This teenage hacker became a legend attacking companies. Then his rivals attacked him.
Summary
His life in cybercrime began at age 11, investigators say, and went on to incursions into Nvidia and “Grand Theft Auto.” His case has brought worries about a new breed of fearless young hackers.
The City of London Police had put the teenage boy in the suburban Travelodge to protect him. They even set up a code with him and his mom to signal it was safe to open the door: “Lucky lucky.”
Then they grew suspicious.
The teen had a history with the police. It was September 2022, and 17-year-old Arion Kurtaj had been arrested twice earlier that year for his alleged role in a hacking group that stole data and demanded ransoms from some of the world’s biggest tech companies. Kurtaj, who is autistic, was released both times. The second time, that March, he had been let go under the condition that he stay offline.
Over the next few months, someone threw bricks at the windows of his family’s home, police said, and his mother’s car was smashed up. A bag of chicken was mysteriously delivered to the house. Online rivals had doxxed him, posting his personal information online, and police found evidence of a plot to steal cryptocurrency from him. Officers decided he needed protection.
That left Kurtaj in Room M15 of a Travelodge outside Oxford, where he was still supposed to be computer-free, with his mom in a room on another floor.
Roughly two weeks into his stay, just after 9 p.m., officers entered Kurtaj’s room. An Amazon Fire Stick—a small streaming device with internet access—was plugged into the hotel room TV. There was a keyboard and mouse, and a gold-toned iPhone on the bed, just under the duvet. Police had been monitoring online messages they believed could be coming from Kurtaj almost until the moment they knocked on the door.
Kurtaj was arrested a third time and charged with hacking, fraud and blackmail. Authorities said that while at the Travelodge, he broke into Uber and taunted the company by posting a link to a photo of an erect penis on the company’s internal Slack messaging system, then stole software and videos from Rockstar Games. Stolen clips had popped up in a “Grand Theft Auto” discussion forum from a user named teapotuberhacker and stirred a frenzy.
As officers collected evidence, the teen stood by, emotionless, police say. During his stay, he was polite and shy, said Susanne Langford, the hotel manager. “He was very quiet, didn’t interact with people much,” she said. Langford, who has a son with autism, said she recognized traits of it in Kurtaj.
Police knocked on his mother’s door to tell her that they’d just arrested her son again. For years, according to court records, she had struggled to keep her son on a path that provided schooling and other support. He had limited social skills and trouble developing relationships, records say—and ultimately looked for approval in the booming world of cybercrime.
Arion Kurtaj, now 19 years old, is the most notorious name that has emerged from a sprawling set of online communities called the Com. They are gamers and hackers and online con artists who are native English speakers, able to talk their way into sensitive networks—social engineers in cybersecurity parlance. They have become one of the top cybersecurity threats in the world, and they are mostly boys and young men.
Their youthful inventiveness and tenacity, as well as their status as minors that makes prosecution more complicated, have made the Com especially dangerous, according to law-enforcement officials and cybersecurity investigators. Some kids, they say, are recruited from popular online spaces like Minecraft or Roblox.
“Across the country we’re seeing increasingly sophisticated cybercrime being conducted by people who are younger and younger and younger,” said William McKeen, a supervisory special agent with the FBI’s Cyber Division, at a security conference in San Francisco in May. “It is terrifying.”
He said the average age of anyone arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19.
Cybersecurity investigators have found posts they say suggest Kurtaj has been involved in online attacks since he was 11. He was tried in court in part for his role in the hacking group Lapsus$, which posted publicly about its operations and successes, giving investigators a window into its activities.
The judge ultimately handed Kurtaj a sentence that his lawyers have called out of proportion with the crimes he stood accused of. The family declined to be interviewed.
The Cyber Safety Review Board, formed two years ago by the White House to analyze cybersecurity threats, said in a major report about Lapsus$ that the group “was unique for its effectiveness, speed, creativity, and boldness.”
The backdrop, the report noted, was “the vast global for-profit online criminal landscape that curious young people are now encountering.”
This article is based on court records, online chats and posts, and interviews with police, cybersecurity inspectors and others familiar with Kurtaj and his case.
The Com kid
Born in 2005, Arion Kurtaj grew up in a largely middle-class neighborhood north of Oxford. Investigators say he lived modestly. One real-world activity he appeared to enjoy, based on social-media photos, was family fishing outings.
Most of the time, though, he lived online, according to Michael O’Sullivan, a detective inspector who oversees the City of London Police’s cybercrime unit.
Kurtaj started his education at his neighborhood primary school, but went on to attend a series of schools for children with complex educational needs and behavioral issues. By around age 11, he was partly home-schooled by a tutor.
At that same age, he made his first known post about illegal activity, according to the online intelligence firm Flashpoint. It was a request for information in a cybercrime marketplace about how to hack into a server used by Minecraft players.
Kurtaj’s parents separated. Social services had long-term interactions with the family, according to O’Sullivan, and at one point Kurtaj threatened family members.
When he was 14, the British state took over his care under a law requiring the government to provide housing for certain young people deemed unable to remain in the care of their parents, according to court records. He landed in a residential school serving children with severe emotional and behavioral needs.
By 2020, when he was 15, he was offering more than $10,000 for hacking tools in online forums, according to Chainalysis, a blockchain analytics company.
In early 2021, a poster using an alias prosecutors have linked to Kurtaj offered $2,500 to an Iranian hacker to help build attack software that would crush websites under a flood of traffic, according to online chat sessions viewed by the Journal. A few months later, the poster offered to sell these services on Telegram.
“It was his alternative existence,” said Kevin Barry, the British lawyer who prosecuted Kurtaj last year. “He was living a very empty offline life with all sorts of difficulties, challenges and limitations, whereas online he could be a bit of a superhero.”
Kurtaj’s psychiatrist described him as striving to fit in with his peers, according to court records.
Kurtaj was physically assaulted by a staff member at his school who was later convicted as a result, according to a person familiar with the case. In early 2021, his mother brought him home and removed him from government care, court records say. He never returned to school. He was 16.
A month after his mother pulled him out of school, investigators say that Kurtaj was part of a hacking group called Recursion Team that broke into the videogame firm Electronic Arts and stole 780 gigabytes of data. When Electronic Arts refused to engage, they dumped the stolen data online. Within a week of that hack, investigators had identified Kurtaj and provided his name to the FBI.
Crypto heist
Later in that summer of 2021, according to court records, Kurtaj partnered with another teenager, known as ASyntax, and several Brazilian hackers, and started calling themselves Lapsus$. The group hacked into the British telecommunications giant BT in an effort to steal money using a technique called SIM swapping, where someone seizes control of a victim’s phone number and then uses it to reset online passwords.
Daniel Shenton, a customer of mobile network EE, owned by BT, was one of the victims. He had just landed at London Heathrow Airport in January 2022 after a vacation in Mexico, and his phone wouldn’t connect to the network. He got a new SIM card, but that didn’t work either.
He logged on to his Coinbase cryptocurrency account, which had totaled almost £34,000 (then more than $45,000) the last time he’d checked.
The balance: 52 pence. The hackers had reset his Coinbase password and emptied his account.
Shenton, 30, had been saving money for four years, working for his family’s company manufacturing storage tanks. “That was like a house deposit,” he said. “I thought, where the hell am I going to find this money again?” Coinbase eventually said it would reimburse him nearly £24,000, which it determined to be the market value of the holdings.
The hacks weren’t always for money. In late 2021, Lapsus$ hacked into a website operated by Brazil’s Ministry of Health and deleted the country’s database of Covid vaccinations, according to law enforcement.
People who identify as part of the Com tend to hang out in unmonitored discussion forums and online gaming communities. They like to provoke and taunt. Chats are filled with offensive language.
If the Com has a social center, it’s a website called Doxbin, where users publish personal details, such as home addresses and phone numbers, of their online rivals in an attempt to intimidate each other.
Kurtaj bought Doxbin in November 2021 for $75,000, according to Chainalysis. But after a few months, the previous owners accused Kurtaj of mismanaging the site and pressured him to sell it back.
He relented. Then in January 2022, cybersecurity investigators say, he doxxed the entire site, publishing a database that included usernames, passwords and email addresses that he’d downloaded when he was the owner.
For cybersecurity experts, it was a gold mine. “It helped investigators piece together which crimes were done by who,” said Allison Nixon, chief research officer at Unit 221B, an online investigations firm.
Doxbin’s owners responded with a dox of Kurtaj and his family, including his home address and photos of him, investigators say—setting up the chain of events that would put Kurtaj in the Travelodge.
Lapsus$ mayhem
In January 2022, police arrested Kurtaj and ASyntax for the BT hack, after connecting a computer used by Kurtaj to the hacks. Officers seized their phones but then released the teens under investigation. It’s unusual to remand a teenager in the U.K., Detective Inspector O’Sullivan said.
The next month, Lapsus$ was taking credit for a hack into Nvidia.
To get in, the Lapsus$ crew got stolen usernames and passwords for at least two contractors, according to court records. Many companies require a second layer of authentication, such as a code sent to a mobile phone, to get into corporate networks. Lapsus$ talked their way past the second layer.
They started off by dumping 80 gigabytes of data they’d stolen from the company, and then threatened to release even more unless they were paid a ransom. Then came other bizarre demands, including one that Nvidia make its software more easily available to cryptocurrency miners.
“When you’re dealing with professional hackers there’s a rationality to all of their actions. There’s a motivation that you can clearly point to. Maybe it’s espionage, maybe it’s economic gain,” said Heather Adkins, a Google security executive who co-wrote the Cyber Safety Review Board’s report about Lapsus$. “The interesting thing about Lapsus$ is that you cannot apply the same rationality to them. It seems baffling.”
Lapsus$ took credit for hacks into other tech companies, including Microsoft and Samsung.
At the end of March 2022, the City of London police arrested Kurtaj and ASyntax again. Social services couldn’t find suitable accommodations for Kurtaj, and he was released on the condition that he stayed off computers.
Room M15
By mid-September 2022, Kurtaj had checked into the Travelodge.
On Sept. 14, Uber was hacked. The hacker posted a note and an obscene link to the company’s internal Slack system, where every employee could see it.
On Sept. 17, teapotuberhacker popped up in a gaming discussion forum to announce a hack into Rockstar Games. The hacker began leaking clips for the company’s highly anticipated “Grand Theft Auto VI.” Gamers on the forum were skeptical at first, but they quickly realized the dump, which disclosed that the game would feature its first-ever female protagonist, was legitimate.
“Ok so this has gone unexpectedly viral,” teapotuberhacker posted in another message on Sept. 18. “Woke up to 3,000 Telegram DMs.” On the GTA discussion forum, there were even more comments—about 6,000. “This day is legendary,” said one of them.
Later that day, a post on a criminal marketplace forum appeared, titled: “The Person Who Hacked GTA 6 and Uber Is Arion.”
The pressure was building on O’Sullivan and British authorities to put a stop to the hacks, but O’Sullivan had another issue. Sept. 19 was the state funeral of Queen Elizabeth II. About half of his nine-member cyber team was in uniform, working the event.
On Sept. 22, they were ready to surprise Kurtaj in Room M15 of the Travelodge.
Kurtaj was sent to the Feltham Prison and Young Offender Institution in West London, recently described by a U.K. government watchdog as “the most violent prison in the country.” He was charged with 12 counts related to fraud, blackmail and violations of the U.K.’s Computer Misuse Act, for hacks dating back to August 2020.
His alleged incursions cost companies millions of dollars in cybersecurity and legal expenses, and investigators say he and his partners made hundreds of thousands of dollars in extortion demands as well as thefts from individuals.
Psychiatrists deemed Kurtaj unfit to stand trial due to his severe autism and other developmental issues. The court instructed the jury to set aside any question of criminal intent and just determine whether he had committed the acts alleged by prosecutors.
The trial lasted seven weeks. In August 2023, jurors found Kurtaj had committed the hacks.
He called in via videoconference for his December sentencing, but said little. The judge heard reports that he was violent and destructive at Feltham, and that a mental-health assessment found he wanted to return to cybercrime as soon as possible.
The judge gave Kurtaj an indefinite hospital order—a sentence confining him to a secure mental-health ward until doctors and U.K. officials decide he is no longer a danger to the public. He was 18 years old.
People in Kurtaj’s situation can apply for a review of their detention once a year. Otherwise, their detention is subject to government review once every three years, according to the Ministry of Justice.
The court tried charges against ASyntax at the same time. He was found guilty of two counts of fraud, two violations of the misuse act and one count of blackmail. ASyntax, who was then 17, was sentenced to a youth rehabilitation order, including 18 months of supervision.
The principal Brazilian suspect in Lapsus$ was arrested in October 2022, according to a press release from the Brazilian federal police.
Kurtaj and his lawyers are seeking to appeal. They argued at trial that while there was evidence of Kurtaj’s association with hackers and the offenses, the evidence failed to prove he committed many of the offenses or was the central player.
Kurtaj’s lawyers and some experts on autism have said a potential lifetime of incarceration isn’t appropriate for a teenager like Kurtaj.
“There has to be a better system that enables the skills of such individuals to be utilized in a more positive way that protects corporations, acknowledges and supports the medical needs of vulnerable perpetrators and offers a more mutually beneficial outcome for all stakeholders in these situations,” his lawyers said in a statement after the jury’s findings.
Prosecutors have struggled to curtail crimes while knowing that some of the young people behind them are pursuing the respect and acceptance online that they struggle to find in the face-to-face world, said Barry, the prosecutor. And the role of cryptocurrencies in making hacking pay off has boosted the incentives, he said.
It’s up to his doctors whether Kurtaj can access the internet. He was sent to a medium-security hospital ward, where in the common areas shared with other patients, he was surrounded by tablets, phones and computers.
Write to Robert McMillan at robert.mcmillan@wsj.com and Jenny Strasburg at jenny.strasburg@wsj.com