For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com)
An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real-life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesale them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full-time job.
It was actually a pretty fun game. Stopped playing it though because of hackers. Every time you tried to gather a resource a hacker would zoom in, immediately harvest it, and fly off. Just got too annoying.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.
Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.
I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one-off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out-earn me quickly for finding a key exploit for a hot new game and milking it for a while.
I'm amazed that software engineers work on online games and do not understand that you can never trust the client.
I get that mistakes can be made, but this is generally a software design and architecture problem.
Having said that, today we found a flaw in our server that let someone sneak in a number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.
Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name. :)
David Whatley
Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.
I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.
To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just a series of transactions between the client and the server, and their protocols and daemons can be exploited just like web servers.
If anything, the games are probably more vulnerable because web servers typically use standard protocols and libraries, which are audited and tested by security professionals. I doubt the net code on a random MMO is tested seriously for anything more than latency and reliability.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
"and that game's internal economy has been completely wrecked by this behavior"
Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.
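Two server-side controls come up in the comments above: refusing currency arithmetic that would overflow, and monitoring the money supply for sudden jumps. The sketch below is an added example, not code from any game or commenter in this thread; the wallet structure, function names, thresholds and sample balances are all assumptions, and the wraparound shown is the generic unsigned case rather than a reconstruction of any bug in the story.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical server-side wallet; names and limits are assumptions. */
typedef struct { uint64_t gold; } wallet_t;

/* Unchecked debit: if price > gold, the unsigned subtraction wraps around. */
uint64_t debit_unchecked(uint64_t gold, uint64_t price) {
    return gold - price;
}

/* Checked debit: the server refuses a purchase the wallet cannot cover. */
bool debit_checked(wallet_t *w, uint64_t price) {
    if (price > w->gold) return false;
    w->gold -= price;
    return true;
}

/* Checked credit: reject any amount that would overflow the balance. */
bool credit_checked(wallet_t *w, uint64_t amount) {
    if (amount > UINT64_MAX - w->gold) return false;
    w->gold += amount;
    return true;
}

/* Money-supply monitor: sum all wallets (saturating) and flag the snapshot
 * if circulation grew by more than max_growth since the previous audit. */
bool supply_spike(const wallet_t *w, size_t n, uint64_t prev_total,
                  uint64_t max_growth, uint64_t *total_out) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].gold > UINT64_MAX - total) { total = UINT64_MAX; break; }
        total += w[i].gold;
    }
    *total_out = total;
    return total > prev_total && total - prev_total > max_growth;
}

int main(void) {
    wallet_t world[3] = {{100}, {2500}, {40}};   /* constructed sample data */
    uint64_t total;
    printf("baseline spike=%d\n", supply_spike(world, 3, 2640, 10000, &total));
    world[0].gold = debit_unchecked(world[0].gold, 101);  /* wraps */
    printf("after wrap: gold=%llu spike=%d\n",
           (unsigned long long)world[0].gold,
           supply_spike(world, 3, 2640, 10000, &total));
    return 0;
}
```

The checked functions stop the bad value from being written in the first place; the supply monitor is the backstop that catches whatever path was missed.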