Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks

A suspected hacker has been arrested in connection with a serious security breach of servers belonging to the “League of Legends” video game.

According to media reports, 21-year-old Australian Shane Duffy has been charged by the Queensland Police Fraud and Cyber Crime Group with three counts of computer hacking and five counts of fraud.

At the time of the hack last August, Riot Games – makers of “League of Legends” – warned North American players that usernames and email addresses had been stolen, alongside salted password hashes.


In addition, the game company warned, approximately 120,000 transaction records containing hashed and salted credit card numbers were accessed from an old payment system that Riot Games used until July 2011.

But, if police allegations are true, it seems that there was an unusual motive for the hack.

Police say that Duffy used the stolen data to sell game players’ IP addresses to opponents, who would then use the information to launch denial-of-service attacks against them.

Well, I guess that’s one way to stop someone beating you at a video game…

According to the authorities, 880 separate payments for the data were made to Duffy in the last month alone.

Australian police believe that Duffy hacked the American video game’s servers via a Dutch ISP, and then posted the stolen database information on a website based in Panama.

Australia, America, the Netherlands, Panama. Once again, it’s made clear that cybercrime is truly multinational.

Clearly the Australian authorities – who received assistance from the FBI and Riot Games during the six-month investigation – have had an eye on this individual for a while, as his property was first searched in November 2013.


Duffy’s mother Leah has come out fighting for her accused son, who she says has Asperger’s syndrome, claiming that although he has advanced computer skills he was not responsible for the hack.

Duffy is due to appear in the Maryborough Magistrates Court on April 8.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks”

  1. Matt

    This is exactly what happened in the Cambridge developed game RuneScape. And funnily enough one of the guys behind it was from Australia.

  2. Choco

    Media and police have it twisted. Sad that Shane will be judged by a system that barely understands much about this.
