Hacker Made $1,000 A Day from Stolen League of Legends Accounts

[Esmeralda Portillo]

Hacker Made $1,000 A Day from Stolen League of Legends Accounts

A hacker in Australia managed to make over $1,000 a day from accounts he stole from League of Legends databases.

With popularity comes potential vulnerability, as Riot Games continues to learn. this time on Riot's North American servers [http://forums.euw.leagueoflegends.com/board/showthread.php].

It looks like one person, Shane Duffy, was responsible for both intrusions.

Duffy, who went by the alias "Jason," was able to gain access to over 24.5 million accounts after obtaining password information through a James "Phantoml0rd" Varga [http://en.wikipedia.org/wiki/Brute-force_attack] during one of his Twitch streams. He even transferred Phantoml0rd's account to Brazil so Varga's games would lag.

Duffy continued to have fun with other players, going on streams and threatening to reveal people's personal information while also stating "I am God, Jason." He gained admin access to the League of Legends forums and edited moderators' posts to confuse the community. Duffy even managed to log into Riot President Marc Merrill's Twitter account one day to leak internal information on an unreleased game he found during his hacks.

He was arrested in March 2014 by the Australian Cybercrime Unit. Before his arrest, he would sell legacy skins that were discontinued--but he obtained illegally--for $200 to $800 each. After he was let out on bail, he created a website called LoLip-op.com where people could pay to kick any one of those 24.5 million accounts and even setup DDoS attacks on players to help the buyer win matches. The site netted Duffy $1,000 or more a day. He was arrested again soon after and the police managed to seize $110,000 of Bitcoin from his records.

Shane Duffy is 21-years-old and has been homeschooled since fourth grade because according to his mother "the education system did not want him" due to his Asperger condition. He allegedly worked with a group of hackers who are still unknown, and he says they're responsible for other hacks like ones on Neopets and the Curse Network forums. He's been charged with three counts of computer hacking and misuse as well as several counts of fraud [http://www.theaustralian.com.au/news/mother-of-accused-denies-hack-attack-on-riot-games-and-theft-of-player-information/story-e6frg6n6-1226860625835?nk=6fb5e7c5512ba983ee11d65b4ac06bfb]. He will have his day in court on July 24th.

Source: Polygon [http://www.dailydot.com/esports/jason-shane-duffy-league-of-legends-hacks/]

Permalink

 

[Kenjitsuka]

"Shane Duffy is 21-years-old, has Asperger Syndrome, "
Yes, that is very important information related to the case. Not at all helping stigmatising to proliferate!!

 

[RionP]

"Shane Duffy is 21-years-old, has Asperger Syndrome, "
Yes, that is very important information related to the case. Not at all helping stigmatising to proliferate!!

Don't you know? It's stating unbiased information. Like finding Call of Duty in the room of a school shooter is just stating unbiased information.

 

[Saulkar]

Spoilers not opening, not being able to quote, what is this website coming to... OOOOH, Shiny!

@Kenjitsuka It is surprising and depressing how ignorant people are about Asperger syndrome. Adding little tidbits like these are not doing the image of the condition any good when people automatically assume you are intrinsically a trouble maker. You have to hide it until the person knows you well enough that you can tell them but in the meantime they believe you to be either aloof or a sociopath because the registration and expression of emotions is a challenge that not everyone with Aspergers can overcome. It is exacerbated when you run the gamut of sensory defensiveness, one track mind that filters everything else out, the occasional ticks, and inconsistent swings between extroversion and introversion. This is not even touching upon cognitive social incompetence/mal-development. It is a trying experience, growing up with Aspergers and knowing you will never truly live it out.

I need to be extra thankful that there were people who fought for me, to ensure that I had the skills and motivation to make through all of school, no matter how hard, and get a job. For people like this, who fell through the cracks, it sorrows me. But it sorrows me just as well that journalistic discretion was ignored and an already inherent stigma is reinforced. What was added to the story by mentioning him to be a high functioning autistic?

Now preview no longer works, ergh!

 

[ron1n]

As soon as I saw this, all I could think of was:

I guess the only question left is:

'How can you imprison, that which has no life?'


Not sure which is more pathetic, his actions or the people who were actually paying him.

EDIT: in fact, I'm going to go out on a limb and say the latter -_-

 

[Scorpid]

What a loser. For real I have no respect for people like him. People that just think the best thing in the world is to make other peoples lives harder for no reason.

 

[Starke]

Isn't brute force attacking, the most basic way of hacking?

Pretty much. Which doesn't say very charitable things about Riot's security.

 

[Pinky's Brain]

Just that they don't use physical login tokens (which any big company should, but it's hardly standard practice) and that they probably don't have heuristics to detect anomalous logins (which any big company should, but it's hardly standard practice). Really login security is atrociously weak across the industry, internet is a hacker's heaven.

I suspect there are conspiracies to keep internet security weak by the security services ... there are so many things which would be trivially easy to introduce or to create official recommendations from government to do which could improve matters, but instead security has been at a stand still for decades.

He probably got the account database for some other forum the admin used and brute forced the key from that ... that's how passwords are usually cracked, since a lot of people reuse the same password.

 

[Rakschas]

Every Semi-Nerd has Aspergers according to the definition thats commonly known. It takes a professional psychologist or psychiatrist to deduce wether or not the behaviour of that person actualy stems from a form of autism or he/she is simply not conforming due to other reasons.

Still, LoL is a super high profile game, so I get why it gets lots of negative attention like that. Lots of instances mean that someone somewhere is bound to succeed at some point. I feel sorry for the part of the community that simply wants to enjoy a competitive game.

 

[Elfgore]

Who the fuck uses Jason as a code name? Jason doesn't sound cool at all, I should know. I've been stuck with the damn name for nearly twenty years.

To sum up my opinion, kudos to him for being so stealthy about it, I lack any sort of respect for him, and Asperger Syndrome has nothing to with this. This was just a human being greedy.

 

[NuclearKangaroo]

all things said thats an impressive résumé

 

[Glaice]

"Shane Duffy is 21-years-old, has Asperger Syndrome, "
Yes, that is very important information related to the case. Not at all helping stigmatising to proliferate!!

True, what point is giving this information out, especially the the Aspergers and home schooling tidbit?

 

[Buizel91]

Neopets is still a thing? Da fuq?

Anyway, this is quite scary, i have many friends who play this and i hope they didn't get affected.

 

[CriticalMiss]

He allegedly worked with a group of hackers who are still unknown, and he says they're responsible for other hacks like ones on Neopets

Neopets? Shit. We're dealing with a pro here! (I didn't even know Neopets was still a thing)

I kind of hope they will also be able to go after the people who were paying this guy for fucking around with other peoples accounts/matches. If you need to pay someone to hack a game and boot someone from a match you're kind of pathetic. Although I'm not sure what Riot could do. Reset their account so it has no wins?

 

[The Rogue Wolf]

I don't know what's more pathetic: This guy, or the people who paid so much for his "services".

I mean, seriously. Paying someone to DoS your opponent so you can win? Weak.

 

[XenoScifi]

Fat kid with glasses, home schooled....nerd hacker?! Grats to his mom for creating this monster.

Looks like the only thing he's hacking into is diabetes....am I right? Because he's overweight and probably just sucks down high fructose drinks and cheetos.

 

[Dr. Pepper Unlimited]

Whoa...whoa...whoa...someone took the time to actually hack Neopets? Why?

 

[Dragonbums]

Just reading this article it almost sounds like he would've gotten away with his attacks for a lot longer if he wasn't publicly acting like a colossal douche bag to people on the forums.

It almost seems like he was ASKING to get arrested with all the stunts he pulled. And it clearly does seem to be the case because immediately after bail he goes and makes a website where people can pay to get others kicked off of LoL.

This is amazing.