Japanese couple arrested for robbing Lineage virtual characters

Graham Cluley

Japanese police have arrested two people suspected of stealing virtual characters and goods from players of one of the world’s most popular online games.

29-year-old Yu Nishimura, a company employee of Kawasaki, and Kaori Tanaka, 39, a medical claims processor of Adachi Ward, Tokyo, are alleged to have used spyware to steal usernames and passwords from players of the Lineage II Massively Multiplayer Online Role Playing Game (MMORPG).

According to local media reports, the two are said to have advertised a website that offered Lineage players free tools to boost their online characters’ combat characteristics.

However, in reality, the tool is alleged to have stolen players’ credentials and sent the information back to Nishimura’s PC.

According to the claims brought against Nishimura and Tanaka, they were then able to illegally access the Lineage II game through other people’s user ids, and sell virtual belongings (such as swords and shields) for real money to other players.

In total, the pair are alleged to have made approximately 1 million yen (approximately US$ 12,000) through the scheme between April and June 2010. Over 100 people’s accounts are said to have been compromised.

NC Japan, the maker of “Lineage II – The Chaotic Throne”, which says it has lost about 100 million yen fighting hackers who try to break into players’ accounts, is reportedly planning to sue the two suspects for compensation.

Kanagawa police are treating the case as a violation of illegal access laws, but it’s possible it may be expanded to a more serious charge of business obstruction by fraud because of the financial impact on NC Japan.

This isn’t the first time that crime has taken place in a virtual world, of course. There have been many examples in the past.

For instance, in July 2009 the Australian Chief Executive of a virtual bank in a sci-fi online trading game stole 200 billion “kredits”, which he then used as a deposit on a real-world house, and British police arrested a 23-year-old man in connection with thefts from Runescape characters.

A Japanese woman was arrested by police in 2008 after killing her virtual husband’s avatar in the virtual game MapleStory.

And earlier this year, Finnish police reportedly searched homes and confiscated computer equipment in their search for “virtual furniture” stolen from the virtual world of Habbo Hotel, a chat room and gaming website aimed at teenagers.

Online role-playing games first became popular in Asia, and so it’s no surprise that much of the malware we have seen which steals information from virtual gamers originated in that part of the world. In 2005, for instance, we reported on the arrest of a group of Korean men who made large amounts of money after stealing credentials from players of Lineage.

Some MMORPGs have responded to the growing problem by introducing hardware token devices (also sometimes distributed by real-world banks) to authenticate that users are who they say they are, a solution which certainly makes it much trickier for a hacker to break into your online gaming account.

We shouldn’t treat cybercrimes like this any less seriously just because the items being stolen are “virtual”. They still have real value and are worth real money (clearly many people are prepared to pay for such stolen goods too).

If convicted, Nishimura and Tanaka could face a sentence of up to three years in prison, and a maximum fine of 500,000 yen (US$ 6,000).


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
