Games

Read the FBI’s Damning Case Against the Recently Arrested Nintendo Hacker

The hacker who stole from Nintendo for years bragged about it online, and didn’t even try to hide his real name or activities.
Read the FBI's damning case against the recently arrested Nintendo hacker.
Image courtesy of Nintendo

Ryan Hernandez spent years hacking into Nintendo servers to steal games and other pieces of software. When the FBI caught him and seized his computers, it found child pornography on his hard drives, and Hernandez pleaded guilty to the crimes on January 31. According to the FBI’s affidavit and application for a search warrant, obtained by VICE, Hernandez spent the last few years bragging about stealing from Nintendo publicly across multiple social media platforms, including Twitter and Discord.

Advertisement

According to the affidavit—which VICE obtained from Deputy Director of the Program on Extremism at George Washington University and court watcher Seamus Hughes—Hernandez first crossed Nintendo’s radar in 2016 when he registered for developer access through the company—and Nintendo said yes. “Hernandez then accessed confidential and proprietary information, including material for the Wii U console and Nintendo 3DS system, through Nintendo’s developer sites,” court documents said.

Court documents didn’t reveal what, specifically, Hernandez leaked. But his story mirrors that of a Nintendo leaker who had information about the company's E3 announcements ahead of time. Sabi, the E3 leaker, said that Nintendo’s lawyers reached out and told him to stop.

Once Hernandez had information, he shared it online publicly. Because Nintendo knew exactly who Hernandez was, he made no effort to hide his identity, and so Nintendo reached out to his family through a representative and asked him to stop. In September 2016, Hernandez was still a minor, and he and his family agreed to stop releasing the private material he'd acquired.

But only one month later, in October 2016, Hernandez phished a Nintendo employee through its online developer portal, a place where developers officially interact with Nintendo to develop and list their game on Nintendo’s online store. Hernandez “persuaded a Nintendo employee to respond to a help request posted on a Nintendo online forum,” the affidavit said. “The threat actor used the stolen account credentials to upload malware onto the site, which logged the tokens of legitimate users logging onto the site, and later to gain administrator access to the Developer Portal and download proprietary Nintendo data.”

Advertisement

Nintendo launched its own investigation of the incident and quickly figured out it was Hernandez. “The identification was made in part by matching the IP address used for attack with the IP address legitimately used by Hernandez on the Nintendo network,” the affidavit said.

Along with the IP address, Nintendo also noticed the stolen data showing up on Twitter under the account named @ryanrocks462, which has since been suspended. Hernandez also ran a Discord server called “Ryan’s Underground Hideout” under the username ryanrocks462 and shared his personal IP address on the Discord server. Hernandez was so bad at covering his tracks that, when the IP address changed because his father switched the family’s service provider, Hernandez complained about it on Discord, giving law enforcement an exact timeline of the IP change.

After Hernandez phished his way inside Nintendo’s developer portal, the company launched an investigation and gathered evidence. In March 2017, it reached out the FBI and turned over all the information it had gathered.

In October 2017, the FBI went to the home Hernandez shared with his parents, in which "Hernandez promised to stop any further malicious activity against Nintendo and indicated an understanding of potential consequences of future criminal activity.”

1580849372784-Idiot

Image: FBI affidavit

After the FBI visited him, Hernandez bragged about getting away with his crimes on his Discord server. “It’s OK the FBI came to my house before they can say hello :3,” he posted.

Advertisement

“They will say, ‘hello famed Splatoon 2 modder and YouTuber Ryan West, we have some reports that you are keeping 37 childrein against their will in your basement, is that correct?’” Someone else in the Discord responded.

“I will say, ‘Yes! But you will lose the case just liek [sic] last time!’” Hernadez posted.

According to the FBI affidavit, a few days after this conversation, Hernandez posted a meme on one of his Twitter accounts depicting Spongebob Squarepants as an FBI agent. He tagged Nintendo America’s official Twitter account in the post.

1580849410197-Lort

Around the same time that Super Mario Party hit the Switch in October 2018, Nintendo once again caught Hernandez snooping around using the same IP address. He was trying to get access to Nintendo’s development tools for unreleased games. It turned the information over to the FBI.

Hernandez used multiple email accounts from multiple providers, but they were often all variations of “ryanrocks,” followed by a random alphanumeric. Often, he used the alias "Ryan West" to register these accounts. For Nintendo and the FBI, it appears he was easy to track.

Hernandez also continued to brag about his hacks online. “Discord users ryanrocks462 claimed to have access to Nintendo servers and was actively downloading content, specifically related to the Nintendo Switch,” the affidavit said. Hernandez posted a screenshot of the Switch’s content delivery network (CDN)—a kind of map of the way Nintendo delivers games from the internet to an individual console. ‘2 more Terabytes and ill have all of nintendos cdn.”

Advertisement

A month later, the same account posted another screenshot in Discord. It was a similar image of the “Switch_CDN” file folders. “Just got the jap titles to go [oh my lord],” he posted.

Then, on December 16, 2018, Hernandez posted a screenshot of a file directory that implied he had access to Nintendo’s European file sharing network. “The image appears to be taken via a cellphone,” court documents said.

“This is Nintendo’s Internal Eshop AP testing,” ryanrocks462 said on Discord. “Hardly anyone knows about this actually. Server stuff has been my thing for the past 3/4 months. And I learned a lot about Nintendo uwu.” uwu is internet slang for being overwhelmed by cuteness, the uwu replicates the face of a cute anime animal.

The evidence the FBI gave the judges, most of it easily available to the public, was enough for the judge to issue a search warrant for Hernandez’s accounts and devices. “On those devices, they discovered thousands of confidential Nintendo files,” the Justice Department said in a press release about the case. “Forensic analysis of his devices also revealed that Hernandez had used the internet to collect more than one thousand videos and images of minors engaged in sexually explicit conduct, stored and sorted in a folder directory he labeled ‘Bad Stuff.’”

According to the Justice Department, Hernandez faces up to three years in prison as part of a plea agreement. His ultimate fate, however, is in the hands of the judge. Hernandez has also agreed to pay Nintendo $259,323 “for the remediation costs caused by his contact.”

Correction: This piece has been updated to reflect Hughes' correct title.