How a Silicon Valley teen made thousands of dollars hacking a wildly popular online game
High above the quiet Silicon Valley town of Saratoga, two high school seniors scrambled out of an SUV and into the cold night air of the Santa Cruz mountains. The view below them, studded with city lights, was gorgeous, but they weren’t here to smoke a joint and take it all in. Thousands of dollars were at stake. Justin Liu, a wiry Asian 18-year-old, and his friend Aurash Jalalian planned to hack MapleStory, a massive multiplayer online game. Using a method that would crash one of the game’s servers, they planned to duplicate expensive virtual items, some of which can go for $200 or more on online black markets.
If everything went well, they could make thousands overnight.
The two trampled into the Liu family home, a three-story fortress leaning over the mountainside. They ran through the basement and up a flight of dark stairs into a messy bedroom, crowded by a king-sized bed. They tossed Multivariable Calculus textbooks haphazardly on the ground and tore laptops out of backpacks. Frantically typing over Skype, Liu reached out to his online friends from across the globe. Soon enough, the team needed for the complicated duplication process had been assembled. This team, an unruly band of hackers in the game’s secret hacking community, are one of many such groups that have long plagued a corporation’s most successful and wildly popular game—and the company Nexon has sued in the past to punish hackers.
Just twenty minutes before, Liu had been studying for a Multivariable final when he received a message from a MapleStory friend. A vulnerability in the game’s programming had been discovered that could allow Liu and his friends to “dupe”—duplicate—hundreds of items, before Nexon, the South Korean company that publishes MapleStory, could catch on.
The bedroom was silent except for the constant beeping of Skype notifications, between Liu and someone who called himself Duke. Liu stared at his computer screen and typed rapid-fire.
“Who the f**k is playing music?” Liu asked Duke over Skype.
“My brother.”
“Well turn him off — break his strings or some sh*t.”
An hour passed in silence. The virtual world of MapleStory, where players fight monsters for virtual currency (Mesos), trade and barter with newly-made friends, buy the latest bling, and level curse after curse at each other, buzzed on.
“Shit!” Liu yelled, suddenly furious.
The vulnerability that the two had so furiously tried to exploit had been released to the public via a post on an unofficial MapleStory website, vastly increasing the chances that Nexon could and would trace and undo their work. Frantic, Liu searched for the leaker to get him to take down the post.
The leaker, it turned out, was a hacker friend named Miles, who had released the dupe in retaliation — another hacker had spread Miles’ dupe, and so Miles had released it to the public, essentially destroying any value the technique had once had.
“Dude, delete it,” Liu pleaded. I looked over his shoulder at the screen.
[9:35:58 PM] Miles: it's wayyy
[9:35:59 PM] Miles: too late
[9:36:00 PM] Miles: now
[9:36:00 PM] Miles: lol
[9:36:02 PM] Liu: DUDE JUST DELETE IT
[9:36:03 PM] Liu: SO NEXON
[9:36:05 PM] Liu: DOESN'T KNOW HOW TO
[9:36:05 PM] Liu: PATCH IT
...
[9:39:42 PM] Miles: I fk’d myself
[9:39:45 PM] Liu: why
[9:39:45 PM] Miles: by trusting
[9:39:49 PM] Miles: someone
[9:39:50 PM] Liu: so you did it
[9:39:51 PM] Miles: and then
[9:39:51 PM] Liu: out of ego
[9:39:52 PM] Liu: #shame
[9:39:55 PM] Miles: nono
[9:39:58 PM] Miles: then
[9:39:59 PM] Miles: it spread
...
[9:40:18 PM] Miles: this exploit
[9:40:20 PM] Miles: got out of hand
[9:40:23 PM] Miles: and everyone knows it
Liu sagged in his chair, exhausted. He knew that the chances of keeping his valuable virtual items had dropped drastically.
“Whatever,” he said. “It’s hit or miss; we might as well continue. We’ll just rinse, repeat and keep duping items.” More than occasionally, Nexon fails to correct a hack. With this Hail Mary in mind, Liu and Jalalian worked until 2 a.m., until they had built up a satisfactory cache of duplicate items.
“We’re in the I-have-a-headache-and-I’m-hungry stage,” Jalalian said, as we headed downstairs into a huge kitchen. Liu’s parents were long asleep, as were, Jalalian pointed out, most folks with finals the next day.
Liu made eggs, sunny side-up. This was his first time hacking Maplestory in a while, he told me, having quit for months. Still, he couldn’t resist the allure of another dupe. It hadn’t gone as well as planned: old connections had gone stale or completely dead, and because he couldn’t force his friend to remove the post, there was little chance of this dupe ever working.
“I came all the way back to MapleStory,” he said, spreading salt over the eggs. “And no one wants to talk to me.”
Maplestory
As long as there have been online games with virtual currencies, gamers have tried to take advantage of them. The most infamous exploit, and maybe the only one to ever break through to the public consciousness, was the phenomenon of the so-called “gold farmer”. In China, hunched over computers in crowded sweatshops and even prisons, workers mined World of Warcraft gold through menial tasks, to be resold for real money to wealthier players. The business boomed. In 2005, The New York Times reported that there were over 100,000 full-time gold farmers in China alone.
Other notable hacks came as early as 1997, when Ultima Online players figured out a way to kill “Lord British,” a supposedly invulnerable character sent in to do a server stress test. In 2005, EVE Online players stole $16,500 from another group through a targeted virtual assassination.
MapleStory presents rare opportunities for hackers with even a cursory knowledge of coding, like Liu. The game is huge and free-to-play, with over 35 million user-created characters, and, as a consequence, constitutes a huge market for cheap items. While you can’t sell items for real money in the game, third party services like Paypal provide an easy loophole. For-profit hacking is present in almost every massive multiplayer online game, but some hackers and programmers say MapleStory is remarkably easy to hack due to its “gaping vulnerabilities.”
Eos Parish is a programmer who owns southperry.net, a website that analyzes developments in MapleStory. He said that hackers are “subtly poisoning” the game, though the fault lies on the end of the publisher Nexon and game designer Wizet.
“Maple has by far the worst abuse I have seen,” he wrote in an email. “The combination of its popularity and openness and the severity of its design flaws made it a perfect storm for exploitation for profit.”
It’s hard to quantify just how harmful and prevalent these hacking networks are. Nexon has taken legal action against specific, particularly sophisticated hackers, but thousands and thousands of players use simple hacks on a daily basis. In MapleStory, mass duplication of the kind done by Liu and his friends is less common, and almost always leads to extreme deflation since the supply of goods becomes artificially inflated.
But, even more importantly, some of Liu’s hacks require crashing the game, which could constitute a denial of service attack, a federal crime under the Computer Fraud and Abuse Act. By this standard, even lesser, more common hacking could be considered potential fraud.
Parish doesn’t believe Nexon, which only gave a short statement for this story, will prosecute Liu or hackers of his ilk. “It makes more sense for them to target the suppliers than the users,” he wrote. “It'd be too time-consuming and expensive to bother targeting a hacker here or there while hundreds more are waiting to take their place.”
I asked Liu if he feared prosecution. He dismissed it, saying that he wasn’t doing anything illegal.
That’s assuming Nexon never goes after the mid-level hackers. If the company decided to take another tack, Parish said that it is “entirely possible for Nexon to go for 'low hanging fruit' if they see a highly visible, recognizable and easily prosecutable hacker ... to instill fear into the masses.”
Justin on his computer
I first met Justin when we were both freshmen, preparing to take the AP Chinese exam. I didn’t really get to know him until junior year, when we sat at the same table in AP Calculus, which he rarely attended. Like myself and many of my peers, he’s the son of Chinese immigrants turned engineers — the “silicon elite” as they’re known, though to us they’re mostly just awkward, visor-toting parents with irrepressible immigrant instincts.
In class, Liu was always That Guy Who Never Listens in Class; in-thought and quiet, he’d sit a few desks away from me, slumped over, staring idly at a pen, not even feigning attention. Outside of test prep, though, he struck me in many ways an average Saratoga teenager — prom, AP classes, girls and goofing-around. Except, of course, instead of doing homework, Liu spent his time exploiting MapleStory.
In the weeks following the night at Justin’s, I couldn’t help but wonder: who were the other hackers, this vast network of people who conspired with Justin? Duke, DOTcurrency, Kizaki — they seemed like a colorful bunch, but finding them turned out to be difficult. The ones I contacted mostly claimed to be “retired” and the few that weren’t feared legal ramifications.
Their fears weren’t without justification. In, 2012, Nexon sued a woman named Alexandria Anastasia Cornwall (and others) for providing hacks to other players, alleging the “insidious and harmful practice of developing, distributing, and selling, for a profit [hacks] that ... destroy the online experience of this game.” In other words, Nexon accused them of destroying the game by enabling thousands of players to hack.
I contacted Cornwall through a Skype video call. Going by the alias “Riu Kizaki” online, Cornall is a hacker turned “legitimate” — though not by choice. A programmer whose abilities Liu described as “godly,” Cornwall (who described Liu, in turn, as “small fish”) first started hacking in college — basically, because she could. However, her tuition at Baylor University was costly, so she turned to for-profit hacking. In a short period, Cornwall said she made $30,000 by selling hacks to others and — she confided with a bit of a smirk — by hiding ads in the programs her clients unwittingly downloaded. She said that rampant hacking occurs as a result of Nexon’s “incompetence.”
“Nexon is very, very bad at programming,” Cornwall said. “They have a ton of crashes in their game, players get disconnected, channels will crash ... it's like they don't understand as a programmer you're supposed to assume the client is always malicious, always wanting to destroy everything.”
Ultimately, Nexon settled with Cornwall, who said that the monetary damage to her was “not devastating.” [The settlement listed damages as $750,000 and stipulated that Cornwall was not to discuss her hacking activities, though she gave an interview previously to Maple.FM, a MapleStory website. Parish described the situation as “baffling.”]
Though the terms of her settlement prevent Cornwall from discussing the intricacies of her hacking, she was happy to describe the larger community. Secretive and largely aloof, many of the for-profit hackers don't actually play the game outside of “duping.” If Nexon bans their character, they make another one. If Nexon bans their IP address, they simply tunnel through with a Virtual Private Network. And if MapleStory gets boring or less profitable, they move onto other games.
“If Nexon hired me I could get the entire community banned and save them hundreds and thousands of dollars,” Liu told me. “Would I do it? Probably not — a lot of these people are my friends.”
The core hacker community, numbering perhaps a few dozen, is predominantly white and comprised of people in their late teens or early twenties. Over Skype and on message boards, stories run wild: Liu told me about groups bringing in thousands of dollars a day, and extremely profitable hacked currency generators. One hacker was rumored to have made $32,000 in two weeks before releasing his dupe to the public on New Years. He was, according to the story, a 16 year-old high school dropout.
Wilson* was once an extremely well-known hacker who, by his own admission, “polarized” the community. A 20 year-old who works in a non-tech job, Wilson claims to have left the game and hacking over a year ago.
He fears that other hackers try to glamorize the practice because many people in the hacking community, he said, are “stupid as all hell or extremely cocky — everyone thinks they’re extremely special. [They do it] for ego, for reputation ... They’re saying it because they know they’re going to be publicized, be recognized.”
Though he was reluctant to talk to me, Wilson agreed to go on the record because he was worried that “people will think that this is a luxurious way actual way to make money.”
“It's been too physically and mentally straining, not some sort of stupid cushy job,” he said. “I've made enough money to sustain myself [for a bit], but I can’t go out and buy a new fuckin’ Mercedes.”
Maplestory
2013 New Years’ Eve at noon — prime time for MMOs, which usually see high traffic on holidays — Liu was playing MapleStory when he found out about a new dupe. Coincidentally or not, this new dupe had been released publicly when most Nexon America employees were on vacation.
Initially, Liu didn’t think much of it, since a public dupe usually means a patched dupe. But he got his team together and went to work, anyway.
“The first rule of duping,” he said, “is to never count on Nexon to rollback, because it costs them a lot of money. The second rule of duping is to abuse the fuck out of it.”
Throughout the night, internal conflicts between Liu’s group of six broke out over the division of duplicated goods. They split into two groups of three; Liu watched as the other group disintegrated. One left for New Years’ dinner, the second guy went off to eat out of anger, and the third guy was “just sitting there, raging by himself.”
Liu and his team stayed up until 6 in the morning. By this time, Liu guessed that it was too costly for Nexon to rollback the economy, so the crew tried to figure out ways to outsmart Nexon’s response system. Nexon’s tactic involved banning accounts with certain duped items, so Liu and his group created several characters and gave them each a specific item — that way, if Nexon went after item A, the character holding A is banned and useless, but those holding items B, C, and D would still be around.
“If you never try you'll never profit,” he said. “100 times, 99 times it’s a rollback, [but the one time it’s not] you make bank, so you have to go for it.”
The next day, Nexon America CEO Min Kim addressed the New Years dupe, telling the community “I often compare a part of our work to the emergency room ... [Our employees] did come in and worked well into the night during their holiday to fix the hack.”
Nexon never rolled back the economy; the abuse had gone on undetected for too long, and was too wide-spread. Had a rollback occurred, thousands of players would have lost their activity for the past few days. Still, Kim promised to find the remaining exploiters, who “will lose their account, their connection to their friends, and all their invested time and money.”
Liu was buoyed by the news, as his multiple-character precautions had paid off. He sold $2000 worth of duped items in a few weeks, and estimated that he had $5000 worth of items left. Liu showed me his Paypal account, which had a balance of over $9000. In total, he said he had made roughly $12,000 in two years.
When I met Liu for coffee, recently, next to a Smashburger that had sprung up at a newly revamped mall, he was far calmer than he was on the day of the first dupe. He told me that MapleStory was something that filled up his free time, a hobby. When he started playing the game in 3rd grade, he never meant to play for profit, but eventually that became the main incentive.
I asked him if MapleStory ever really affected his schoolwork; Liu had a reputation for missing school. He told me that he planned to stop playing soon — for good. In the fall, he was off to UC Berkeley, where he planned on majoring in Economics and Computer Science. The choice was inspired, in part, by his work in MapleStory.
I asked him if he ever felt bad about hacking.
“It's hard to define what's ethical or not ethical,” he told me. “Who am I stealing from?”
“Nexon,” I suggested.
“I guess you could make that argument,” he said. “But I don’t think of it that way. I'm not taking their property and selling it anywhere else. I allow people access to parts of the game that Nexon blocks off to all but the richest. What Nexon tries to make rare I make common.”
When I asked him why he did it, other than the relatively small amount of money, Liu just shrugged. “Fun?”
We walked outside to a sunny day, with a few trees swaying in the wind. Crossing the parking lot, I asked Liu if he’s ever noticed any parallels between hacking and drug dealing, the way the product flows down a pyramid from the originator, to mid-level disseminators, to a huge user base. And that the authorities are always trying to prosecute the hydra-esque offenders, who peddle their goods by black market.
He was amused. At school, he explained, he had made friends with fellow “Maplers” and even made some sales of Mesos, the in-game currency.
“I've sold $300-400 worth of Mesos to a junior at my school,” he said. “He gave me the money right in front of a sheriff and I was like ‘dude...’ I mean what would we explain, that we’re selling Mesos and not drugs?"
He laughed at the thought.
How a Silicon Valley teen made thousands of dollars hacking a wildly popular online game
Reviewed by Unknown
on
4/04/2015
Rating:
No comments:
Post Your Comment Here Please