This case study exposes the embarrassing reality that billion-dollar enterprise defenses are often powerless against a teenager with a $40 Fire TV Stick and basic social engineering. It serves as a stark reminder that the industry's greatest vulnerability isn't a lack of sophisticated tools, but the persistent failure of human-centric authentication.
Deep Dive
Teenager Stole GTA 6 From a Hotel Room
Grand Theft Auto 5 had sold 170 million copies.
The marketing rollout for the sequel had been planned years in advance.
And then, somewhere in a one-star Travelodge off a roundabout in the English countryside, an 18-year-old kid plugged a $40 Amazon Fire TV Stick into a hotel television and downloaded the entire thing.
90 videos, 50 minutes of unfinished gameplay, the source code for legacy franchises he hadn't even been hired to touch.
He posted it all to a fan forum on a Sunday night, and the world's most secretive game studio woke up Monday morning to find its crown jewels sitting on the open internet.
Here's the weird part. Rockstar's security team hadn't been outmatched by a state actor. They hadn't been hit with a billion-dollar zero-day exploit. They had been beaten by a teenager who, at that exact moment, was on bail, whose laptop had been confiscated, who was legally banned from accessing the internet, who was, in fact, in police protection because the rival hackers he had betrayed wanted him dead.
They couldn't keep him offline.
They couldn't predict what he would do next.
And as it would turn out, when they finally caught him, the British court system couldn't even legally convict him.
This is the story of Arion Kurtaj, the autistic 18-year-old from Oxford who, between the ages of 16 and 18, broke seven of the most valuable companies on the planet, and then did it again from a budget hotel room.
The closest thing the cybersecurity industry has ever seen to a teenager turning a TV remote into a corporate weapon.
To understand how a streaming stick brought Rockstar to its knees, you first need to understand the world Kurtaj walked into and why nobody in the industry saw him coming.
In 2022, the cyber threat landscape was supposed to be settled.
On one side, you had state-sponsored hacking units, Russia's Sandworm, North Korea's Lazarus Group, running multi-million dollar operations against power grids and pharmaceutical companies.
On the other, ransomware syndicates with HR departments and customer support hotlines.
Microsoft Exchange had just been hammered by ProxyNotPetya.
Researchers at Silk Radar had uncovered BlueKeep, too.
4 terabytes of corporate data exposed across 150,000 companies. The FBI was busy dismantling the Warzone remote access Trojan and seizing $53 million from a dark web marketplace called Monopoly.
Into this carefully tracked, heavily funded world, walked a group of teenagers from Oxford and Brazil who didn't follow a single one of the rules.
They called themselves Lapsus$.
They never numbered more than 11. They didn't bother with the dark web. They ran everything, recruitment, extortion, public bragging, on Telegram in plain view.
And in 18 months, they hit Microsoft, Nvidia, Samsung, Okta, Vodafone, BT, Brazilian Health Ministry, Mercado Libre, Ubisoft, LG, Uber, and Rockstar Games.
Microsoft alone lost 37 GB of proprietary source code, the inner workings of Bing, Bing Maps, and Cortana, dumped to Lapsus's Telegram channel like a trophy.
The industry initially wrote them off as script kiddies.
That was the first mistake.
So, how exactly did teenagers do this?
The answer is almost embarrassing.
Lapsus didn't write malware.
They didn't find zero days. They didn't run multi-year intelligence operations.
They did three things, and they did them very well.
First, they bought SIM cards.
Or rather, they bribed people who worked at phone companies to give them other people's SIM cards.
This is called SIM swapping. You convince or pay an insider at a carrier like EE or AT&T to port a target's mobile number to a SIM the attacker controls.
From that moment on, every text message, every one-time password, every two-factor authentication code intended for the victim lands in the attacker's hand instead. Lapsus used this technique to drain nearly $100,000 in cryptocurrency from EE customers in Britain.
At one point, they texted thousands of those same customers a ransom demand of $4 million from inside the network.
Second, they did something even more shameless. They went on to dark web forums and posted job listings.
Actual job listings asking employees at AT&T, T-Mobile, and Verizon to flip on their employers.
The offer was up to $20,000 per insider paid in cryptocurrency in exchange for login credentials or approval of a single malicious authentication request.
Think about that for a second.
This is not James Bond espionage.
This is Craigslist for treason, and it worked. Third, when bribery wasn't available, they used what's called MFA fatigue. In plain English, that just means pummeling a target employee's phone with authentication prompts. They just kept sending push notifications late at night, during meetings, on weekends until the victim taps approve just to make the buzzing stop.
One careless tap, and Lapsus was inside the corporate network. This is exactly how on September 15th, 2022, Arion Kurtaj got into Uber.
He didn't breach Uber directly.
He bought a contractor's stolen credentials off the dark web, fatigued the contractor's phone with MFA prompts, and walked through the front door.
Within hours, he had administrative access to G Suite, internal Slack, and the corporate VPN.
And then, because he was Kurtaj, he posted in Uber's own internal Slack channel, and I quote, "I announce I am a hacker, and Uber has suffered a data breach." For the first hour, employees thought it was a prank. Three days later, he did it again, only worse, to Rockstar. But before we get to the Travelodge, you have to understand why he was in the Travelodge in the first place.
And for that, we have to back up to November 2021, and a website called Doxbin. Doxbin is exactly what it sounds like.
A clear web forum where people publish other people's home addresses, phone numbers, and social security details in retaliation for petty online grievances. It's a central institution of an underground subculture called the Com, a loose, paranoid, mostly English-speaking community of teenage hackers, SIM swappers, and harassers that operate somewhere between organized crime and middle school gossip.
They dox each other. They swat each other.
They call SWAT teams to each other's parents' houses for fun.
In late 2021, Kurtaj, operating under the handle White, bought Doxbin.
He immediately mismanaged it, and the previous administrators forced him to sell it back.
They kicked him from the Discord. They stripped his admin privileges.
So, he leaked the entire back-end database. Every password, every private message, every dox of every hacker on the platform. Published to Telegram and a forum called RaidForums. He set fire to every bridge in the Com simultaneously. The retaliation was immediate.
Rival hackers, now exposed, pooled their resources and doxxed him back.
They published his real name, his parents' address in Oxford, photographs of his family, even video footage of the inside of his own house.
By accident, by sheer rage, they handed the City of London Police a complete intelligence dossier. He was arrested in January of 2022.
He was 16 years old.
By the time he was caught for good, intelligence sources estimated he had personally amassed $14 million from blackmail and SIM swapping. But, the threats of swatting didn't stop.
So, when he was released on bail, the British government did something unusual. To keep him alive, they moved him into a Travelodge, room M15, Bicester, a budget hotel off a roundabout in Oxfordshire.
The terms of his bail were strict and, in retrospect, devastatingly naive. No laptop, no personal computer of any kind, no internet access.
The police had taken his hardware.
They had taken his connection.
They believed they had taken his ability to commit crimes.
What they had not taken, what nobody thought to take, was the rest of the internet of things. Kurtaj went to a local shop. He bought, with cash, an Amazon Fire TV Stick, a cheap smartphone, a wireless keyboard and mouse.
Total cost, maybe 120 pounds.
The kind of stuff your aunt has stacked in a drawer behind the television.
Here is what he did with it. The Fire Stick runs on a stripped-down version of Android called Fire OS, locked down, restricted.
But underneath the consumer skin, it's still an Android device with an Android kernel. Kurtaj enabled developer mode, the same hidden menu any teenager can find by tapping a build number seven times.
He side-loaded a utility called Downloader, which let him pull software from outside Amazon's official app store.
Through Downloader, he reached F-Droid, the open-source Android repository.
And from F-Droid, he installed the linchpin of the entire operation, Termux, a terminal emulator that turns any Android device into a full Linux command line on a $40 streaming stick.
But here's the thing, the Fire Stick doesn't have the processing power to actually run hacking tools. It doesn't need to.
Through Termux, Kurtaj ran OpenSSH, secure shell, and tunneled encrypted through his smartphone's cellular hotspot to a virtual private server he was renting in the cloud, likely Hostinger, possibly AWS. On that server, he had a full installation of Kali Linux, the same penetration testing distribution used by professional security researchers.
The Fire Stick was not the weapon.
The Fire Stick was the trigger. It was a dumb terminal piping keystrokes from a hotel television in Oxfordshire to a high-powered Linux server humming in a data center somewhere overseas.
Physical confinement in a cloud-native world is meaningless.
And from that setup, on September 18, 2022, he social engineered an employee of Rockstar Games who happened to be working remotely from India. He bombarded their phone with MFA prompts until they tapped approve.
He walked into Rockstar's Okta identity platform. He pivoted from Okta into the company's internal Slack and Confluence, the internal wiki, where engineers casually leave API keys and architecture diagrams sitting around.
And he scraped everything, the source code for Grand Theft Auto 5, the source code for Red Dead Redemption 2, development data for the unreleased Red Dead Redemption 3, and the centerpiece, 90 videos, 50 minutes of raw GTA 6 gameplay. He posted it all to GTA forums under the username teapotuberhacker.
Then, from inside Rockstar's own internal Slack, he sent the company a ransom note.
Prosecution barristers later described his behavior, and I quote, as a juvenile desire to stick two fingers up to those they are attacking.
That was the Kurtaj signature, not the stealth of a foreign agent, the taunt of a kid telling his victims to their faces exactly what he had done.
Rockstar disabled his access on September 19th.
They publicly tweeted the breach.
They called the FBI. Take-Two Interactive would later disclose that the incident cost the company approximately $5 million in recovery, remediation, and operational disruption, to say nothing of the thousands of hours of engineering time diverted from actually building the game.
Meanwhile, the City of London police had been quietly watching Telegram traffic out of Bicester for weeks.
They had a handle at Lily Haworth, and a hotel room, and a pattern of cellular activity that did not match the conditions of his bail.
At 9:00 at night on September 22nd, 2022, officers raided room M15.
They caught Arion Kurtaj red-handed, still connected to his cloud infrastructure, the Fire Stick still plugged into the back of the television.
The trial at Southwark Crown Court ran 7 weeks, 12 counts, blackmail, fraud, violations of the Computer Misuse Act. And then the medical reports landed. Kurtaj, the psychiatrist concluded, had a severe autistic spectrum disorder. He had the cognitive and emotional maturity of an 8-year-old child.
Under British law, this meant he could not form the legal intent required to be convicted of a crime. The jury was not allowed to deliver a verdict. They were only allowed to deliver what's called a finding of fact, whether he had physically done the things he was accused of.
They concluded quickly that he had.
On December 21st, 2023, the court handed down an indefinite restricted hospital order under the Mental Health Act 1983, not a prison sentence, a psychiatric detention that lasts until medical authorities determine he is no longer a danger to society, which, given that he told evaluators he fully intended to return to cybercrime upon release, may turn out to be never.
Detective Chief Superintendent Amanda Horsburgh of the City of London Police framed the entire saga as a warning to parents that the same curiosity that pulls a kid into coding can, untended, derail their life permanently. And remember, remember what made the Travelodge breach possible in the first place.
It wasn't sophistication. It wasn't a zero-day. It was a $40 streaming stick acting as a remote terminal to a rented Linux server.
The lesson the cybersecurity industry took from Kurtaj was structural, not tactical.
SMS-based two-factor authentication, the standard for a decade, is now considered functionally dead.
Push notification MFA is going the same way. Enterprises started pivoting hard toward FIDO2 hardware security keys.
Physical tokens you cannot fatigue a human into approving.
And every law enforcement agency dealing with cybercriminal suspects had to radically redefine what counts as a computing device.
Because in 2026 anything with a network connection is a potential terminal. Anything. In April 2026, almost 4 years to the month after Kurtaj's arrest, Rockstar Games was hacked again.
The group called themselves Shiny Hunters.
According to Aiden Synnott, principal threat researcher at the security firm Sophos, they were demographically indistinguishable from Lapsus.
Native English speakers, 16 to 25 years old. They exploited a third-party analytics vendor called Anodot.
Pivoted into Rockstar's cloud storage and exfiltrated over 78 million records.
Their public ransom note read almost word for word like Kurtaj's.
Rockstar Games, your data was compromised. Pay or leak.
The playbook had not changed. The infrastructure had barely changed.
Only the names of the children running it. That $40 Fire TV Stick in a budget hotel room didn't just embarrass Rockstar. It didn't just leak GTA 6.
It revealed something the most secure companies on the planet are still trying to come to terms with.
That the modern enterprise has no perimeter. That the most dangerous adversary they are going to face this decade is not a state.
It's a kid with autism, a streaming stick, and a grudge.
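An added example, not part of the video or its transcript: a small detector for the MFA fatigue pattern the narration describes, where a run of unapproved push prompts is followed by a single approval. The event fields, the threshold, the window and the sample log lines are assumptions constructed for illustration, not any identity provider's real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events: (ISO timestamp, user, result).
SAMPLE_EVENTS = (
    # Six denied prompts in six minutes overnight, then one approval.
    [(f"2024-01-01T01:0{m}:00", "contractor01", "DENY") for m in range(6)]
    + [("2024-01-01T01:07:00", "contractor01", "APPROVE")]
    # Ordinary mistap followed by a normal login.
    + [("2024-01-01T09:00:00", "alice", "DENY"),
       ("2024-01-01T09:01:00", "alice", "APPROVE")]
    # Five timeouts spread over hours: never dense enough to count as a burst.
    + [(f"2024-01-01T{h:02d}:00:00", "bob", "TIMEOUT") for h in range(8, 13)]
)

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of unapproved prompts and approvals that end such a burst."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)
        if result in ("DENY", "TIMEOUT"):
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "prompt_burst", ts_text))
        elif result == "APPROVE":
            # An approval right after a burst is the high-severity signal:
            # treat the session as suspect and require re-verification.
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts_text))
            q.clear()
            in_burst.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```
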











