Rockstar Games GTA VI leak (Lapsus$)
A teenage Lapsus$ member breached Rockstar Games' internal Slack and developer systems via social engineering, then leaked roughly 90 in-development clips of the unreleased Grand Theft Auto VI — one of the largest leaks in video-game history.
- Victim: Rockstar Games (Take-Two Interactive)
- Loss: $5.0M
On 18 September 2022, a forum user calling themselves "teapotuberhacker" posted roughly 90 video clips of the unreleased Grand Theft Auto VI to GTAForums, alongside claims of access to Rockstar Games' internal source code and Slack workspace. It was one of the largest unauthorized leaks in video-game history, and it was carried out not through a sophisticated exploit chain but through social engineering by a teenage member of the extortion group Lapsus$.
What happened
The same actor — later identified as Arion Kurtaj — had days earlier breached Uber using MFA-fatigue and social-engineering techniques characteristic of Lapsus$. Against Rockstar, the intruder obtained access to internal communications (Slack) and development systems, then exfiltrated early build footage of the in-development GTA VI.
Rockstar confirmed the intrusion on 19 September 2022, describing it as a "network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems." The company stressed that it did not anticipate any disruption to its live services or long-term development of the game.
Remarkably, court evidence later established that Kurtaj carried out part of the Rockstar attack while on bail for earlier offences (with his laptop confiscated) using an Amazon Fire TV Stick, a hotel television, and a mobile phone. He breached the company's internal messaging system and issued a 24-hour ultimatum demanding contact, threatening otherwise to release source code and assets.
Impact
- ~90 clips and associated assets of the unreleased GTA VI were leaked publicly, spreading rapidly across social media before takedowns.
- Rockstar told the court the incident cost the company approximately US$5 million plus substantial staff time in remediation.
- No customer data breach or financial-records compromise was reported; the damage was to confidential intellectual property and to reputation.
- Rockstar locked down social-media comments and worked with platforms to remove the leaked material; GTA VI development continued, with the game's first official trailer released in December 2023.
Attribution
The leak was the work of Lapsus$, a loosely organized group of mostly teenage actors responsible in 2021–2022 for intrusions at Nvidia, Microsoft, Samsung, Okta, BT/EE, Revolut and Uber. Arion Kurtaj, a teenager from Oxfordshire, England, was arrested on 23 September 2022. In August 2023 a London jury found him responsible for the Rockstar, Uber, Nvidia and Revolut intrusions; because he was deemed unfit to stand trial due to severe autism, the jury ruled on the facts of the case rather than returning a conventional verdict. On 21 December 2023 he received an indefinite hospital order.
Why it matters
The Rockstar leak is a defining case study in human-factor security. No zero-day was required: the breach hinged on social engineering, abuse of internal collaboration tools, and weaknesses in identity and access controls. It underscored that MFA-fatigue, help-desk manipulation, and over-trusting internal Slack/Teams environments are sufficient to penetrate even well-resourced technology firms — the same playbook Lapsus$ used against Okta and Uber in the same period. For the games industry specifically, it forced a hard look at how pre-release intellectual property is segmented, monitored, and protected inside developer environments.
Financial impact
Reported costs in USD
- Business loss: $5.0M
Timeline
Around the same week, Lapsus$ member Arion Kurtaj breaches Uber via social-engineering / MFA fatigue, demonstrating the group's active extortion spree.
A new GTAForums user, "teapotuberhacker", posts roughly 90 video clips and source/test footage of the unreleased Grand Theft Auto VI, claiming access to Rockstar's internal Slack and game source code.
Rockstar Games confirms a "network intrusion" in which an unauthorized third party accessed and downloaded confidential information including early development footage of the next Grand Theft Auto.
City of London Police, supported by the UK National Cyber Crime Unit, arrest a 17-year-old in Oxfordshire on suspicion of hacking.
A London jury finds Kurtaj responsible for the Rockstar, Uber, Nvidia and Revolut intrusions; he was deemed unfit to stand trial due to severe autism, so the jury ruled on the facts.
Kurtaj is sentenced to an indefinite hospital order, to remain in a secure hospital until clinicians judge he is no longer a danger to the public.