Season 3 / Episode 22
How far should a die-hard fan go, in order to bring closer to them the thing that they love? In one of the most interesting, yet relatively unknown cybersecurity stories, a young hacker attempts to steal his favorite game prior to its release and then attempts to blackmail his victims into hiring him. An evil mastermind or a petty thief (you decide), in a story that's all about passion, fandom, and out of control crime.
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Have you ever been really, really excited about something? So excited that you just couldn’t help but commit an international felony just to get it?
As a 21 year-old gamer cut off a slice of bread for breakfast early in the morning of May 7th, 2004, a squad of German police officers raised their rifles at him. Everything was not right. He’d gotten a little too excited.
Hi, This is Malicisious Life, and I’m Ran Levi. Welcome to Season 3 of our podcast.
When Valve first became a registered corporation, Gabe Newell had little more than a small team and some big ideas.
In first pitching their first video game idea to publishers, he and co-founder Mike Harrington were mostly turned away: from a design perspective, the proposed concept–a 3D first-person shooter horror game–seemed too ambitious to reasonably expect of an upstart group with no track record. In one instance, Newell mentioned in a meeting with a publisher that his team was planning to use a skeletal animation system (animating the game’s characters by simulating bones and joints). Immediately, he was interrupted: “Okay, meeting’s over!” This was where Valve was at: a rookie hitter at the plate, calling his shot into the upper deck. Rudeness aside, that executive had reason to believe he was, at worst, the butt end of a joke, or at best, wasting his time.
But on November 19th, 1998, Valve Corporation released a video game called “Half-Life”. To some of you listening to me now, that name might not mean much. To others, old timers such as myself – it holds a lot of weight. The first game ever made by the Valve Corporation is now remembered as one of the greatest video games of all time. On three separate occasions, PC Gamer magazine has named Half Life the best video game ever made. Pac-Man, Grand Theft Auto, Super Mario: this is its class. For its advances in graphics, gameplay mechanics and narrative storytelling, it has to date sold around ten million copies. Suffice to say: Half Life was really good. For me, hearing the game’s signature soundtrack still sends shivers down my spine.
So you can imagine why, half a decade after the release of the first game, fans were a little antsy for the second. In May of 2003 Valve announced the follow-up game would see release the following September, but by that, no signs pointed to it being ready. A large coalition of gamers were waiting on word–any word–about development.
I mention all this so you’ll have proper context for what that second game meant to those involved. For Gabe Newell and his team, Half Life was something of the company’s first born child. Valve wasn’t all that large a group, so there weren’t so many other eggs in their basket. Every month of work on its sequel was costing the company one million dollars. They’d been working on it for five years. Assuming all went to plan, the final product was going to be sold by the millions. I’m sure if you had millions and millions of dollars, your reputation, and five years worth of hard work on the line, you too wouldn’t be so happy about any threat to it.
On October 2nd, 2003, Gabe Newell woke up in his Seattle home to find his company’s masterwork posted, in full, online.
Where the leak came from nobody knew. Who committed the act could have been only the scariest, most malevolent of hackers–or worse, a traitor from the inside. Who would do such a thing? Newell notified the police, then his loyal followers, through a post on an online fan forum.
“Ever have one of those weeks?” he wrote. “This has just not been the best couple of days for me or for Valve.”
In his post to Valve’s forum, Gabe Newell outlined six points of reference for what he and his team knew about the hack as of the day his code was posted on the web. I quote:
1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
3) For the next week, there appears to have been suspicious activity on my webmail account.
4) Around 9/19 someone made a copy of the HL-2 source tree.
5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook’s preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn’t been seen anywhere else, and isn’t detected by normal virus scanning tools).
6) Periodically for the last year we’ve been the subject of a variety of denial of service attacks targeted at our web servers and at Steam. We don’t know if these are related or independent.
He finished off: “Well, this sucks.”
Valve didn’t immediately find their culprit. One community member responded to Gabe’s post with the IP address of a suspect. Another person said they talked to someone who claimed responsibility for the hack, who went by the name “ef-Ago”.
It wasn’t enough. For months, in fact, as Valve continued to work on their now publicly divulged game code, they had to wake up every day knowing their computers were probably compromised.
To what extent no one knew. Their game data, personal information, the security of their systems were all up in the air, until they could find some answers.
Then one day, Gabe Newell woke up to an unsolicited email with a blank subject line…The sender had a suspicious address handle: ‘d[email protected]’. His note ran a couple of pages long.
“I’m very sorry about what happened with HL2. I want to explain a few things. I was in your network for ~6 months, watching your development process, which was very interesting. Yes, I am the hacker [. . .]”
Axel Gembe was one of those rabid Half Life fanboys. Living with his father in the small town of Schonau in Germany, it was his favorite game, and he was an active member in online fan forums. His and his peers’ excitement for any update on the sequel’s progress gave him an idea, of how to use his skill with computers to get an early look.
Gembe grew up a gamer, not a hacker. As he describes in his CV:
“I don’t really have any relevant education, in school I only learned really odd stuff, like how computers in the 80ies[sic] worked or Turbo Pascal, all I know is self-taught, from the web or from people I met.”
He became a bona fide hacker after attempting to run what he thought was a World of Warcraft 3 key generating program on his computer, which turned out instead to be a scam. The program was an sdbot–a common worm in its time that infected host computers by taking advantage of known security vulnerabilities in Windows operating systems. Now, most of us, when faced with this situation, would immediately do all we could to rid the bug and get our computer back to normal. Gembe didn’t do that at all. Instead, he carefully looked over the malware, then reverse-engineered its code to figure out how it worked.
Gembe then leveraged this newfound knowledge, but not to hack into other people’s computers, ruin their systems or steal money. Really, he was just a lonely, socially awkward kid, and a lot of his life revolved around gaming. He designed his program to steal CD keys for the PC games he wanted to play and didn’t have the money to buy.
So Axel Gembe’s a sort of enigma from the start. Honestly, on some level, I see some of myself in him. He had the same priorities as any other nerdy kid his age. He wasn’t really after money per se, only money so far as he needed it for the video games he wanted to play. With his computer intellect, he could have wrought a lot more havoc than he chose to in that moment. And yet, regular teenage kids don’t do the sorts of things he did: not just deleting malware but finding its creator, not just pirating video games but explicitly writing the code needed to obtain them for free. Whether he knew it or not, Axel Gembe was that person that goes too far, who does the things you might think about for a second but never actually end up acting on in real life. This, ultimately, would be his undoing.
Gembe began with a feeling. He was really excited about Half-Life 2, and so were the people he was talking to online. If only they could know what was going on within Valve’s headquarters…
Here’s where you and I stop, and Axel Gembe kept going. While the rest of the game’s fans waited–some patiently, some not–Axel had an idea: if he could use his hacking skill to breach Valve’s servers, he might learn a thing or two about what’s going on inside their black box. Of course, the notion that he would hack into a company’s servers–let alone a gaming company, whose employees tend to be computer-savvy–just to get early access information about an upcoming product seems like a terribly imbalanced risk-reward balance. But Gembe had another motivation, besides his burning anticipation for an exciting game. As someone who grew up without much, and lived only with his father, Axel had come to form a bond with his fellow Half Life fan forum contributors online. To be the guy who knows all the up-to-date, insider information on Half Life 2 would earn him big points within the community.
So he came up with a plan. Here it is, in his own words, as described to Eurogamer magazine back in 2014:
“I was scanning Valve’s network to check for accessible web servers where I thought information about the game might have been held. Valve’s network was reasonably secure from the outside, but the weakness was that their name server allows anonymous [queries], which gave me quite a bit of information. In the […] scan logs, I found an interesting server which was in Valve’s network range from another corporation named Tangis that specialised in wearable computing devices. This server had a publicly writable [folder] where I could upload […] scripts and execute them via the web server.”
Gembe used the scripts to retrieve a dump of hashed passwords for the system, cracked the hashs – and than, as he himself put it –
“Well, basically I had the keys to the kingdom.”
Axel now had his access: an unblocked tunnel into Valve’s network. He parked himself on a proxy server–to use as cover in case anyone were to notice a foreign presence–then began his search.
Perhaps a little sooner than expected, Axel hit his target, gaining access to documents and notes on the game’s development. Success, achieved.
Then again, this is Axel Gembe. After some time he noticed nobody at Valve had yet detected his presence within their network. So, as is his tendency, he began to take things further. I quote him again:
“Getting the source code was easy, […] [but] The game didn’t run on my computer. I made some code changes to get it to run in a basic form without shaders or anything, but it wasn’t fun. Also, I only had the main development trunk of the game. They had so many development branches that I couldn’t even begin to check them all out.”
What he’s referring to here, of course, is his greatest discovery. For the game he was so waiting on in the years since he finished Half-Life one, finally, here was its code: not necessarily the game in polished form, but all its skin, bone and veins. This wasn’t destined to be Gembe’s moment of revelation–that he’d gone too far, that he was playing with fire and needed to exercise some restraint. To do so would’ve been totally out of character.
Axel Gembe clicked download. He now had, in his sole possession, the most anticipated video game of the millennium.
If you’ve been listening carefully, you may have noticed a key fact to Axel Gembe’s story that I conveniently left out just now. He didn’t just download the Half Life 2 code for his own curiosity. He published it online.
Frankly, it’s hard to tell how this part of the story went down. In the time since, to authorities and the public, Gembe has consistently denied having been the one who leaked to the public. He states that members of the gamer group myg0t eavesdropped on an IRC chat session he had with a friend, obtaining information that allowed them access to Gembe’s channel into Valve, where they found and published the employee emails and game code on various internet channels. You can decide for yourself whether you think he’s telling the truth or not.
Before making that decision, though, I should warn you: when I first told you about Axel and his hack, I went a bit easy on him. There are alleged events that, depending on who’s telling it, may or may not make it into the story. Who really is Axel Gembe?
Media reports on the matter generally include but are limited to the information about Axel I’ve given you already. Here we’d have you think he’s an innocent teenage gamer with a hacking tick and a restless personality. Shenanigans! A kid who needs a girlfriend to take up some of his free time.
And yet, the portrait Gabe Newell and others paint looks very different: a malicious agent, specifically targeting him and his company and negatively manipulating most every corner of their operation. Looking through personal emails. Keystroke loggers, monitoring every inch of Valve’s employees’ work. It’s all…kind of creepy, or at least a little scary. So here you go: two portraits of a man. Keep these pictures in your head as we continue the story. It’s about to get a lot stranger from here.
Enter: the FBI.
When Valve reached out to the FBI to help catch their hacker, they emphasized that they were facing a projected loss of $250,000,000 from the leak of their upcoming game. This, of course, was an exaggeration: Valve wasn’t subject to losing 250 million unless just about every person who would’ve otherwise bought Half Life 2 instead downloaded the illegal leak. Still, the stakes were high. Despite what was on the line, though (or, at least, what some thought could’ve been on the line), a whole five months passed between the Half Life 2 leak and Gabe Newell’s email correspondence with [email protected] Nobody, in the interim, had even much of a lead on who this hacker was, even though he himself wasn’t doing all that much to cover up his tracks. Aside from channeling through proxy servers, the bulk of Gembe’s defense protocol came down to a software that auto-generated a new IP address during each session. This did give him an advantage, in that his pursuers couldn’t simply locate his IP to find his geographical location. From a technical standpoint, it would’ve looked like he was a different person entering into Valve’s infrastructure every time.
And yet, Gembe wasn’t using tools that weren’t already popular in hacking circles, and even if his IP changed every day, authorities could have gained at least some information by waiting for him to bite and then drawing out information as they tracked him through Valve’s systems. During these months, then, it’s tough to tell whether authorities really couldn’t help, or whether they just didn’t care enough to divert the resources and manpower necessary to finding their culprit. Really, you can’t blame them: the FBI isn’t so much in the business of helping private companies with their financial, or even computer security troubles. They have more important, national security concerns to deal with elsewhere.
That all changed, in one 180-degree swivel, when Gabe Newell and another Valve engineer, Alfred Reynolds, reported that they’d received word from the hacker himself. And sure, some of the FBI’s newfound interest had to do with the fact that they now had a real lead to go on. But there was another, big motivating factor: the identity of the suspected hacker himself. That’s right…
“Office of the Legal Attache
United States Consulate
March 16, 2004
Dear Herr Kreitlow,
The following information is in reference to a computer intrusion. The victim company is Valve Software. One of the main subjects involved is believed to be located in Germany [. . .]
Based on details in the e-mails, it is believed that the anonymous sender of these messages could be AXEL GEMBE a.k.a. AGO.
As you are aware, United States Secret Service (Case Agent Kevin Sandlin) also has an open and active case against GEMBE for various Denial of Service (DOS) attacks and the authoring of malicious code, namely the AGOBOT which is an IRC-controlled backdoor with network spreading capabilities. There are variants of this initial worm as well that he may be responsible for writing and distributing.”
Do you recall Gabe’s original description of the hack? In five bullet points he laid out the various email spying, keystroke logging and other computer misdoings his company had been dealing with. And then he added one more list item: “Periodically for the last year we’ve been the subject of a variety of denial of service attacks targeted at our web servers and at Steam. We don’t know if these are related or independent.” Why would someone interested only in observing the company’s game development also enact harm upon their ability to properly do so?
We can’t say for certain whether he was involved in any of those denial of service attacks on Valve, but when it comes to DoS, Axel Gembe is not some random German teenager. Because of course he isn’t! Random teenagers don’t just up and hack hundred-million-dollar companies. Axel Gembe, before any of this Half Lif e business started, was the author of the so-called “Agobot”. Agobot is simple: “bot” as in botnet, “Ago” as in the nickname, “Ago”, Axel goes by. It’s fairly standard-fare malware that requires little programming skill on behalf of users, which was part of why it became so successful. So successful that Axel, long before getting tangled up with Valve, had already been the subject of U.S. federal inquiry.
The FBI wasn’t just helping Valve with an annoying stalker now. Valve was helping the FBI track a wanted criminal.
Suddenly, this was an entirely new sort of investigation. The Bureau got in contact with German authorities, and began sharing intelligence. As Gabe and Axel began to trade emails, Gabe fed all of it directly to the FBI. After five long, dry months, both Valve and the FBI now had accumulated resources, shared knowledge and ongoing correspondence with their target. In other words, they had everything they needed to begin really getting to him, and then taking him down.
But before they could go any further, in yet another strange twist of fate, Axel up and gave the FBI the cheat codes they needed to crack his case. Halfway through an email describing the technicalities of the leak, Axel asked a question that must have struck Gabe as some sort of prank.
“Also I’d like to ask, you don’t happen to search a Programmer/Security specialist which recently lost his job? I program small games, in OpenGL/D3D which work on Linux and Win32.”
Do you see where this is going yet?
“I also code small utilities for my hacking/pentesting/network admin usage, and I’m pretty advanced when it comes to network security. Think about it, I’d really like to work for someone like you.”
Axel Gembe, after hacking into Valve’s computer systems, downloading their prized game, inadvertently causing them potentially millions of dollars in damages and scaring everyone in the company half to death, was now, genuinely, asking Gabe Newell for a job. He then offered to pen test Valve’s network, not even as a joke!
“Well, I really hope you hire me,” he added. “I’m no bad guy, just a little misguided,”
What would you do if someone stole 250 million dollars of yours and then asked you for a job?
“Were you kidding about working here?” Gabe replied. “You certainly impressed us with your skills. We’ve hired a lot of people from the community, and I guess in a funny way this would be more of the same. If you were teasing, ha ha, you got me.”
You may be asking yourself at this point: what in the world are you doing, Gabe? Don’t be so nice–curse him out, demand an apology!
What he was doing, it turns out, wasn’t what it seemed. Gabe was trying to figure out whether Axel was serious about a job request, but he w asn’t being serious in his intentions, or polite just because he’s a nice guy.
Allow me to rephrase my question from a second ago. Someone steals 250 million dollars from you, then asks you for a job. They also happen to still be sitting in your computer, with continuing access to all the information they need to steal more of what’s yours, manipulate or destroy your computer and generally wreak havoc on everything you have to your name.
Gabe didn’t have the ability, in that moment, to deny Gembe much of anything, let alone tell him off. Honestly, reading their emails back and forth, he sounds like a little kid talking to his bully–being nice and avoiding any missteps not because he doesn’t hate the guy’s guts, but because ticking him off could mean taking a beating himself. So as Gembe sent more emails about the hack and the leak–much of it unsolicited, just to show off his skill to a potential employer–Newell smiled and waved. As Gembe was receiving innocuous email replies back, though, something much deeper was being planned under the hood: a plan, between Valve and the FBI, to finally arrest him.
Finally the pieces were fitting together. But the FBI needed time to set up their plan, and information necessary to enact it. There was the issue of getting Gembe a visa for travel, for instance. They would also need a means to extract an on-the-record confession, in order to make an arrest.
Gembe, on the other hand, was not so lax about time. Aside from just being impatient, it turns out he had another motivation for speeding up his “job interview” process. “So, in any case, when could I expect this to happen? I might have to go to the army else, if I don’t move out of the country, and having to go to the army sucks. Well, I probably can’t shake hands in office with you tomorrow, but I’d like to get this done ASAP if possible, because of the army issue.”
Whether conscription was truly his main concern or not, Gembe began pressing Newell harder. “In case you’re too busy to answer my stuff, direct me to someone else,” he wrote. “Please try to answer some of my questions, I try to answer yours, too.”
To give his team time to set up their plan, Newell stalled the conversation using excuses. “Aagh. Crazy week. We’re going through planning for E3,” he wrote, after a few days without replying. “I’ll try to be more prompt in my replies.”
After a few more days again without hearing back from Newell, Gembe began to get more aggressive. “May I ask what your definition of prompt is?” he wrote back. “If my intents weren’t to clear this thing up, I could already have taken over your FTP server. [. . .] I understand that you had problems with Steam and that you are probably very busy, but you should really get someone to patch this hole, cause it’s only a matter of time until the exploit goes public, and Rhinosoft [that’s the software company who create the FTP server software] hasn’t released a patch for this.
Maybe I should break in and patch your FTP?”
In not-so-subtly threatening further malicious action, Axel Gembe was beginning to sound a lot less like an innocent fan, and a lot more like that malicious hacker Gabe Newell so feared for his company. “GEMBE’s email discussions with Valve Software have progressed to the point where some law enforcement intervention is critical,” the American Consulate General’s office wrote to authorities in Frankfurt, Germany at the time.
Valve and the U.S. government knew now they had to work fast. So they devised their plan: offer Axel Gembe a job interview…
…with a catch.
Valve had no interest in hiring Axel Gembe, obviously. However, they did notice he had a loose tongue in describing his hack. So they set up a phone “interview”.
At 11:13 A.M. Pacific Time, on March 26th, 2004, Axel Gembe called Valve. At the other end of the line were four representatives of the company, not including Gabe Newell. The conversation would last half an hour. In order to settle Gembe in and not appear suspicious, the session began with a pretense of technical programming discussion, until it came to Alfred Reynolds. In a summary of the phone call provided to the FBI, Reynolds wrote: “I quickly introduced myself and asked him if he would like to talk about some generic technical questions I had prepared or whether he wanted to go straight to talking about how he hacked us. He was eager to talk about the hacking event. My first question was simply how he did it. He then went on to describe how he infiltrated our network and the various programs and exploits he used.”
Here was their smoking gun: Axel Gembe, on record, admitting to the hack, and providing a series of facts in line with the evidence Valve already had accumulated, proving he was for real. And as if they needed any more information than they already had, they’d also now confirmed his name and phone number. The Valve employees thanked Axel for his time, and asked when he could fly into the States for an in-person interview. All expenses paid.
When Axel Gembe woke up early that morning of May 7th, 2004, he was surrounded by a squadron of police officers, rifles raised at his head, shouting at him to get out of bed. He probably didn’t realize, in the moment, how lucky he was.
Through the halls of his father’s small town German home, Axel got dressed and was carefully escorted downstairs. More than running away, they kept a close eye to make sure he didn’t near his keyboard. The police waited patiently as he had a cigarette and a bite to eat before getting into their van, headed for the station.
It turned out the FBI alerted German authorities to their plan to arrest Axel Gembe, at which point the Germans decided to beat them to the punch. This was great news for Axel, as their concern wasn’t as much with an American video game company. At the police station, Axel was questioned for three hours. They began by asking him, though, not about Valve or even Agobot.
Evidently, at the same time as they arrested Axel, German police raided the house of another prominent hacker–Sven Jaschan–the creator of a different malware called “Sasser”. Sasser was a particularly nagging worm that was spreading throughout the Western hemisphere, with targets ranging from Delta Airlines and Goldman Sachs to the British Coast Guard. What German police didn’t know, of course, was that not only was Axel not involved with Sasser, but he didn’t even know Jaschan. It turns out their malwares happened to exploit the same vulnerability in Windows, and police mistook this fact to mean that they were working together.
Being arrested for the wrong crime turned out to be great news for Axel. Once they’d admitted to their gaff, the police turned to questioning him about the Valve hack, and everything went much more smoothly. As is his nature, Axel was very open to talking. He was kept in custody for two weeks, then released on the condition that he check in with police three times per week, every week, until his trial. Suffice to say, in comparison with how he would’ve been handled by U.S. authorities, Axel got released back home with barely a scratch.
In an interview with Eurogamer in 2014, Axel Gembe finally got the chance to speak publicly about the Valve incident, and reflect on his past doings.
“I was naive and did things that I should never have done,” he told reporter Simon Parkin. “There were so many better uses of my time. I regret having caused Valve Software trouble and financial loss. […] Basically I regret all the illegal things I did at that time… And I regret not doing anything worthwhile with my life before I got busted.”
He also had a message for Gabe Newell, his hero and somewhat-nemesis.
“I would say this: I am so very sorry for what I did to you. I never intended to cause you harm. If I could undo it, I would. It still makes me sad thinking about it. I would have loved to just stay and watch you do your thing, but in the end I screwed it up. You are my favourite developer, and I will always buy your games.”
Nobody from Valve was present at Axel Gembe’s seven-hour-long trial. During the hearing, he admitted to the hack, and no evidence presented connected him to its leaking onto the internet. The judge presiding over his case granted Axel leniency: two years’ probation, no jail time. As reason for his decision, the judge considered Axel’s compliance with authorities, his difficult childhood and his efforts to become a better citizen.
In the time leading up to his trial, Axel finished an apprenticeship and earned a job…
…in information security.
As for Valve?
Today, Gabe Newell is revered as one of the great game developers of all time. His company is considered an industry leader in innovative, artful game design, and has published titles like Counter-Strike, Left 4 Dead and Portal that have all gone on to wide, mainstream success.
Half Life 2 apparently took no financial hit from its leak, outperforming its predecessor and selling over 12 million copies worldwide. It was named best game of the decade by IGN, Spike and The Guardian, and is considered one of the most successful video games ever made.