Hacked - Adrian the Video Game Hacker and GDC 2023
Episode Date: March 31, 2023A chat + interview combo in which we talk with Adrian Bednarek, a man who has been hacking video games for profit for about as long as there has been any profit to be made hacking video games, and JB ...and Scott discuss Game Developers Conference 2023. Note: My (JB) apologies for the surname mispronunciation. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
I did some napkin math and the shadow markets that happened outside these games,
they are potentially at least two, but up to five times greater than the actual revenue of the underlying game.
So for the first time since the pandemic, 20 to 30,000 people converged on downtown San Francisco to talk tech and game design at GDC,
Game Developers Conference, 2023.
It was a lot of fun, learned a lot.
I got some fun stories to share.
Jordan was there, and I wasn't.
Upsettingly.
Scott was not there.
I was in the backcountry skiing.
It wasn't that bad,
but I was not in downtown San Francisco
and joined the Game Developers Conference.
Did you interview any hackers in the mountains?
No, no.
There were oddly a lot of engineers in the back country.
That tracks.
should come as very little surprise. Yeah, exactly.
So I got some fun stories to share about San Francisco.
But most importantly, I managed to track down and have a conversation with a guy named Adrian.
Adrian has had a very strange job for like 20 years.
He's a guy who if you listen to other shows about weird tech stuff, you might recognize him from back when he went by his alter ego, Manfred.
Adrian is a professional video game hacker.
He's been doing it for profit for about as long as there's been any profit to be made hacking video games.
So amidst all the craziness of GDC, I managed to track him down for an interview.
It was kind enough to sit down with me in a quiet corner of this giant place where it's very tough to find a quiet corner talking to our cell phones.
Game hacking has changed a lot over the last 20 years and how he's navigated the ethical boundaries
of a line of work where those boundaries are shifting and blurry was really, really interesting.
So this is that.
Adrian the Video Game Hacker and GDC 2023 recap here on Hacked.
You're back from the mountains.
How are you doing, Scott?
You're back from San Francisco.
How are you doing, Jordan?
I'm doing good.
I'm happy to be back.
I had a really good time.
But, you know, it is a busy time.
So it's nice to be back home.
You're back from the mountains.
You feeling recreationed up, rested up?
Yeah, I don't know if I'd say rested is the appropriate adjective,
but recreationed, definitely.
If that is an adjective, that is how I feel.
No, it was fun.
It's fun.
It's always good to get away.
It was spring skiing, so it was conditions were,
I thought they were going to be far more questionable than they were.
We ended up having really good snow,
and the hikes in and out.
We were touring, so we were hiking into the backcountry and skiing,
and then hiking back into a hut to sleep and dirty little packed cabins eating dehydrated food,
which is always fun.
Yeah, sounds awesome.
But it was a good time.
We got out of the backcountry, had a day off and went hot springing, which is always nice for rest of recovery.
And yeah, then we're back, endured the 12-hour drive home and got home last night,
just in time to make this lovely episode.
Just in time.
Just in time.
So wait, I need to know how in a conference of like, what, 20,000 people,
you managed to track down
down like this one person
who's super relevant.
Well, I'm just like an intrepid reporter.
I'm just like a gum shoe detective,
boots on the ground.
No, I found his contact information
on the internet like anybody would.
A buddy of mine, we'll talk about this later,
but a buddy in mine went to a talk that he gave at this event.
Oh, cool.
And I was like, oh, wow, we got to talk about that.
Very cool.
But before we get to that,
I've just been thinking about something
pretty much the whole time,
which is that I want to thank Zach
for supporting us on Patreon.
Really?
Yeah.
Just Zach?
Are there more people you'd like to think?
Well, I want to start with Zach.
Okay.
Who went to hackedpodcast.com
and supported us on Patreon.
Great way to support the show.
I want to thank Zach.
I want to thank Danzar.
Oh, that's a good point.
And Alan and Johan.
And Nalijjee.
and Darren.
Yeah, and Evan, Ryan, Jacob.
Sure.
But don't forget about Rob.
Oh, of course not.
And finally, drum roll,
Anders,
who are all kind enough to support the show
at hackedpodcast.com.
And many of whom have popped into our Discord.
Yeah, who have popped into Discord.
The Discord has been fun.
So we produced all the music for the show
and someone was asking,
kind of just about the music,
and then brought up the idea of sharing
some stuff they've been making.
So we created a channel
in the hacked Discord where you can share
cool stuff you made. It's called
Share Cool Stuff You Made.
It's great.
There's very talented people in there.
Funky tunes. Rapping that
easily puts Rousel Kahn to shame.
There's a lot of really talented folks in there.
They listen to us.
What's the best way to put this?
We lack the talent, so they must bring it.
Yeah, sure. There's an equilibrium of talent.
It's mostly
on them.
Exactly.
If you want to join
hackedpodcast.com.
Sweet.
Let's start with GDC.
Let's chat a little bit
about
game developers conference.
Like I said,
25,000 people
all converging on
downtown San Francisco.
It's a bit of a pressure cooker.
Talks themselves,
fantastic.
Learned a lot.
Game design,
game music,
everything from writing
like big AAA musical
themes,
sampling Kawasaki
motorcycle engines
to make
anti-gravity racing
sound design.
hiding Easter eggs and music with spectrograms.
Just cool, fun stuff.
Also a very funny experience.
Tell me more.
Yeah.
So San Francisco, kind of birthplace of the gig slash shared economy.
Wild how many times it just collapsed out from under our feet.
Question for you, Scott.
Shoot.
Have you ever wondered what happens if your Airbnb host dies?
While you're staying there?
Prior to your arrival, but too late for you to book something else.
Okay.
I've never thought about this.
See, I would assume if you've checked in that you could just claim, like, salvage rights almost
and just squat there as long as you want.
Squatters rights.
Yeah, squatters rights.
Yeah.
But prior to your arrival, I'm hoping that there was some form of property management company in the middle of that.
Right.
To facilitate.
This sounds like you have experience in this,
so why don't you share this lovely story?
Yeah.
I'll spare all the gritty details,
but when the guys I was traveling with got there,
it was a VRBO,
they got there before me,
there were people just living there.
If anyone has seen the film Barbarian,
it evoked that,
and those folks that were living there
had bought it a month before
from whoever inherited it,
from whoever owned it, who did die.
And our reservation, through some confusion,
over like two months, just sort of persisted through all of that.
Wow.
So we found ourselves trying to book a hotel on the first day of a massive conference
that sells out every hotel in the city for like a mid-sized group,
which was tricky.
And very expensive, I'm sure.
Not an affordable proposition, let me tell you.
We ended up in the last group Airbnb in San Francisco.
It was like the last one that could accommodate all of us that was available.
We managed to get it.
How far away from the venue had to be far?
Medium far, price, like value for what you got.
I'll just say it was the nicest concrete box I've ever stated.
See, I was thinking about this actually just yesterday on the drive home.
I was thinking about how, like, you know, you know, surge pricing in Uber.
Yep. It's truly based on supply and demand. I got a story about Uber.
It's truly based on supply and demand. I'm sure you do.
When 24,000 people try to get Uber's back to their Airbnbs, I'm sure the price of them goes wild.
But like airlines, it's funny how we've accepted.
Like when people hear about surge pricing, people still get mad about Uber, you know.
But the hotel market and the airline market have been running this model for years.
For, yeah, like since they existed.
Like if you buy a ticket,
especially on a discount airline,
the first 10 tickets on the plane are like free.
Like you're not even paying for the gas.
But the last 10 tickets
are like obnoxiously expensive,
like way more than they should be.
And it's like they've been working
that supply demand model forever.
So it's like I feel like
the hospitality and hotel thing, same thing.
So it's like if you're booking the last one,
if the person managing that listing is
halfway economically inclined,
you're probably paying
four times what you should be.
For sure. It was at the end of the
first day of the conference too.
So by that point you just ratched up
the price and see what you can get. It's like you're going
fishing. And maybe
someone is desperate enough to
do it and
we were
because we needed shelter.
So you literally like
Uber from the airport
to a house
that is full of people who were like
who are you and why are you here?
Or were they so used to this at this point because this guy had pre-sold out like months of bookings prior to passing away?
I wasn't there when my buddies, my buddies arrived before me so they got to have this interaction.
I just found out about it shortly after.
So I don't know how many times they had dealt with this, but I have to think it wasn't the first.
They've been living in this weird ghost Airbnb rental for the last month and a half waiting for these to sort of just like Peter.
out. And it would make sense that GDC, this giant event, would be the last spike of people saying,
do I live here tonight? And them having to say, no, I live here. Always. You don't get to stay here.
Oh, man. That's a very strange one. I've never, you're the first time I've heard a tale like that.
First time for everything. But the conference itself was great. Interestingly, and this comes up a bit in
our interview, so I think it's worth talking about. I went, say, five or six years ago.
This all happens in Moscone Center, Moscone, this big center, multiple city blocks in the middle
of downtown. It's the big venue for big tech shows in the city of big tech. So it's large.
And whether you're in the building with the talks or the big expo hall, there's always these
massive banners billowing from the roof, brands that have sponsored the event. Five or six years ago,
it was Ubisoft, Sony, Blizzard.
but now
Metaverse, Web 3,
crypto. Metaverse,
Web 3, crypto.
That is
I guess when you look at like developing markets,
right? Like the Metaverse is
like the... That's the one.
Yeah, it's the developing market
or the market that they hope develop.
They're trying to brute force it.
They're prospecting.
All the free talks, that's the stuff sponsoring them.
A lot of the parties.
that's what's sponsoring them.
A big audience that doesn't always love that stuff, gamers.
So there's this constant tension in the talks and on the floor and at these events
between people trying to very intensely sell a product to a targeted audience of people
that don't like that product.
We ended up at an evening event where the sponsor, a big cryptocurrency company, I will not name,
did want to speak to this live audience.
but didn't want to physically show up.
So we got to watch this MC of this in-person, kind of boozy event,
subject a large audience to a Zoom call with the sponsor projected on the wall.
Oh, my God.
And think what you will about that whole space,
but this dude just launched into like a crypto bullshit speed run.
Like he was just knocking down all the big hits.
People were not happy.
People walked up and left.
It looped all the way back around from being pretty irritating to the funniest thing I've ever seen.
Oh, man.
That's such a strange, like to spend all that money.
Like, we've been to some big, like, film and TV production events and stuff.
We've been to these big parties before it.
They cost a boatload of money.
And that did not even show up for it.
Let me zoom in.
Yeah, yeah, yeah.
What are you doing?
Was it Sam Bankman Fried live from his, like, penthouse prison?
I have a story about that.
But regardless.
It was.
I also met, no, it wasn't, but yeah, we'll talk about that.
I met someone, if we're just kind of going through the funny stories before we get to this long interview that's coming up.
I met someone, I mean, very discreet because he was a very nice, smart guy.
We spent the last, say, six months to a year working on what is probably going to be a very successful startup.
But he was doing the van life thing during all this.
He was living in a van working on his startup.
And he mentioned offhandedly that he'd ended up in a van commune,
like a proper commune, people doing pey in the woods type thing.
Okay.
Which like...
Checks out.
Yeah, like tell me more.
You've peaked my interest.
You've peaked my interest.
But it's San Francisco at GDC.
So I slowly started to read.
realize like it wasn't an old-fashioned peyote van commune. It was like a crypto peyote van commune.
I kept getting hints of like, oh, it's governed by a Dow, which for anyone that doesn't know is a
decentralized autonomous organization, like blockchain government basically.
Wait, the commune is governed by a Dow?
The peyote crypto van commune is governed by a Dow.
Oh, man.
And it costs a lot of money to park your van, which is a very van.
very Silicon Valley innovation of monetizing parking a van outside. And then I found the website.
And it's just, it's great. You got to be slacking that to me or putting that in the Discord.
I'm going to slack it to you. We're not going to say the name. Because I don't think they
recognize themselves as a peyote van commune. It sounds like people are doing peyote there.
But it's like a van commune where you can do peyote, but it has the website of like a
millennial meal prep kit startup.
So it's like Burning Man,
but brought to you by a drop shipping mattress company.
Oh, man.
I just don't think you and I live enough, Jordan.
Like, we aren't experiencing these things.
Like, when did we get old?
I want to go live in the woods governed by a Dow
doing drugs with crypto bros.
Is the gentleman you're speaking of,
was he starting a crypto startup?
or was it like a startup of something that provides utility?
No, he was starting like a real company that provides utility.
Really nice dude.
And I think the company is like, it's a cool company.
He was not of that cohort.
Let's just, well, we're hitting on crypto here.
Yeah, sure.
Did you see the Nvidia CEO?
No.
Like, Nvidia's record profits for the last like 10 years have been paid for by crypto miners, right?
Like their graphics cards.
Yeah, sure.
Cost us lowly gamers so much money because there's crypto bros that want to buy them and make crypto with them.
Sure.
Especially during the pandemic, it was this face-off between people that wanted to game at the highest quality level
and people that wanted to print cyberbucks.
Yeah, I'm familiar.
When Ethereum changed from, what was it, proof of work to proof of stake, it just collapsed the need to mine.
So, like, all of a sudden, InVidio was selling no graphics.
Anyway, so long story short, the NVIDIA CEO gave a speech the other day and essentially
came out and said that crypto is providing no utility to mankind and they need to pivot
away from it and that AI is the future. He essentially told people that they should just be
deserting crypto and walking away from it after like taking their money for like 10 years.
I was like, oh my God. The guy selling the gold picks was like gold is useless.
Yeah, this is actually all fools gold. But thanks for all.
Thanks for all the
so long and thanks for all the shoes.
Oh, wow.
Yeah.
So many of the things we saw that were weird.
There's a lot of money in games.
There's a lot of weird stuff.
But there's also a higher percentage
of really creative, talented, passionate people
that we met there than most other industries.
I know you do games work.
It's like there's just a lot of really cool people.
So for all the,
weird stuff you see when you're at a thing like this, it's kind of impossible not to also have a
pretty great time. Yeah, yeah, yeah. I'm very envious and I think next year I'm going to have to
pre-schedule it into my calendar. Yeah, man, come with. We'll all go down to San Francisco and
hope our Airbnb hosts make it. Well, I was watching a lot of the announcements. There is some
pretty cool tech that came out, you know, all the new changes to Unreal Engine. There was the
the path tracing and the ray tracing updates for
for Nvidia and a bunch of AMD graphics stuff.
There was just a bunch of cool things.
Really cool stuff.
The world of games and AI.
Well, we could talk about AI too, but we don't have to.
But we could save that for another episode.
But the, yeah, very, very cool stuff.
We're making a lot of leaps.
And also, as a strange shout-out,
the gentleman who Moore's Law is named after passed away.
Oh.
And it's very strange because you hear a lot of people talking.
Gordon Moore co-founded Intel, created Moore's Law.
You hear a lot of people talking now,
like the new Nvidia chipsets and the new AMD chipsets and stuff.
They're no longer, like they're revolutionary increases.
And they're breaking, like you hear a lot of chatter
about how Moore's law is being broken, and then Gordon Moore passes away.
Just such a strange coincidence, for me anyway, when I saw that happen.
Anyway, a shout out to Gordon Moore.
Thank you for all you did, and thank you for your law, and rest in peace.
Shout out to Gordon Moore.
Kind of changed the way we think about the way computers advance over time,
and I think did a lot more than just Moore's Law, like a very interesting human being.
Oh, for sure.
Well, like think about the world without Intel.
Completely.
Like love them or hate them.
Depends if your team red or team blue doesn't matter.
But like, think about the world without intel.
No denying the impact.
Exactly.
So I thought we weren't going to have an episode.
We were probably just going to want to do a rerun
because you were in the mountains.
And I was in San Francisco.
I was hanging out with crypto peyote people.
But as we discussed earlier, while we were there,
a buddy in mine went to a talk.
And I thought, oh, it seems like someone our audience
might really like to hear from for,
like the hour that is about to follow.
I'll read you the talk description.
This speaker, Adrian Bednarik,
will use his 20 plus years of experience
in exploiting online games to provide information
for current and upcoming developers
on common and advanced techniques
used to exploit online games.
Attendees will learn what happens
in the shadowy depths of online game hacking,
along with the threat actors and tools used
and be better equipped on how to protect their games
against emerging threats.
And I was like, I feel like hacked folks might really enjoy hearing from this guy.
I feel like I would have gone to that if I was there.
Yeah.
Our buddy Jeremy went and it sounded like a really great talk.
So pop on my intrepid reporter cap, see if I can get a hold of them.
Trouble.
It's a talk.
I didn't see it.
But I get the sense it was relatively technical.
So first step, contact and link up with Adrian the video game hacker.
Step two, get him to take me through this in terms I can understand.
And he did a really great job at both.
We recorded this on our cell phones, but AI voice cleanup has gotten pretty good over the last few months.
So there's a few moments here where it sounds a little garbled, especially on my microphone.
But I'd say his phone and the software working together did a pretty great job.
Chopped it up a little bit to condense things and remove some moments when the garble got bad, but it's relatively intact.
Adrian has been hacking games since Ultima Online.
You ever play that?
I never did actually.
I have friends that worked on it.
Oh, interesting.
But I never actually played it.
I know.
Huh.
So we sat down and we started there at the beginning of his story,
sitting down at the far end of a hallway,
off a hallway, off a hallway,
where it was quiet enough to talk under this weird lighting thing
that reminds you of kind of like a UFO.
We are in the equivalent of a back alley at GEC behind a purple velvet curtain, I guess.
Maybe Elvis performed here back in the day.
And there's an arrangement of lights above us in a circle that looks like a UFO that's about ready to beam us up.
We talked about his history.
20 years of Wild West games cheating.
How games get monetized today and how they'll be monetized in the future.
this idea that rather than fixed prices or even in-app purchases,
that maybe the future of games looks less like a store
and more like a government taxing transactions between players.
Fortnite just released the design of their player economy 2.0.
Something's changing in the way that works.
And really, a theme we kept looping around to,
this idea of digital scarcity that has had such a big impact on his career
and whether it is fundamentally an illusion.
Here's my interview with Adrian Bednerick, video game hacker.
Hope you enjoy.
Take care.
Who are you, and what is it you do?
So that's complicated.
Online, I'm known as Manfred, but my real name is Adrian Bednerick.
I tried to keep the two separate for a while, but people just figured things out.
You know, I didn't really care all that much.
So right now, I'm just, you know, I'm going as both, but, you know, I can call me Manfred or Adrian.
either way. Did you do other kinds of hacking? Was that really your identity in the world of video game hacking?
So Manfred is interesting because I got my start in cybersecurity. Well, my background in cybersecurity
and software engineering. And when I was a college student back in 1997, this game called Ultima Online
came out. And I was very much into PVP, like in that game. That game was pretty ruthless.
The Warner Roast was the Wild West. If you died to another player, you lost everything. Like, they just
take all your stuff off of your corpse.
So I was in a bunch of
PVP groups, guilds,
and
it was common
at the time to have very inappropriate
names. That was the
Wild West of video gaming back in the
mid-90s. And my name was
I went to run
P-K-K-G-C-C-H-H-O-P.
P-H-U-C-H-O-P.
I spelled it that way
to get past the profanity
felt her and naming your character right uh so one day a gm came up to me and he's like we're getting
a lot of complaints you're killing a lot of players in the game you're like looting their corpses and
what amounts to i guess what she'd call this day as as griefing like you know excessive uh pvp
honor ownership of of thing um so the gym was like that's all cool and everything you can kill other
players that's part of the game you're doing it a lot you know which is you know you must have a
spare time on your hands which i did like i was playing this game like eight hours a day uh but he's like
i can't have you running around with s fuck chop yeah and um so he just randomly renamed me to manfred
and i was like that's kind of a cool name it's it sounds fancy i'll go around pvping as manfred
and i just stuck with that name ever since so i was named by a game master in ultimate line was that the first
that you ever cheated in?
It was the first multiplayer game.
Was it the first game at all that you ever cheated in?
Cheating in games is interesting
because it differs greatly,
depending on if you're cheating in a single-player game
or a multiplayer game.
I mean, I'm sure everybody's played board games
and you cheat to troll or whatever.
If you're playing a monopoly,
you'll put some extra money out of somebody else's file.
So, I mean, I think everybody cheats, it's natural.
You know, anyway.
But Ultimate Online was the first.
pop-ser-m-r-pg that ever came out.
And that's what really got me interested
into the security aspects of it,
because I was like, how does this game work?
How does this client server architecture work?
Like, if I delete my game and, like,
reinstall Windows, I think it was Windows 95 back in the day,
I was like, if I reinstall the game,
will my character still be there,
will my house be there, will my items be there?
Everything was saved on the server.
So I just wanted to figure out how that stuff worked.
So I took apart the client,
and then I took apart the communications protocol
see how the communication between the client and the server work,
and then I just started finding exploits.
I know, create infinite amounts of money out of the thinner,
create items out of the thinner.
UO had an interesting thing because they had real estate that was scarce.
The map in Ultima Online was a 2D map,
and you could only place so many houses on there.
So there was a real estate boom,
and if you own the house, you were pretty rich in this game.
and I was researching the security around player housing
because there was a function in Ultima Online
where you could demolish your house
and you'll get the house deed back
so you can place your house somewhere else
so I was like, how does this work?
And then I was like, could somebody else delete my house?
So I did some investigative research
and I was like, let me try and demolish my house,
capture that data packet that the client
the sending to the server and let me change that ID of the house that's in a packet with my
neighbor's house surely that can't work right you wouldn't be able to grab their house kind of thing
yeah so so i sent this packet with their house ID and i demolished their house and i was like
oh shit found sultan yeah um that was definitely like my first huge exploit that got me thinking the
the delight bulb went off and I was like, interesting.
Interesting.
So you'd found something with scarcity in this system,
and you'd found a way to just sort of like pluck it out from in the like,
almost like the crawl space on the walls of the game.
You found a moment when it was vulnerable.
Yeah.
So, so I like to say there's always a bigger game behind a curtain.
And this illusion of scarcity that existed in Ultim Online by having items and currencies
and housing be scarce was, you know,
it's an illusion. And if you dig into how the game works and go under the hood,
you'll find the game behind the curtain and that you can play it in different ways.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where
attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic
system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop
and on the loop to validate the critical decisions and keep everything trustworthy, and all of this
is just off running on their secure operations graph. A constantly updating intelligence engine fueled
by more than 9 trillion telemetry events every week and over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually
looks like, go to arcticwolf.com slash hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses for it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trend.
which is register now at arctic wolf.com slash hacked.
What was your next step after that?
You figure out this way that you can grab a house deed or something.
Where do you go from there?
So when I discovered that, obviously I deleted my neighbor's house,
and I felt pretty bad about that because, like,
players in the ultimate line typically had around 20 to 40,000 items
that they stored in the house.
So when I demolished that house, everything fell to the ground.
and over time it just decayed and disappeared out of the game.
So I felt pretty bad about that.
And, you know, I didn't want to go around and delete other players' houses
because that's kind of an ethical line I didn't want to cross.
But then I continued on and investigated other features in the game
to see if there were exploits.
Being able to create gold out of thin air was interesting.
And I created bots to...
place houses when other players' houses would demolished. So ultimate line was interesting because
when you place the house, you had to log back in to refresh it. Otherwise, you know, you could have
a dormant account, you know, tie up real estate. So they implemented the cleanup system. Like,
if you didn't log into the game for two weeks, your house would automatically demolish. So I wrote
some scripts and bots to go around and find houses that are about to be demolished by the game.
and I placed other houses and castles in their place.
And I was a broke college student back in the day,
and I knew that people wanted houses in this game was very valuable.
And eBay was also a thing.
I think eBay came up in like 95-196,
and I was like, what would happen if I sold a castle on eBay?
So I listed the castle on eBay,
and I was expecting to get like 50 or 100 books,
because there was nothing most like it.
I didn't have anything to do market research on.
So I did a three-day auction, was expecting to get $50 or $100.
And then two days in, a bidding more started.
The cast was on, like, $500, $600, whenever I'd refresh the eBay page,
went up by like $100.
And then the auction closed at like $3,200.
So I was very happy.
Yeah, for a broke college kid, that's pretty wild.
Oh, yeah, that was a pretty good payday.
There was also a follow-up challenge to that
because the person that bought it for me
he was an airline pilot out of Alaska
and we had communications back and forth
and I was like
hey send me the money
I'll log into the game and I'll transfer my castle to you
and he was like no you log into the game first
and give me the castle and then I'll send you the money
because we didn't trust each other
Yeah why would you trust each other
We're on a trustless Wild West Metaverse of the 90s.
So we tried to use an escrow service out of New York that typically dealt with fine art.
Like if you want to sell painting, they'll take possession of the painting and they'll take money
and then transfer everything to the appropriate parties.
So we called them up and we were like, hey, can you guys install, well, do you guys have Windows 95?
Can you install Ultima online?
and then can I transfer a castle to you
and then you guys take a payment from this guy
and then like settle this deal
and long pause
a couple of ums
and we basically got hung up on
so by this point we kind of had
this was going on for a few days
we kind of developed a little bit of trust
we exchanged phone number
shatted on the phone
and he was like fine I'll just send you the money
give me the castle and we did that
we were both happy
And then I continued doing that, selling houses and gold and Ultima Online through my college days.
And I graduated in 2001 debt-free thanks to this video game called Ultima Online.
Whoa.
Where did most of that money come from?
Was most of it infungible stuff?
Was it mostly gold or was it mostly these houses?
This is a huge rabbit hole.
I sold many interesting things.
I sold some bugged items in the game that would give players an advantage.
it's a bit of a technical grab at all.
But I'd say 50-50.
Gold was in very high demand.
I think a million gold was selling for like $300 and like around 98.
Over time the value of gold went down.
As players quit the game, there was less demand for gold.
I think when I stopped selling gold in the ultimate line around 2002,
I was selling a million for like 50 bucks or something like that.
But the volume was great.
You know, you're making very good money every week.
and the payouts were good.
I mean, you list something on eBay, you get paid,
you log into the game, and you transfer to gold.
So, I mean, it was really quick, rapid transfers,
and then eBay banned the practice of selling virtual goods,
something around 2003.
Good.
But anyway, when I graduated in 2001,
I had a decision to make.
Do I want to go work for Microsoft in a cubicle
or some other big tech company,
or do I want to keep hacking games?
So I was like, you know, hacking games for profit in an ethical way, you know,
because the game companies weren't selling gold and castles and houses to the players directly.
I was filling in unmit demand.
So I was like, this really isn't a job.
I'm playing video games, figuring out puzzles, you know, hacky puzzles, cyber security puzzles.
Like, how does this game work and what are the security guarantees and can they be bypassed?
So I just continued doing that for about 20 years.
and my main source of income was from, you know, hacking online video games and their virtual economies
from 97 to 2017.
I mean, that marketplace has evolved so much since then, if you're talking about from when you would have graduated college,
when, you know, eBay was still selling digital goods.
That was so early in all of this.
Like, was there anybody looking for you as you were rummaging around doing all this stuff?
Was there anyone on the defensive side trying to stop you?
Were you just alone in the house with the lights off by yourself?
Yeah, so I mean, I was, when I was signing up from my accounts, I was using my real name.
I was using like a VPN.
I wasn't trying to hide.
There were really no efforts made by the game company back then to, like, monitor or have analytics on this sort of activity to identify, you know, people that are using accounts for real money transactions and things like that.
So it's pretty much free reign.
Ultimately, it had a lot of exploits.
Whenever an exploit would go public and there was an uproar from the community,
the game developers would fix it.
But if you found your own exploit and, you know, he didn't pass it around or make it public,
then it existed until, you know, you got bored of it.
After Ultima Online, you graduate.
Where do you go next?
What game do you kind of, like, move your operation to?
So there was a small game.
that most people don't know about.
It's called Anarchy Online from Funcom.
That was my technically
the second game.
Around the same time, this game called
Archagiavo Camelot came out.
That was my
major game.
I had an exploit in that game.
Well, that game had multiple exploits
where we could create infinite
on the other thing there in items.
But that game had one exploit
that lasted for 13 years before they discovered it.
And I think they discovered it by accident.
The exploit lasted from like year 2001 to 2014.
What was it?
Without getting too technical,
I was able to shortcut or, I guess abused the login system
is a bad phrase, but exploit the login workflows and logout workforce to basically log into the game,
pass a bunch of items and gold to a mule account,
and then cause the game to reload my character again before I got a chance to save my old character.
So I could log in again with everything I had five minutes ago
and just infinitely do that over and over again, like log in, pass all my stuff over to a meal account,
trigger another login event
that would act on stale data that was stored
in the database so I could just
reload an old safe state of my character
and just dump a bunch of golden items onto a meal character
and that lasted for 13 years
I mean that's such a long period of time
you're going so many different games and you'd be doing
some things where there's scarcity and some things where there isn't
when there is scarcity
did you ever
did you ever find some like ethical
red lines that you weren't really willing to cross
where you go yeah there's a way to make a buck here
but I'm not sure that I should.
My ethical red line that I never crossed was I never wanted to do anything
that would hurt the game company's profit or reputation.
There's an asterisk to that, because I did,
if you look up, hackers put the bane in shadow bane.
That was back in 2002,
and that was a game that had many security flaws,
and I kind of went wild with that one.
But it was interesting.
So in that game, I was able to basically have admin-like powers.
I was able to log into the game, look at other players' bank accounts,
teleport to other players, insta-kill other players,
summon NPCs or monsters.
So me and a few of my friends, we were like,
no, this game really isn't that great.
Probably doesn't have a future.
Let's have some fun with it.
We have all these cool exploits, so let's go in and troll some people.
So we logged in, we teleported entire cities of players under the water.
So they started slowly drowning, but they were drawing fast enough.
Like, we would have taken them a few minutes for their characters to die.
So we're like, this is kind of boring. They're just down there, you know,
kind of filing GM help tickets to help them get out of this, you know, drowning situation.
So we started spawning dragons and monsters under the water with them
to shoot fireballs at them and just create complete mayhem.
And the aftermath of that, we were looking at the forums of Shadow Bain,
and some of the players were like, what just happened?
That was insane.
And there was a bunch of players that said,
this is the most fun I ever had in this game.
So on the hand, kind of went overboard.
but on the other hand, everybody had fun
and it is just the game.
Nobody got hurt.
Yeah.
Something really funny, but we maybe went overboard
and then the visual of just like
a city underwater with dragons attaching.
Like, I should think so.
Yeah.
Okay, so where does it go from there?
You've been working at this for a while.
It sounds like you've really perfected your craft
at this point.
Yeah, so, you know,
hacking for profit sounds really bad,
but I knew I was doing it in an ethical way,
so I had no problem with it.
But you want to stay stealthy.
You don't want your exploits to get discovered.
So I pretty much stayed underground
for the longest time.
My job was to just target the game,
reverse engineer it, see how it works,
find some exploits in it,
and then provide
virtual currencies and items to play.
in games that didn't provide these items to the players directly.
And if there was a game that provided items and currencies to players directly,
that's a game I wouldn't target.
For example, around 2013, it was kind of a lull in the gaming industry.
There were not many new MMOs being released.
So I was talking with a person I was selling goods and items wholesale to,
wholesale too. They were based out of China and I was like, hey, what are some good games these days?
Like, there's not really much going on. And the guy told me, he's like, hey, can you do FIFA online?
And I was like, interesting. I've never like really looked into it. And then I was like, is it pretty
good? Is it worth my time? Like, how much could I make? And he's like, dude, demand is insane for this game.
Like, everybody loves trading, you know, FIFA Ultimate tokens. I guess they called them back then.
and he's like, I could buy like $500,000 worth of tokens per day from you.
And I was like, hmm, let me think about this one.
So I did some research, and it turns out EA was selling these tokens directly to players,
so I passed on that.
Right.
So definitely don't want to cross that line.
If people want to look into that story, just search for FIFA hackers.
There's a few people that went after FIFA.
They actually made millions off of it.
And the result was a set of sad stories.
So you developed this personal rule that if this game is willing to create marketplaces, sell products to players, allow them to sell to each other, you weren't interested in touching that.
You were only going to create those markets and games that weren't.
FIFA was on the far side of that line, so you said you weren't going to touch it, but some other people did.
Yeah, 100%.
And they got burned.
I knew that would happen.
That's why I didn't do it.
You know, it was unethical.
It was crossing a lot of red lines.
You opened you up for legal exposure.
and that's exactly what happened to, you know, the guys that went after FIFA.
You know, they did really well at first.
They made millions, but the law came down on them and, you know, it was a very sad outcome out of that.
Yeah, sure.
It sounds like a well-run rule in retrospect.
The half.
Like, don't, yeah, okay.
So you've gone from, I'm just a hacker.
Throw cities under the water, attack him with dragons.
You sort of refined what you're doing and you've moved into, okay.
if there's not a marketplace, I can create one using this skill set,
and I can facilitate these transactions and stuff.
Right, exactly.
Yeah, so early on was hacking for fun and profit,
then it became a business,
and then, you know, I tried to remain as ethical as possible
to make sure, you know, I wasn't stepping down on any toes,
hurting the company's profit or reputation.
So there's a lot of interesting rabbit holes we could follow on this
because, for example,
a game that had a very negative player experience due to people coming in and trying to cater to players, farmers.
For example, Final Fantasy 11 came out in 2003.
There were a ton of gold farmers logging in, hoarding resources, camping spawn spots,
camping spots for people with mine ore and minerals and gather plants and things like that.
So if you're like a legit player trying to play, you wouldn't be able to like, you'd have to compete with, you know, farmers, just completely camping and destroying the ecosystem of the game.
So when I came in and found a few exploits in that game and I was able to, like, create gold with out of thin air, those farmers went out of business.
So there's something interesting that happened.
They're like me finding an exploit and pricing the...
them out of the game, cleared up to the environment of that game, and, you know, made it a better
game for the players. But yeah, there's a few cases of that, or, you know, if you do something
in a way that's stealthy, that drives the farmers away, it's a net benefit for, you know,
the game company, the players, and, you know, for myself. Got to say the obvious.
Yeah, sure. Yeah, you're not going to complain about that part.
Right.
What are some of the strangest exploits in some of these systems you've ever seen?
Without getting too technical, there have been a few exploits that I've seen,
and I'm not going to name the game.
The exploits are really difficult to find, but once you know what you're looking for,
they're very obvious, if that makes sense.
There were a few exploits I've seen that were very obscure,
and it seemed like the exploit itself was, you know, was obfuscated.
Like, they knew somebody would find this exploit,
so they took an extra step to obiscape how it would work.
So it feels like there was a bit of an insider threat,
you know, programming exploits into the protocol
that they would then exploit themselves.
So this is putting on your tinfoil hat,
and, you know, maybe you had a game dev that, you know,
slipped in a few little Easter eggs or cheat codes,
whatever you want to call it.
then after they go back home and use these to their advantage.
So there's been a few weird ones like that where it feels like it was planted on purpose.
But I found in close to examining 30 games, I found over 200 exploits.
They mostly have a common theme.
Like the most common one is an integer overflow or underflow.
That's where you wrap your money value around.
Like sometimes you can subtract.
Like let's say you have zero gold and you find a way to,
to subtract one gold from your account balance,
that would roll over to the maximum value that data value could star,
which typically in the 32-bit integer land was $4 or $2 billion,
depending on how it was configured.
So that was very common.
I think that's the most common exploit class, even in 2023.
Oh, wow.
The other common exploit class was data race conditions,
where things weren't being checked and acted upon.
in a sequential manner.
So you could
sell two of a single item
very quickly, and you get
profits from two items
for selling one item,
right?
And then there's
just crazy logic bugs.
There was another game that
accidentally, and this is a huge
game company that had a really huge
game, probably the biggest
MMO that existed back in the day.
I'll try not to name him, but it
rhymes with buzzard.
You're
insecurity, you say.
They
had, they launched their game
and I was studying the protocol
and I noticed that the messages
were identified
in a way where
you could
the functionality of the system.
The messages to the server were sequential.
So, like, when you log in, the message started with number 16.
Like, when you rename your character, it started with 17.
Like, if you move around in the game, the message packet would start with 18.
So I was like, wait, what's going on with 0 through 15?
And then I started, you know, crafting packets and sending them to the server.
I was like, hey, server, process packet 0.
And the server came back to me.
And it's like, hey, error message in valid format, we need a player name that's in the string format.
I was like, what's going on here?
So after like some fuzzing and trying to go back and forth and trying to get rid of the error message, I was like, all right, here's packet zero, here's a player name, I think it's the right format, let me send it.
Server does nothing.
I was like, okay, that's interesting.
Then I put in my friend's name.
I was like, packet zero, here's my friend's name in the game, send it.
and I teleports to them.
They're like across the map in a different zone
and I just appear right on top of him.
So I was like, this is interesting.
This feels like a GM command that's like,
hey, teleport to player.
So I was able to teleport to anybody in the game
just by typing in your player name in this packet,
which was fun because if you teleport to the PVP area,
so you could like teleport onto somebody,
gang them and teleport back out.
So that was fun.
No money to be made, but good for ganking.
Oh, yeah.
So, you know, packets two through 16 were interesting.
But now this one was still deporting and ganking people for the lulls, as they called it back then.
What came between 6 and 15?
A lot of arrow messages.
I think one of them would, one of them also acted on a player name and would, like, give you their chat history, which was interesting.
I think so collect snoop on people.
Yeah.
A few of them seemed like they'd let you spawn items.
I was able to like spawn certain items, but not all the items.
Like I would be able to like spawn, let's say,
seasonal items, like snowballs or something.
I was able to spawn those without a problem,
but like if I tried to spawn gold, it wouldn't air out.
So there was some effort made to like guardrail dysfunctionality,
but it was baked into the game
and it was active and live
for like a year after the game were released.
So somebody realized, hey,
republished the game with debug commands
that the server was processing
and, you know, they're like,
oops, let's stick that out of the code base.
One of my favorites is Final Fantasy 11.
That game had about 5 to 10 exploits,
a lot of integer overflow,
pretty much any time you dealt with a stack of items
or selling an item to a vendor interacting with your bank.
You could roll things around and just create items out of thin air.
Final Fantasy 14 came out, I think, eight years later, 10 years later.
And they used, they forked the code base before they fixed all those exploits.
So they forked the code base and the exact same exploits worked in the game that they released almost 10 years later.
So that was fun.
I mean, that cut down my research and development time.
I was able to use all my old notes from Final Fantasy 11,
and so that was cool and strange.
I mean, I could see why they forked the old codebase.
It's probably easier to augment into whatever they want is coped out of it.
But it's, you know, when you're forking projects,
make sure you're forking a version that, you know, has exploits fixed.
They're sure.
Don't leave all the vulnerabilities and the thing for you.
Or do.
I don't know.
I mean, yeah, just yolo.
version one commit
really to have a little fun here if I'm going to say for it
okay
any others come to mud
I mean the dark edge of Canada one we went over
that lasted for 13 years
there were a few
stars all the public and
wilds were online were I think
the first games that used 64
bit values to store
player attributes like gold
so when I found an
integer overflow in that one
I ended up with
like 18 quintillion units worth of in-game currency.
And if you translate that into the market value,
I had about like a hundred trillion US dollars both of, you know, currency in this game.
So technically I was a trillioner on paper, which was pretty cool.
I mean, that brings up a really interesting question,
which is like, you know, when you started this was selling an Ultima online house
on eBay. That gets axed, obviously. How is the market, the secondary marketplace for digital assets,
like this changed over the 20 years you've been doing this? Like, how is it, where did it start,
where has it arrived, and, you know, how did it change along the way? That's a great question.
So at first, it started out with peer-to-peer, you know, you have to trust the other party,
and you, you know, you transfer money and then you transfer that item. So all of that was done
via mostly eBay or maybe some farms.
Then eBay banned the sale of virtual goods
because they didn't feel like enforcing,
there was a lot of opportunistic cameras
that would sell you stuff in the game
and they'd take the money and just disappear.
So eBay was getting way too many customer complaint,
tickets on that kind of stuff.
So they banned the sale of virtual goods period.
And that's when all these mostly out of Southeast Asia
sites popped up.
like eGpal, IGE, E, and they basically acted as a marketplace for players that were to buy
items and currencies from other players. So I went from, you know, selling or operating
by myself and just selling on eBay to supplying wholesale in bulk to, you know, people like
IGE. And, you know, my typical workflow was like I'd load up an account with, you know,
millions worth of gold, not millions worth of gold.
It would be in the thousands of the US dollars.
But, you know, and then I rolled up these accounts with money,
and I'd transfer, I'd give the login credentials to, you know, IG.com,
and they'd pay me a few hours later.
So it was very easy.
Every day I just log in, stuck up a bunch of accounts,
and sell them to IGE, and then they'd pay me later at night.
And this was done via PayPal, which was interesting,
because PayPal froze my account many, many times.
So, like, why are you getting money versus money coming from?
They're very nosy.
Imagine that.
So, yeah, that was challenging.
So, yeah, you had this huge underground chatter market.
And these days, I know people don't like NFTs and Web3.
Well, I won't generalize in that way, but it's a very controversial subject that's polarizing people, right?
Some people are like NFTs, no, go away.
And some people are like, yeah, NFTs are in the future.
But the cool thing is like, I mean, we're here at GEC and we see a lot of NFT-related companies down on the floor.
You know, they're trying to promote this sense of player ownership and giving players the power to, you know, control their assets
and giving them the ability to sell their assets to other players.
An interesting side note, like I did some napkin math and the shadow markets that happen outside of these games,
they are potentially at least two, but up to five times greater than the actual revenue of the underlying game.
So game developers in the past and currently aren't harnessing the full potential of, you know,
player-to-player trading.
And technically it's, you know, it's a form of user-driven.
content. Like if you're playing a game and you're mining or grinding for items, you know,
you're technically generating assets in that game that other players want. So I think the
collision of Web 3, the Web 3 ethos and mentality and Web 2 gaming is creating this interesting
area where it's recognized that players want to trade amongst each other. There's huge
economies that happen amongst players. And I think the next generation of monetization isn't going
to be in that purchases. It's going to be kind of mirroring a country where you tax, you know,
transactions and sales of items to support the game, its infrastructure, and its employees.
And it's going to be a symbiotic relationship between revenue of the players and the game
compiles. That's very interesting. Yeah, we're here walking around. I was here about five years ago,
all the banners were epic games, Blizzard, 4, 8.
Now it's Web 3, Web 3, Web 3, Web 3.
So much of it is tied up in blockchain, obviously.
Do you think that's essential for that cultural shift towards player transaction?
Do you think that could be done server-side where a game developer could facilitate those transactions,
or do you think there needs to be an external kind of infrastructure to allow that?
There are a few games that people forgot about, second life for one.
It had a player-to-player economy that was very much done in the Web 3 style away.
The blockchain is nice, but it is, for the most part, just the storage technology.
Player ownership can be done server-side and honored by the game company.
I think some fair name...
Well, let me take that back.
This is a huge rabbit hole.
Like, this is an emerging market, and nobody knows where it's going to go.
But I think in the end, what's going to emerge is the players will have the power to control their assets in whatever way they want.
As long as they comply with local regulations and loss, you know, losing a sword in a video game might become a taxable event.
Or, you know, getting your account hacked might be a taxable event.
There are companies popping up now.
I've seen like four or five of them pop up in the last six months where they're offering insurance for in-game assets.
So like if you're in the game and you have a very expensive legendary sword, that might be going for a few hundred bucks on like the gray market.
They'll insure it. And that's interesting. I think the future will be a blend of Web 3 ethos and technologies and Web 2 style centralization.
in the short run
who knows what things will look like
10 years out
but I think in the end
players will have ownership of other assets
the underlying technology that's going to make that happen
who knows what that's what that's going to look like
that's very very interesting
losing a sword in an online game
becomes a taxable event that is a wild
right I mean think of all the crazy stuff that could happen around that
because I mean you have insurance fraud now
but if you have insurance on virtual items
that there's no traceability on, things get very interesting.
It's a very, I mean, it's a brand new industry,
and there's a lot of sharp edges, you know,
but as it evolves, I think it'll be in the player's benefit.
I think about a bank account.
Something happens to my bank account,
the bank is probably going to help me out.
Something happens to the bank,
and the government's probably going to help me out.
What does it mean when my digital asset,
something happens to it?
Does it matter whether it's serve,
storage server side, in which case they'll help me like a bank.
Or if it's on the blockchain, they go, oh, that's not our problem.
It's this giant set of problems that we have no, like, cultural standard for how to solve.
Yeah.
Yeah.
The permanence of an item existing on the blockchain has, you know, pros and cons.
One, it's permanent.
Two, it's permanent.
So if you're involved in the fraudulent transaction, you can't really undo it.
There are no refunds on the blockchain.
I've seen solutions where they bacon backdoors into smart contracts
to maybe potentially give you a backdoor way in
for like 30 days somebody else could come in
if they have the right set of credentials
they could undo transactions
but then you're just creating web to technologies on the blockchain
which is sort of silly.
Sure. Someone steals my car.
They can either find my car or I don't have the car
but if I have insurance you can give me money
I can go use to go buy a new car
and scarcity and fungibility
in these digital assets becomes really, really important
because is it valuable
if they can just make another one and give it to me
or do they need to give me a currency
so I can go buy another one?
Yeah, all of that is just crazy.
I mean, if you take a big step back
and look at all these technologies,
they are trying to push the illusion of scarcity.
Sure.
It's all an illusion. On the blockchain, that illusion of ownership and scarcity is a little bit stronger,
because it is baked into the code a little bit and some of that code might be irreversible
up to a point until things get hacked and you forked a layer one and you create new things.
But it's all an illusion. I don't know. It's interesting. It's interesting to watch the evolve.
In some ways, it's like reinventing the problems of the 90s in a new way, using the use.
technologies but then again it's is really creating cool and useful features and they're being
used in ways that you know we we couldn't have envisioned you know 20 years ago I mean imagine
talking about you know NFTs 30 years ago and saying hey I made an NFT of a sketch on a
piece of tissue paper and it's sold for $30,000 you'd get committed to an insane asylum
and here we are in Starwall and it's right here on the GSIE
DC floor and people are promoting NFTs and video games.
Digital scarcity is an illusion, I think you've worked.
Scarcity is an illusion.
And yet there's such an extraordinary amount of human capital, capital,
just everything going into making that illusion feel real.
There's so much, there's so many things over right behind this giant curtain.
It only work if we accept the premise that that scarcity isn't an illusion.
Yeah, it definitely helps.
It's, it's, I mean, if you're an investor and you're an investor and you're
investing in the blockchain project that's promising scarcity you're going to see some pretty good
returns so it's like it's like this cycle that fuels itself and you know there's a lot of backlash
against web 3 right now and NFTs and all that stuff one because you know there's a lot of scams on it
two could just be seen as a money play to please investors um let me go back and and
There's one thing, so there's many positive things about Web3 and how it's evolving the landscape of ownership and how people and players own things in their names.
But I've noticed this one trend that's been bugging me for a while with Web3 is, you know, there's a site called, site called Web3's going great.
I don't know if you're familiar with it.
And it's interesting because it's like, I think Molly White runs it, right?
and it's a website that lists
all the greatest hacks that happen in Web 3
and it tallies up how many billions of dollars have been lost
and sometimes I'll research a specific hack
that happened on Web 3 that maybe
you know ends up in the loss of hundreds of millions of dollars
or people getting their wallets compromised
and I'll do some research
I'll go on forums
and people will
they'll defend the technology and they'll be like
oh no it was the user's fault
They were using their wallet incorrectly.
It's like the Steve Jobs thing.
Like, you know, our phone isn't broken.
You're just holding it wrong.
I'm not sure how prevalent this is or if I just like zoned in on it.
But there's a lot of victim, shaming, blaming it in Web3.
It's like you got hacked because it was your fault.
Don't blame the Web 3 technology.
It's perfect.
It's precious.
It's Godlike.
It's holy.
You shall not speak badly about Web 3.
What was your fault?
I mean, that's really interesting that that mindset of the technology is perfect.
That's your fault that you got hacked.
Do you ever reflect on that 20 years in the video game hacking industry?
Do you ever think back on users?
Did you ever hack users, or was it always the systems in the games?
It was always the system.
I never went after specific users.
I mean, I did use hacks to teleport to players and kill them, but that's part of the game-ish.
That's different.
Yeah, I never deprived the player of value.
of their items or their game count.
I forgot what's...
No, I think you answered that question pretty nicely.
It just seemed...
It's like an interesting parallel
when you think about video game hacking
as a precursor to a whole new kind of crime
that we're encounter for the first time
as people start trying to create more digital assets.
For years, it was just stealing some gold
in a video game, and now it's like, well, that...
You're trying to argue that's money.
This is digital money.
Web3 people are trying to argue that.
It evokes video game hacking, and it's interesting.
It does...
There are some parallels around.
it, you know, in the video game hacking days when I was creating items out of thin air,
it was really out of thin air.
You know, I was just telling the server, hey, give me a million gold and like a roundabout
away through a next point.
That was very technical.
But when you're talking about Web 3, the ownership lies with the custodian, which is the end user,
and it's their responsibility to be their own bank and be as secure as their own bank,
which I'm sure has never backfired.
Never.
Yeah, being a bank is easy.
Yeah, it's super-fishing.
Yeah, nothing bad ever happens to those.
Right, yeah.
So the technology of L3 is evolving.
I think systems and mechanisms will evolve in a way where, you know,
people can be the own bank,
but they're going to have to give up a sense of ownership.
Things will be a little bit more centralized.
I'm sure most people then to interact with three acts or interact with it through a centralized exchange,
which for the most part is great unless we happen to be unfortunate enough to do business with FTX.
Oh, bad.
So when did you go from being Manfred back to being Adrian?
So I quit hacking for a profit in 2017.
I went public as Manfred.
I tried to create the serpent persona that wasn't very easily trackable back to me.
Because I didn't know what the reception would have been,
and I don't know what the sentiment towards that will be 10, 15 years online.
I don't want people Googling my name going,
oh, this guy was hacking video games for a profit,
because that sounds bad, and it could be bad,
unless you know the backstory,
but people tend to read only the headlines,
and click headlines couldn't really cause some problems.
So I tried to be careful in the first few years,
but the response from people I've talked with were very positive.
When I went to public at DefCon,
I met people from a lot of the game companies.
You know, I've done, quote, unquote, business with.
And, you know, they were very cool.
They were like, how did you pull this off?
You know, we have a security team internally,
and, you know, we weren't able to cache these things.
Well, I sat down.
I opened up my laptop out of it.
Here's my notes.
Here's how I did it.
So they were very receptive, and I was very happy to hear that.
So just over time, the line is just blurred.
I didn't really care.
Sometimes I talk publicly as Manfred, sometimes it's Adrian.
Sometimes on my PowerPoint slides, you know, I have a picture from my UO days of like
Manfred riding a horse.
I kind of stopped caring.
The response has been super positive.
Developers are super nice.
They love learning.
You know, they love security.
and I love talking about it, so
I kind of just melded
into man, Adrian
that he is.
Mendrian.
I was talking with a buddy before I came up here,
and he listened to your talk
that you gave two days ago, I think.
And he just brought up that, you know,
he's a programmer now.
And the way he kind of first started
mucking around inside computers was
cracking video games and messing around with games.
And I think that that's such a common experience.
And so while maybe most people that end up in that space don't then have a 20-year intermediary career cracking games,
it's such a common experience to say, I love this piece of software.
I spend so much time and I want to understand what makes it tick and how to take it apart and put it back together.
Yeah.
100%.
Like, when you're curious and you're technical and you're interested in program or security or just how things work,
games are great because they're very interactive.
and you get that instant gratification.
It's like, let me spend a few hours
like hooking up a debugger, a memory viewer,
maybe a process tracer,
see how the game interacts with the operating system,
and then if you're doing like a single-player game,
you can be like, hey, this game loads a safe file
from this location on the file system.
Let me pop open the save file.
Oh, it's in clear text.
It's like a JSON file that says,
here's my level, here's how much goal I have
because it's a single-player game.
They don't really want to protect it.
sometimes the safe file will be encrypted, and that's in your rabbit hole.
It's like, how does this game load the safe file and how does it decrypt it?
So then you got to open up your debugger and put breakpoints on like file read and operating system, you know, operations that open files.
And then you just walk back and see how the code interacts with that file, find the decryption function.
After that file is decrypted and it's in memory, like what are the values there?
What can you modify?
So we learn a lot that way and it's it's entertainment because it's like you're messing with this game
and you're able to like give yourself infant lives or extra items in the game or extra health.
So it's definitely cool.
The word is pretty instant and just learning.
It helps you learn super quick about how operating systems work, how games are compiled.
how they interact with the file system.
And then when you move on to online games,
you know, it's a similar process,
but, you know, the game save file doesn't really exist on your computer.
It's on the server, and it's, you know,
you have to interact with it with APIs that the server handles.
And then you just fall down the rabbit hole,
slam a bunch of red bulls, and lose your suntan.
You know, you become that person that's in the basement,
just hacking away.
And it's a lot of fun.
Yeah.
Yeah, we're in a building with 20,000 people that are interested or actively make video games.
And I imagine a lot of them on some level.
There was a moment where they started taking those games apart.
And that's probably what sent them on a path towards being here and getting to make these things.
Yeah, 100%.
I remember my first computer was like a commas or 64 back in like 1984.
And there were magazines back then.
And the magazines had actual game code, like printed in the magazine.
So you'd type it from the magazine onto your terminal on your calendar on your calendar 64, hit run.
You know, it'll probably crash and not compile.
Then you've got to fix all the typos and stuff.
And then the game runs.
And it's like, oh, cool.
I just downloaded the game from a magazine, which is cool.
But then you can, like, study the code and see how it works.
Like, hey, there's like a physics function here where I can tweak it, maybe jump higher.
Or here's where my health is calculated so I can make myself take less damage.
And here's my attack function.
Maybe I can, like, multiply my attack by 10 and kill things in one hit.
So I definitely enjoyed when I was growing up, you know,
creating games from a magazine, basically tweaking them,
seeing how they work.
And then somehow it's not upholed into a 20-year career where I hacked games for a living,
which is crazy to think about.
Yeah, the line between taking things apart and making new things gets really blurry.
And that's pretty cool.
Yeah.
I mean, a lot of people say, like, you know, they were very curious growing up
and they'd take apart toasters, but video games are basically just really complicated
toasters.
Can I quote you on that?
Yeah, and they print money sometimes.
So what's next for you, man?
What's next for me?
I'm doing a lot of things now.
Mainly, I'm interested in cybersecurity still.
I think I always will be.
I've always had a curious nature, and that's never going away.
So right now I'm at GEC, and I'm interested in talking with game companies about game security.
I'm like, hey, I have spent 40 years hacking video games, and nothing is really changing.
So right now I'm trying to build a coalition of big-name game studios to back me on creating gaming security standards,
because there are no gaming security standards that exist out there.
So I'm drafting a document that will outline best practices and common attack factors in single-player games, online games, and web 3 games.
I'll be like, here's what you guys should look out for.
Here's all the boxes you need to check to make sure you know, you validate, you know, code was tested, things are running properly,
tested all the things around critical systems where players may or may not lose value on if those systems are exploited.
So I'm hoping to create security standards for the gaming industry,
which is a huge project, but I think it'll be fun.
30-second elevator pitch, what are those standards?
What are some of the big themes that you need to see in something like that for it to work?
Step one, don't get hacked.
Step two, see step one.
It's a short document.
That's it.
Spoiler alert here.
It's complicated.
Security is complicated.
So after I quit hacking games for a profit in 2017, I did.
security consulting for companies like Disney Netflix, Google.
I actually helped Disney craft
the Motion Picture Association of America
Security Standards for content distribution.
Because studios, you know, one of particular content,
they all want their movies to leak out prematurely
before they hit theaters.
There is no silver bullet when it comes to security.
If you Google the MPA security standards document,
it's about a zillion people.
There's a lot of some spreadsheet farms and a lot of boxes you need to check.
But you need to take care of application security, physical security.
You need to make sure that the people that working on the games
do I have too much authorization and access to critical systems
because inside of threats are a thing, especially as games evolve
and players have assets that are more valuable.
I'm a huge fan of Baltimore Online and a lot of Raff Coasters,
costers musings on his blogs and back in the ultimate online days game masters would go rogue and they'd
just try to write items out of thin air and sell them on eBay so insider threats are a huge thing
and they will be you know even a larger thing once you know these assets get more and more valuable
and especially when you type on some of the web three ethos of gaming players true ownership
which will boost the value of these assets and the legality of them because right now it's against the terms of service to sell items for for for money and when that's legitimized inside our threats will be will be more of a problem so you I'm going to cover all those fields and make sure that you know steps are outlined to make sure that you know you test your code you test your code against these specific functions
against these classes of vulnerability.
You follow these standards.
And it's a lot of hard work.
I mean, I wish I could say, like, you know,
check these 10 boxes and you'll be secure,
but it doesn't work that way.
Security is a process, and it needs to be
big sense into the workflow on a continuous basis.
It's not something we can just slap on once and call it done.
It's a continuous process.
Thank you for taking the time to chat with me.
I know you're running around. I really appreciate it.
Yeah, thank you for.
for having me. Anytime you want to chat games and hacking, I'm around.
Convene underneath this weird UFO again.
I don't know what's going on. I've had like six hours of sleep in the last three days,
and this seems very surreal. Thanks for take the time, man. Appreciate it. Thanks, man. See you.