Cybercriminals commit costly, heinous acts of digital theft and fraud. Yet, some attackers serve no time for crimes that objectively merit long prison terms.
According to Chris Roberts, principal security analyst at Chaucer Group, an international insurer, such was the case with Ming Han Ong, who recently received a suspended sentence for breaching more than 200,000 student records at the University of Western Australia (UWA). Ming was a UWA software engineering student. The incident happened in July 2022, according to Pelican Magazine, the university’s editorially independent student magazine.
There are challenges to sentencing. There are mitigating factors, such as the perpetrator’s age, intent, and state of mind. Legal hurdles such as finite sentencing options can frustrate sentencing.
The bizarre recent case of an autistic teen with an addiction to cybercrime offers a unique view into some of the challenges to the sentencing of convicted cybercriminals.
The Cybercrime Addict
“Arion’s hacking became increasingly sophisticated. Eventually, his hacks started making headlines, and his newfound attention (which he had lacked earlier in his life) was intoxicating. It pushed him to do more. It fed his self-esteem, so he became addicted,” said Dr. Carole Lieberman, MD, a forensic psychiatrist and expert witness, regarding Arion Kurtaj, a teen cybercriminal who made headlines by breaching Rockstar Games.
According to Business Insider, on December 21, 2023, a U.K. judge sentenced eighteen-year-old Kurtaj, a ranking member of the international Lapsus$ cybercrime group, to life in a secure hospital until doctors determine he is no longer a public threat.
As reported in the BBC, PC Gamer, and other publications, the jury in the trial heard that Kurtaj carried out his most infamous attack while out on bail for hacking Nvidia and BT/EE and under police protection at a Travelodge. Though authorities had confiscated his laptop and banned him from using the Internet, Kurtaj breached Rockstar Games and stole at least 90 clips from the unreleased Grand Theft Auto (GTA) 6 multiplayer video game. He orchestrated the attack using an Amazon Firestick, smartphone, keyboard, and mouse. Kurtaj blackmailed the game company, threatening public release of the clips unless his ransom was paid. (According to Kotaku, the hack happened in September 2022. An Amazon Firestick connects TVs to Wi-Fi and the Internet to access streaming media.)
According to the BBC, Kurtaj claimed in a Slack message to Rockstar Games employees that he had downloaded all the data for GTA6 and would start releasing the source code if the company didn’t contact him. Then, 90 clips from GTA6 appeared on a GTA fan forum as evidence of the theft. A user calling themselves TeaPotUberHacker posted the clips. Slack is a business messaging app.
Kurtaj’s attack on Rockstar Games cost the company $5 million and thousands of hours of human resources to recover from it. According to Reuters, Kurtaj breached 5,000 Revolut customers’ data records and caused almost $3 million in damage when he hacked Uber. Kurtaj committed all three crimes in September 2022, just days apart from each other.
The authorities had granted Kurtaj’s bail for his attacks on British Telecom (BT) and Nvidia. According to the BBC, Kurtaj blackmailed BT Group’s mobile network operator, EE, for a $4-million ransom in August 2021. He hacked Nvidia in February 2022 and demanded payment to not release its data publicly.
Determinations Before, During, and After Trial
Reuters, the BBC, and other sources reported that psychiatrists that examined Kurtaj found him mentally unfit to stand trial, due to severe autism and his inability to understand the weight of his actions.
The judge instructed the jury to determine whether Kurtaj committed the alleged acts, rather than to deliver a guilty or not guilty verdict.
Reuters reported the jury found Kurtaj committed 12 offenses, including three counts of blackmail, two counts of fraud, and six charges under the U.K.’s Computer Misuse Act of 1990.
According to Commsrisk, a website that “reports on the risks faced by electronic communications providers and their customers,” at sentencing, the judge gave Kurtaj indefinite detention in a psychiatric facility, stating that he continued to be a risk to the public. The judge cited a mental health assessment taken during Kurtaj’s incarceration, which found he wanted to return to cybercrime as soon as he could.
Dr. Lieberman said the judge sentenced Kurtaj to life in a psychiatric hospital unless and until doctors eventually agree he no longer is a threat to himself or others—not only a physical threat, but also a cyber threat.
Kurtaj was a danger to himself and others. While incarcerated, he was violent towards the guards, even though “He had to have known that this would result in severe punishment and retaliation,” said Dr. Lieberman.
There is precedent for the judge’s decision in the U.K. Mental Health Act of 1983, Sections 37 and 41, according to Mind in the U.K., a charitable organization for mental health. Under Section 37, a Crown Court judge can order one’s hospitalization for treatment. Under Section 41, the judge can restrict an individual to a mental hospital to protect the public from serious harm until the Ministry of Justice discharges them.
Age, Intent, State of Mind, and Sentencing Options
According to Dennis E. Boyle, a partner of the Washington D.C.-based law firm Boyle, and Jasari, LLP, there are cybercrime cases in which the judgments impose substantial sentences. Still, these sentences do not deter criminal activity because the authorities catch so few defendants. When they do catch them, they are frequently young people with no prior criminal records.
The criminal justice system wastes harsh sentences on juveniles who may not have the maturity or mental capacity to understand their acts and may not have intended any harm. In addition, it’s difficult to apply strong sentences to juveniles when they would respond better to rehabilitation with their records sealed once they become adults.
Chaucer Group’s Roberts said the challenge in sentencing cybercriminals lies in the complexities of the crimes. “If you rob a bank with a firearm, the case law is clear on what charges to bring against the criminals. A lack of case law makes complex cybercrime cases require legal experts versed in cybersecurity or data governance, which are rare, to say the least,” Roberts explained.
He added, “The case of Jonathan James, who hacked NASA and the DoD, is a good example. He was another gifted child hacking for fun, not out of malice. He did not cause any deliberate damage, but he was purposefully exploiting vulnerabilities to gain access and caused substantial financial damage.”
Roberts said there is “no legislation on how to sentence a minor for this crime, and only the juvenile delinquency charge could be used. This case raised many questions around how to treat [criminal] juvenile hackers, highlighting the necessity of updating legislation to address cybercrimes committed by these children.”
According to Cybernews, the breach happened in 1999, when James was 15. On May 18, 2008, James shot himself in the head in his bathroom, according to Blackhat Ethical Hacking, just after the U.S. Secret Service had raided his home because they suspected he was involved in a hack of American multinational company TJX. The Secret Service found nothing in the house to support the charges. James left a suicide note stating that he didn’t believe in the justice system, that he was innocent of the crimes, and that suicide was his only way to control the situation.
Said Roberts, in the case of Kurtaj, the challenge was dealing with a criminal with no intent of stopping their criminal activity in a world where the means to commit those crimes is ubiquitous. Kurtaj’s cybercrime damage made it clear that the judge had to do something drastic to protect people from harm, even while incorporating some aspect of rehabilitation in the sentencing, said Roberts.
In other cases, sentences can challenge an individual to remain on the right side of the law, said Roberts. He pointed to the case of Daniel Kelley, a blackmailing hacker who couldn’t even use a tablet to sign a mobile phone contract without facing five years in prison for breaching the terms of his release. Coincidental to the Kurtaj case, Kelley, who hacked the telecom company TalkTalk in 2016, had been diagnosed with Asperger’s syndrome, according to the BBC.
Cybercrime Sentencing Must Evolve
“When we sit back and think about what the case of Arion Kurtaj means, a lot should frighten us,” said Boyle. “Here, we have a young man who they cannot try because of some mental issue, and yet he can use a computer to disrupt the lives of many others. I think it shows us that one can have well-developed cybercrime skills and yet not have the maturity or judgment to understand criminal sanctions. There is much work to do.”
Kurtaj’s case is not rare but may ignite a search for solutions to teen cybercrime. According to Axios, the U.S. Department of Homeland Security (DHS) Cyber Safety Review Board recently asked Congress to explore funding for juvenile cybercrime prevention programs. The DHS made the recommendation partly due to a recent investigation into the Lapsus$ cybercrime group, Kurtaj’s cybercrime group.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment