The first thing that ever puzzled me about the man I used to know as SuperDaE was that he didn't sound Australian.
I couldn't detect an accent.
SuperDaE told me back then, during our first long-distance call from New York to wherever he was in Australia, is that he got that a lot. He swore to me that he really was Australian. Over the next month he would tell me many, many things that were hard to believe. I'd eventually be able to confirm half of it. I was left to wonder about the rest.
He'd claimed to know about the next Xbox and PlayStation, claimed to really have two prototype versions of the next Xbox. He said he'd had access to next-gen games, that he had Homefront 2 and Sleeping Dogs 2, that he'd played Gears of War 3 a year before it came out and that — after he drunkenly told Epic about it — they'd sent him a poster. He could send me a photo, if I wanted to see it.
A month after we'd first talked, he'd convinced me he'd done many of the extraordinary things he'd said. I'd changed my impression of him from possibly being a disgruntled, anonymous game developer to being a hacker — a really good hacker. "I'm more than that," he told me with a laugh during one of our many calls. "I'm just an image."
Our most recent phone call happened on Saturday, February 16. We talked for two hours, me trying to confirm things he'd said before. He told me his wildest stories yet. I asked him if he expected to wind up in gaol. "Possibly," he told me.
At that moment, he sounded naive. Possibly?
"I try to be optimistic," he said. "But yes."
On Tuesday, February 19, members of the Western Australian computer crimes police force raided the home of SuperDaE, aka Dan Henry, aka Dylan. They had a warrant. Dylan — that's his real first name (he asked that his last name not be used) — said they had an FBI agent with them. They took his computers. They took piles of papers. They took a souvenir cup that was shaped like a penis. He says they took his phone, froze his assets.
"I've lost everything," he told me when I found him again on Twitter a couple of days later. He said his life was in ruins. "Was what I did wrong?" he asked me. "Did I really deserve it? As the saying goes, curiosity killed the cat."
Gears of War 3, A Year Or So Early
SuperDaE really does live in a suburb of Perth in Western Australia. He has declined to tell me how old he is and says he doesn't have a job. He blames chronic pain. I never met him in person and the only image I've seen of him is the one atop this story, which he says is from an old driver's licence photo. He says he travels a lot. Over the phone, he sounds young and up through our last conversation, before the cops came, carefree.
I first heard of him, of "SuperDaE", in the winter of 2012 when he seemed, quite ridiculously, to be trying to sell a development kit for the next Xbox — codenamed the "Durango" — on eBay. It seemed too brazen to be real, even after images appeared online of his supposed Durango with a piece of paper affixed to it. On the paper was the word "SuperDaE". I have good sources in the games industry, so even though Microsoft refuses to comment on any Durango questions I've ever asked them, my sources told me that, yes, the images were of the real thing.
I pegged SuperDaE as a disgruntled game developer or some other industry insider. Who else could get a Durango? Or at least how else could he know what a unit looked like in order to post a picture that made it seem like he had the real thing?
The eBay auction never went through. SuperDaE would tell me that Microsoft made a copyright claim on it. Microsoft wouldn't comment to me about the auction at all. Dylan now tells me that the eBay thing wasn't exactly what it seemed. Regardless, It wasn't his first strangely bold manoeuvre.
Back in early 2012, Dylan says, he drunkenly called someone at Epic Games. Epic is the North Carolina-based studio behind the Gears of War games and the Unreal graphics engine which top publishers and developers from around the world use to power their own games.
He spilled the beans and told them he'd had access to some part of their computer system for a long time — since early 2011, he would tell me. But he liked Epic and he was happy to tell them where their security holes were. In an email exchange, an Epic employee thanked him. Dylan asked if he could have a poster.
They sent him one.
"A hacker compromised our internal network a couple years ago," an Epic spokesperson told me recently, verifying the basics of Dylan's story. "We were able to start a conversation and work with him to make it more secure. As thanks, we sent him a signed poster from the team. No social security numbers, credit cards or other sensitive customer data was compromised during the breach." Epic notified their forum users and their licensees that there was a breach. All was taken care of.
But when I told Dylan about this, he displayed what I'd come to know as his penchant for icing one tale with a wilder one. He told me he got access to the computer of former Epic star game designer Cliff Bleszinski and found his social security number. He said he got access to usernames and passwords of Epic forum users and "to an extent, yes, credit card info". When I noted my surprise, he responded: "I had Epic's AmEx for a while." But he says he never charged anything to it. "That would have been a big red flag," he told me.
Dylan said he didn't do much with Gears of War 3. He has consistently maintained that he pirated nothing, that he never put a game on a torrent or tried to sell any as a side thing. "It's unethical," he said of piracy. "I like a lot of those studios. [Piracy] damages them. Developers don't want their games to go out early."
He said he never tried to profit from hacking, though, yes, he seemed to be trying to sell next-gen Xbox development kits on eBay. When I suggested, a couple of weeks ago, that there was an inconsistency there, he laughed. "You can say I was going to give the money away."
If Not Valve, Then Blizzard. If Not Blizzard, Then...
Dylan has maintained that he is merely curious. He says he's not even a huge gamer, that he just liked the challenge of seeing if he could poke around and find things out. That's why, he says, he tried to hack his way into Valve. He claims that a 2011 hack was his, but that Valve described it all wrong. There were no credit card numbers obtained, he said, offering me no proof he really did the hack. He said he was just looking for Half-Life 3 — and didn't manage to find anything about it. Valve declined to comment for this story.
Epic, Valve... there was more. He used to brag to me that a list of game companies that he hadn't gotten access to would be shorter than the ones he did.
There was Blizzard, the World of Warcraft people. "I poked around Blizzard because I actually love Blizzard as a company, and I'd imagine working at Blizzard would be a dream job," Dylan said to me in an email. "I accessed Blizzard, because it would have been awesome to play on my own World of Warcraft server or to own the source code — heck, to play their new MMO Titan, the possibilities are endless." He later told me that Blizzard, of all the companies he's tried to access, are the best at spotting intruders and changing their passwords.
A Blizzard rep confirmed to me that a hacker — presumably Dylan — had gained access to an employee's webmail account, as Dylan had told me he'd done, but that access was swiftly denied. No customer information was accessed, or accessible via the intrusion, the company says.
Reps for Square Enix and United Front Games, the presumed publisher and developer, respectively, for Sleeping Dogs 2 did not comment on Dylan's assertion that he had access to their unannounced game — or that it even exists.
As for THQ, that publisher just went out of business and is not around to confirm if he really got Homefront 2, a first-person shooter sequel Dylan maintained was being made for Durango. The game's studio Crytek did not reply to a request for comment.
To convince me he had Homefront 2, Dylan had sent me this, a supposed file directory for the game:
Easily faked or the real deal? Dylan used to talk about flying to the States and showing me next-gen games running on Durango. If he had a Durango up and running, he easily could have sent me a screenshot of this or any other game. He never did, and yet his access to game company's data, extraordinary as it often seemed, was backed up by proof a lot of the time.
Can You Really Order A Durango Online?
Dylan wanted to know about next-gen systems, and somehow he learned plenty. He got development documentation for the next PlayStation and Xbox. Long before I'd sized him up as a hacker, he'd sent me troves of PDFs and white papers describing the functionality of both the code-named Orbis and Durango. The documentation was loaded with programming code — and with details.
Earlier this week, Sony officially announced the PlayStation 4 (the former Orbis) and it turned out that everything in the documentation Dylan had sent me — the names of the controller's buttons, the specs of its new touchpad, the specs for the console itself — were entirely correct. Sony never commented to me about Dylan's supposed hack, but their PS4 press conference made a strong argument that what he said he'd done, he'd done. His info all checked out.
The stuff in Dylan's Durango and Orbis documentation was meant for game-makers and other insiders. I read through it. I checked with sources who were in the industry and could verify if this material was real. It was. Dylan had found a way to get to it. Did he gain access through usernames and logins he grabbed from Epic? Or some other company? It's not clear.
Gaining access to digital paperwork might be hard, but it's not hard to imagine a hacker doing it. The same goes for getting game code. But imagine this scenario: You access Microsoft's internal developer network. You pose as a game developer. You access a shopping page intended for developers, where you can tick off some boxes and, for 7500 Euros, order yourself a Durango development kit. Maybe yYu claim to be from Rockstar, makers of Grand Theft Auto. You put in any old banking info, to the extent it asks for that. And you put in the address of a "drop" location — some place other than where you live. You track the package, and then you just wait for the FedEx person to arrive, take the delivery and — voila! — you've got a development kit.
That's what SuperDaE says he did. Or at least that's what he told me he did when we were talking last Saturday.
Can you really trick Microsoft into sending something as sensitive as a development kit for their next Xbox to a random Australian address? Can you really trick the payment system since, presumably, you don't have the €15,000 for the two development kits you say you got?
Dylan never gave me a clear answer for any of that, but he did send me a screenshot of the supposed Microsoft developer online store. You or I can't get the URL to work, not without a game developers' password, something I don't have. Microsoft won't comment on any of this, so they're not confirming either. Judge for yourself:
After the police raided Dylan's house — and that event definitely did happen, according to Australian police — Dylan told me a somewhat different story. Or perhaps I had misunderstood him. He'd never had the Durangos. They'd been sent to his friend in the United States or at least to a drop location his friend had access to. He was just the face for the eBay sales. He hadn't sold them. It became less and less clear to me what role, if any, he played in accessing them — to the extent that he and the hackers he knew really managed to trick Microsoft into sending that sensitive hardware out.
"I never personally touched the Durango itself," he told me. "I've played through the Durango operating system, but not the original."
And was there a third Durango? Dylan told me he helped order and get it delivered to someone on an island. He says that one sold for $US5000 and that he has the bank receipt. I've never seen it.
As far-fetched as Dylan's Durango devkit tales seem, some things are for certain: the images of the devkit he put online showed the devkit — or at least the shell of one. If he or his friends were faking the sale and never really ordered a unit from Microsoft, they'd still managed to figure out what a Durango development PC looked like and were able to set up a unit that, at worst, resembled one.
Whether the sale was serious or not, Microsoft cared about it enough to send someone to Australia to see what the deal was with the mysterious SuperDaE. Dylan claims that a private eye tracked him down and then arrived at his door with a man named Miles Hawkes, a senior member of Microsoft's IP crimes team. As Microsoft doesn't comment on anything that involves the word Durango, it's only possible to look at Dylan's account of what happened next. Dylan shared his version of the story with me in an email:
Miles Hawkes and a Private investigator that MSFT hired to track me down came and knocked on my door, long story short, sitting in the living room table with them, Miles and I conversed about the Durango and other units, I did not admit to the legitimacy of the Durango, as that would mean I would have to return it. I did however reveal a list of accounts to access Microsoft's Xbox Developer Program, which they call 'GDNp' (Game Developer Network program). Microsoft also knows I'm not malicious, probably from their research into me and everyone else linked to me to do with Microsoft and Xbox. I however, didn't have much to show Microsoft as I zeroed my hard drives the minute Microsoft was at the door, I only had a Macbook Air with 64GB SSD that happened to have some information. I booted Durango on a Mac, his face, needless to say, was priceless. However, I had an Xbox 360 Development Kit in plain sight and was asked (or rather, threatened in a nice way) to "forfeit it, or they would come back tomorrow with a court order", I complied, funnily enough, Miles joked about how I could just buy a new one anyway since they don't cost much anymore anyway.
Miles invited me to lunch at the Hyatt in Perth, Western Australia, where he happened to be staying. I just ordered a Coke and he ordered a Diet Coke. He laid out and asked questions about everything, which I answered to. I mentioned how my "group" was organised, the group being, everyone in the Xbox Scene that I happen to know personally, most of whom seem to be scared about everything that happened recently to do with the FBI's ongoing investigation into me, and a recent seizure and raid that happened on a friend of mine. I mentioned how I was the main guy, how I was the guy behind most everything, and how everyone else simply helped me, etc. Microsoft didn't seem to [sic] phased about me having access to their files, however they didn't appreciate me having access.
Note the reference to an FBI investigation. Dylan told me he believed the FBI were trying to track him down as far back as the Epic breach. He believed they wanted to put heat on those in his hacker "scene" that were much more proficient at hacking Xboxes than he was. A hacker friend was raided in Newark in December. Dylan showed me the warrant as proof and suggested I call the Baltimore office of the Bureau to confirm that they were going after him as well. The national and Baltimore offices of the FBI did not return my requests for comment.
The extent to which Dylan's account of his meeting with Hawkes is accurate is impossible to ascertain. Dylan shared what he said were texts between him and Hawkes during and right after the visit. (I've included one here. Judge for yourself.)
At the time it was happening, Dylan Tweeted about a meeting with Microsoft. Beyond that, the facts are unclear.
What happened after the meeting with Miles Hawkes seemed similar to what went down with Epic. Dylan told me that he liked Microsoft, as he did Epic. He thought they were a cool company, and so, when faced with someone from the company. He liked Durango. It was better than Orbis, he thought. He figured he'd talk to Microsoft about how they could improve their security. So the hackers and Microsoft started e-mailing each other.
In an email exchange Dylan showed me that seemed to occur between a member of Microsoft's security team and Dylan and a fellow hacker, the Microsoft person seems to be trying to find a way to work together:
The apparent Microsoft person goes on to ask about vulnerabilities supposedly cited by Dylan or his associate, one of which involves the notion of a hacker being able to glean an Xbox user's "account" info only by knowing their Gamertag.
Dylan's fellow hacker replies in detail about issues with the security of content on the Xbox Live Marketplace — the Xbox 360's online store — but doesn't elaborate on the Gamertag issue. The e-mail ends with a request for the Microsoft person to maybe put in a good word for them. "I don't mean to ask anything of you, and if I denied, I'll still be more than willing to help," Dylan's apparent hacker friend writes, "but do you think it would be possible that me and Dylan, if proved to be useful, could possibly list someone we've spoken to on your end as a reference for resumes or something of the sort?"
I don't know where the conversation went from there nor if any proof for the supposed Gamertag hack was ever given. Dylan said that that kind of hack wasn't his thing. He also says he became disaffected with Microsoft.
"They don't fix security issues," he told me, complaining that he felt like the Microsoft people wanted him to do their work for them. "There's issues where I can log into a powerboard into Microsoft and can switch off 1000 servers..." He was telling me this last Saturday and I tried to get him to slow down.
Turn off servers? Really? He started typing, said that the trick was to sniff around and look for a certain range of Microsoft IP addresses, load them up, wind up at some server login prompts, type in the default passwords for those servers and... this is what he showed me he found, his mouse hovering over a deactivation option:
Real? A hoax? He says they wanted to know which IP addresses were involved in this. He says he thought they should be able to figure that out themselves. He also says he has no idea what the servers were tied to. Could have been Xbox Live. Could have been a bunch of coffee makers.
While avoiding addressing any of the "Durango"-related aspects of this saga, Microsoft did comment to me about three notions: that they were hacked, had security flaws exposed and that they had set the Feds loose on Dylan. "Microsoft did not initiate this FBI investigation with this individual, as has been asserted in some of the articles in the media," a Microsoft spokesperson told me. "We take security very seriously and have no evidence of any compromise of our corporate network. We have no further comment on this matter."
Dylan's back and forth with Microsoft was in spring. The attempted Blizzard breach was in January. He sent me the Orbis and Durango documents around the same time and put a Durango back up for sale on eBay. (That sale has been closed.) Dylan and I last spoke on the phone this past Saturday. And then, last Tuesday, anything Dylan says he was doing — anything he thought he was getting away with — ended.
The cops showed up and they took pretty much everything. Was it related to our most recent, most detailed call? He would later tell me he thought it was just a coincidence.
By this point, bear in mind, Dylan had his doubters. People who saw the eBay auctions or the tweets or even the stories we'd written about him — stories in which, admittedly, we said he had possession of Durango devkits that we're no longer so certain he did — wondered if anything this guy claimed was true.
Well something was true. He'd gotten someone's attention. Because it's not likely that the cops show up with a warrant for nothing.
"Technology Crime Investigation Unit is currently conducting a multi-jurisdictional investigation into computer related offences," the Western Australian police told Kotaku in a statement this week. "A search warrant was conducted Tuesday 19 February 2013, in relation to this investigation and items were seized."
According to an official warrant supplied to me by Dylan, the police showed up at 7:10AM and ended their search around 12:30 in the afternoon. The warrant called for a search for computers, gaming consoles, hard drives, and records related to Microsoft, Microsoft partners, PayPal and eBay. (eBay and PayPal, which are part of the same company, did not return a request for comment about this.)
Dylan told me that he was polite and helpful during the raid, but that "they didn't allow me a lawyer... that's probably the biggest right they took from me." He said that one of the cops told him he was a "pretty boy" who would "most likely be someone's bitch in gaol."
The police didn't address these allegations with us, nor has anyone confirmed that the American who Dylan says was present was an FBI agent. Dylan says he was and was told as much by the Australian police. "American accent," he told me over Twitter, "The other police told me he was FBI and well, he was."
Records of the raid list six pages' worth of items seized by the police. Here's just a sampling:
Dylan says the police took his phone. He told me he couldn't get to his money after the raid, that the police took his bank cards. The seizure documents list a Blackberry, a Visa and banking records, all confiscated. Shortly after the raid, Dylan hopped on Twitter, apparently from a nearby Apple store.
I tried calling him the next day. After two rings, his phone went to voicemail.
In the days since the raid, Dylan has only been in touch over Twitter and, briefly, over what he said was a borrowed phone. He swiftly sent me the warrant and seizure documents and decided, at that moment, that he was OK with me using his real first name.
"Feel free to use my real name in the article," he said. "At this stage I have nothing to lose, I've lost everything."
Over Twitter, privately, Dylan has seemed crushed, telling me a couple of days after the raid that he was "pretty down, flashbacks to the raid are frequent." Publicly on Twitter, he's become a little more animated, and has been retweeting anyone who uses the hashtag #FreeSuperDaE.
"I was treated like a criminal," he complained to me, looking back at the raid.
It seemed to me that it didn't matter if he really didn't pirate or if he really didn't use any stolen credit card numbers. He'd said that he got access to companies' computers by using others' logins. That alone might seem pretty bad.
"No one was hurt from what I did," he said to me. "So it's shocking that they want to ruin me like this."
Dylan says he hasn't been charged with anything yet. He says he's living with family.
"I am a hacker in the eyes of the law," he told me a couple of weeks ago. "However, how I see it is [that] I am someone curious with information and obsessed with owning everything that I otherwise shouldn't."
Some of the tales Dylan told seem too wild to be true, but those Orbis and Durango documents? Real. Epic and Blizzard? They say he got into them, however briefly.
What could he have known? What could he have done? What gaming secrets could SuperDaE have discovered? Whichever of his claims you choose to believe — whichever claims that, with the police cracking down, he may wish fewer people had believed in the first place.