That time Ephinea got hacked

Not open for further replies.


Staff member
Some may remember that back in August 2016 we published an announcement that one of our servers had been hacked via WordPress. At the time we couldn’t talk much more about it and unfortunately, parts of our source code had been obtained from the hack.

I'm glad to say that this has finally come to a close. So, now I'm free to talk about what had gone on. This will be quite a long post so settle in.

At the beginning of August 2016. We had received unusual alerts from one of our servers. After investigating Soda found multiple pages had been altered and logs filled with entries. It was soon apparent that someone had gained access to the files on the server. We took snapshots and quickly reverted the changes and secured the server and made an announcement on our forum.

We had our suspicions who was behind the hack, as this was someone known in the PSO community for causing disruption across all PSO servers even SEGAs. Hacking a game is one thing. Hacking into a system to steal data is a serious crime. So Sodaboy contacted the authorities in the US and I contacted the authorities in the UK. We had plenty of logs to hand over to the police.

All of the time that Soda and myself had put into Ephinea we couldn't allow this hacker to get away with this. We were pressing charges without question.

Within a few weeks warrants were obtained to obtain identification from the IP addresses we had logged. I received confirmation that the police were successful in obtaining the identification. At this point they weren't allowed to confirm whether it was who we had suspected.

It was a month or so later that I received official confirmation that it was who we had suspected and around the end of 2016 warrants were obtained and carried out to seize equipment from the suspect. The suspect agreed to go in for questioning.

With no admission via the interview, the suspect was released. The Police then started the process to recover data from the equipment seized. (Bear in mind at this point with the logs alone we had a good case to press charges but if we had proof of our source code on the systems it would put us in a very good position).

A few months pass, and I receive confirmation. Our source code had been found on the suspects computers. So now we just needed the case to be reviewed by the crown prosecution services (CPS) before we can continue with court proceedings.

Fast forward to around October 2017 I'm informed that the CPS would like to interview the suspect one last time before proceeding. So again, I wait to hear back and after a few weeks the CPS advise that after the interview they are happy for this case to go to court.

Here in the UK criminal offenses that go to court are largely subsidized by the court (as a victim I pay nothing). To hear that the CPS are letting this go to court lets me know that they felt that a conviction was likely. The CPS agreed to seek a charge of unlawful access to a computer system under the computer misuse act 1990. This means that if the suspect doesn't enter a guilty plea they face 2 - 5 years in prison if then found guilty in court. I'll be honest I was surprised to hear that prison was a possibility for the suspect. We have enough evidence at this point that the suspect would be silly to plead not guilty.

Before a court date could be set a hearing had to take place in court. This would be the last chance that the suspect can plead guilty before going to court. The hearing was scheduled for the 15th of February.

So, the hearing occurred last week. In short, the suspect pleaded guilty. The court was happy and sentenced him the same day.

It was finally agreed on a 12 month conditional discharge. All seized equipment to be destroyed, all court fees to be paid by the now guilty party and £200 in compensation to go to the victim (Us). Although that barely covers 6 weeks of running the servers. Also, with the time I personally took off of work and the time Sodaboy and myself put in to put in measures to mitigate such a thing from occurring again the cost is much higher than that. (The compensation will be going toward the running costs of Ephinea if anyone was wondering).

The 12 month conditional discharge essentially means that if they are to commit another related offense within the next 12 months they will be charged and face a prison sentence. Overall, I'm happy with the verdict. It was his first offense and I think a prison sentence (although it would most likely be suspended) would have been too harsh a punishment. The finacial costs and court case overall I hope is enough to have taught him a lesson.

We didn't go through this for compensation. As most of you know, we don't host Ephinea for compensation. It is a substantial cost that we are happy to pay to ensure players can continue to play PSOBB for free. We did this to teach this person a lesson. Actions have consequences. Something you may do as a teenager can get you in serious trouble as an adult. Hacking a game is one thing (more of a civil case) but hacking into a computer system and stealing data is a criminal offense and taken extremely serious in the UK.

I hope that any would be hackers that read this will think twice before doing something like this in the future. I'm not just talking about Ephinea. Doing such a thing can ruin your life and family. With a criminal conviction you will almost definitely lose any decent job you have (it will come up in routine CBS/Criminal Background checks) and make it a struggle to get your career back on track.

I hope you have found this post a good read. It's been a long 18 Months and educational. Overall I'm far more prepared should anything like this happen in the future.

Not open for further replies.