Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks

Graham Cluley

League of LegendsA suspected hacker has been arrested in connection with a serious security breach of servers belonging to the “League of Legends” video game.

According to media reports, 21-year-old Australian Shane Duffy has been charged by the Queensland Police Fraud and Cyber Crime Group with three counts of computer hacking and five counts of fraud.

At the time of the hack last August, Riot Games – makers of “League of Legends” – warned North American players that usernames and email addresses had been stolen, alongside salted password hashes.

Advisory for League of Legends players

In addition, the game company warned, approximately 120,000 transaction records containing hashed and salted credit card numbers were accessed from an old payment system that Riot Games used until July 2011.

But, if police allegations are true, it seems that there was an unusual motive for the hack.

Police say that Duffy used the stolen data to sell game players’ IP addresses to opponents, who would then use the information to launch denial-of-service attacks against them.

Well, I guess that’s one way to stop someone beating you at a video game…

According to the authorities, 880 separate payments for the data were made to Duffy in the last month alone.

Australian police believe that Duffy hacked the American video game’s servers via a Dutch ISP, and then posted the stolen database information on a website based in Panama.

Australia, America, the Netherlands, Panama. Once again, it’s made clear that cybercrime is a truly multinational.

Clearly the Australian authorities – who received assistance from the FBI and Riot Games during the six month investigation – have had an eye on this individual for a while, as his property was first searched in November 2013.

Australian media report

Duffy’s mother Leah has come out fighting for her accused son, who she says has Asperger’s syndrome, claiming that although he has advanced computer skills he was not responsible for the hack.

Duffy is due to appear in the Maryborough Magistrates Court on April 8.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks”

  1. This is exactly what happened in the Cambridge developed game RuneScape. And funnily enough one of the guys behind it was from Australia.

  2. Media and police have it twisted. Sad that Shane will be judged by a system that barely understands much about this.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES