The story of hacking the most popular game of the Runet in the 2000s — “Fight Club”

Andrey Nikishaev
Feb 3, 2024


A friend of mine, who wished to remain anonymous, shared this story with me. Though nowadays, hardly anyone would criticize him for it.

For simplicity, I will narrate in the first person from here on.

As a child, I was deeply fascinated by computer games, just like any other kid. However, my interest in computers didn’t stop there; I was always curious to see what was “under the hood.” Initially, this curiosity manifested in simple manipulations with a HEX editor, but eventually, it evolved into a more serious hobby. I became engrossed in assembly language, writing patches, and modding games. SoftICE became my best friend, aiding me in performing miracles more than once. Sometimes, I even managed to optimize game rendering because my computer couldn’t handle certain games, but I still wanted to play them.

In the summer of 2002 or 2003 (honestly, I’ve been taking memory pills, but they don’t seem to help), I dove headfirst into my first online game — “Fight Club.” Despite its simplicity, it captivated me. It was the first game where I could interact with a vast number of real, living people instead of computer algorithms. Initially, it was exciting as a game, but later, it became an intriguing target for hacking.

By then, I had already traveled a long journey in hacking just about anything possible. I wouldn’t say I was anything special, like a second Kevin Mitnick, or even the son of a friend of his mother’s sister, just a regular guy who loved to tinker with stuff. However, I always managed to find very elegant and simple solutions, earning the respect of more experienced colleagues.

My new target was this game. Initially, I considered following the standard approach: Searching for servers -> scanning ports and services -> searching for vulnerabilities in open sources -> searching for vulnerabilities among the community and colleagues -> fuzzing -> pain and suffering. But once again, my subconscious told me, “This feels like work, where’s the challenge and fun in that?” So, I decided to try social engineering.

I started with a phishing site, which, out of laziness, I created on a free hosting service with a URL nothing like combats.ru. My subconscious reassured me, “Relax, it’ll work,” even though I knew it was highly unprofessional. The site was an exact replica of the original and offered visitors a chance to dive into the wonderful world of lotteries, where they could win not just regular items and money but, more excitingly, artifacts. Artifacts in the game were very valuable, and not everything could be bought with money; transactions often required the admins’ personal willingness to sell. Therefore, the opportunity to obtain such items was akin to flying to Mars.

The system was simple: people would enter the site, input their login and password for combats.ru to authorize, and then a draw would take place, promising the delivery of won items within three days. I wasn’t too greedy, so in a way, everyone won. Once people entered their data, it was sent to my email, for quick and convenient collection. At the time, it seemed like a good idea... how mistaken I was.

After setting up the phishing site, it was time to lure people in. I brainstormed various ideas and approaches to present it to the public, ultimately deciding to exploit one of the deadly sins — greed, for a sort of social experiment.

It’s worth noting that hacking never interested me as a means of earning money, though I wasn’t averse to it. I pursued it because it was intriguing, a challenge, and a way to test the resilience of this world.

I created several fake accounts and started inviting people in different locations, something along the lines of, “To celebrate the birthday of one of the game’s developers, FC is holding a lottery among participants with a chance to win even artifacts. Don’t miss your chance, register now. I just won a couple of credits. [link to the site]”

Meanwhile, my phone rang. It was a friend inviting me to play soccer. So, after posting just a couple of these messages, I turned off my computer and ran outside.

Returning in the evening, the first thing I did was check my email, and that’s when I realized how bad an idea it was to have the data sent there. When I launched the email client and saw the number of emails waiting to download, I was shocked. There were over 70K emails. Back then, the internet wasn’t exactly fast. I had a 36k baud modem, and downloading the full list took quite some time. While it was downloading, I quickly updated the script to write to a file on the server instead.

At first, I thought everyone had quickly figured out my scheme and just filled it with nonsense. But no, I manually checked about a dozen accounts, and all were valid.

That same day, I wrote a couple of bots that checked the entered data, recorded heroes’ stats, and their inventory. Later, these scripts were improved for mass control over accounts (transferring inventory, credits, sending messages in chats).

After gaining control over many high-ranking heroes, things escalated even faster. Now, high-level characters and clan members were doing the inviting. Within a week, several hundred thousand accounts were hacked, an unreal number.

Later, the FC administration began devising additional security measures. The first was the introduction of a 4-digit pin code, which unfortunately had a small vulnerability and was easily bypassed by brute force in just a minute.

Curious about people’s behavior, I later created a couple more versions of phishing sites: one with an online store and another with a new mega-location only for the chosen few. But as expected, they weren’t as popular.

Overall, this experiment confirmed my expectations about society but, let’s say, lowered its bottom even further. Sadly, manipulating a large number of people using their base instincts is very easy, which is evident today in the tactics used by politicians of all nations.

Interestingly, thanks to me, developers’ paranoia about security reached an unreal peak. Half a year later, when I logged into the game out of curiosity, it had about 5–8 levels of protection, which looked quite amusing.

That was the last time I engaged in any significant hacking. My path then took a slightly different direction. Though I won’t deny, sometimes I feel nostalgic for those times; there was a certain magic in them, a feeling that anything in life was possible. That’s something sorely missing today.

I hope you enjoyed the story. But most importantly, what I, who also dedicated a lot of time to social engineering, want to emphasize is that the ability to break the system through understanding human behavior psychology is a much more powerful and frightening tool than any trojans or viruses. The most secure locks will easily fall if there’s even one person inside who can be controlled from the outside.

And if you look at the history of the biggest hacks of the 21st century, you’ll notice that most of them were carried out using social engineering.

As a token of appreciation for this story, I would be grateful for your donation to the fund for helping homeless animals in Ukraine https://uah.fund/donate
