Hackers Demand $10M From Riot Games To Stop Leak of 'League of Legends' Source Code (vice.com)
An anonymous reader quotes a report from Motherboard: Hackers stole the source code for League of Legends, and now they're asking for $10 million from developer Riot Games. Motherboard has obtained a copy of a ransom email the hackers sent to Riot Games. "Dear Riot Games," it begins. "We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat. We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000."
As evidence, the hackers provided Riot Games with two large PDFs they said would prove they had access to Packman and the League of Legends source code. Motherboard also obtained these files; they appear to show directories related to the game's code. If paid, the hackers promised to scrub the code from their servers and "provide insight into how the breach occurred and offer advice on preventing future breaches," according to the ransom note. In the message, the hackers included a link to a Telegram chat where they said Riot Games could speak with them. Motherboard joined this channel. Its members included usernames that matched those of names of Riot Games employees. "We do not wish to harm your reputation or cause public disturbance. Our sole motivation is financial gain," the ransom note said. The message has a deadline of 12 hours. "Failure to do so will result in the hack being made public and the extent of the breach being known to more individuals."
Riot Games first announced news of a compromise last week in a series of tweets. The exact nature of the hack isn't known, but Riot Games referred to it as a "social engineering attack". It also said it had no indication that user data had been affected. On Tuesday, Riot Games said in a tweet it had confirmed hackers stole the source code for League of Legends, Teamfight Tactics, and its "legacy" anticheat platform. Another tweet said that on Tuesday "we received a ransom email. Needless to say, we won't pay." "We also want to remind you that it would be a shame to see your company publicly exposed, especially when you take great pride in your security measures," the hackers said in their ransom note. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." In response to a request for comment from Motherboard, Riot declined to add anything further beyond the already published tweets.
Re: (Score:1)
Can someone translate?
Re: (Score:1)
Don't drop the soap is a prison rape reference.
The hackers think they can get away with extortion. If this gets escalated more and more governments WILL get involved. It is unknown if the hacker's being paid is untraceable but if successful the criminals could be extradited to the US where they will show up in court.
Maybe try a firewall? (Score:2, Funny)
What is the worst that can happen? (Score:4, Insightful)
So they don't get paid and they release the source code. If it was that valuable why not use it directly?
Anyone who would take that source code and make their own game from it would never be able to sell it, they would get sued into oblivion.
If I were Riot Games, I would laugh in their face.
Re: (Score:2)
League of Legends isn't particularly revolutionary anyway.
Re: (Score:1)
It may reveal security issues which can be exploited or enable more advanced cheats which can drive players, aka revenue, away.
Re:What is the worst that can happen? (Score:4, Interesting)
The anti-cheat and DRM loss might hamstring them, especially when the cheaters start marching in. In general (and I've not played LoL, so don't really know), the game companies want people to pay to win, not cheat to win, and someone cheating and getting the best armies, ships, tanks, or other stuff means that fewer people will pay thousands a month to keep buying upgrades.
Since cheating results in fewer whales spending big bucks, you bet the game companies have a lot to lose, because the people who are buying the expensive tanks are now going somewhere else to buy themselves a Titan ship or a top shelf, "S" tier anime warrior, and play the gacha until they get it.
Re: (Score:2)
This might introduce a market in LoL in game items, reducing their value to almost nothing. Hilarious.
Re: (Score:3)
Thanks, I can see that being a problem.
But it could also be a wake-up call to shore up their code. You know, treat it as if it will be released and audit/fix any holes that could allow cheating.
You can buy a lot of development and infrastructure with $10M I would think.
Re: (Score:2)
Thing is DRM can never be perfect. It's mathematically impossible. The best they can do is security by obscurity, and put a lot of effort into the obfuscation part.
The other worry is that typically they have a load of DRM layers ready to go, and as hackers find ways to cheat they release updates one by one so that cheaters only ever get a few days of use. That makes the cheat software far less valuable. If the source is leaked it might reveal potentially years worth of saved up ideas to block cheats.
Might a
Re: (Score:3)
It's probably easy enough for Riot to update their servers to not work with the stolen version of the DRM code. Everyone would have to update their client to be able to play again, but customers probably need to download updates regularly anyway.
Re: (Score:2)
If Riot were clever, things could be put into the API to find the older versions, and insta-ban people trying to use it. However, this does give a boost to the blackhats, because it will take a good amount of time and expense to re-code new DRM that is as good at warding off cheaters as the previous one.
Re:What is the worst that can happen? (Score:5, Interesting)
No, anti-cheat and DRM concepts dig quite deep into the code and aren't like a security key you can just revoke. Releasing the source code would fundamentally break both and require significant amount of re-work to get even remotely to within the ballpark of where they are now.
This is more like breaking a fundamental API, it's not an overnight patch job and blocking something on the server.
Re: (Score:2)
You can't see how the most popular game in esports having their source code released including that of the underlying anti-cheat engines would hurt Riot Games? Stevie Wonder is that you?
Re: (Score:3)
We already have lessons from history such as speed hacks when the Quake source was released. Here is what can happen with the source being public:
1. Cheaters can capitalize on existing bugs or develop new exploits that weren't previously detected.
2. Community becomes plagued with tons of new cheaters using cheat tools.
3. Majority of community slowly stops playing due to rampant cheaters.
4. Gamers move to another game and stop buying MTX.
Re:What is the worst that can happen? (Score:5, Informative)
I think you're dead right to point out the problems related to cheating & game ecosystem corruption. There's a lot of real-world money on the line and it's already a problem.
Riot has actually written some pretty interesting things on this subject in their dev blog. Even if you're not into games, there's plenty of data science in there to geek out on.
https://www.leagueoflegends.co... [leagueoflegends.com]
https://www.leagueoflegends.co... [leagueoflegends.com]
https://technology.riotgames.c... [riotgames.com]
As to the size of the ransom request, I think a lot of the people commenting on this news don't understand how big video games and esports have gotten. Here's some numbers
Hollywood, US box office
https://www.the-numbers.com/ma... [the-numbers.com]
worth 12 billion-ish in 2018.
All E-sports global
https://www.the-numbers.com/ma... [the-numbers.com]
https://www.statista.com/stati... [statista.com]
worth 1.4 billion-ish in 2022
So, it's less, but the fact that it's even in the same order of magnitude is incredible.
E-sports is just a fraction of the global video game market, but it's getting bigger.
Re: (Score:2)
It's of no use to them other than as a hostage. You think they want to run a gaming company, or code a cheating bot? No. They're out for blackmail, and that's that.
If I kidnap your kid, and send you a demand, asking why I don't raise it myself and send it to college doesn't make a lot of sense.
Re: (Score:2)
Sorry, I misinterpreted your post. My bad.
I agree with you.
Re: (Score:2)
If I kidnap your kid, and send you a demand, asking why I don't raise it myself and send it to college doesn't make a lot of sense.
It does if you want to call the bluff. Fine, keep the fucking kid!
Re: (Score:2)
sure you can, look at OnlyFans.
Re: (Score:2)
So they don't get paid and they release the source code. If it was that valuable why not use it directly?
You can't run a business on stolen code forever — unless you are very bad at it, and never become popular enough for anyone to notice. But releasing the code means that attackers get to study it, and cheaters get a leg up.
Re: (Score:3)
That makes sense, but is also absurd. How do they know the code won't be released anyway? Or that they won't receive another demand to pay next month?
Re: (Score:2)
It shouldn't be too difficult to change enough about the DRM to thwart anyone who wants to get free access.
Re: (Score:2)
Mostly it's the anti-cheat code. It's unclear how current that code is or if other measures can be put in or not.
Re: (Score:2)
If it was that valuable why not use it directly?
Do you understand the concept of value? What is valuable depends on the item and the parties involved. Just because something is valuable to Riot Games doesn't mean it's valuable to you.
I could kidnap your daughter and you may pull all stops to get together millions of dollars to get her back (or maybe you have a particular set of skills and will kill the entire drug underworld). But then back on the open market for human trafficking she's unlikely to be worth anywhere near as much as what you'd part with, w
Re: (Score:2)
People might be able to use it to find bugs and hacks slightly easier, but that's about it. Nobody else wants that code.
Re: (Score:2)
So they don't get paid and they release the source code. If it was that valuable why not use it directly?
Anyone who would take that source code and make their own game from it would never be able to sell it, they would get sued into oblivion.
If I were Riot Games, I would laugh in their face.
Erm, all they have to do is release it anonymously.
However the real risk for Riot is that people will find flaws in the code to publish cheats. As this is an online game, cheats will be popular, profitable (for the people who sell the cheat) and ruin the experience. It is also a threat to their business model of microtransactions as someone may figure out how to get skins and what not without paying.
That being said, the best course of action for Riot is to tell the hackers to go do one and deal with
As a software developer... (Score:4, Insightful)
Re: (Score:3)
Mod parent up. The magic is not in the source code. It takes an entire ecosystem, and a lot of people, to make that source code into a game people want to play.
Re: (Score:2)
Indeed. And as to the anti-cheat, cheat sellers will already have put that through a decompiler. Having the sources does not matter a lot.
Amateur (Score:3)
The most obvious sign this is an amateur is the price of $10M. If the hacker had asked for $50k or even $100k, they might have just quietly paid it to make this go away. Even if it costs them $9,900,000 to mitigate the damage caused by the leak and/or track down this little shit and sue them into eternal poverty, they'll still come out ahead.
Re: (Score:3)
The most obvious sign this is an amateur is the price of $10M. If the hacker had asked for $50k or even $100k, they might have just quietly paid it to make this go away.
You sound like you're talking about single player games that come and go without much care released by some small studios. LoL, as much as many people don't give a shit, is the world's most popular and one of the longest running e-sport games. It has been in the top highest revenue generating games year on year for .... as long as anyone can care to google. $10 million is a pittance of the revenue they generated last year alone. It's petty cash compared to how much LoL brings in for Riot.
Re: (Score:2)
That's not the argument at all. It's not that they can't afford it. It's that they can't just pay it quietly.
Re: (Score:2)
No that is my argument. A company that generates well over $1bn every year from a single game alone excluding all the additional IP money brought in by the title (pushing them closer to $2bn) absolutely can pay $10m quietly.
Re: (Score:2)
In that case, your argument is bullshit. Shock, amazement.
Riot games is publicly traded, so it would come out in the financials.
Re: (Score:2)
Ten.
Maybe open source it? (Score:2)
Perhaps Riot should beat them to the punch and release their source code as open source -- with the idea that others could help find bugs and make improvements. And they could provide official support and a platform for LoL clones to be created as well.
At least, I can dream, can't I?
Re: (Score:2)
At worst it might just be kind of embarrassing. Remember, this is the game that spawned the "coded as minion" meme
Can of worms (Score:2)
I can't believe this game is still around. It's always been unbearably toxic by design. That it survived this long is a miracle.
One more sign that Bitcoin is truly dead (Score:3)
Even the criminal hackers have abandoned it!