Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks

League of LegendsA suspected hacker has been arrested in connection with a serious security breach of servers belonging to the "League of Legends" video game.

According to media reports, 21-year-old Australian Shane Duffy has been charged by the Queensland Police Fraud and Cyber Crime Group with three counts of computer hacking and five counts of fraud.

At the time of the hack last August, Riot Games - makers of "League of Legends" - warned North American players that usernames and email addresses had been stolen, alongside salted password hashes.

Advisory for League of Legends players

In addition, the game company warned, approximately 120,000 transaction records containing hashed and salted credit card numbers were accessed from an old payment system that Riot Games used until July 2011.

But, if police allegations are true, it seems that there was an unusual motive for the hack.

Police say that Duffy used the stolen data to sell game players' IP addresses to opponents, who would then use the information to launch denial-of-service attacks against them.

Well, I guess that's one way to stop someone beating you at a video game...

According to the authorities, 880 separate payments for the data were made to Duffy in the last month alone.

Australian police believe that Duffy hacked the American video game's servers via a Dutch ISP, and then posted the stolen database information on a website based in Panama.

Australia, America, the Netherlands, Panama. Once again, it's made clear that cybercrime is a truly multinational.

Clearly the Australian authorities - who received assistance from the FBI and Riot Games during the six month investigation - have had an eye on this individual for a while, as his property was first searched in November 2013.

Australian media report

Duffy's mother Leah has come out fighting for her accused son, who she says has Asperger’s syndrome, claiming that although he has advanced computer skills he was not responsible for the hack.

Duffy is due to appear in the Maryborough Magistrates Court on April 8.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

2 Responses

  1. Matt

    March 22, 2014 at 6:00 pm #

    This is exactly what happened in the Cambridge developed game RuneScape. And funnily enough one of the guys behind it was from Australia.

  2. Choco

    July 13, 2014 at 2:28 am #

    Media and police have it twisted. Sad that Shane will be judged by a system that barely understands much about this.

Leave a Reply