For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com) 114
An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesales them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.
Re: (Score:3, Funny)
We should breed this guy in case we go to "nuclear war with Russia" and dust him off when all the cockroaches like Miss Mash and BeauHD scurry around in the nuclear war threatening the remaining regular humans with their mutated airborne cockroach AIDS spores. This hacker can carry his own.
Re: (Score:2)
That's nothing. This Indian man survived 70 years without food, water or going to the bathroom.
http://nationalpost.com/g00/ne... [nationalpost.com]
Re: (Score:1)
I don't care how much you clean it, I'm not going to even touch his seat. Either of them.
Re: (Score:2)
Wildstar (Score:4, Interesting)
Re: (Score:1)
I would say there is a point where hacking really becomes a responsibility of the developers of the game to address. Lineage 2, Darkfall, and many other MMOs bit the dust when the devs wouldn't deal with the spammers and hackers. (Lineage 2, you would get ganked before even fully loading as a new player, and Darkfall only banned people who complained about how crappy the game was.)
It all started with Everquest, where at first with ShowEQ, it was a few people who discovered how to easily watch for mob spaw
Re: (Score:1)
So now instead of spending coding hours on adding interesting game play and content, the developers have to spend the time on making it hack proof with bank-level security. Even then, banks still get hacked - so having to add ever increasing levels of security to prevent hacks hurt the game performance and game play experience, and is still not a guarantee of success of preventing hacks.
This makes the games less fun and more expensive for all players.
The guy should be sued into oblivion or possibly even ser
Re: (Score:1)
So now instead of spending coding hours on adding interesting game play and content, the developers have to spend the time on making it hack proof with bank-level security.
Yes. Otherwise you won't play the game, as others have said. It's why I quit playing GTA online. It was ridiculous when literally half the player were cheating in some way.
The guy should be sued into oblivion or possibly even serve jail time for having ripped off so many players and companies from the game experience they have paid for
LOL! Are you serious? You sound like the idiots that call me at work (webhosting company) about their wordpress site that got hacked by "TuRkiSH HaCKerZ" that ask if we can pursue legal action against them. I'm like, you want us (who don't care obviously) to sue an IP address in the Netherlands, that looks like a cPanel box which was undo
Re: (Score:2)
Re:Wildstar (Score:4, Insightful)
You have missed my point.
Game developers do spend time and effort to make the game secure. However, security is a trade off - you want to have end to end encryption of the messages and in-memory encryption of all variables? That's going to cost you lots of extra CPU cycles and reduce your framerate.
No software is hack proof - this has been demonstrated time and time again.
This arsehole has boasted that he has spent 20 years doing nothing but hacking and ripping off other game players. If there are no repecussions for that, it's going to only encourage a lot more doing the same.
This is not a victimless crime. It denies honest game players enjoyment of the game, it increases development costs substantially to have to devote resources to patching hackable flaws, and it most importantly deprives the game company of customers when they get dissapointed in the game and leave.
I have no problem with someone hacking a single player game and giving themselves a bazillion HP and max gold - it's only affecting their own game play. What I have a problem with is when they go on to ruin the game for other players, without penalty to them whatsoever.
A car analogy: You lock your car and take reasonable precautions to secure it. If someone throws a brick through the window and steals it, you don't say "oh well - should have installed brick proof windows" - you expect that there are laws that will deter this behavior and prosecute the perps when they are caught.
If someone boasted they have been tossing bricks through car windows for 20 years and living off the stolen cars, you'd expect some action to be taken against them.
Re: (Score:2)
Re: (Score:1)
so what (Score:1)
did he get 4/4/4/4 guardian jedi on swg before the village?
no he didnt, he is a punk bitch
Dumb to do a talk and interview (Score:5, Interesting)
Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.
Re:Dumb to do a talk and interview (Score:5, Interesting)
I would speculate he's doing the talk because he's probably already made all the money he thinks he needs and is retiring from it. It's entirely possible that he is also a hypocrite who was troubled that what he was doing was possible, but not troubled enough to stop doing it for his own benefit but now that (speculated) he is comfortable enough to retire he wants to shine a spotlight on the practice to encourage the affected game companies to close off the holes and prevent anyone else from doing what he did.
Re:Dumb to do a talk and interview (Score:5, Insightful)
Re: (Score:2)
> there's more to be gained from talking than the actual doing.
Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.
Re: (Score:2)
Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.
I think you misunderstood the AC GP. It is about human nature. Why would he all of the sudden want to disclose the things he had been (illegally) doing for 20 years? There must be something changed in his life recently that makes him decide to come out to DefCon. If he is a bragger, he would have disclosed this long time ago because bragger can't resist to brag. Though, this isn't the case because he had kept the secret for 20 years (per what he said).
Now he wants to brag about what he had been doing, so
Re: (Score:2)
Re:Dumb to do a talk and interview (Score:4, Informative)
Re: (Score:3)
0.o How? Do you think companies are going to magically start finally getting rid of the hackers? Or somehow suddenly become omni-competent at doing so?
Mind-numbingly boing (Score:3)
There are so many software engineering jobs that offer more mental challenge, more reward in terms of mental stimulation. And when he gets older...I doubt he is even saving for retirement.
Re:Mind-numbingly boing (Score:5, Interesting)
Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.
I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out earn me quickly for finding a key exploit for a hot new game and milking it for a while.
Re: Mind-numbingly boing (Score:1)
Because while he declined in the article to say how he's made total over the years, he does mention one specific revenue stream. He said that in Everquest, he's sold around 100 player houses-apparently a rare thing with a limit on how many can be owned-in all, with am average price of $200000. So 200k from one single game, even if it
Re: Mind-numbingly boing (Score:1)
Or like Diablo 2. Best in slot items for the closed, not widely hacked servers could sell for $150-200 easy, and there were a lot of them. It was definitely possible to make good money, if
Re: (Score:1)
Nope. It's the same crap you do at work (debugging, critical thinking, etc) with a much, much higher upside. Sure there are boring parts (e.g. purchasing items from the ill gotten funds) but I see no reason why this part can't be outsourced after the hard work is done.
ok (Score:2)
No shit, Sherlock.
Poster Child (Score:5, Insightful)
...For everything wrong with MMO's these days. This guy is it. Good job, you and your kind have ruined most MMO's for everyone to make a buck.
The really sad part is they are destroying the very thing they're making money off.
No one likes to play an MMO that obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.
Re:Poster Child (Score:5, Funny)
MMOs ruin more lives than crack so this man is doing gods work and your anger pleases me.
Re: (Score:1)
He's providing a public service really. If the only thing attractive about an MMO is a fake-economy and/or the grind for equipment or resources it should die.
Re:Poster Child (Score:5, Interesting)
"and that game's internal economy has been completely wrecked by this behavior"
Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.
Re: (Score:2)
Why is the central service not doling out and approving money?
If you get a dollar, or gold, or credit, it should be because the server handed it to you.- for doing whatever you did to earn it.
This sort of thing is supposed to be moderated by the server. If you do 10HP damage to an enemy, the server should tell you that you did 10HP damage and account for it prope
Re: (Score:2)
I think you've just explained how this guy does it. For every game, this guy gets on the dev team. He spends months, tirelessly persuading them to do it wrong. He doesn't shut up. Eventually, the other devs give in, often with the rationalization, "well, at least this'll fix the performance and scaling problems." H4XX K0MPL337!
Re: (Score:2)
So, emulating James T. Kirk (Score:1)
In defeating the Kobayashi Maru simulation.
Abandoned (Score:2)
Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion
Yes, and any game that doesn't have the most basic anti-cheat mechanisms in place to detect such a thing should be summarily abandoned by it's player base.
Something smells (Score:2)
Re: (Score:2)
In Everquest, there was a brief bug where one bank somewhere in the world, exchanged iirc 10 coins for 1 coin of the next highest denomination, when the official exchange rate is supposed to be 100:1. A programmer forgot the exchange rate, and miscoded that bank. People took advantage of it until the developers figured out their mistake and fixed the bank.
Re: (Score:2)
EverQuest (1) is 10:1 from copper:silver:gold:plat, always has been.
Re: (Score:2)
Blah, knew I was right the first time. I couldn't remember, or find a reference easily which specified.
Re:Something smells (Score:4, Interesting)
Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.
I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.
To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just of series of transactions between the client and the server, and their protocols and daemons can be exploited just like web servers.
If anything, the games are probably more vulnerable because web servers typically use standard protocols and libraries, which are audited and tested by security professionals. I doubt the net code on a random MMO is tested seriously for anything more than latency and reliability.
Business Card: (Score:1)
"Cheatalogist"
..and why not? (Score:5, Insightful)
So there are loads of people who seem to find his exploits bad or wrong. But I think - great, go for it. Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award. The games companies are not much more than modern parasites - and 'Manfred' is merely a parasite's parasite.
Who, actually, gets harmed. The gamers want the cash - he can supply it at market rates - and the publishers are already horrendously bloated and fattened on the continual streams of micropayments.
Maybe because his name is a reference to the Prantagonist of Accelerando, but I, for one, am in favour of Manfred's profession.
Re:..and why not? (Score:5, Insightful)
Who, actually, gets harmed
Maybe now, but if you RTA, he started out by "deleting" people's houses in Ultima Online. That would be pretty frustrating if you were one of the people who owned the scarcely available and highly in-demand house.
Re: (Score:2)
Who, actually, gets harmed. . . . the publishers are already horrendously bloated and fattened on the continual streams of micropayments.
Wow -- way to rationalize. There are an awful lot of people in the world who make a lot less money than you do. I take it you wouldn't have a problem with them helping themselves to some of yours since, in their eyes, you have way more than you need?
Re: (Score:2)
Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award.
Yeah, that's the whole reason a market for gold farmers exists in the first place. Because huge sections of the game are very, very boring.
Re: (Score:2)
He is actually doing less harm to the game than the publishers.
The publishers put in sections that are designed to be painful enough to make you pay to avoid them. All he does is provide the means.
Re: (Score:2)
Who, actually, gets harmed.
Do you actually play MMOs? These guys tend to spam their godl sales any which way they can, flooding your inbox and every chat they can access. Pretty damn annoying.
Made $$... until he mentioned it. (Score:1)
Survived 20 years hacking online games (Score:2)
Whether he makes it to 21st depends mostly on whether there are MMORPG players in the audience.
Comment removed (Score:5, Informative)
Re:Never trust the client? (Score:4, Informative)
Why is anything in a MMO except maybe basic movement done client-side?
Maybe movement and basic actions are all that is supposed to happen client-side.
How is it that a debugger can affect the currency attached to an account?
The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.
Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time, those professionals disclose their findings to the developer---something which I doubt is happening with MMO developers.
Shouldn't every transaction be started and logged serverside?
Gold is not the basis of all transactions. Spells use resources, crafting professions use resources, and health pools fluctuate.
Lots of things are happening 24/7, and it can be very difficult to determine what needs to be logged.
You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...
I would expect that from a real-world bank. In a random MMO, they have no reason to bother unless there is a noticeable problem.
In most MMOs, you can loot gold from dead NPCs, and you can spend gold to buy things from NPCs. You can often sell useless items to NPCs as well. In those cases, there are probably no accounts to send/receive money. The player's balance is simply credited/debited directly for the value of the transaction.
If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.
Banks have rigorous controls to detect this sort of thing, but no one is going to develop SOX-level controls on a whim. That level of auditing is seriously burdensome---in terms of both compute and personnel.
Re: (Score:2)
Re: (Score:2)
That sounds like he's just using something like Cheat Engine to change the clientside display
If the developer is really stupid, then maybe this is the case.
Or he could be using it to tamper with the client communication in order to exploit the underlying protocols.
Given those two options, I assume the latter. My assumption ascribes the developers a modicum of competence, and therefore imples a greater degree of respect for the attacker's skill.
It should be trivial to write the client to never really even understand transactions, just requests.
I use the term transaction loosely, not necessarily in reference to SQL. I.e., a client submits an action, the server processes that action, and then server
Re: (Score:2)
If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.
This point is a possible case. If he somehow edited the value of an item which could be sold back to a NPC, then the NPC will give the money to the client and this could be done on the client side. The information of selling and gaining money would then be sent to update on the server data.
I agree with you that the server usually does not monitor every transaction from clients because it is MMO. If a server has to verify every transaction, the game server could be easily overloaded which could cause lags an
Re: (Score:2)
...something which I doubt is happening with MMO developers.
If the MMO is even paying developers any more, and if they have some bug reporting mechanism. Lots are largely abandonware, with a small core of players religiously still playing, trying to reach whatever goal they've set for themselves. Doesn't mean that those players wouldn't be willing to shell out some $$ to achieve that goal. And even if there are active developers, there's a good chance that they're being asked to develop more DLC/microtransaction stuff ahead of bug-fixes, because that's where the mo
Re: (Score:2)
Re: (Score:2)
Simple. Bad/lazy/desperate programming. Most game houses are sweatshops, especially the so-called "free-to-play" games. Pushing out the next big money maker is much more important than fixing/designing solid code. Something seems to be slowing the server down? Push it on the client. After all, how many people know how to...wait, how did that guy manage to get a gajillion gold?
And it's not just the Asian trash MMO's either. Home grown MMOs have this problem as well. For example, Elder Scrolls Online at one p
Re: (Score:2)
He was probably exploiting some item dupe bug. Most mmo's are server apps that sit on relatively slow databases so a lot of caching is involved. The exploit fools the app server into depositing some amount into a bank while retaining your existing currency or whatever.
Probably an easier way to handle this long term is simply run reports on how much currency people actually have in game and where its going and close accounts based on that.
Re: (Score:2)
Rule #1: Never Trust The Client (Score:4, Interesting)
I'm amazed that software engineers work on online games and do not understand that you can never trust the client.
I get that mistakes can be made, but this is generally a software design and architecture problem.
Having said that, today we found a flaw in our server that let someone sneak in number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.
Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name. :)
Re: (Score:1)
It's simple. Games are not security critical applications.
Low latency is more important to attract lots of players than making an unhackable game.
Re: (Score:2)
The source of your paycheck should always be considered a security critical application.
Re: (Score:2)
Re:Rule #1: Never Trust The Client (Score:5, Interesting)
Eh, I once played a dial-up days online game where you could bet currency for a 50/50 chance to return 1.8 times the currency.
You couldn't bet more than you had.
So I bet -10,000,000,000 and lost.
Which meant I gained 10,000,000,000 currency.
Which overflowed the currency counter.
Which crashed the game instance.
Which dumped me to a remote command prompt.
Which allowed me to download the unencrypted user password file.
Just wait for the IRS edit and maybe CFAA changrs (Score:2)
Just wait for the IRS edit and maybe CFAA changes. Each one can lead to hard fed time but at the doctors + room + board are free.
Re: (Score:1)
As long as he reported the income then the IRS doesn't care about illegality.
Taxation of illegal income [wikipedia.org]
This brings me back (Score:3)
Back in 2003 (or sometime before WoW) I was part of a hacking community that wrote RuneScape bots. I remember the day someone found an item dupe hack. This was actually the opposite, if you attempted to trade 0 of an item that wasn't stackable and you didn't actually have, your recipient would receive the item. Combine this with a spell that turned items into currency and you have a serious problem.
Someone decided to be a complete idiot/ass and did their best to ruin the economy. The devs put a bounty of a lifetime premium subscription on anyone who could tell them of how the hack worked. The person who tried to ruin the economy was the first and only instance I know of that got an IP ban.
Sheesh (Score:2)
Capitalism (Score:2)