Two hackers, one from the United States and one from Canada, have pleaded guilty to U.S. federal charges regarding an elaborate international scheme involving the infiltration of gaming companies Valve, Epic, and Zombie Studios as well as attempted sales of counterfeit Xbox One development kits well before the console was released to the public.
The Department of Justice trumpeted the guilty pleas today as part of the unsealing of an indictment against four of the alleged hackers (the full text of the indictment is embedded below). The four men are considered to have operated in concert with the Australian hacker SuperDaE, whose claims of having hacked the aforementioned gaming companies — and others — were chronicled here on Kotaku in February 2013.
The various hacking schemes stretched back to January 2011, according to the DoJ, and involve everything from the theft of the game Gears of War 3 nearly a year before its official release to the allegedly successful effort to sell a counterfeit pre-release Xbox One development kit on eBay for $US5,000.
Some of the charges square with the elaborate details that SuperDaE himself shared with Kotaku last year. Others are new. Some are covered in plea deals to conspiracy charges by two of the alleged hackers, Canadian David Pokora and American Sanadodeh Nesheiwat. Others are simply alleged at this moment, with the remaining suspects innocent until proven guilty. SuperDaE, for his part, hasn't been charged by American authorities but is under investigation by Australian law enforcement.
A 65-page indictment outlines 18 counts ranging from conspiracy and wire fraud charges to mail fraud and identity theft against the four North American hackers and SuperDaE, whose real name was redacted from the indictment. The hackers, whose ages range from 18 to 28, are alleged to have used a combination of Structured Query Language "injection attacks" and stolen developer login credentials obtained from those attacks. They are said to have used the login info to gain early access to unreleased game and hardware code as well as credit card information and various login credentials for scores of game developers — as many as 16,000 if one of the alleged hackers' boasts was true.
The infiltration of the game companies began around January of 2011, according to the DoJ, when Pokora, who has pleaded guilty to conspiracy charges regarding what is detailed in the indictment, is said to have obtained login credentials from an unindicted co-conspirator for the computer network of Epic Games. That access enabled Pokora to download an early copy of Gears of War 3, a game that Epic and Microsoft didn't officially release until September of that year. In an interview with Kotaku last year, SuperDaE said that he drunkenly called Epic some time in 2012 to point out the flaws in their computer security. In exchange, he said, they sent him a signed poster, a photo of which we featured in our article.
While an Epic spokesperson declined to comment on the indictment today, they did confirm details of the breach to Kotaku in early 2013. "A hacker compromised our internal network a couple years ago," an Epic rep told us then. "We were able to start a conversation and work with him to make it more secure. As thanks, we sent him a signed poster from the team. No social security numbers, credit cards or other sensitive customer data was compromised during the breach."
SuperDaE, who has long maintained he didn't participate in the hacks to make any money, had told Kotaku in early 2013 that "I had Epic's AmEx for a while," but that he didn't charge anything to it. "That would have been a big red flag." In the indictment, he is alleged to have provided an unnamed individual ("Person A") with credit card information for an Epic Games employee's corporate card.
Epic is just one gaming company that the hacker crew managed to get into, according to the indictment and signed statements of fact by Pokora and Nesheiwat.
The indictment also claims that Pokora obtained valid log-in credentials to Valve Software's computer network in September of 2011 and along with his fellow hackers and "Person A" used those credentials to "gain unauthorised access to Valve's network, and transferred a file named 'MW3_MP_BETA_1.rar,'" apparently part or all of Call of Duty: Modern Warfare 3, which was officially released in November of that year.
Representatives from Activision and Valve have not provided comments on the matter, but if they do, we'll note that.
According to the indictment, the hackers also digitally snooped their way into Zombie Studios, a Seattle-based indie development studio that made Blacklight Retribution and Daylight but, perhaps of greater concern to the Department of Justice, has also done contract work for the U.S. Army.
SuperDaE and two other alleged co-conspirators are alleged to have obtained access to Zombie's games and pre-release software as well as "personally identifying information" for employees, including "name, social security number home address and tax documents" for one of them. SuperDaE is alleged to have used that information to open up credit card applications in the name of two Zombie employees. He's also alleged to have used Zombie login info to access AH-64D Apache Simulator, software developed by Zombie for the U.S. military. According to the indictment, he shared the files with the person for whom he tried to obtain credit cards.
"Everyone had access to the Zombie and the US Army VPN tunnel, however the access level of the accounts were 'Unclassified,'" SuperDaE told Kotaku today over email. He said he had no idea what the credit card application claims were about.
A rep from Zombie Studios declined to discuss specifics of the indictment but noted in a statement to Kotaku that "Zombie takes all matters of security serious and has, and will continue to monitor and evolve all of its security policies to be as progressive as possible."
The most elaborate allegations involve the apparent infiltration of Microsoft, which the DoJ says started as long ago as January 2011 and involves all four North American suspects and SuperDaE as well as others not named in the indictment. The Microsoft details intersect with a lot of what we've previously reported about SuperDaE but go in some extraordinary new directions as well.
The indictment has Pokora having boasted during an "online electronic communication" in August 2011 that "I got a couple of GDN accounts," a reference to Microsoft's Game Developer Network Portal. "I actually have over 16,000," he continued, "just pure developer accounts from different studios."
In early 2013, SuperDaE had told Kotaku that he had used developer login credentials to access Microsoft development websites. This, he said, was how he'd been able to share with Kotaku reams of documentation related to the then-unannounced Xbox One console (codenamed "Durango" at the time).
SuperDaE had already come to our attention by appearing to attempt to sell a Durango development kit on eBay the year before. SuperDaE had told Kotaku in early 2013 that the eBay sale was intended for profit and that "you can say I was going to give the money away." He'd also claimed that he'd helped get another Xbox One devkit sold to someone on an island for some $US5,000 and that he had a receipt for it.
According to the indictment, SuperDaE, Pokora and a third hacker planned to assemble and sell Xbox One devkits using specs obtained from Microsoft's development site and parts from shops like NewEgg.com. The indictment describes a plan by hacker Nathan Leroux to assemble one such Xbox One devkit and deliver it, through an intermediary, to a person in the Republic of Seychelles, an archipelago of islands in the Pacific. An FBI agent is said to have intercepted that devkit in August of 2012. Of the attempted eBay sale, the DoJ claims that the unit listed there was sold for $US5,000.
"The FBI got hold of that unit because that was the unit that 'THEY' bought for $US5000," SuperDaE told Kotaku today. "The FBI internationally bank transferred me $US5000. However to my awareness, there was no software on the unit as it was sold merely for the hardware. I gave David [Pokora] and Nathan [Leroux] access to my credit card. David bought an Apple Macbook, which he sold for cash, and Nathan paid his uni/college with his half (what he paid for the hardware)."
Perhaps the most incredible allegation in the entire indictment involves an apparent robbery of Xbox One development kits from Microsoft headquarters. This alleged incident did not involve SuperDaE but, rather, a deal between Pokora and a hacker named Austin Alcala along with two alleged thieves referred to in the indictment as A.S. and E.A. They allegedly "brokered a physical theft" of Xbox One dev kits "from a secure building on Microsoft's Redmond Washington campus," according to the indictment. "Using stolen access credentials to a Microsoft building [the two alleged thieves] entered the building and stole three non-public versions of the Xbox One console."
The indictment is rife with descriptions of hacks and company breaches, but it also hints at how some of them may have planned to profit from the use or sale of stolen log-in info. The indictment quotes Pokora in an online conversation with SuperDaE in October of 2011, saying "if we do this right, we will make a million dollars each." In a separate "Internet audio call," Pokora is said to have stated, "I don't think you understand the plan that I had. I've already compromised a fuckton of PayPals from the those databases we have. Not that I logged into them, but I've compromised enough that we could have already sold them for Bitcoins which would have been untraceable if we did it right. It could have already been easily an easy 50 grand."
For his part, SuperDaE told Kotaku today that this group of hackers was "unorganized" and had different motivations. "There was a lot of lies that came out in the end. People conspiring against each other, and people doing completely illegal things on the side." He added, referring to the hacks of the game companies described in the indictment: "If we really wanted to be blackhat and make money, we could have, but we didn't. Otherwise I'd have left long ago, and would have moved to Belize or somewhere nice."
There are certainly allegations from the DoJ of the hackers' intent to obtain trade secrets, items of value and money and even sell Xbox One development hardware. There is little mention of intentions to, say, sell pirated games. SuperDaE himself had claimed to Kotaku in early 2013 that he considered piracy "unethical" and that he participated in company hacking because he was curious to see what game companies were up to. (SuperDaE's home was raided by Australian authorities in early 2013; he's facing criminal charges in that country while trying to get on with his college studies.)
Nevertheless, the Department of Justice claimed today in a news release that the U.S. "has seized over $US620,000 in cash and other proceeds related to the charged conduct" of the North American hackers. It added that "the value of the intellectual property and other data that the defendants stole, as well as the costs associated with the victims' responses to the conduct, is estimated to range between $US100 million and $US200 million."
Pokora and Nesheiwat, the two hackers in the group who both pleaded guilty to conspiracy to commit fraud today, face up to five years in prison and a potential fine of at least $US250,000.
The Department of Justice's full indictment against the hackers is embedded below.