For 20 Years, This Man Has Survived Entirely By Hacking Online Games

An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesales them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Never trust the client?

[EndlessNameless]

Why is anything in a MMO except maybe basic movement done client-side?

Maybe movement and basic actions are all that is supposed to happen client-side.

How is it that a debugger can affect the currency attached to an account?

The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.

Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time, those professionals disclose their findings to the developer---something which I doubt is happening with MMO developers.

Shouldn't every transaction be started and logged serverside?

Gold is not the basis of all transactions. Spells use resources, crafting professions use resources, and health pools fluctuate.

Lots of things are happening 24/7, and it can be very difficult to determine what needs to be logged.

You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort...

I would expect that from a real-world bank. In a random MMO, they have no reason to bother unless there is a noticeable problem.

In most MMOs, you can loot gold from dead NPCs, and you can spend gold to buy things from NPCs. You can often sell useless items to NPCs as well. In those cases, there are probably no accounts to send/receive money. The player's balance is simply credited/debited directly for the value of the transaction.

If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

Banks have rigorous controls to detect this sort of thing, but no one is going to develop SOX-level controls on a whim. That level of auditing is seriously burdensome---in terms of both compute and personnel.

Re:Dumb to do a talk and interview

[avandesande]

If you RTFA it says he is going legit.