Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks

Graham Cluley
@gcluley

A suspected hacker has been arrested in connection with a serious security breach of servers belonging to the “League of Legends” video game.

According to media reports, 21-year-old Australian Shane Duffy has been charged by the Queensland Police Fraud and Cyber Crime Group with three counts of computer hacking and five counts of fraud.

At the time of the hack last August, Riot Games – makers of “League of Legends” – warned North American players that usernames and email addresses had been stolen, alongside salted password hashes.

Sign up to our newsletter
Security news, advice, and tips.

In addition, the game company warned, approximately 120,000 transaction records containing hashed and salted credit card numbers were accessed from an old payment system that Riot Games used until July 2011.

But, if police allegations are true, it seems that there was an unusual motive for the hack.

Police say that Duffy used the stolen data to sell game players’ IP addresses to opponents, who would then use the information to launch denial-of-service attacks against them.

Well, I guess that’s one way to stop someone beating you at a video game…

According to the authorities, 880 separate payments for the data were made to Duffy in the last month alone.

Australian police believe that Duffy hacked the American video game’s servers via a Dutch ISP, and then posted the stolen database information on a website based in Panama.

Australia, America, the Netherlands, Panama. Once again, it’s made clear that cybercrime is a truly multinational.

Clearly the Australian authorities – who received assistance from the FBI and Riot Games during the six month investigation – have had an eye on this individual for a while, as his property was first searched in November 2013.

Duffy’s mother Leah has come out fighting for her accused son, who she says has Asperger’s syndrome, claiming that although he has advanced computer skills he was not responsible for the hack.

Duffy is due to appear in the Maryborough Magistrates Court on April 8.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks”

  1. This is exactly what happened in the Cambridge developed game RuneScape. And funnily enough one of the guys behind it was from Australia.

  2. Media and police have it twisted. Sad that Shane will be judged by a system that barely understands much about this.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.