Gaming League Employee Turns 14,000 Users Into Bitcoin-Mining Zombies

A good Bitcoin mining rig is hard to find. They're expensive, they take up space, they wrack up huge energy bills. Not at all practical for your average ESEA gaming network employee. Nefarious code that turns 14,000 of your users into an unwitting personal bitcoin botnet? Totally doable.

Like so many great schemes, it must have seemed perfect at the start, like Richard Pryor pulling half cents out of thin air in Superman III. ESEA is one of the largest competitive gaming leagues in North America, if not the world, with cash prizes approaching $US100,000 each season. Its users are an elite breed, who use elite graphics cards -- the kinds that can slowly, surely, reliably churn out Bitcoins if given a gentle nudge in the right direction. Or in this case, were marched there at gunpoint.

The best/worst part? The as-yet-unnamed rogue employee didn't even have to come up with come up with any clever code himself. ESEA did that bit for him.

The Trojan Mine

Recently, ESEA decided to experiment with Bitcoin mining. Specifically, with building the feature into its product so that its users could, if they wanted to, harness their powerful GPUs for digital cash instead of digital kills. The company got deep enough into the testing phase that, according to an ESEA news release, ESEA even had it up and running on two of its administrators' rigs. And then, on April 13, it pulled the plug.

Or at least, they thought they did.

As the release goes on to describe, one of the employees involved in the test decided that the code was too good to just abandon. In fact, it could be incredibly useful if you were enterprising enough -- and immoral enough -- to figure out how to deploy to the rigs of 14,000 of your network's most valued members. Just hide it somewhere that they need but would never question. Somewhere like, say, ESEA's anti-cheat client, the pride of the company.

And that's where it hid, until a user -- not ESEA -- found out what was going on. Yesterday.

Quitting Time

At just after midnight yesterday, ESEA user unisolsz discovered that his GPU was being used for something other than, well, anything he intended. Specifically, that it was mining Bitcoins. He sent out a warning in the ESEA forums, and the company pulled the plug.

In just those two weeks though, the damage was done. The employee had racked up close to BTC30, which is $US3713.55 in dollars today (and either twice or half that tomorrow, given the viscosity of Bitcoin).

To help make things right, ESEA is donating twice that amount to the American Cancer society, and -- since it's still unsure exactly which users were affected, and how many, and to what degree -- increasing the prize pot by that much, as well. It's also offering free memberships to people who claim their graphics cards were damaged by being turned into digital drills.

Ultimately, it's not so much a victimless crime as an unquantifiable; it's not like the people affected lost money they already had, or were going to be mining their own Bitcoins anytime soon. But having your GPU manhandled remotely, and being indentured into botnet; these are wrongs that don't have a price attached to them, other than the anxiety of knowing how easy it was to be compromised. [ESEA, Kotaku, Wired]



    Isn't this an old Reddit story, or at least an old Gizmodo article? Something similar? No?

    Last edited 03/05/13 9:06 am

      The news release was posted yesterday so I assume not.

        There definitely was an article on it recently, but it might have been on Kotaku or Lifehacker.

    Would this be a perfectly legal thing to do if it was included in the ToS that everyone scrolls through and clicks OK without looking at? Probably get loads of people hating you, but still.

    Also I wonder why people who control botnets in the hundreds of thousands range don't do this as well.

    What this article doesn't point to is said employee's really stupid responses (ie - 'our dev should have hid it better, I'm sorry but I'm really not, etc), the way it ACTUALLY got found -> running on a single process which kind of crashed the software...

    And also that about 24 hours before this article was posted, all that money is already donated to cancer research.

      I was tempted to call bullshit on the apology when I first read about it, but not only was the amount donated to charity, he (the admin) also added twice that amount to the prize pool for the next tournament, AND offered all members a free month of subscription. Considering that probably makes him about $10,000 poorer than he was before, that's a pretty decent gesture and I'm willing to give him the benefit of the doubt.

    "and either twice or half that tomorrow, given the viscosity of Bitcoin"

    Bitcoins are known to be quite viscous...

Join the discussion!

Trending Stories Right Now