A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time, job.
Manfred’s character is standing still in the virtual world of the 2014 sci-fi online multiplayer game WildStar Online. Manfred, the real life person behind the character, is typing commands into a debugger. In a few seconds of what seems to be an extremely easy hack, Manfred’s virtual currency skyrockets up to more than 18,000,000,000,000,000,000, or 18 quintillion.
I’m watching this hack in a demo video recorded by Manfred as I stand next to him in a Las Vegas bar on Thursday. Manfred, who asked me not to reveal his real name, says he has been hacking several video games for 20 years, making a real-life living by using hacks like the one I just witnessed. His modus operandi has changed slightly from game to game, but, in essence, it consisted of tricking games into giving him items or currency he doesn’t have a right to have. He would then sell those items and currency to other players (for real money) or wholesales them to online gray markets, such as the Internet Game Exchange, that then would sell those goods to individual players.
At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency.
“The best hacks are the invisible ones because you change the rules without anyone knowing what’s going on.”
When I spoke to Manfred ahead of his talk at the Def Con hacking conference, he said he wanted go in, give his demo, and go out “as a ghost,” never to be seen or heard from again. He said he wanted to be “invisible,” just like he’s been for the past two decades. He said he’s found more than 100 publicly unknown vulnerabilities in more than 20 online video games, making hacking and trading virtual goods into his full time job.
Unlike most video game hackers, Manfred didn’t cheat to gain an advantage over his opponents. He hacked games because he made it his full-time job.
“The best hacks are the invisible ones because you change the rules without anyone knowing what’s going on,” Manfred told me. “When hacking online games, the main goal is to to be invisible. You don’t want to disrupt the players, you don’t want the game company to find out about your hacks. You don’t even want to them to know that what you’re doing is possible.”
On Saturday, Manfred came out of the shadows and told his story for the first time during his talk. Initially, his plan was to hack WildStar Online in front of the audience, abusing undisclosed vulnerabilities, or zero-days, without having his talk recorded. The conference organizers, however, told him that all talks have to be recorded, and so he didn’t do the hack live—much to the audience’s chagrin.
Starting with Ultima Online, one of the first online massive multiplayer games, Manfred said he’s been finding ways to hack the games in order to amass either virtual currency or goods that he would then sell wholesale first on eBay, and then later on Chinese online marketplaces.
Manfred, who declined to tell me or the audience how much money he made throughout his career, said he wasn’t cheating to beat other players anymore. Instead, he sees himself as providing a service: Offering in-app purchases before in-app purchases were a thing.
“I don’t like to call them hacks,” Manfred told me, laughing. “It’s more like finding unintended features in the protocol.”
The First Hack
Everything started in 1997, when he was playing Ultima Online. At the time, Manfred said, he had only a dial-up connection, and was routinely killed in fights with players with better broadband speeds. To compensate, he said, he found ways to cheat by hacking the game.
On a boring day, he discovered a bug that would change the course of his life. In Ultima Online there was a pre-set, finite number of houses that could be created within the game, so they were a scarce resource. Manfred says he found a way to delete people’s houses and take over their lots, allowing him to build more houses than he normally would be able to.
One day, Manfred told me, he had the idea of putting an Ultima Online castle on eBay to see if someone would buy it. He ended up selling it for almost $2,000, according to him (Manfred says he sold around 100 houses since then for an average price of around $2,000.)
“Hey this is real money!” Manfred recalls thinking. “That pretty much paid for my college. I pretty much sold houses and castles from Ultima Online for three or four years and paid my way through college.”
But Ultima Online was just the beginning. In the two decades since, Manfred says he found ways to hack and profit off of several games: Lineage 2, Shadowbane, Final Fantasy XI, Dark Age of Camelot, Lord of The Rings Online, RIFT, Age of Conan, Star Wars New Republic, Guild Wars 2, and others.
“I was a wholesale supplier on the backend for majority of these games,” Manfred says.
In Dark Age of Camelot, for example, Manfred says he found an exploit that allowed him to log out and log in again without the game noticing, allowing essentially to clone his own character and valuable items over and over.
“I could just create as much money as I wanted. This was invisible to other players and the game company,” Manfred says. “It was a revenue stream for twelve years.”
“I don’t like to call them hacks. It’s more like finding unintended features in the protocol.”
Most of the time, the hacks went largely unnoticed. The one exception was Shadowbane. That game, Manfred says, was so easy to hack—hackers could just send the game’s servers whatever data they wanted and the game trusted it—that the chaos created by him and other hackers was reported in a Wired story in 2003.
“That was my last malicious hack,” Manfred said. “Then I went totally underground and made sure my hacks weren’t noticed by anybody.”
Manfred says he is likely the only person who’s been living off hacking games for so long. But there’s a lot of other people who hack with the goal to cheat and win games. And there are probably others who do it for the money like he used to, given that some of the bugs he took advantage of were relatively easy to find for motivated hackers.
It’s a “wild west,” right now, he said. “There’s a lot of money to be made, and there’s a lot of people doing this every day.”
And it’s not just individual hackers. In 2011, a group of hackers got arrested in South Korea and were accused of working to hack video games and generate revenue for the North Korean government. The South Korean police said at the time that the team of hackers made $6 million in two years.
Coming Out For The Common Good
For Manfred, coming out now is a chance to show the world that video games need to take security more seriously. Most of the hacks he did over 20 years, he said, relied on very similar bugs.
“It’s kinda like groundhog day, you play a game, you find some exploits, you get banned and then you move on to the next game,” Manfred said during his talk.
Manfred says he’s now done hacking video games. He quit last year and got a job at a consulting firm.
“It’s been a good living,” he told me. But he quit because the business model of video games has changed. Now that many companies make their money using in-game purchases, he doesn’t think it’s fair to compete with their economic strategies.
“I wasn’t comfortable doing what I was doing,” he says.
Hacking WildStar Online on stage was going to be Manfred’s last video game hack. But he decided against doing it. After the talk, Manfred told me he’s going to report the flaw to NCSOFT, the maker of WildStar Online, and help get it fixed.
Video game hacking might still be a wild west, as he puts it, but Manfred is riding his horse into the sunset.