court, Her Honour Judge Lees handed down the sentence. Kurtaj received an indefinite hospital order under Sections 37 and 41 of the UK Mental Health Act 1983. He was sent to a secure psychiatric facility, with the order carrying no fixed release date. Under this provision, he will remain detained until medical professionals and the Ministry of Justice are satisfied he no longer poses a serious risk to the public. The judge was explicit: Kurtaj’s combination of technical skill and continued motivation to commit cybercrime made him a "high risk of serious harm to the public."

It is a remarkable outcome on multiple levels. Kurtaj never went to prison in the conventional sense, yet he faces a potentially longer period of detention than any fixed prison term he might have received. The judge acknowledged that real victims, including the individuals targeted in blackmail and fraud schemes beyond the Rockstar hack, suffered genuine harm. The defense’s argument that the GTA 6 trailer success minimized harm was rejected in relation to those other victims. As of mid-2026 there have been no reports of Kurtaj being released or of any change in his detention status. His case remains one of the most cited examples in UK cybersecurity law regarding the intersection of mental health and serious cybercrime.

The Lapsus$ story carries lessons that go well beyond any one company. Rockstar spent enormous resources on GTA 6’s development secrecy, and a teenager with a $30 Fire Stick still got in. The attack vector was not a flaw in Rockstar’s code. It was a Slack workspace, which is to say, it was people. Social engineering and phishing remain the most effective tools in a hacker’s toolkit because no firewall filters out a convincing impersonation. Every major company Lapsus$ hit, Uber, Nvidia, Microsoft, Samsung, Okta, all fell not because of technical exploits but because an employee somewhere trusted the wrong message or approved the wrong authentication prompt.

For GTA fans, the leaked clips offered a bittersweet first glimpse at Lucia and Jason in a game that still had years of development ahead of it. Rockstar tightened its internal security significantly after the breach, and the official December 2023 trailer arrived on Rockstar’s own terms, shattering YouTube records. With GTA 6 now confirmed for November 19, 2026 on PS5 and Xbox Series X|S, and two official trailers released, that chaotic September night in 2022 reads as a footnote to the game’s history rather than a defining wound. For a full picture of everything those leaked videos revealed and how community knowledge has evolved since, check out our GTA 6 Leaks guide and the Development guide, which covers how Rockstar rebuilt its security posture and kept production on track through the fallout.

The case also set a significant legal precedent. It showed that severe neurodiverse conditions can result in an individual being found to have committed serious criminal acts without a conventional guilty verdict, and that the UK courts are willing to impose effectively open-ended detention when they judge the risk to be real and ongoing. Kurtaj remains, as of 2026, in a secure hospital. The game he tried to hold for ransom is about to launch as the biggest entertainment release in history.