My dad always told me “Son, if you’re going to create a botnet farm to create bitcoins then don’t get caught.” It was sound advice then and sound advice now. I bet Eric Thunberg and Sean Hunczak wish they’d had similar advice before doing that very thing in April. Of course, they may have felt the advice didn’t apply to them, what with them also adding code that monitored users’ activities, too.
Well, for those crimes they’ve been forced by a court in New Jersey to pay $1 million to the state in a civil action suit.
Last April the ESEA updated their anti-cheat software with code that had their users computers collectively begin creating bitcoins. According to a release issued by the New Jersey attorney general, that the software affected 14,000 machines. The code was only active for two weeks but in that time it generated $3,500 worth of the digital currency. The code also monitored computers with ESEA anti-cheat client installed, even when they weren’t logged into the ESEA servers.
According to the court documents, from about the 3 April code uploaded to the client granted the ESEA “full administrative access to the end-users’ computers”. The code tracked what programs users were running and would reload the monitoring code “even if end-users attempted to ‘unload’ the driver.” A number of times “ESEA employees used the ESEA Software to copy files from ESEA end-users’ computers.”
The code itself was created by Hunczak, the ESEA’s lead coder, but it was approved by the company’s co-founder, Thunberg. The monitoring code was chiefly used to detect when a user was away from their computer, looking for mouse activity, and this in turn would boot up the bitcoin generation code.
The court say that Hunczak set up various bitcoin wallets in which the illegally generated coins were deposited. He then converted these into US dollars and transferred them to his own account. This links up with something Thunberg originally posted to a forum back in April, At the time he wrote that “towards the end of march, as btc was skyrocketing, jaguar [Hunczak] and i were talking about how cool it would be if we could use massive amounts of gpus logged into the client to mine.”
“We went back and forth about it, considered doing something for april fools, didn’t get it done in time, and eventually elected to put some test code in the client and try it on a few admin accounts, ours included.”
“We ran the test for a few days on our accounts, decided it wasn’t worth the potential drama, and pulled the plug, or so we thought.” He claimed that the code had later been activated accidentally by a client server restart. Later his position changed, he posted to the forums that the situation was “way more shady” than he originally thought.
For their efforts, the court has fined the ESEA $1 million. $325,000 goes to the state immediately. If the ESEA violates any rules of the settlement then they’ll be forced to pay the other $675,000. If they keep honest for 10 years then the rest of the settlement is waived. Hunczak’s been fined a separate payment of $60,000.
As well as the money, ESEA will create a dedicated page detailing what data it collects and how. They’ll also have to seek permission every time they deploy code to their users’ computers.