Slashdot Mirror


For 20 Years, This Man Has Survived Entirely By Hacking Online Games (vice.com)

An anonymous reader writes: A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time job. Manfred's character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real-life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred's virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion. I'm watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn't have a right to have. He would then sell those items and currency to other players (for real money) or wholesale them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players. At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency. When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted to go in, give his demo, and go out "as a ghost," never to be seen or heard from again. He said he wanted to be "invisible," just like he's been for the past two decades. He said he's found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full-time job.

21 of 114 comments

  1. Wildstar by Nidi62 · · Score: 3, Interesting

    It was actually a pretty fun game. Stopped playing it though because of hackers. Every time you tried to gather a resource a hacker would zoom in, immediately harvest it, and fly off. Just got too annoying.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Wildstar by vivian · · Score: 4, Insightful

      You have missed my point.
      Game developers do spend time and effort to make the game secure. However, security is a trade off - you want to have end to end encryption of the messages and in-memory encryption of all variables? That's going to cost you lots of extra CPU cycles and reduce your framerate.
      No software is hack proof - this has been demonstrated time and time again.
      This arsehole has boasted that he has spent 20 years doing nothing but hacking and ripping off other game players. If there are no repercussions for that, it's going to only encourage a lot more doing the same.
      This is not a victimless crime. It denies honest game players enjoyment of the game, it increases development costs substantially to have to devote resources to patching hackable flaws, and it most importantly deprives the game company of customers when they get disappointed in the game and leave.
      I have no problem with someone hacking a single player game and giving themselves a bazillion HP and max gold - it's only affecting their own game play. What I have a problem with is when they go on to ruin the game for other players, without penalty to them whatsoever.

      A car analogy: You lock your car and take reasonable precautions to secure it. If someone throws a brick through the window and steals it, you don't say "oh well - should have installed brick proof windows" - you expect that there are laws that will deter this behavior and prosecute the perps when they are caught.
      If someone boasted they have been tossing bricks through car windows for 20 years and living off the stolen cars, you'd expect some action to be taken against them.

  2. Dumb to do a talk and interview by mattwarden · · Score: 4, Interesting

    Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview. Amazing what people will risk for a little fame.

    1. Re:Dumb to do a talk and interview by barc0001 · · Score: 4, Interesting

      I would speculate he's doing the talk because he's probably already made all the money he thinks he needs and is retiring from it. It's entirely possible that he is also a hypocrite who was troubled that what he was doing was possible, but not troubled enough to stop doing it for his own benefit but now that (speculated) he is comfortable enough to retire he wants to shine a spotlight on the practice to encourage the affected game companies to close off the holes and prevent anyone else from doing what he did.

    2. Re:Dumb to do a talk and interview by Anonymous Coward · · Score: 5, Insightful

      Almost certainly wrong. Humans don't work like that. Typically when someone decides to reveal their E-Z money secrets it's because it's dried up and now there's more to be gained from talking than the actual doing. Or it's total bullshit and never did work. A well known "motivational" speaker or two come to mind.

    3. Re:Dumb to do a talk and interview by avandesande · · Score: 3, Informative

      If you RTFA it says he is going legit.

      --
      love is just extroverted narcissism
    4. Re:Dumb to do a talk and interview by DerekLyons · · Score: 2

      "Regardless of the ethics... This guy is risking his entire livelihood by doing a talk and interview."

      0.o How? Do you think companies are going to magically start finally getting rid of the hackers? Or somehow suddenly become omni-competent at doing so?

  3. Mind-numbingly boring by tgibson · · Score: 2

    There are so many software engineering jobs that offer more mental challenge, more reward in terms of mental stimulation. And when he gets older...I doubt he is even saving for retirement.

    1. Re:Mind-numbingly boring by James+Carnley · · Score: 4, Interesting

      Hacking is sort of like solving puzzles. You find the systems, analyze them, and look for loopholes and edge cases. It's mentally challenging and varied. Sure the hacks might follow a few standard techniques after a while but each specific instance is different and carries its own risks.

      I have a software engineering job that I would say is fairly challenging but I also do a whole bunch of grunt work and google pasting solutions for one off things. I wouldn't say my job is vastly better than his except for maybe the retirement plan. But even then if he got lucky he could out earn me quickly for finding a key exploit for a hot new game and milking it for a while.

  4. Poster Child by duke_cheetah2003 · · Score: 4, Insightful

    ...For everything wrong with MMOs these days. This guy is it. Good job, you and your kind have ruined most MMOs for everyone to make a buck.

    The really sad part is they are destroying the very thing they're making money off.

    No one likes to play an MMO that's obviously been hacked numerous times and that game's internal economy has been completely wrecked by this behavior.

    1. Re:Poster Child by Anonymous Coward · · Score: 5, Funny

      MMOs ruin more lives than crack so this man is doing God's work and your anger pleases me.

    2. Re:Poster Child by magarity · · Score: 4, Interesting

      "and that game's internal economy has been completely wrecked by this behavior"

      Why is the central service unaware that the total game bucks in circulation suddenly jumped? The game needs routines that monitor the money supply.

  5. Re:Invisible? by Gay+Boner+Sex · · Score: 3, Funny

    What is more astonishing is that he has actually SURVIVED entirely on hacking. No food, no water, not even any air or light.

    We should breed this guy in case we go to "nuclear war with Russia" and dust him off when all the cockroaches like Miss Mash and BeauHD scurry around in the nuclear war threatening the remaining regular humans with their mutated airborne cockroach AIDS spores. This hacker can carry his own.

  6. ..and why not? by mrthoughtful · · Score: 4, Insightful

    So there are loads of people who seem to find his exploits bad or wrong. But I think - great, go for it. Those MMOs are either overtly or covertly encouraging many people to spend huge amounts of time (and often, hard cash) for a meager award. The games companies are not much more than modern parasites - and 'Manfred' is merely a parasite's parasite.

    Who, actually, gets harmed? The gamers want the cash - he can supply it at market rates - and the publishers are already horrendously bloated and fattened on the continual streams of micropayments.

    Maybe because his name is a reference to the protagonist of Accelerando, but I, for one, am in favour of Manfred's profession.

    --
    This comment was written with the intention to opt out of advertising.
    1. Re:..and why not? by CannonballHead · · Score: 4, Insightful

      "Who, actually, gets harmed"

      Maybe now, but if you RTA, he started out by "deleting" people's houses in Ultima Online. That would be pretty frustrating if you were one of the people who owned the scarcely available and highly in-demand house.

  7. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  8. Rule #1: Never Trust The Client by nsxdavid · · Score: 3, Interesting

    I'm amazed that software engineers work on online games and do not understand that you can never trust the client.

    I get that mistakes can be made, but this is generally a software design and architecture problem.

    Having said that, today we found a flaw in our server that let someone sneak in a number that caused an overflow in one of our APIs for our online mobile game. The net result was a huge positive value in virtual currency. Of course we found it because of rule #2: Make sure you have systems that detect anomalies on anything important. The easiest of which is something like virtual currency spikes, so that stood out like a sore thumb.

    Clever game hackers know to fly under the radar, but their impact (even if they get away with it) is therefore limited. But even then you can detect exploits with more mysterious mechanisms, which I will not name. :)

    --
    David Whatley
    1. Re:Rule #1: Never Trust The Client by Kaenneth · · Score: 4, Interesting

      Eh, I once played a dial-up days online game where you could bet currency for a 50/50 chance to return 1.8 times the currency.

      You couldn't bet more than you had.

      So I bet -10,000,000,000 and lost.

      Which meant I gained 10,000,000,000 currency.

      Which overflowed the currency counter.

      Which crashed the game instance.

      Which dumped me to a remote command prompt.

      Which allowed me to download the unencrypted user password file.
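
An added example, not code from either commenter or from any game: the "can't bet more than you have" check from the story above beside a server-side handler that range-checks the amount and the addition, plus a per-settlement spike check in the spirit of "rule #2". The struct, function names, threshold and the reading of "1.8 times" as stake plus 0.8x profit are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical server-side account record (illustrative, not from any game). */
typedef struct { int64_t balance; } account_t;

typedef enum { BET_OK, BET_BAD_AMOUNT, BET_INSUFFICIENT, BET_OVERFLOW } bet_result_t;

/* The flawed rule from the story: only "you can't bet more than you have". */
bool settle_bet_flawed(account_t *a, int64_t bet, bool won) {
    if (bet > a->balance) return false;   /* a negative bet passes this test */
    if (won) a->balance += bet - bet / 5; /* assumed: 1.8x = stake + 0.8x profit */
    else     a->balance -= bet;           /* subtracting a negative credits the player */
    return true;
}

/* Server-side validation: range-check the amount, then check the addition. */
bet_result_t settle_bet(account_t *a, int64_t bet, bool won) {
    if (bet <= 0) return BET_BAD_AMOUNT;
    if (bet > a->balance) return BET_INSUFFICIENT;
    if (!won) { a->balance -= bet; return BET_OK; }   /* safe: 0 < bet <= balance */
    int64_t gain = bet - bet / 5;
    if (a->balance > INT64_MAX - gain) return BET_OVERFLOW; /* would wrap the counter */
    a->balance += gain;
    return BET_OK;
}

/* "Rule #2": flag any single settlement that credits more than max_step.
   Assumes balances are non-negative, so the subtraction cannot overflow. */
bool credit_anomaly(int64_t before, int64_t after, int64_t max_step) {
    return after > before && after - before > max_step;
}

int main(void) {
    account_t a = { 100 };                       /* constructed sample account */
    settle_bet_flawed(&a, -10000000000LL, false);
    printf("flawed:   balance=%lld anomaly=%d\n", (long long)a.balance,
           credit_anomaly(100, a.balance, 1000000));
    account_t b = { 100 };
    printf("hardened: result=%d balance=%lld\n",
           settle_bet(&b, -10000000000LL, false), (long long)b.balance);
    return 0;
}
```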

  9. This brings me back by subanark · · Score: 2

    Back in 2003 (or sometime before WoW) I was part of a hacking community that wrote RuneScape bots. I remember the day someone found an item dupe hack. This was actually the opposite, if you attempted to trade 0 of an item that wasn't stackable and you didn't actually have, your recipient would receive the item. Combine this with a spell that turned items into currency and you have a serious problem.

    Someone decided to be a complete idiot/ass and did their best to ruin the economy. The devs put a bounty of a lifetime premium subscription on anyone who could tell them of how the hack worked. The person who tried to ruin the economy was the first and only instance I know of that got an IP ban.

  10. Re:Something smells by EndlessNameless · · Score: 3, Interesting

    Or maybe he sent a bunch of garbage to the server to trick it into thinking he ought to have 18 quintillion gold, and the client was subsequently updated to reflect that value.

    I seriously doubt he could sell in-game goods if he couldn't convince the server that he had them.

    To be clear, the idea that the game is accepting a gold value directly from the client is laughable. Everyone would be exploiting it if it were that simple. But any MMO is just a series of transactions between the client and the server, and their protocols and daemons can be exploited just like web servers.

    If anything, the games are probably more vulnerable because web servers typically use standard protocols and libraries, which are audited and tested by security professionals. I doubt the net code on a random MMO is tested seriously for anything more than latency and reliability.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  11. Re:Never trust the client? by EndlessNameless · · Score: 3, Informative

    "Why is anything in a MMO except maybe basic movement done client-side?"

    Maybe movement and basic actions are all that is supposed to happen client-side.

    "How is it that a debugger can affect the currency attached to an account?"

    The client must interact with the server in some way to increment/decrement the currency in certain accounts. The server-side code that controls those interactions is probably riddled with security vulnerabilities. It's almost entirely custom code.

    Think of how often Apache/IIS/PHP/etc vulnerabilities are discovered, and then recall that these products have been hammered by security professionals for years. And, most of the time, those professionals disclose their findings to the developer---something which I doubt is happening with MMO developers.

    "Shouldn't every transaction be started and logged serverside?"

    Gold is not the basis of all transactions. Spells use resources, crafting professions use resources, and health pools fluctuate.

    Lots of things are happening 24/7, and it can be very difficult to determine what needs to be logged.

    "You'd think an account that suddenly increases in value by several billion, with no account receiving a similar decrease, would trigger an internal flag of some sort..."

    I would expect that from a real-world bank. In a random MMO, they have no reason to bother unless there is a noticeable problem.

    In most MMOs, you can loot gold from dead NPCs, and you can spend gold to buy things from NPCs. You can often sell useless items to NPCs as well. In those cases, there are probably no accounts to send/receive money. The player's balance is simply credited/debited directly for the value of the transaction.

    If Manfred found an exploit in the NPC shop protocol that allowed him to process sales for items he didn't actually have, then he could easily generate a lot of in-game money very quickly.

    Banks have rigorous controls to detect this sort of thing, but no one is going to develop SOX-level controls on a whim. That level of auditing is seriously burdensome---in terms of both compute and personnel.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.