Alleged Stolen League of Legends Code Auctioned

Riot Games, the video game developer behind the ever-popular League of Legends, announced on January 20 that it had been hacked. Following the hack, the company has received a ransom demand to return source code stolen during the hack and has the allegedly stolen source placed on auction by the threat actors.

Game developers have long been a favored target for several financially motivated threat actors with EA, Ubisoft, and CD Projekt Red, suffering cyberattacks, data breaches, and ransomware, in the case of CD Projekt Red’s case, in recent memory.

lol code auctioned by cyber criminals

Reports regarding the attack began being published shortly after the announcement by Riot Games on Twitter. The initial announcement read,

“Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.”

It was further noted by Riot Games that the incident would have a significant impact on the upcoming releases the game developer had planned, also stating,

“Unfortunately, this has temporarily affected our ability to release content. While our teams are working hard on a fix, we expect this to impact our upcoming patch cadence across multiple games.”

Four days after Riot Games announced that it had been hacked, they announced that the threat actors were attempting to extort Riot Games for the source code allegedly stolen in the attack. Riot Games stated,

“Today, we received a ransom email. Needless to say, we won’t pay. While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.”

According to Motherboard, who have seen a copy of the ransom note, the threat actors are demanding 10 million USD not to release the stolen source code. According to the ransom note the threat actors claim they had stolen data about the anti-cheat software the company employs to prevent players from using malware to cheat.

Further, they claim that they have stolen the entire code base for the game League of Legends. The threat actors provided two large PDFs as proof they had the source code they claimed to have stolen. The threat actors also opened a Telegram channel to facilitate communications with Riot Games employees.

Threat Actors Try Auction of Allegedly Stolen Data

A day after Riot Games confirmed that they would not be paying the ransom demanded Bleeping Computer reported that the threat actors had put the stolen data up for auction on an underground hacker forum.

According to the post announcing that the data would be sold off to the highest bidder, it also stated that both the anti-cheat software, called Packman, and the League of Legends source code is up for sale.

The threat actor says they are selling the League of Legends source code and Packman for a minimum of 1 million USD. However, they told BleepingComputer that they would be willing to sell Packman by itself for 500,000 USD.

It is further claimed that the stolen data amounts to 72.4 GB. At the time of writing Bleeping Computer could not verify the veracity of the source code.

Moving to one side the question of the authenticity of the code, any potential buyer would have to ask themselves if the code is worth 1 million USD.  The main value of the source code would be for cheat creation.

A suitably skilled programmer could write code that would bypass the current anti-cheat software. These cheats could then be sold to less scrupulous gamers who believe in the pay-to-win mantra above all else.

The release of any kind of source code can result in threat actors developing exploits that can be used to gain access to an unknowing player's computer or device with the game installed on it.

This does pose a certain amount of risk to both player and company, but it still ultimately boils down to if the buyer can get more than a million dollars out of their purchase just to generate some profit. Even if the anti-cheat code is sold off at 500,000 dollars, it is a significant capital outlay and still requires a not significant amount of work to turn into something that can be sold.

Also, a question a state-sponsored threat actor will have to ask is how valuable the information they can steal from your average league of legends player is before they consider putting in an offer.

With that said it is felt that Riot Games should be commended for how they have responded to the data breach. While nobody wants a data breach to occur and no matter how secure the IT infrastructure is it still can occur, Riot Games had been forthright with informing their community as to what happened and what the impacts will be.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal