The hacker who went to war with Riot Games
In August 2012, League of Legends was the most popular PC game in the world. More than 12 million players across Europe and North America played the game daily, and after nearly three years on the market, into its U.S.-based developer, Riot Games, was looking to expand into Asia.
As the game continued to grow, so did the value of a user account. Players would spend hours unlocking new characters and in-game enhancements called “runes.” They'd also spend real money customizing accounts with things like cosmetic enhancements for their favorite champions. This gave a League of Legends account real value, which in turn spawned a rapidly growing sideline in hacking and selling.
Early on, this was mostly the work of a few small-timers dealing in a dozens of accounts at most. But that month, something on a much grander scale happened. Somehow, a perpetrator gained access to Riot Games' North American servers. The company never revealed how many accounts were affected.
It appeared that Riot had suffered its first major security breach. It hadn't.
Almost exactly one year prior, hackers compromised the company's European server, accessing 120,000 transaction records that contained account information, including encrypted credit and debit card numbers. Riot didn't disclose the full details of the incident until the end of 2012.
At first, nothing arose from the stolen records. People mostly forgot about the security breaches. Certainly no-one put together that both of the attacks had stemmed from the same group and, largely, one person.
This is the story of a 21-year-old hacker from Queensland, Australia, who pulled off the two biggest hacks in League of Legends history. His detailed account of the events, if true, calls into question Riot’s official accounts—and suggests the attacks were far larger than anyone previously imagined.
By August 2013, League of Legends had continued its extraordinary growth. It had taken the Asian market by storm, becoming most popular played game in South Korea—long considered the "mecca of esports" thanks to the mainstream popularity of pro gaming there. Riot was preparing to host a world championship in October that would pay out $1 million to the winners and be held in a sold-out Staples Center, home of the Los Angeles Lakers.
It was against this backdrop that the hacker, known at the time only by the alias Jason, used information from his security breaches to fire the first of many salvos against Riot.
He revealed himself to the public on Aug. 12. In the middle of a streaming session on Twitch, popular League of Legends streamer James “Phantoml0rd” Varga was suddenly kicked out of his account, unable to log back in.
Someone then transferred all of his League of Legends account information to servers based in Brazil, which would mean Varga would both suffer a lot of lag and be forced to play with Brazilian players. Varga, an experienced streamer, was at a loss to explain how it had happened. He'd always been very careful with his personal information. News of the strange hack quickly spread to Reddit's popular League of Legends forum.
It turned out Varga had good reason to be surprised. He hadn't inadvertently handed his information over to anyone. Instead, it had been in the original batch of account info stolen in 2012. And he wasn’t alone. Jason was just getting started.
Over the next few days, other high-profile players saw their accounts transferred to Brazil. Then, an account named “Devil,” which hadn’t been active in over four years, began posting to a popular chat room in the game and threatening to reveal personal details from other users' accounts on forums. Each of the brief missives was signed “Jason.”
Jason also somehow obtained admin rights on the forums, which he used to edit user posts and sow confusion. Hundreds of people started to post about compromised accounts. One thread, from a user named GOPGangster, detailed how it happened.
On Aug. 20, Jason contacted him and threatened to take over his account. "I didn't believe him until my account was taken," GOPGangster wrote. He knew he "was screwed," he said, when his friend asked him why he left his ranked team. His account then wrote "I am God, Jason," and transferred to Riot's Oceania server.
The password to the account was long and included "lots of random things that would be very difficult to grab,” GOP Gangster recalled. “Worst of all my account had my credit card info saved."
Stories like this spawned a growing sense of unease among users, many of whom accused Riot of not taking the situation seriously. On Aug. 13, a poster who appeared to be a Riot staffer responded to one of the critiques. He dismissed the attacks as an elaborate “troll." There had been no breach, he said, and urged people to “put down the pitchforks.”
Another supposed Riot staffer added that Jason had been the "the subject of an ongoing investigation.”
"We have found him/her to have been brute-forcing accounts at very high speeds," the staffer wrote. "Bruteforcing" refers to systematically checking all possible keys or passwords until the correct one is found. "There has not been any type of data leak, nor breach.”
But according to Riot, those staffers who were so dismissive of the breach weren't staffers at all. Their accounts had been hacked—by Jason himself.
From the gloating he was doing online, it was clear Jason was having a lot of fun with the hacks. They were also proving to be quite lucrative.
Jason sold the legacy skins—cosmetic enhancements that were valuable because they'd been discontinued by Riot—for between $200 and $800 on various forums. Riot forced players to change their passwords and promised a security overhaul.
The company never stated how many accounts were compromised. Jason told the Daily Dot in November he had access to 24.5 million accounts, a number that can't be independently verified. Riot Games did not respond to a request to comment on this article.
According to Jason, the sheer volume of accounts was part of why he waited nearly two years before using the information. A database of a few thousand people’s personal information is worth a significant amount on the black market, but one with tens of millions could be worth millions. The plan was to sell as much as he could before showing his hand.
In fact, Jason probably could have just kept selling off the skins. Perhaps out of boredom, the self-proclaimed "god" began exploring other hacking targets. Not content with finally forcing Riot's public and embarrassing statement on the 2011 hack, Jason turned his attention to the company's staff.
In October 2013, Riot President Marc Merrill’s Twitter account suddenly took on a very different tone: It began leaking information from Jason's earlier hacks, specifically about a project that Riot had stopped working on.
Called League of Legends: Supremacy, the project was a card game similar to Blizzard's hit Hearthstone. Riot had registered a trademark for a year previously.
“Well I think this would be a good time to show off Riot’s card game, who wants to see pictures? 50 re-tweets for pictures,” the tweet read. It was signed “Jason (God).”
“Did I mention this game was fully completed but never released?" Jason wrote after tweeting out an image of the game's loading screen. "Riot doesn’t want you to play this game. Take it up with them.”
He went on to leak an Imgur gallery of card templates, which has since been mostly scrubbed from the Internet, and threatened to release 200 megabytes of artwork into the public domain unless Merrill contacted him directly.
Within an hour of that tweet, Jason relinquished control of the account back to Merrill. The details of what was discussed between the two has never been revealed. Merrill was left with the awkward task of explaining the game away as just an “experiment” that wasn’t ever likely to see the light of day. Once again, Jason had given Riot a very public black eye.
The same night, Oct. 13, two subpoenas were filed against Google and Yahoo for the email accounts “Jking” and “Jasonking999” respectively, both of which had been linked to earlier instances of account-selling. Jason was still dabbling in compromising the accounts of high-profile streamers and professional players, not knowing that the law was hot on his heels.
In November, police in Queensland, Australia, issued a search warrant on Shane Duffy, a 21-year-old with Asperger Syndrome who had been homeschooled since the age of 9 because the educational system couldn’t meet his requirements.
Then in March, the Australian Cybercrime Unit raided Duffy’s home in the small agricultural town of Kingaroy and seized his computer equipment. Police would shortly reveal that Duffy was, in fact, Jason. Riot finally knew the name of its tormenter.
According to police, the League of Legends attacks weren't Duffy's only forays into hacking. His group—whose other members are still mostly unknown—had also hacked sites like virtual pet community Neopets. Sources close to the group also claimed he had been involved in the compromise of several esports sites, including the Curse Network forums and the SoloMid Networks.
Duffy seemed somewhat nonplussed about the whole thing when we spoke to him. Released on bail pending further investigation, he laughed about how easy it had been to compromise the North American servers. He said it wasn’t "hacking" at all. While he needed hacking skills for his first attack in 2012, he said, it was only Riot's ineptitude that was to blame for the 2013 attack.
Here's how he claimed it happened: During their first bout of bruteforcing passwords in the 2012 North America attack, Duffy's group obtained details for a senior staff member. Aware of the breach, Riot told its employees to change their passwords, but Duffy claims this one employee did not. Through this account, the group was able to access Riot’s servers. Once inside, they dropped in backdoor software that gave them ongoing access to the servers. Riot didn’t detect the backdoor until one of his colleagues got "sloppy," Duffy said.
By then, the group had access to the first 24.5 million accounts, in chronological order of creation.
Given his predilection for making Riot look bad, it’s hard to know if Duffy’s telling the truth. It’s clear, however, that he hadn't learned his lesson and was looking to antagonize the company even further. While still on bail, he created a website that was dedicated to wreaking havoc on the game.
Called LoLip-op.com, the website advertised itself as an “IP resolver" for League of Legends. The service was simple: A paying customer could input the name of a player on the opposite team and, provided he was one of those 24.5 million compromised accounts, it could generate an IP address—the unique number that identifies the network you're using to connect to the Internet—that was linked to that account. Using this, the service would knock the player out of the game.
Another section of the site offered a “stresser,” where users could put in any IP and perform a “stress test” against it, in other words a distributed denial-of-service (DDoS) attack. This would then cause the affected player to be unable to play and, in turn, allow the person using Duffy’s service to easily win the game.
Within a month, Reddit forum posts and esports journalists drew attention to the service. It had proven to be popular, reportedly receiving 880 separate payments in a single month, all of varying amounts. Duffy was allegedly clearing upwards of $1,000 a day.
Unable to resist the limelight once more, Duffy popped up on the League of Legends Reddit forum, answering questions, antagonizing people who objected, and talking about some of his earlier escapades. Duffy's DDoS tools became a huge source of controversy in the League of Legends community. So it's perhaps not surprising that, shortly after this decision to resurface, police again arrested him. His equipment was once more seized, along with $110,000 worth of the virtual currency Bitcoin.
Since being caught, the man who called himself a “king” and a “god” has looked anything but, with his mother coming to his defense. She told The Australian that her son is no criminal mastermind, regardless of his public persona.
“Shane’s capable,” she said. “But then the information he had and accessed was freely available on the Internet. Somebody else has thrown the database out there.”
Duffy appeared in court on April 23, where the judge prohibited him from going online before and during the trial. He faces nine charges related to hacking Riot servers, including five counts of fraud.
On July 24, Duffy's three-year war against Riot Games will finally end in a Queensland courtroom. League of Legends continues to grow. Its slick esports competitions, featuring the most structured professional league format in North America and Europe, have drawn the curious attention of mainstream media, including ABC and HBO. Around 30 million people play the game daily. Duffy's war may have ended, but he surely isn't the last Jason.
Correction: This article originally did not include Riot's allegations that its staffers' accounts, which posted dismissive comments about the breach in 2013, had been hacked by Duffy. Additionally, it misattributed a pair of official statements on the hacks, which led to an inaccurate timeline. We regret the errors.
Image via Riot Games (remix by Fernando Alfonso III)