
The boy who stole Half-Life 2

From the archive: the story behind the $250m robbery.

At 6am on 7th May 2004, Axel Gembe awoke in the small German town of Schönau im Schwarzwald to find his bed surrounded by police officers. Automatic weapons were pointing at his head and the words, "Get out of bed. Do not touch the keyboard," were ringing in his ears.

Gembe knew why they were there. But, bleary-eyed, he asked anyway.

"You are being charged with hacking into Valve Corporation's network, stealing the video game Half-Life 2, leaking it onto the internet and causing damages in excess of $250 million," came the reply. "Get dressed."

Seven months earlier, on 2nd October 2003, Valve Corporation director Gabe Newell awoke in the large American city of Seattle to find the source code for the game his company had been working on for almost five years had leaked onto the internet.

The town of Schönau im Schwarzwald, where Gembe was living with his father in 2003.

The game had been due for release a couple of weeks earlier but the development team was behind. 12 months behind. Half-Life 2 was going to be late, and Newell had yet to admit how late. Such a leak was not only financially threatening but deeply embarrassing.

After a few moments pondering these immediate concerns, an avalanche of questions tumbled through Newell's mind. How had this happened? Had the leak come from within Valve? Which member of his team, having given years of their life to building the game, would jeopardise the project in the final hour?

If it wasn't an inside job, how the hell did it happen? Did someone have access to Valve's internal server?

But the question which rang out loudest of all was the one anyone who has ever had something stolen from them cannot push from their mind: who did this?

Anticitizen One

"I got into hacking by being infected myself," Gembe says today. "It was a program that pretended to be a Warcraft 3 key generator and I was stupid enough to run it. It was an sdbot, a popular general purpose malware at the time."

The young German soon realised what he had installed on his PC. But instead of scrubbing the malware and forgetting about it, he reverse-engineered the program to see how it worked and what it did.

This led him to an IRC server from which the malware was being controlled. By following the trail back, Gembe was able to track down its operator. Rather than confronting the man, Gembe began asking him questions about the malware. He had a plan.

"While I have a €2000 Steam account nowadays, at the time I couldn't afford to buy games," he explains.

"So I coded my own malware to steal CD keys in order to unlock the titles I wanted to play. It grew quickly to one of the most prominent malwares at the time, mostly because I started writing exploits for some unpatched vulnerabilities in Windows."

At the time the source code leaked, most of us still only had a small suite of screenshots to lust after.

"Follow Freeman!"

On discovering the breach, Newell's first thought was to go to the police. His second was to go to the players.

At 11pm on 2nd October 2003, Newell posted a thread on the official Half-Life 2 forum titled, "I need the assistance of the community."

"Yes, the source code that has been posted is the HL-2 source code," he admitted in the post. Newell went on to outline the facts Valve had been able to piece together so far.

He explained that someone had gained access to his email account around three weeks earlier. Not only that, but keystroke recorders had been installed on various machines at the company. According to Newell, these had been created specifically to target Valve as they were not recognised by any virus-scanning applications.

Whoever had done this was smart, capable and specifically interested in his company. But why?

Point Insertion

Gembe's malware crimes, while undeniably exploitative and damaging, were crimes driven by a passion for games rather than profits.

His favourite game of all was Half-Life. In 2002, like so many fans of the series, Gembe was hungry for details about the forthcoming sequel. That's when he had the idea. If Gembe could hack into Valve's network, he might be able to find something out about the game nobody else knew yet.

A socially awkward loner who had endured a tough upbringing, he would gain status in the community of gamers he had adopted as his family by offering up such insider information. It was worth a try.

By July 2003 Newell knew the team wasn't going to make the 30th September release date, but he had yet to tell the community that.

"I wasn't really expecting to get anywhere," Gembe says. "But the first entry was easy. In fact, it happened by accident.

"I was scanning Valve's network to check for accessible web servers where I thought information about the game might have been held. Valve's network was reasonably secure from the outside, but the weakness was that their name server allowed anonymous AXFRs, which gave me quite a bit of information."

AXFR stands for Asynchronous Full Zone Transfer, a mechanism used to synchronise backup DNS servers with the same data as the primary server. But when a name server answers such requests from anyone, it also lets outsiders sneak a peek at every record in a domain's zone. By transferring this data, Gembe was able to discover the names of all the subdomains of ValveSoftware.com.
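For defenders, the same weakness shows up in the name server's own logs. The following is an added example, not part of the original article: it scans log lines for zone transfers served to hosts outside an allow-list of secondaries. The BIND 9 style log format, the addresses and the zone name are constructed assumptions; the article does not say what software Valve's name server ran.

```python
import ipaddress
import re

# Assumption: the only hosts that should ever pull the zone (hypothetical).
ALLOWED_SECONDARIES = ("192.0.2.53/32", "198.51.100.0/28")

# Constructed sample lines in the style of BIND 9 logging; not real data.
SAMPLE_LOG = """\
01-Jan-2024 02:10:01.120 xfer-out: info: client 192.0.2.53#40112 (example.test): transfer of 'example.test/IN': AXFR started
01-Jan-2024 02:14:37.884 xfer-out: info: client 203.0.113.77#51820 (example.test): transfer of 'example.test/IN': AXFR started
01-Jan-2024 02:14:38.002 xfer-out: info: client 203.0.113.77#51820 (example.test): transfer of 'example.test/IN': AXFR ended
01-Jan-2024 03:01:09.441 security: error: client 203.0.113.90#33001 (example.test): zone transfer 'example.test/AXFR/IN' denied
01-Jan-2024 03:05:00.000 queries: info: client 203.0.113.77#51821 (www.example.test): query: www.example.test IN A +
"""

# Newer BIND releases put an "@0x..." token before the client address.
_CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
SERVED = re.compile(_CLIENT + r".*?transfer of '(?P<zone>[^/']+)/IN': [AI]XFR started")
DENIED = re.compile(_CLIENT + r".*?zone transfer '(?P<zone>[^/']+)/[AI]XFR/IN' denied")


def is_allowed(ip, allowed=ALLOWED_SECONDARIES):
    """True if ip belongs to one of the permitted secondary networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def audit_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (status, client_ip, zone) for every transfer worth a look.

    SERVED_TO_UNLISTED: the server handed the zone to a host that is not a
    known secondary, i.e. transfers are not restricted as intended.
    DENIED: the ACL held, but someone asked for the whole zone.
    """
    findings = []
    for line in log_text.splitlines():
        served = SERVED.search(line)
        if served:
            if not is_allowed(served["ip"], allowed):
                findings.append(("SERVED_TO_UNLISTED", served["ip"], served["zone"]))
            continue
        denied = DENIED.search(line)
        if denied:
            findings.append(("DENIED", denied["ip"], denied["zone"]))
    return findings


if __name__ == "__main__":
    for status, ip, zone in audit_transfers(SAMPLE_LOG):
        print(f"{status:20} {ip:15} {zone}")
```

A SERVED_TO_UNLISTED finding means the server's transfer restrictions need fixing; a DENIED finding means they worked and the request is reconnaissance worth correlating with other activity from that address.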

"In the port scan logs, I found an interesting server which was in Valve's network range from another corporation named Tangis that specialised in wearable computing devices," he says.

"This server had a publicly writable web root where I could upload ASP scripts and execute them via the web server. Valve didn't firewall this server from its internal network."

Gembe had found an unguarded tunnel into the network on his first attempt.

"The Valve PDC had a username 'build' with a blank password," he explains. "This allowed me to dump the hashed passwords for the system. At the time the Eidgenössische Technische Hochschule Zürich offered an online cracker for hashes, so I was able to crack the passwords in no time."

"Once I had done that... Well, basically I had the keys to the kingdom."

Entanglement

At this point, Gembe wasn't bothered about covering his tracks. So far he had nothing to hide. But he wanted to ensure he would remain undetected as he explored further.

"All I cared about at that point was not being thrown out," he says. "But I had access to an almost unlimited amount of proxy servers, so I wasn't worried. My first job was to find a host where I could set up some sort of hideout."

Gembe began poking around for information about the game. He found various design documents and notes about the game's creation. This was what he had come looking for. This was why he was here.

As the weeks rolled by, Gembe realised nobody at Valve had noticed he was inside the company's network. He began to push a little harder.

Soon after the leak, images of the characters in compromising positions were distributed online, much to Newell's dismay.

That's when he hit the payload: the source code for the game he had been waiting to play for so many years.

The temptation was too great. On 19th September 2003, Gembe hit the download button and made off with Valve's crown jewels.

"Getting the source code was easy, thanks to the network performance of the Perforce client, but the SourceSafe client for the game data was horrible," he explains.

"Because of this I coded my own client that basically had its own transfer mechanism over TCP, detected changed files by hashing them and transferred the changes.

"The game didn't run on my computer. I made some code changes to get it to run in a basic form without shaders or anything, but it wasn't fun. Also, I only had the main development trunk of the game. They had so many development branches that I couldn't even begin to check them all out."

To this day, Gembe maintains he was not the person who uploaded the source code to the internet. But there's no denying he handed it over to whoever did.

"I didn't think it through," he says. "There was, of course, an element of bragging going on. But the person I shared the source with assured me he would keep it to himself. He didn't."

Once the game was on BitTorrent, there was no containing it.

"The cat was out of the bag," says Gembe. "You cannot stop the internet."

"A Red Letter Day"

The response of the community to Newell's plea for help was mixed. While many expressed their sympathy at the theft, others felt betrayed by Valve for being led to believe the game would be ready for its scheduled launch in late 2003.

Despite a few leads, nobody was able to provide information about who might have perpetrated the crime. The FBI became involved in the investigation but also drew blanks.

Gembe had access to Hammer, Half-Life 2's level editor.

Meanwhile, the team at Valve, which had been in crunch mode for months, was left reeling by the leak. The game was costing the company $1 million a month to build and the end was still far from sight. The leak had not only caused financial damage but had demotivated a tired team. One young designer asked Newell, "Is this going to destroy the company?"

At 6:18am on 15th February 2004, Valve's MD received an email with a blank subject line from sender 'Da Guy'.

"Hello Gabe," the author began, before going on to claim responsibility for infiltrating Valve's network months earlier.

Newell was unsure whether to believe the story at first. But two attached documents, both of which could only have been obtained by someone with access to private areas of Valve's server, proved the sender's claims were valid.

Five months after Half-Life 2 was released onto the internet, long after all leads had gone cold, Newell's man had turned up on his doorstep.

Sandtraps

Why did Gembe send that email? "Because I was sorry for what happened," he says. "I wanted them to know who did this thing, and that my intention was never for things to work out the way they did."

But that wasn't all that Gembe was after. The young man saw a way he could create a positive outcome from his crime, both for Valve and himself. In a separate email, he asked if Newell would consider giving him a job.

"I was very naïve back then," he says. "It was and still is my dream to work for a game development company, so I just asked. I hoped that they could forgive what I had done, mostly because it wasn't intentional."

To Gembe's surprise, Newell wrote back a few days later saying yes, Valve was interested. He asked if Gembe would agree to a phone interview.

It's not obvious whether Valve would ever have traced Gembe if he hadn't gotten in touch with Newell directly.

The real motivation behind the suggestion was not to discover whether Gembe would be a strong candidate for a position within the company. It was to obtain an on-the-record admission from Gembe that he had been responsible for the leak. It's an old FBI trick, designed to gain a confession by appealing to a person's sense of pride.

Gembe had his suspicions but he pushed them to the back of his mind. "I hoped for the best," he says. "I was not the brightest kid back then."

He recalls the phone interview being conducted by Alfred Reynolds, developer on Counter-Strike and Steam, and Portal writer Erik Wolpaw, but says he could be wrong. (In fact, Wolpaw says he had yet to join the company at this point.)

"At first they wanted to know how I hacked into the network. I told them in full detail. Then they asked me about my experience and skills. I still remember they were surprised that I spoke fluent English without much of an accent."

The trio talked for 40 minutes. Any sense of guilt dissipated for Gembe in the presence of his heroes. But that was nothing compared to the adrenaline rush he felt when he received an invitation to a second interview. This one would be face-to-face at Valve's headquarters in Seattle, on American soil.

Having set the trap, Valve and the FBI needed to obtain a visa for Gembe (and his father and brother, as he had asked if they could accompany him to the US). But there were concerns about the ongoing access Gembe had to Valve's servers and the potential damage he could still cause. So the FBI contacted the German police, alerting them to the plan.

Highway 17

It was soon after this that Gembe awoke to find himself staring down the barrel of a gun. He got dressed and headed downstairs, escorted by the armed policemen squeezed into the small hallways of his father's house.

"Can I get something to eat before we leave?" asked Gembe.

"No problem," said one of the policemen.

The initial level of Half-Life 2 open in Hammer.

Gembe reached for a kitchen knife to cut some bread. "Every policeman in the room raised his rifle at me," he says.

After drinking a cup of coffee and smoking a cigarette, Gembe climbed into the back of a van and was driven to the local police station. There he was greeted by the police chief. He walked up to Gembe, looked him in the eye and said, "Have you any idea how lucky you are that we got to you before you got on that plane?"

Gembe was interrogated by the police for three hours. "Most of the questions they asked me were about the Sasser-Worm," he says, referring to a particularly vicious malware that affects computers running vulnerable versions of Windows XP and Windows 2000.

"For some reason they thought there was a connection between me and Sasser, which I denied. Sasser was big news back then and its author, Sven Jaschan, was raided the same day as me in a co-ordinated operation, because they thought I could warn him.

"My bot used the same vulnerability in the LSASS service that his did, except it didn't crash the host system, so I guess they thought I gave him the exploit code. Of course I denied this and told them that I never write such shoddy code."

After the police began to realise there was no link between Gembe and the Sasser-Worm, they moved on to asking him about Valve.

"I could have refused to answer and demanded an attorney, but I chose to tell them everything I knew honestly and completely, which I guess they appreciated," he says. "The guy questioning me liked me because, he said, 'You are not an asshole like most of the other guys.' That department has to deal mostly with child porn.

"I guess I was so open with them because I didn't believe I did much wrong, at the time."

Gembe was remanded in custody for two weeks. He was released once the police had determined he wasn't about to flee, with the proviso that he check in with them three times a week, every week, for three years, until his trial.

Our Benefactors

While waiting for his day in court, Gembe worked hard to change his life. He finished an apprenticeship and got a job in the security sector, writing Windows applications to manage security systems and performing database and server administration work.

Axel Gembe's trial lasted for seven hours. No one from Valve was present, though someone from the Wall Street Journal turned up. Security breach aside, there was no evidence to suggest Gembe had been responsible for pushing the Half-Life 2 source code on the internet.

However, Gembe admitted to hacking into Valve's network. The judge sentenced him to two years' probation, citing his rough childhood and the way he had worked to turn his life around as considerations when it came to deciding on the relatively lenient punishment.

By the time of the trial 8.6 million copies of Half-Life 2 had been sold, its success seemingly unaffected by the leak of 4th October 2003.

Half-Life 2 did well, then. Although apparently not well enough to warrant a sequel...

Today Gembe is 28. Nearly a decade on, he is remorseful about the Half-Life 2 episode.

"I was naive and did things that I should never have done," he says. "There were so many better uses of my time. I regret having caused Valve Software trouble and financial loss. I also regret having caused some universities financial harm by using them as speed tests for my malware.

"Basically I regret all the illegal things I did at that time... And I regret not doing anything worthwhile with my life before I got busted."

What of the man he stole a game from? What would Axel Gembe say to Gabe Newell today?

"I would say this: I am so very sorry for what I did to you. I never intended to cause you harm. If I could undo it, I would. It still makes me sad thinking about it. I would have loved to just stay and watch you do your thing, but in the end I screwed it up.

"You are my favourite developer, and I will always buy your games."

This article was originally published on 21st February 2011.
