Crazy Ivan – Russians Spying on Their Own Members

I don’t want to play into cliched preconceptions about the Wild East but Russians – and their “near abroad” – do seem to play Eve a little differently from the rest of us. This week, however, the Russian Eve forums are aflame with accusations over black-hat hacking of alliance members by its own leadership.

I’ve been director of the Goonfleet Intelligence Agency for almost four years, so I’m reasonably-well-placed to talk about this subject. Amongst Euro-Americans, the intel conflict is played out within certain bounds. Whether it is the GIA or N3’s Jean Leaner or PL’s very effective (if slightly more devolved) spying set-up, we all play the old-fashioned Cold War-era spying game. We attempt to insert agents into each other’s blocs and alliances.

We also all make strenuous efforts to burn hostile agents: we catch a great many and we no doubt execute more than our share of innocents on the precautionary principle, while attempting to cover our own agents by obliquely insinuating that patsies in hostile alliances are, in fact, working for us. So far, so reasonable.

There is a grey area, of course, in that we harvest character APIs for infiltrating enemy forums and communications, and we gather hostile IP addresses to check against our own databases, to detect careless enemy agents. But these activities, while strictly out-of-game, are effectively accepted as quasi-legitimate by custom and by CCP, for all that a court may take a dimmer view. I, myself, have steered clear of such activities for some time, preferring HumInt to SigInt.

The Wild East

Such niceties are not quite so rigorously observed by those in former members of the Soviet Union, especially Russia, Kazakhstan and the Ukraine.

One infamous example occurred when senior members of Red Alliance, about seven and a half years ago, requested that Goonswarm provide the address in the United Kingdom of a hostile titan pilot. Their plan was that they would get Russian expatriates in the UK to cut the power to the titan during a battle, and thereby kill his titan, which was at that point one of less than half a dozen in existence.  In case you need to be told, we made our excuses and declined.

This past week has seen a different sort of drama play out. On the Russian Eve Online forums, accusations are flying that Darkspawn alliance asked its own members to download a browser-plug-in, alleging it was necessary to connect to their Teamspeak server.

The plug-in was reasonably well obfuscated in form (using VMProtect Ultra), but an initial offer of a plex for anyone who could decompile it and explain its functionality grew to eight plexes and some ISK. Given the desire to be the one to unravel the mystery, this was no doubt more than enough to prompt one forum member to reverse-engineer the plug-in’s purpose.

After the use of obfuscation, the next worrying sign was that test_plugin.dll, normally a 30Kb dll, had bloated to a massive 500Kb. What was all this super-secret extra functionality?

Hack the Planet

It turns out that the plug-in was ostensibly aimed at stopping people recording Teamspeak, but that it also located and searched through their eve log folders, uploaded the results where required, It also communicated the user’s IP address to Darkspawn, which would be handy for spotting the real IP of people using a proxy to avoid detection. And it allegedly acted as a keylogger. There are other allegations (google translate version here), together with some sourcecode but I don’t have the language skills to reliably detail them.

The story is still developing, and I am not dumb enough to name the person that the thread alleges was behind the whole thing, but I might urge you to be cautious in your dealings and interactions with Darkspawn alliance.  Especially if you are invited onto their Teamspeak server.

  • Jean Leaner

    I’m ungodly curious as to what benefit they could have possibly expected to get by keylogging their membership. The rest of those functions I guess I can see how I’d use it in CI, but asking people to install malware so you can have a minor advantage in CI? Unbelievable.

  • Endie

    Yeah, on the surface you can see how it might catch a spy who’d successfully proxied in, and maybe even snatch some log that is a giveaway (though nobody does anything really worthwhile through eve chat, anyway), but the reputational damage is so huge it has to be some dumb kid in love with his own cleverness.

    It doesn’t help them that the Russian eve forums have been as quiet as ours for ages so everyone leapt on the drama like water in the desert.

  • Billy Hardcore

    Endie i love everything you post i really do! But this week had some typos…..but other than that content was fun to read!!


    You Smug Bastard.. how long has this site existed?

  • Endie

    I think I’ve posted at for ten years or so, but this is the third incarnation, thanks to hosting providers going out of business and the like.

  • Endie

    Thanks for the feedback. The only spelling error my spellchecke could find was “Kazakhstan” having the “h” in the wrong place, though, so it may be me using UK English?

  • CoreMag

    EVE is real

  • Nonnak Severin

    That’s pretty intense and a huge treasure trove of data.

    UserListToArray → List of Members in the array.
    SearchChatLogs → Search Chat Logs.
    DumpChatLogs → Dump Chat Logs.
    TransferToServer → send to the server.
    GetKbrdInput → Get input from the keyboard.
    SendInputContent → Send input.
    TraceLocation → Track locations.
    SendInfo → Submit Information.

  • Billy Hardcore

    “I don’t want to play into cliched preconceptions about the Wild East but Russians – and their “near abroad” –do seem to play Eve a little differently the rest of us.” or is this some uk slang term i’m not aware of? lol

  • Fieldgrey

    Lol, paranoia due to their previous disbandment? Great article as always Endie.

  • Endie

    Digi would kill for that info :V

  • Endie

    Fixed it, thanks!

  • Nonnak Severin

    inb4 CFC toolbar announcement at EVE Vegas.

  • Endie

    Passing that on right now n/j

  • wartzilla

    The brand new GARPABuddy – includes terrible pixel art of a dancing, singing bee stuck on your desktop at all times.

  • Pingback: Darkspawn hacking their member base()