Transcript of How One Teenager Became a Legendary Hacker

About two years ago, NVIDIA, the world's most valuable chip company, was the victim of a major hack.

Well, developing news tonight on a mysterious overseas hacking group targeting major tech companies.

Nvidia, one of the biggest chip makers around the world, got hacked last Friday. And a massive trove of data was leaked onto the Internet.

Our colleague Bob MacMillon, was following the I learned of this attack via Twitter, and it was not like anything I had really ever seen before.

There was a hacking group that not a lot of people had heard about. They showed up one day and said that they had broken into NVIDIA, and they were super loud about it, like bragging about it. They claimed to have all kinds of source code and schematics and basically proprietary data that would be of great to like a rival chipmaker. But then ultimately, these hackers dumped a bunch of data. At that point, it was very clear that they had broken into NVIDIA.

Pulling off a hack on a company as big and secure as NVIDIA is already a feat. But Bob was even more surprised when he learned who was behind the attack.

It turns out that one of the people behind the hack was Arian Kirtash, who was a 17-year-old hacker. And cybersecurity investigators say that Kirtash has been involved in a legal online activity activity since he was 11.

Bob MacMillan, what were you doing when you were 11?

I was playing D&D, and I was definitely playing video games big time.

Unlike Bob, Aaron Kertaj was taking his gaming to a more advanced level because he was also apparently starting to hack. By 17, Kertaj had become one of the most infamous hackers in the world, breaking into major multinational companies.

We're talking about Microsoft, Samsung, Uber, NVIDIA. He caused millions and millions of dollars worth of economic damage. It's just fascinating that somebody so young could be so successful, and he's part of what seems to be a growing phenomenon and one that really has law enforcement authorities flummoxed.

Kirtaj's family declined to be interviewed. His lawyers have acknowledged acknowledged that there was evidence Kirtaj was associated with hackers in some of their activities. But they also said that the evidence failed to prove he committed many of the offenses alleged by prosecutors or that he was the central player. Cybercrime experts say that hackers are getting younger and younger, and some of those teenage hackers have gotten very good at what they do.

It used to be we were worried about the Russians, the Chinese, the Iranians, and the North Koreans. And these teenagers are definitely up there with all those actors, just in terms of the impact that they're having. So it's a big problem.

Welcome to The Journal, our show about money, business, and power. I'm Jessica Mendoza. It's Wednesday, October 16th. Coming up on the show, The Teenager Who became a Hacking Legend and the Race to Catch Him.

Snakes, zombies, public speaking, the list of fears is endless. But the real danger is in your hand when you're behind the wheel. Distracted driving is what's really scary and even deadly. Eyes forward. Don't drive distracted. Brought to you by Nitza and the Ad Council.

Today, Erian Kertaj is 19 years old. He grew up in the UK, and as a kid, he had trouble in school.

He was born autistic. He was a very difficult kid to raise. His behavioral problems, as he got older, they became increasingly unmanageable. I think he was a kid from a family without a ton of means who basically was not thriving in any way in the real world and who turned to the virtual world for his identity, his whole identity.

Kertaj spent a lot of time online playing video games. According to Bob's reporting, as Kertaj got deeper into gaming, he started finding out about techniques on how to win, including hacking his opponents. Soon, Kertaj moved beyond trying to win video games to committing major cyber crimes.

So that was in June of 2021. Kertaj would have been 16 at this time. And a video game maker, Electronic Arts, gets broken into. These people had their intellectual property stolen. Videos of games and source code are taken. There was a demand for money for $28 million, but it almost seemed like it wasn't serious.

Electronic arts didn't send over any money. In retaliation, the group of hackers, which included Kertaj, dumped company data online. Soon after, Kertaj joined forces with another teenager and several Brazilian hackers. They called themselves Lapsus, and they started targeting some big companies.

Everybody on the team has a different set of skills, and together, they're more powerful than they are individually. By August, Kertaj and his associates have broken into a British telecom company. When they had access, Kirtaj and his associates were basically selling SIM swaps to other people.

Sim swapping is a hacking technique. It was pioneered by teenage hackers who use it to take over online accounts. Here's how it works. A hacker calls up a cell phone provider and tricks the customer service person into transferring a phone number to a new SIM card. Whoever has that SIM card then has access to other accounts linked to that phone number.

Sim swapping is key to taking over gaming accounts, taking over coveted Twitter accounts or Instagram accounts, and then selling them, taking over cryptocurrency accounts like Coinbase accounts and making some real money. And SIM swapping It was good for that.

Through sim swapping, Kertaj and the hacker group Lapsus made a lot of money. And in late 2021, Kertaj made a big purchase.

He bought this website called DocSpan. It's It's a social network, really. It's a site that's devoted to publishing doxis of people. In other words, publishing private information that they probably wouldn't want disclosed. This can be phone numbers, relatives' phone numbers, online account names, addresses, things like that. When you dox somebody, especially if you dox a hacker, you're destroying their anonymity, you're showing where they live, and you're also providing law enforcement investigations investigators with valuable information that they can use to pursue their investigation. So if you're doxing another hacker, it can really lead to their arrest.

So he bought Doxben?

He bought Doxben. Yeah, he paid $75,000 and took over the site.

Do we know why Well, I mean, my guess is that it would be the ultimate power move, right?

In this community, Doxben is at the center. And so it's a position of prestige within the community that Kirtaj is rapidly becoming very well known in.

But according to Bob's reporting, Kertaj's community of fellow hackers and doxers didn't like the way he was running the site. Eventually, the previous owners pressured Kertaj to sell the site back to them.

His parting gesture to the doxman community was to basically dump all the private information that he had access to as the owner and essentially dox all the doxers. He published a lot of information that people wish he hadn't have published, and he angered people even more.

That pisses off a lot of people. What are the consequences for Kirtaj?

Well, ultimately, Kirtash got doxed, and he got doxed in what has been described as the most complete dox of all time. I've seen this document. It's got every alias that he ever used. It's got his home address, it's got his mom's address, it's got his father's address, family, other extended family members.

It It wasn't only Kertaj's private information that went public, it was also what he looked like. The docs included personal photos of Kertaj. In one of them, he's on a boat holding a big brown fish that looks like it was just pulled out of the water. The docs happened in January of 2022. That same month, authorities who had been tracking Kertaj for some time arrested him on suspicion of the SIM card telecom hack. But because they were still early in their investigation, after seizing his digital devices, they released him.

They're like, We know who you are. We're investigating you. Beware, charges could be coming. And so we'll roll back to teenage me. I would be scared to death, but by the cops showing up at my house, and I would definitely have stopped my hacking at that point. But Kirtaj did not.

Not only did Kertaj continue hacking, but his biggest and most ambitious attacks were yet to come. That's next. In February 2022, Kertaj and the hacking group Lapsus broke into the behemoth chipmaker, NVIDIA. And why was the NVIDIA hack in particular? Why was that a big deal?

Well, NVIDIA, I mean, their market value today, I think, is three trillion dollars. They're incredibly important company. They're well-healed. They have intellectual property that's extremely valuable. And the fact that a couple of teenagers could break into this company is... No matter who did it, a hack of NVIDIA would be noteworthy. But the fact that it was just these perhaps his kids doing it was even more remarkable.

A month later, the police arrested Kirtash again. But because Kirtash has severe autism and other developmental issues, authorities couldn't find an appropriate facility to hold him. So he was released again, this time on the condition that he stayed off the internet. Even though he wasn't under arrest anymore, Kertaj, whose private information was still public, had other problems to deal with. Over the next few months, according to the police, Kertaj started to get harassed. Someone threw bricks at the windows of his family's home. His mom's car was smashed up, and authorities found evidence of a plot to steal cryptocurrency from him. So the police came up with a plan to keep him safe.

By September, they moved Kirtaj and his mom into a travel lodge, a hotel just outside of Oxford. The police had this system where when they knocked on the door to let Kirtaj know it was really them, the code word that they used was lucky-lucky.

But even with all this going on in his life and in order to stay offline, that didn't stop Kirtaj. Are there any big hacks that happened while he is at this hotel?

Yeah, there were a couple of big hacks that happened while he was at this hotel. The first one was Uber, and then even more remarkably, he breaks into Rockstar, which, as all good gamers know, is developing Grand Theft Auto 6. He starts releasing unreleased video clips from Grand Theft Auto and code from it.

The Rockstar Games hack was a big deal in the gaming and hacker community. It wasn't long before a rival hacker posted that it was Kirtash who had done it. Now, police suspected he wasn't just sitting around doing nothing at the Travel Lodge Hotel. So how do police try and stop him?

So they go to the Travel Lodge. They're supposed to say, Lucky, lucky, when they knock on the door so that he knows it's the cops. So they come up to his door, get into the room, and there he is. He's got this Amazon Fire Stick with Internet access. He's got an iPhone as well. So he's got two devices that can connect to the Internet. He's not supposed to have any He appeared to be in the process of bragging about these hacks, just right up to the minute that he was arrested.

Kirtash Kirtaj was arrested and charged with 12 counts of hacking, fraud, and blackmail. But due to his autism and developmental issues, psychiatrists deemed him unfit to stand trial for the question of criminal intent. So the judge told the jury to only determine whether or not Kirtaj had done the alleged acts.

The court found that, yes, indeed, he did them. They said, We're going to basically convict him of all this, but we're going to sentence him to a mental facility, not a criminal detention center. He's going to stay there until the doctors decide he is fit to come back into society. He's no longer a threat to society.

Kertaj and his lawyers are seeking to appear deal. They argued at trial that while there was evidence of Kertaj's association with hackers and the offenses, it failed to prove he committed many of the offenses or was the central player. His lawyers have also said that a potential lifetime of incarceration is not appropriate for a teenager like Kertaj.

What is the takeaway here, Bob?

What does this story tell us about this moment in cybercrime?

Here in the United States, the Department of Justice typically doesn't even pursue cases against teenage hackers. Typically, if the feds find out that the subject of their investigation is a teenager, they'll stop. They just won't prosecute. So Bottom line, law enforcement has a really hard time prosecuting teenagers, and in particular, teenagers with special needs.

What is the next step here? If this is something that needs to be prevented moving forward.

Well, the FBI is taking an interest in addressing this problem. Since Lapsus, there have been other groups that have popped up. You can almost look at Lapsus like these teenagers pioneering the playbook, and then other groups like going to bank with it. They're not the only entities that are engaged in this type of activity. There's a real worry that the professionalized criminals are going to ally themselves with these super capable teenagers and young people and just create an unholy alliance that really is going to be very difficult to stop and is going to be responsible for an increasing level of economic damage. I think probably the consensus is that there needs to be some intervention program. There needs to be some way of taking these kids at an early stage and directing them into something that is less harmful than stealing cryptocurrency or SIM swapping or breaking into NVIDIA. And it's going to be hard.

Well, thanks for coming on the show, Bob.

We really appreciate it. Next time, I promise it'll be about Something fun. Something uplifting. Something that'll make you optimistic about the human condition.

It's like, Oh, no, we're all going to get hacked and it's going to be my teenager. It's all getting worse.

It's getting worse. That's teens.

The teens.

It's just That's all for today, Wednesday, October 16th.

The Journal is a coproduction of Spotify and the Wall Street Journal. Additional reporting in this episode by Jenny Strasberg. Thanks for listening. See you tomorrow.