For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com)
An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesale them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.
That's nothing. This Indian man survived 70 years without food, water or going to the bathroom.
http://nationalpost.com/g00/ne... [nationalpost.com]
Wildstar (Score:3)
I would say there is a point where hacking really becomes a responsibility of the developers of the game to address. Lineage 2, Darkfall, and many other MMOs bit the dust when the devs wouldn't deal with the spammers and hackers. (Lineage 2, you would get ganked before even fully loading as a new player, and Darkfall only banned people who complained about how crappy the game was.)
It all started with Everquest, where at first with ShowEQ, it was a few people who discovered how to easily watch for mob spawns
So now instead of spending coding hours on adding interesting game play and content, the developers have to spend the time on making it hack proof with bank-level security. Even then, banks still get hacked - so having to add ever increasing levels of security to prevent hacks hurts the game performance and game play experience, and is still not a guarantee of success of preventing hacks.
This makes the games less fun and more expensive for all players.
The guy should be sued into oblivion or possibly even sentenced
did he get 4/4/4/4 guardian jedi on swg before the village?
no he didnt, he is a punk bitch
Dumb to do a talk and interview (Score:5, Interesting)
Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.
Re:Dumb to do a talk and interview (Score:5, Interesting)
I would speculate he's doing the talk because he's probably already made all the money he thinks he needs and is retiring from it. It's entirely possible that he is also a hypocrite who was troubled that what he was doing was possible, but not troubled enough to stop doing it for his own benefit but now that (speculated) he is comfortable enough to retire he wants to shine a spotlight on the practice to encourage the affected game companies to close off the holes and prevent anyone else from doing what he did.
> there's more to be gained from talking than the actual doing.
Except DefCon is where he's talking and last I looked presenters don't really get paid. And he's planning on ghosting after the one talk so it's not like he's setting up a lecture circuit with this appearance, so I doubt that.
0.o How? Do you think companies are going to magically start finally getting rid of the hackers? Or somehow suddenly become omni-competent at doing so?
Mind-numbingly boring (Score:3)
There are so many software engineering jobs that offer more mental challenge, more reward in terms of mental stimulation. And when he gets older...I doubt he is even saving for retirement.
Re:Mind-numbingly boring (Score:4, Interesting)
Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.
I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out earn me quickly for finding a key exploit for a hot new game and milking it for a while.
Because while he declined in the article to say how much he's made in total over the years, he does mention one specific revenue stream. He said that in Everquest, he's sold around 100 player houses-apparently a rare thing with a limit on how many can be owned-in all, with an average price of $200000. So 200k from one single game, even if it
Or like Diablo 2. Best in slot items for the closed, not widely hacked servers could sell for $150-200 easy, and there were a lot of them. It was definitely possible to make good money, if
Nope. It's the same crap you do at work (debugging, critical thinking, etc) with a much, much higher upside. Sure there are boring parts (e.g. purchasing items from the ill gotten funds) but I see no reason why this part can't be outsourced after the hard work is done.
ok (Score:2)
No shit, Sherlock.
Poster Child (Score:5, Insightful)
...For everything wrong with MMOs these days. This guy is it. Good job, you and your kind have ruined most MMOs for everyone to make a buck.
The really sad part is they are destroying the very thing they're making money off.
No one likes to play an MMO that's obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.
MMOs ruin more lives than crack so this man is doing gods work and your anger pleases me.
He's providing a public service really. If the only thing attractive about an MMO is a fake-economy and/or the grind for equipment or resources it should die.
Re:Poster Child (Score:4, Interesting)
"and that game's internal economy has been completely wrecked by this behavior"
Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.
Why is the central service not doling out and approving money?
If you get a dollar, or gold, or credit, it should be because the server handed it to you.- for doing whatever you did to earn it.
This sort of thing is supposed to be moderated by the server. If you do 10HP damage to an enemy, the server should tell you that you did 10HP damage and account for it properly
I think you've just explained how this guy does it. For every game, this guy gets on the dev team. He spends months, tirelessly persuading them to do it wrong. He doesn't shut up. Eventually, the other devs give in, often with the rationalization, "well, at least this'll fix the performance and scaling problems." H4XX K0MPL337!
So, emulating James T. Kirk (Score:1)
In defeating the Kobayashi Maru simulation.
Abandoned (Score:2)
> Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion
Yes, and any game that doesn't have the most basic anti-cheat mechanisms in place to detect such a thing should be summarily abandoned by its player base.
Something smells (Score:2)
In Everquest, there was a brief bug where one bank somewhere in the world, exchanged iirc 10 coins for 1 coin of the next highest denomination, when the official exchange rate is supposed to be 100:1. A programmer forgot the exchange rate, and miscoded that bank. People took advantage of it until the developers figured out their mistake and fixed the bank.
EverQuest (1) is 10:1 from copper:silver:gold:plat, always has been.
Re: (Score:3)
Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.
I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.
To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just a series of transactions between the client and the server,
Business Card: (Score:1)
"Cheatalogist"
..and why not? (Score:4, Insightful)
So there are loads of people who seem to find his exploits bad or wrong. But I think - great, go for it. Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award. The games companies are not much more than modern parasites - and 'Manfred' is merely a parasite's parasite.
Who, actually, gets harmed. The gamers want the cash - he can supply it at market rates - and the publishers are already horrendously bloated and fattened on the continual streams of micropayments.
Maybe because his name is a reference to the protagonist of Accelerando, but I, for one, am in favour of Manfred's profession.
Re:..and why not? (Score:5, Insightful)
> Who, actually, gets harmed
Maybe now, but if you RTA, he started out by "deleting" people's houses in Ultima Online. That would be pretty frustrating if you were one of the people who owned the scarcely available and highly in-demand house.
> Who, actually, gets harmed. . . . the publishers are already horrendously bloated and fattened on the continual streams of micropayments.
Wow -- way to rationalize. There are an awful lot of people in the world who make a lot less money than you do. I take it you wouldn't have a problem with them helping themselves to some of yours since, in their eyes, you have way more than you need?
> Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award.
Yeah, that's the whole reason a market for gold farmers exists in the first place. Because huge sections of the game are very, very boring.
He is actually doing less harm to the game than the publishers.
The publishers put in sections that are designed to be painful enough to make you pay to avoid them. All he does is provide the means.
Made $$... until he mentioned it. (Score:1)
Survived 20 years hacking online games (Score:2)
Whether he makes it to 21st depends mostly on whether there are MMORPG players in the audience.
Never trust the client? (Score:4, Informative)
Why is anything in a MMO except maybe basic movement done client-side? How is it that a debugger can affect the currency attached to an account? Shouldn't every transaction be started and logged serverside? You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...
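Added example, not part of any comment in this thread: a minimal server-side double-entry ledger showing the two checks raised above, a money-supply audit and a flag for an account that gains currency with no matching debit. The account names, faucet/sink names and `max_gain` threshold are hypothetical.

```python
from collections import defaultdict

# Hypothetical server-controlled accounts: only these create or destroy currency.
FAUCETS = {"quest_reward", "loot_drop"}
SINKS = {"vendor", "repair_fee"}

class Ledger:
    """Double-entry currency ledger: every credit has a matching debit."""
    def __init__(self):
        self.balances = defaultdict(int)
        self.minted = 0   # total issued by faucets
        self.burned = 0   # total removed by sinks

    def transfer(self, src, dst, amount):
        # The server validates the amount; the client only names the action.
        if type(amount) is not int or amount <= 0:
            raise ValueError("amount must be a positive integer")
        if src in SINKS or dst in FAUCETS:
            raise ValueError("invalid direction for a sink or faucet")
        if src in FAUCETS:
            self.minted += amount
        elif self.balances[src] < amount:
            raise ValueError("insufficient funds")
        else:
            self.balances[src] -= amount
        if dst in SINKS:
            self.burned += amount
        else:
            self.balances[dst] += amount

    def audit(self):
        """Currency held by players minus net currency issued; 0 when consistent."""
        return sum(self.balances.values()) - (self.minted - self.burned)

def find_spikes(before, after, max_gain):
    """Accounts whose balance grew by more than max_gain between two snapshots."""
    return sorted(a for a, bal in after.items() if bal - before.get(a, 0) > max_gain)

def demo():
    ledger = Ledger()
    ledger.transfer("quest_reward", "alice", 500)
    ledger.transfer("alice", "bob", 200)
    ledger.transfer("bob", "vendor", 50)
    snapshot = dict(ledger.balances)
    clean = ledger.audit()
    # Constructed fault: a balance written outside transfer(), as a buggy handler might.
    ledger.balances["mallory"] += 10**18
    return clean, ledger.audit(), find_spikes(snapshot, ledger.balances, max_gain=10_000)
```

`demo()` returns the audit result before the fault, the audit result after it, and the flagged accounts.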
> Why is anything in a MMO except maybe basic movement done client-side?
Maybe movement and basic actions are all that is supposed to happen client-side.
> How is it that a debugger can affect the currency attached to an account?
The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.
Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time,
I don't know... I'm not convinced. The article doesn't have much detail. The login & dupe desync hack sounds believable, but using a debugger to up your currency? That sounds like he's just using something like Cheat Engine to change the clientside display, and the server should just reset it to the right amount the next sync... even movement often works that way, resulting in rubberbanding when you run faster than the server thinks you ought to be able to.
MMOs are a huge market, and there is often real
I've certainly tried breaking MMOs. Much of the UI stuff is handled clientside, but you'd expect transactions to happen on the server.
The article isn't talking about wallhacks or resource maps or teleportation or overlays, but conjuring billions of credits out of nowhere. I find it hard to believe there's no transaction integrity checking for that...
Simple. Bad/lazy/desperate programming. Most game houses are sweatshops, especially the so-called "free-to-play" games. Pushing out the next big money maker is much more important than fixing/designing solid code. Something seems to be slowing the server down? Push it on the client. After all, how many people know how to...wait, how did that guy manage to get a gajillion gold?
And it's not just the Asian trash MMOs either. Home grown MMOs have this problem as well. For example, Elder Scrolls Online at one point
Rule #1: Never Trust The Client (Score:3)
I'm amazed that software engineers work on online games and do not understand that you can never trust the client.
I get that mistakes can be made, but this is generally a software design and architecture problem.
Having said that, today we found a flaw in our server that let someone sneak in a number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.
Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name.
:)
It's simple. Games are not security critical applications.
Low latency is more important to attract lots of players than making an unhackable game.
The source of your paycheck should always be considered a security critical application.
Re: (Score:3)
Eh, I once played a dial-up days online game where you could bet currency for a 50/50 chance to return 1.8 times the currency.
You couldn't bet more than you had.
So I bet -10,000,000,000 and lost.
Which meant I gained 10,000,000,000 currency.
Which overflowed the currency counter.
Which crashed the game instance.
Which dumped me to a remote command prompt.
Which allowed me to download the unencrypted user password file.
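Added example, not code from the game or from any poster: the bet handler described in the comment above with only its upper-bound check, beside a hardened version that also rejects non-positive wagers and results outside the counter's range. The function names and the 32-bit counter width are assumptions, and the outcome is passed in here only to keep the example deterministic.

```python
INT32_MAX = 2**31 - 1   # assumed width of the stored currency counter

def fits_counter(value):
    """True if value can be stored in the (assumed) signed 32-bit counter."""
    return 0 <= value <= INT32_MAX

def settle(balance, wager, win):
    """Take the stake, then pay 1.8x the stake on a win (integer arithmetic)."""
    payout = wager * 9 // 5 if win else 0
    return balance - wager + payout

def place_bet_vulnerable(balance, wager, win):
    # Only "can't bet more than you have" is enforced. A negative wager passes,
    # so losing subtracts a negative number and the balance goes up.
    if wager > balance:
        raise ValueError("cannot bet more than you have")
    return settle(balance, wager, win)

def place_bet_hardened(balance, wager, win):
    # Reject anything that is not a plain integer (floats, strings, bools).
    if type(wager) is not int:
        raise TypeError("wager must be an integer")
    # Both bounds: strictly positive and no more than the current balance.
    if not 0 < wager <= balance:
        raise ValueError("wager out of range")
    new_balance = settle(balance, wager, win)
    # Python integers do not wrap, so this check stands in for the overflow
    # a fixed-width counter would suffer; refuse instead of storing.
    if not fits_counter(new_balance):
        raise OverflowError("result does not fit the currency counter")
    return new_balance

def demo():
    # Constructed input: the wager from the comment, lost against a balance of 100.
    result = place_bet_vulnerable(100, -10_000_000_000, win=False)
    try:
        place_bet_hardened(100, -10_000_000_000, win=False)
        rejected = False
    except ValueError:
        rejected = True
    return result, fits_counter(result), rejected
```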
Just wait for the IRS edit and maybe CFAA changes (Score:2)
Just wait for the IRS edit and maybe CFAA changes. Each one can lead to hard fed time but at the doctors + room + board are free.
As long as he reported the income then the IRS doesn't care about illegality.
Taxation of illegal income [wikipedia.org]
This brings me back (Score:2)
Back in 2003 (or sometime before WoW) I was part of a hacking community that wrote RuneScape bots. I remember the day someone found an item dupe hack. This was actually the opposite, if you attempted to trade 0 of an item that wasn't stackable and you didn't actually have, your recipient would receive the item. Combine this with a spell that turned items into currency and you have a serious problem.
Someone decided to be a complete idiot/ass and did their best to ruin the economy. The devs put a bounty of a
Sheesh (Score:2)