Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Businesses The Almighty Buck

For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com) 114

An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesales them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.
This discussion has been archived. No new comments can be posted.

For 20 Years, This Man Has Survived Entirely By Hacking Online Games

Comments Filter:
  • Wildstar (Score:4, Interesting)

    by Nidi62 ( 1525137 ) on Thursday August 03, 2017 @02:26PM (#54935429)
    It was actually a pretty fun game. Stopped playing it though because of hackers. Every time you tried to gather a resource a hacker would zoom in, immediately harvest it, and fly off. Just got too annoying.
    • by umghhh ( 965931 )
      Seems like it was real life simulation or?
  • by Anonymous Coward

    did he get 4/4/4/4 guardian jedi on swg before the village?
    no he didnt, he is a punk bitch

  • by mattwarden ( 699984 ) on Thursday August 03, 2017 @02:27PM (#54935437)

    Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.

    • by barc0001 ( 173002 ) on Thursday August 03, 2017 @02:33PM (#54935493)

      I would speculate he's doing the talk because he's probably already made all the money he thinks he needs and is retiring from it. It's entirely possible that he is also a hypocrite who was troubled that what he was doing was possible, but not troubled enough to stop doing it for his own benefit but now that (speculated) he is comfortable enough to retire he wants to shine a spotlight on the practice to encourage the affected game companies to close off the holes and prevent anyone else from doing what he did.

      • by Anonymous Coward on Thursday August 03, 2017 @02:50PM (#54935625)
        Almost certainly wrong. Humans don't work like that. Typically when someone decides to reveal their E-Z money secrets it's because it's dried up and now there's more to be gained from talking than the actual doing. Or it's total bullshit and never did work. A well known "motivational" speaker or two come to mind.
        • > there's more to be gained from talking than the actual doing.

          Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.

          • Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.

            I think you misunderstood the AC GP. It is about human nature. Why would he all of the sudden want to disclose the things he had been (illegally) doing for 20 years? There must be something changed in his life recently that makes him decide to come out to DefCon. If he is a bragger, he would have disclosed this long time ago because bragger can't resist to brag. Though, this isn't the case because he had kept the secret for 20 years (per what he said).

            Now he wants to brag about what he had been doing, so

    • He's been banned over and over from multiple games. If he gets banned from a few more, he doesn't care.
    • by avandesande ( 143899 ) on Thursday August 03, 2017 @04:58PM (#54936665) Journal
      If you RTFA it says he is going legit.
    • Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview.

      0.o How? Do you think companies are going to magically start finally getting rid of the hackers? Or somehow suddenly become omni-competent at doing so?

  • by tgibson ( 131396 ) on Thursday August 03, 2017 @02:34PM (#54935511) Homepage

    There are so many software engineering jobs that offer more mental challenge, more reward in terms of mental stimulation. And when he gets older...I doubt he is even saving for retirement.

    • by James Carnley ( 789899 ) on Thursday August 03, 2017 @02:51PM (#54935637) Homepage

      Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.

      I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out earn me quickly for finding a key exploit for a hot new game and milking it for a while.

      • Yeah he could have definitely earned enough over 20 years to be able to save a sizeable enough amount to have some kind of "retirement" funds, if he was smart with his money.

        Because while he declined in the article to say how he's made total over the years, he does mention one specific revenue stream. He said that in Everquest, he's sold around 100 player houses-apparently a rare thing with a limit on how many can be owned-in all, with am average price of $200000. So 200k from one single game, even if it
      • Oh and also, you're definitely right about the potential for big bucks if he was doing it with whatever game was hottest at the time. I played WoW from launch until like 4 or 5 after, and during the heydays, good characters EASILY went for well over 1k, some closer to 2k. Not to mention gold farming was very profitable.

        Or like Diablo 2. Best in slot items for the closed, not widely hacked servers could sell for $150-200 easy, and there were a lot of them. It was definitely possible to make good money, if
    • by Anonymous Coward

      Nope. It's the same crap you do at work (debugging, critical thinking, etc) with a much, much higher upside. Sure there are boring parts (e.g. purchasing items from the ill gotten funds) but I see no reason why this part can't be outsourced after the hard work is done.

  • by bigdavex ( 155746 )

    This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency.

    No shit, Sherlock.

  • Poster Child (Score:5, Insightful)

    by duke_cheetah2003 ( 862933 ) on Thursday August 03, 2017 @02:44PM (#54935581) Homepage

    ...For everything wrong with MMO's these days. This guy is it. Good job, you and your kind have ruined most MMO's for everyone to make a buck.

    The really sad part is they are destroying the very thing they're making money off.

    No one likes to play an MMO that obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.

    • by Anonymous Coward on Thursday August 03, 2017 @03:01PM (#54935725)

      MMOs ruin more lives than crack so this man is doing gods work and your anger pleases me.

    • by crafoo ( 591629 )

      He's providing a public service really. If the only thing attractive about an MMO is a fake-economy and/or the grind for equipment or resources it should die.

    • Re:Poster Child (Score:5, Interesting)

      by magarity ( 164372 ) on Thursday August 03, 2017 @03:52PM (#54936191)

      "and that game's internal economy has been completely wrecked by this behavior"

      Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.

      • by tlhIngan ( 30335 )

        Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.

        Why is the central service not doling out and approving money?

        If you get a dollar, or gold, or credit, it should be because the server handed it to you.- for doing whatever you did to earn it.

        This sort of thing is supposed to be moderated by the server. If you do 10HP damage to an enemy, the server should tell you that you did 10HP damage and account for it prope

        • If you're trusting the client, you're hacked, period.

          I think you've just explained how this guy does it. For every game, this guy gets on the dev team. He spends months, tirelessly persuading them to do it wrong. He doesn't shut up. Eventually, the other devs give in, often with the rationalization, "well, at least this'll fix the performance and scaling problems." H4XX K0MPL337!

    • How about blaming the game developers with the rotten security? If someone hacked into the federal reserve and was sending themselves money, would you blame the hackers for ruining money?
  • by Anonymous Coward

    In defeating the Kobayashi Maru simulation.

  • Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion

    Yes, and any game that doesn't have the most basic anti-cheat mechanisms in place to detect such a thing should be summarily abandoned by it's player base.

  • I can also make the client THINK it got from the server I got 18 quintillion gold, but normally for all sane MMO, the server does not trust the client, and all data are calculated server side then sent to the client. So you may change values in the client like appearing to have lot of gold with cheat engine, but the server still sees you as poor as job. I seriously doubt a MMO as old as wildstar would still have such a flaw, as this is the first thing which get exploited : trusted client data (in today's wo
    • by mentil ( 1748130 )

      In Everquest, there was a brief bug where one bank somewhere in the world, exchanged iirc 10 coins for 1 coin of the next highest denomination, when the official exchange rate is supposed to be 100:1. A programmer forgot the exchange rate, and miscoded that bank. People took advantage of it until the developers figured out their mistake and fixed the bank.

    • Re:Something smells (Score:4, Interesting)

      by EndlessNameless ( 673105 ) on Thursday August 03, 2017 @03:49PM (#54936173)

      Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.

      I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.

      To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just of series of transactions between the client and the server, and their protocols and daemons can be exploited just like web servers.

      If anything, the games are probably more vulnerable because web servers typically use standard protocols and libraries, which are audited and tested by security professionals. I doubt the net code on a random MMO is tested seriously for anything more than latency and reliability.

  • "Cheatalogist"

  • ..and why not? (Score:5, Insightful)

    by mrthoughtful ( 466814 ) on Thursday August 03, 2017 @02:56PM (#54935685) Journal

    So there are loads of people who seem to find his exploits bad or wrong. But I think - great, go for it. Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award. The games companies are not much more than modern parasites - and 'Manfred' is merely a parasite's parasite.

    Who, actually, gets harmed. The gamers want the cash - he can supply it at market rates - and the publishers are already horrendously bloated and fattened on the continual streams of micropayments.

    Maybe because his name is a reference to the Prantagonist of Accelerando, but I, for one, am in favour of Manfred's profession.

    • Re:..and why not? (Score:5, Insightful)

      by CannonballHead ( 842625 ) on Thursday August 03, 2017 @03:08PM (#54935805)

      Who, actually, gets harmed

      Maybe now, but if you RTA, he started out by "deleting" people's houses in Ultima Online. That would be pretty frustrating if you were one of the people who owned the scarcely available and highly in-demand house.

    • Who, actually, gets harmed. . . . the publishers are already horrendously bloated and fattened on the continual streams of micropayments.

      Wow -- way to rationalize. There are an awful lot of people in the world who make a lot less money than you do. I take it you wouldn't have a problem with them helping themselves to some of yours since, in their eyes, you have way more than you need?

    • Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award.

      Yeah, that's the whole reason a market for gold farmers exists in the first place. Because huge sections of the game are very, very boring.

    • He is actually doing less harm to the game than the publishers.

      The publishers put in sections that are designed to be painful enough to make you pay to avoid them. All he does is provide the means.

    • Who, actually, gets harmed.

      Do you actually play MMOs? These guys tend to spam their godl sales any which way they can, flooding your inbox and every chat they can access. Pretty damn annoying.

  • Its sometimes tough to keep your mouth shut.
  • Whether he makes it to 21st depends mostly on whether there are MMORPG players in the audience.

  • by 404 Clue Not Found ( 763556 ) * on Thursday August 03, 2017 @03:08PM (#54935809)

    Why is anything in a MMO except maybe basic movement done client-side? How is it that a debugger can affect the currency attached to an account? Shouldn't every transaction be started and logged serverside? You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...

    • by EndlessNameless ( 673105 ) on Thursday August 03, 2017 @04:04PM (#54936293)

      Why is anything in a MMO except maybe basic movement done client-side?

      Maybe movement and basic actions are all that is supposed to happen client-side.

      How is it that a debugger can affect the currency attached to an account?

      The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.

      Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time, those professionals disclose their findings to the developer---something which I doubt is happening with MMO developers.

      Shouldn't every transaction be started and logged serverside?

      Gold is not the basis of all transactions. Spells use resources, crafting professions use resources, and health pools fluctuate.

      Lots of things are happening 24/7, and it can be very difficult to determine what needs to be logged.

      You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...

      I would expect that from a real-world bank. In a random MMO, they have no reason to bother unless there is a noticeable problem.

      In most MMOs, you can loot gold from dead NPCs, and you can spend gold to buy things from NPCs. You can often sell useless items to NPCs as well. In those cases, there are probably no accounts to send/receive money. The player's balance is simply credited/debited directly for the value of the transaction.

      If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

      Banks have rigorous controls to detect this sort of thing, but no one is going to develop SOX-level controls on a whim. That level of auditing is seriously burdensome---in terms of both compute and personnel.

      • I don't know... I'm not convinced. The article doesn't have much detail. The login & dupe desync hack sounds believable, but using a debugger to up your currency? That sounds like he's just using something like Cheat Engine to change the clientside display, and the server should just reset it to the right amount the next sync... even movement often works that way, resulting in rubberbanding when you run faster than the server thinks you ought to be able to.

        MMOs are a huge market, and there is often real

        • That sounds like he's just using something like Cheat Engine to change the clientside display

          If the developer is really stupid, then maybe this is the case.

          Or he could be using it to tamper with the client communication in order to exploit the underlying protocols.

          Given those two options, I assume the latter. My assumption ascribes the developers a modicum of competence, and therefore imples a greater degree of respect for the attacker's skill.

          It should be trivial to write the client to never really even understand transactions, just requests.

          I use the term transaction loosely, not necessarily in reference to SQL. I.e., a client submits an action, the server processes that action, and then server

      • If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

        This point is a possible case. If he somehow edited the value of an item which could be sold back to a NPC, then the NPC will give the money to the client and this could be done on the client side. The information of selling and gaining money would then be sent to update on the server data.

        I agree with you that the server usually does not monitor every transaction from clients because it is MMO. If a server has to verify every transaction, the game server could be easily overloaded which could cause lags an

      • ...something which I doubt is happening with MMO developers.

        If the MMO is even paying developers any more, and if they have some bug reporting mechanism. Lots are largely abandonware, with a small core of players religiously still playing, trying to reach whatever goal they've set for themselves. Doesn't mean that those players wouldn't be willing to shell out some $$ to achieve that goal. And even if there are active developers, there's a good chance that they're being asked to develop more DLC/microtransaction stuff ahead of bug-fixes, because that's where the mo

    • by Xyrus ( 755017 )

      Simple. Bad/lazy/desperate programming. Most game houses are sweatshops, especially the so-called "free-to-play" games. Pushing out the next big money maker is much more important than fixing/designing solid code. Something seems to be slowing the server down? Push it on the client. After all, how many people know how to...wait, how did that guy manage to get a gajillion gold?

      And it's not just the Asian trash MMO's either. Home grown MMOs have this problem as well. For example, Elder Scrolls Online at one p

    • He was probably exploiting some item dupe bug. Most mmo's are server apps that sit on relatively slow databases so a lot of caching is involved. The exploit fools the app server into depositing some amount into a bank while retaining your existing currency or whatever.

      Probably an easier way to handle this long term is simply run reports on how much currency people actually have in game and where its going and close accounts based on that.

    • Well obviously things are different in the modern age, but I can share a story on this principle from the world of an ancient AOL game, CyberStrike. Your score was controlled server side, so modifying that in the client didn't do anything. But as a young teen, eventually I discovered that a variable that effected your score (multiplier) was indeed trusted from the client. Years and years into the game, the highest legitimate score was IIRC 800,000 something that took hours of play a day for like 5 years, bu
  • by nsxdavid ( 254126 ) <dw@@@play...net> on Thursday August 03, 2017 @03:09PM (#54935821) Homepage

    I'm amazed that software engineers work on online games and do not understand that you can never trust the client.

    I get that mistakes can be made, but this is generally a software design and architecture problem.

    Having said that, today we found a flaw in our server that let someone sneak in number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.

    Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name. :)

    • by Anonymous Coward

      It's simple. Games are not security critical applications.
      Low latency is more important to attract lots of players than making an unhackable game.

      • by Calydor ( 739835 )

        The source of your paycheck should always be considered a security critical application.

      • Not really... yeah low latency is great and all, but when talking an online game... the average price of goods on the market suddenly spiking to 500x the amount you can earn via legitimate gameplay, or losing forms of PVP due to players that can see through walls, or move 4x the speed the game allows, or are just plain immortal etc... will pretty quickly scare off any players it attracted. In single player games it's pretty easy to shrug off cheating, because it doesn't effect non-cheating players, but onli
    • by Kaenneth ( 82978 ) on Thursday August 03, 2017 @06:28PM (#54937153) Homepage Journal

      Eh, I once played a dial-up days online game where you could bet currency for a 50/50 chance to return 1.8 times the currency.

      You couldn't bet more than you had.

      So I bet -10,000,000,000 and lost.

      Which meant I gained 10,000,000,000 currency.

      Which overflowed the currency counter.

      Which crashed the game instance.

      Which dumped me to a remote command prompt.

      Which allowed me to download the unencrypted user password file.

  • Just wait for the IRS edit and maybe CFAA changes. Each one can lead to hard fed time but at the doctors + room + board are free.

  • by subanark ( 937286 ) on Thursday August 03, 2017 @03:44PM (#54936117)

    Back in 2003 (or sometime before WoW) I was part of a hacking community that wrote RuneScape bots. I remember the day someone found an item dupe hack. This was actually the opposite, if you attempted to trade 0 of an item that wasn't stackable and you didn't actually have, your recipient would receive the item. Combine this with a spell that turned items into currency and you have a serious problem.

    Someone decided to be a complete idiot/ass and did their best to ruin the economy. The devs put a bounty of a lifetime premium subscription on anyone who could tell them of how the hack worked. The person who tried to ruin the economy was the first and only instance I know of that got an IP ban.

  • What's a sanity check? Must be part of some Lovecraft Mmo, no need for such things in my game.
  • Capitalism at work.

What hath Bob wrought?

Working...