Hackers wage war on citizens of prosperous virtual worlds

Jupiter Stormshadow stares sadly at the remnants of his castle in one of the outlying fifes of Norrath. “All this used to be mine, then the serfs attacked.”

This is no real country and Norrath no real world. The Everquest online gaming world of Norrath has been overrun by computer generated characters that have turned on the ‘human’ players and destroyed their possessions and expensively-created characters.

Jupiter is a character played by Billy Hanson, a very human 22-year-old male and one of the programmers in the virtual world.

“About two weeks ago hackers turned the serfs into protestors. We thought it was a joke. They were demonstrating in the various town centers. We weren’t sure how to stop it, so we invited the gamers to simply kill protestors, like they’re a virus. We killed thousands of them. Then they rose together and slaughtered us en masse.”

After the carnage, Everquest, originally worth US$ 90 million a year in subscriptions from its 450,000 players, is worthless.

“Yesterday we received a message from a group identifying themselves only as The Quark,” says Gillian Sanders, legal counsel for Sony Online Entertainment, owners of Everquest. “We are being blackmailed. If we do not pay US$ 20 million directly to The Quark, they will attack our other online game worlds and destroy them – and our revenues.”

Subscription services on the more than 35,000 massively multiplayer online role-playing games (MMORPGs) make it a US$ 2 billion-a-year global industry. The trade in virtual goods in game worlds is worth US$ 5 billion per year.

“We have upgraded our security systems and don’t expect that these hackers will be able to disrupt our service,” says Rob Pardo, Executive Vice President of Game Design at Blizzard Entertainment, which operates World of Warcraft. With over 12 million subscribers and revenues of over US$ 300 million annually, Blizzard has much to lose.

Legal experts have been caught unprepared over virtual fraud cases. Is the loss of a virtual character or virtual property protected by physical law? “We just don’t know,” says Sanders. “Worse, though, is that for the moment, we don’t even know who is doing it.”

ANALYSIS >> SYNTHESIS: How this scenario came to be

Since the collapse of credit markets in 2008, bankers and business executives have had the sword of aggressive regulations hanging over them. The mere hint that investors may not have acted entirely in their clients’ best interests is being scrutinized and many face lengthy jail terms. However, there is another highly sophisticated and technology-based world that has the mores and morals of the 16th century. Where banks are set up with the express intention of defrauding depositors; where companies are pillaged by senior executives, and staff and investors left destitute.

Welcome to the modern world of massively-multiplayer online role-playing games.

In 2002 Blizzard Entertainment, who will go on to create World of Warcraft, is the site of the Internet’s first virtual massacre. Hackers used a loophole for the popular Diablo II game world to enter the virtual world and murder off many of the most powerful characters.

Players, who spent hundreds of hours creating these characters and paying for the time to do so, are left out-of-pocket and bereft. Despite this early set-back, virtual worlds continue to grow.

Edward Castronova, associate Professor of telecommunications at Indiana University, used Everquest to calculate in-game economic value back in 2002. In 2004 he released a study showing the value of the whole world of virtual games. Prof Castronova assumes, based on his earlier study, that the average gross domestic product of each of the two million or so permanent virtual world dwellers is US$ 2,000.

This figure measures the monetary value of the things, such as magic weapons and trade goods that users produce during the 20 hours per week they typically spend in the online worlds.

“The real world nation with an equivalent GDP per capita and population is Namibia, which has about two million people and, according to World Bank figures, a gross national income per capita of US$ 1,790.”

In 2002, a private initiative sets up an online exchange where players can trade the characters they develop and items they find,

2005: Corrupted Blood and Ponzi Schemes
In September 2005, Blizzard opens a new area in World of Warcraft featuring a new boss monster which attacks players with a disease that can be passed between both player and non-player characters. Originally the disease cannot leave the new area, but a few players work out how to get it into the rest of the player-world.

Low-level characters will be killed immediately by the disease and so are open to threats by the disease carrying players. Many players pay ‘healers’ to protect them from the disease. Blizzard’s more than 2 million players are incensed as the plague spreads rapidly. Epidemiologists are fascinated, comparing the way characters deliberately spread the disease as resembling behavior attributed to early AIDS patient Gaëtan Dugas and Typhoid patient Mary Mallon. Eventually Blizzard has to reset three servers and revert the game to a point prior to the disease outbreak.

Meanwhile, an elaborate fraud of truly epic proportions is taking place in the EVE Online player universe. This more open-ended universe sees players collaborating in guilds to mine planets and colonize the universe. A secretive guild of spies and assassins, the Guiding Hand Social Club, has spent 12 months infiltrating one of the largest and wealthiest guilds, the giant Ubiqua Seraph corporation.

Guiding Hand had been hired at a cost of one billion ISK (EVE’s currency) to murder Mirial, the CEO of Ubiqua Seraph. It took a mere 30 minutes to launch their attack. The simultaneous ambush and galaxy-wide hangar theft inflicted financial damage upwards of 30 billion ISK – US$ 16,500 dollars at’s prices. The value of the stolen assets utterly dwarfs the original fee for the job.

This is still strictly within game rules, but the gloves are off. What won’t players do to win?

2006-8: Virtual Banking Fraud
Players in virtual worlds like EVE and Second Life can use their virtual money much as one can in the real world. This includes lending it to others and earning interest. Both games naturally lead to fractional banking, where players accept deposits from some players and lend money at interest to others. The problem, though, is that virtual worlds have no central government or courts and rules of law.

In 2006, the EVE Intergalactic Bank folds as its director ‘Cally’ flees. He takes with him the virtual savings of thousands of players worth 790 billion ISK, or US$ 170,000 in real terms. Other game worlds note that the nature of EVE leaves it open to such abuse.

Darker dangers exist too. In 2007, security research group Symantec releases a report stating that a compromised World of Warcraft account is worth US$ 10 on the black market, compared to US$ 6-12 for a compromised computer.

In July 2007, a bank in Second Life, Ginko, evaporates. Money in Second Life is different from money in other games. Linden Labs, which operates the game, requires that players buy cash at a rate of 270 Linden Dollars to one US dollar. More than US$ 13 million worth of Lindens are in circulation, and 318,742 residents of Second Life participate in its internal economy. Ginko – operated by an avatar called Nicholas Portocarrero – persuaded hundreds of people to deposit their Linden dollars with him by offering Icelandic levels of interest. He fled with US$ 700,000 of real money. Linden Labs declared that it is not their responsibility to police the virtual world and players need to look after themselves.

In February 2008, phishing emails are distributed requesting that users validate their account information using a fake version of the World of Warcraft account management pages. The problem of theft of players’ credit card details becomes sufficiently troubling that Blizzard is forced to act. In June 2008, Blizzard announces the Blizzard Authenticator, a hardware security token that provides two-factor security. The token generates a one-time password-based code that the player supplies when logging on. The password is only valid for a limited time, thus providing extra security against key-logging malware.

2010: Gold Farming and vBlack Friday
Richard Heeks at Manchester University estimates that 400,000 Asian workers are employed in gold farming in a trade worth up to US$ 1 billion a year. ‘Gold farming’ is the act of building up virtual assets, such as rare items, in-game weapons or armor, or even high-level characters, and then selling them. Gold farmers can be paid as little as US$ 150 a month, but it can take months to create valuable artifacts. The highest price ever fetched on auction for a World of Warcraft character is US$ 7,000.

World of Warcraft is the most targeted for this type of farming but all the major game platforms suffer. Players complain that this cheating gives wealthy players an unfair advantage. There is also the potential for fraud. Players sometimes grant access to their characters so that a farmer can spend the necessary hours completing routine tasks necessary to gain levels. This access allows for later hacking.

In a coordinated effort, Blizzard, Linden Labs, CCP, Sony Online Entertainment and other major platforms act in what is known as vBlack Friday. On Friday the 13th of August 2010, some 1.5 million accounts are disabled across the top 30 online games. Some are those of legitimate players, but most belong to gold farmers.

At a single swoop, the entire gold-farming industry is destroyed.

“We think we had legitimate cause,” says Rob Pardo, Executive Vice President of Game Design at Blizzard Entertainment. Bloggers and gamers go wild at this assault on their liberties. Revenge is promised, as well as talks of boycotts. However, after a brief decline, online gaming continues as profitably as ever.

2012: Norrath Revolts
By 2012, gold-farming is worth US$ 1.5 billion a year.

“They came back,” says Gillian Sanders, legal counsel for Sony Online Entertainment. Using ‘Onion Layers’ – a system of information encryption and espionage developed during the Cold War – gold-farming companies have recreated themselves. They are now much harder to detect and auctions are much more distributed. “The problem we now have is that we made them angry.”

In early-January, security at one of Everquest’s servers is breached. “At first the hackers looked as if it was just a ‘normal’ phishing scam, you know, they were just looking to breach security and steal credit card details,” says Billy Hanson, a software engineer working at Everquest. The original Everquest still functions, but is considered a declining power in the world of virtual gaming. Sony has been wanting to shut it down for three years, but has still been working on ways to allow players to migrate to its other, more valuable, platforms.

In March, players visiting many of the main cities in the Everquest world of Norrath are surprised by non-player characters standing in the town centers and waving placards. They are demanding the right to vote and elect their own representatives. Most players think it is a joke.

Everquest programmers can’t figure out how to stop the protests and realize it is a virus that will affect all non-player characters. “We thought that the only way to stop it would be to kill the non-player characters,” says Hanson. “As players attempted to fight non-players, the non-players grouped and slaughtered them.”

24-hours later, a warning and a demand is received by Sony, Blizzard and other leading game platforms. “Everquest is a warning. We can hurt you far worse than you can hurt us. We can destroy your companies and your profits.”

The companies immediately approach their respective governments to ask for help. Help that is not available to in-game players.

“All we can do now is fortify our servers and warn our subscribers to be wary,” says Rob Pardo.

Warning: Hazardous thinking at work

Despite appearances to the contrary, Futureworld cannot and does not predict the future. Our Mindbullets scenarios are fictitious and designed purely to explore possible futures, challenge and stimulate strategic thinking. Use these at your own risk. Any reference to actual people, entities or events is entirely allegorical. Copyright Futureworld International Limited. Reproduction or distribution permitted only with recognition of Copyright and the inclusion of this disclaimer.