On Sunday, the world of video games was shaken by a hacking and cheating scandal.
During a competitive esports tournament of Apex Legends, a free-to-play shooter video game played by hundreds of thousands of players daily, hackers appeared to insert cheats into the games of two well-known streamers — effectively hacking the players midgame.
“Wait, what the fuck? I’m getting hacked, I’m getting hacked bro, I’m getting hacked,” said one of the players allegedly compromised during a livestream of the gameplay.
The incidents forced the organizers of the Apex Legends Global Series tournament, which has a $5 million total prize pool, to postpone the event indefinitely “due to the competitive integrity of this series being compromised.”
As the midgame hacks were underway, the game’s chatbot displayed messages on-screen that appeared to come from the hackers: “Apex hacking global series, by Destroyer2009 &R4andom,” the messages read.
In an interview with TechCrunch, the hacker Destroyer2009 took credit for the hacks, saying that he did it “just for fun,” and with the goal of forcing the Apex Legends’ developers to fix the vulnerability he exploited.
The hacks sent the Apex Legends community into a frenzy, with countless streamers reacting to the incidents. Some players suggested that Apex Legends is not safe to play and that every player could could potentially be at risk; that could apply to not only in-game, but having their computers hacked, too.
Destroyer2009 declined to provide details of how he allegedly pulled off hacking the two players midgame or which specific vulnerabilities he exploited.
“I really don’t want to go into the details until everything is fully patched and everything goes back to normal,” the hacker said. The only thing Destroyer2009 said regarding the technique he used was that the vulnerability “has nothing to do with the server and I’ve never touched anything outside of the Apex process,” and that he did not hack the two players’ computers directly.
The hacks “never went outside of the game,” he said.
Destroyer2009 said he did not report the vulnerability to Respawn, the video game developer that makes Apex Legends, because neither the company nor the game’s publisher, Electronic Arts, offer a bug bounty program that financially rewards hackers and researchers for privately reporting security flaws.
“They know how to patch it without anyone reporting it to them,” he said.
Talking about the hacks he did during the tournament, Destroyer2009 said that he “went viral, but not many people would have used an exploit like that in an absolutely innocent way for players.”
“Just imagine if it wasn’t a joke and we didn’t put any memes in the cheat, I’m pretty sure you can ruin someone’s career if they had a cheat pop up on a tournament,” said Destroyer2009, defending his actions in an attempt to show that he never had malicious intentions.
When Destroyer2009 allegedly hacked one of the players and inserted cheats into their game, a window appeared on the player’s screen showing a menu for a tool that can be used to enable different cheats in the game. One of the options in the cheat window was “VOTE PUTIN.”
Destroyer2009 said that the window is part of a real cheat software, but not one that is public, and whose menu was slightly modified for the hacks on Sunday. The hacker also said he targeted those specific players, who go by Genburten and ImperialHal, because “they’re just nice guys.”
“Free attention and views for them,” he added. (The two players did not respond to multiple requests for comment.)
On Tuesday, Respawn, the studio that develops Apex Legends, posted a statement on X (formerly Twitter), addressing the incidents.
“Our teams have deployed the first of a layered series of updates to protect the Apex Legends player community and create a secure experience for everyone,” said the statement, which did not provide any details on what was this first update, nor any details on what happened Sunday.
Conor Ford, who works on Apex Legends security team, wrote on X that he and his colleagues are working to address the issues. “The team on this are some of the most talented I’ve ever had the pleasure of working with. All I can say is, the care and love shown from parties involved makes me thankful for the coworkers and devs on this game,” wrote Ford.
Contact Us
Do you know more about this hack? Or other video game hacking incidents? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Neither Respawn nor Electronic Arts responded to requests for comment by TechCrunch about the hacker’s claims or disputed them.
Easy Anti-Cheat, the developers of the anti-cheat engine used in Apex Legends (and several other games), said in a statement on Monday that it was “confident that there is no RCE vulnerability within EAC being exploited.” An RCE, or remote code execution, is a security flaw that allows a hacker to run malicious code on a target’s device remotely, such as over the internet. It’s one of the worst kinds of vulnerabilities as it can give the hacker direct access to the target’s computer.
At this point, there is no public evidence that points in that direction.
Despite the attention that his hacks caused, Destroyer2009 said that “players shouldn’t worry about it” because he doubts others will figure out what vulnerability he used, and how to exploit it, before it gets patched.