Neopets tweetstorm exposes 9-year-old’s pet-trading ‘crime ring’

Inside this user's rare trading ring.


Onaje McDowelle

Internet Culture

Posted on Aug 25, 2020

In a viral Twitter thread, one user shared the story of how an organized virtual pet-trading ring led them to be booted from Neopets. It’s the story of a 9-year-old “drunk on power,” and how a past operation to flip rare pets backfired before their eyes, coming to a head this week with the help of a massive 2012 data breach.

The Neopets leak

The thread begins with Everest (@everestpipkin), who did not respond to a request for comment, explaining that every so often, they check back on their old Neopets account to see if they can possibly salvage access to it. Neopets is a virtual community that allows users to own and care for fantasy pets online. Similarly to platforms like Club Penguin or Webkinz, the site contained minigames and was eventually marketed as physical memorabilia such as plush toys, stickers, jewelry, and other merchandise. While the website’s heyday has come and gone with the 2010s, Neopets is set to launch a rebooted mobile experience in the near future.

“Every few years I email Neopets support asking if they can help me log into my childhood account,” they began. “and (unsurprisingly, tiny team, millions of old accounts) I’ve never heard back.”

The user goes on to explain that they originally considered the Neopets account completely lost, being that it was linked to their dad’s long-gone America Online account in addition to having a fake birthday on file (in order to bypass age restrictions). It wasn’t until they recently had the idea of digging around for data breaches and security leaks from the site that the possibility of regaining access was restored.

A hack on Neopets occurred in 2012, before the site’s acquisition by its new ownership, Jumpstart, in 2014. According to one Reddit user’s Have I Been Pwn’d notification, the data leak included extensive user information with 27 million unique emails, passwords, IP addresses, names, and geographic locations made available in plain text. The information was found to be traded at auction and allegedly stemmed from breaches on the site that had occurred years prior.

In a statement addressing the leak on Facebook, Neopets confirmed that increased security measures were put into place on the site following the incident. The site’s management strongly recommended password changes for anyone who has not reset theirs since 2012 or uses a similar password on other accounts online.

It was this very vulnerability that Everest took advantage of by accessing leaked files and cross-referencing back to their own throwback credentials. They finally identified the password, only to find that someone had beat them to the punch and switched it out before they got the chance to retrieve their old trove of pets and virtual assets. No dice.

The Neopets ‘crime ring’

But, why do they care about accessing such an old account in the first place, nostalgia notwithstanding? Well, Everest in the viral thread confesses to a mind-boggling, potentially lucrative plot: They stopped using Neopets after their “organized crime ring” was taken down by the site, they say. Crime being: rare pet adoptions in exchange for virtual currency, and eventually PayPal compensation.

“Neopets had a ‘pound’ where you could drop unwanted pets for adoption,” they explained. “So me and party two would get on [AOL Instant Messenger], they’d buy some overpriced item in my shop, then I’d put the pet up for adoption, they’d search its name at the exact moment, adopt it, done.”

As for how they handled customizations, Everest details that the method came to fruition by way of Neopets’ “lab ray” treasure hunt. Once completed by assembling pieces of a map, users could access a button which would apply completely random color and pattern designs to the pet. They’d apparently take pets, zap them until they turned into something fit for profit, then make a new pet to replace them, and repeat the entire process.

Eventually, Everest staffed the operation through Neopets social guilds, a group system that had ranks, conditions, and an invite-only forum customized with HTML, where business logistics were to be handled. A portion of the profits was given to those on their team providing help. As the currency continued to add up and the group strengthened its influence, they explain that they resorted to burner accounts, babysitting forum users’ accounts, and recruiting Neopets operatives at school to sustain the hustle. That was satisfactory until the business outgrew itself and it was time to raise the stakes.

With the help of a little guesswork, they had allegedly found their way into an all-new account that did not belong to them. And like clockwork, they began using the account to bolster the original business. Finally, with time they worked up the strength to go through with a new customization zap on the intercepted account.

After successfully customizing on an all-new account, the operation was up and running at an even more blistering pace. “Over the course of 6 months, my guild /transformed/. We had a process. We had a hit list of accounts. We collated thousands of probable passwords… we grew exponentially.” As smoothly as the operation was going, Everest eventually turned control over to their second in command out of “boredom” and being “lonely at the top.”

By then it was 2002 and Everest was 11 years old, they said. Enter, PayPal.

That’s when things got ugly. After their general absence for nearly half a year, Everest’s new leadership had overrun the operation by their own accord, promoting new workers and establishing a rulebook and culture of their own independently. They ended up kicking Everest out.

“I had plenty of power on my own… I set up my first transfer using my personal shop, and it went – flawlessly. some small portion of all my accumulated Neopets empire turned into $10 USD in my unverified Paypal account,” they say, regarding the next steps after branching away from the guild. “Within a few weeks, I’d repeated the transfer dozens of times with different Neopians. I’d never seen so much money in my life.”

In response, their second in command took measures into her own hands, vilifying Everest and the entire original operation with the help of Neopets support. “… she took two and half years of internal conversations, forum posts, text documents, and AIM chats to Neopets support and got them to freeze every single account I had ever touched, including my Paypal account which I never successfully recovered,” they wrote.

By then, there was just one account left. An offshoot account that Everest had made at some point along the journey. One that they only used to play games and host other pets.

But despite the work to restore their login, as of press time Everest remains locked out. The viral tweetstorm has been faved almost 7,000 times.

Today’s top stories

‘Fill her up’: Bartender gives woman a glass of water when the man she’s with orders tequila shot
‘I don’t think my store has even sold one’: Whataburger employees take picture with first customer who bought a burger box
‘It was a template used by anyone in the company’: Travel agent’s ‘condescending’ out-of-office email reply sparks debate
Sign up to receive the Daily Dot’s Internet Insider newsletter for urgent news from the frontline of online.
Share this article
*First Published: Aug 25, 2020, 5:20 pm CDT