this post was submitted on 05 Aug 2023
260 points (100.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

1440 readers
56 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

💰 Please help cover server costs.

Ko-FiLiberapay

founded 1 year ago
MODERATORS
db0@lemmy.dbzer0.com
sunbrothersco@lemmy.dbzer0.com
dataprolet@lemmy.dbzer0.com
Flatworm7591@lemmy.dbzer0.com
RandomLegend@lemmy.dbzer0.com
260
Anyone who downloaded the GOG Baldur's Gate 3 release from 1337x, scan with Malwarebytes asap! (kbin.social)
submitted 1 year ago by GeekFTW@kbin.social to c/piracy@lemmy.dbzer0.com
50 comments fedilink hide all child comments
 

Originally posted over on /r/piracy (https://www.reddit.com/r/Piracy/comments/15itrip/1337x_admins_allowing_bg3_torrent_with_bitcoin/)

It looks like a bitcoin miner was included in the installer, and the admins on 1337x may or may not give a shit apparently. Scanned my pc and my wifes and found the same stuff the others mentioned.

According to the other comments, don't feel the need to uninstall as the miner was installed separate to the game, just give a Malwarebytes scan to get rid of the junk.

top 50 comments
sorted by: hot top controversial new old
[–] fourohfour@lemmy.fmhy.net 81 points 1 year ago (3 children)

It's even worse apparently. Apparently someone looked at where the coins are going, and the coins are going to the 1337x admins, and the uploader is just getting a cut of those coins. Which explains why the admins are unlikely to really care because they're profiting off their users.

I have severe trust issues with any kind of pirated software so I basically never download it as a result, and shit like this is why. Even private trackers and "trusted" groups aren't enough for me to download most software.

[–] Steeve@lemmy.ca 21 points 1 year ago (1 children)

Do you have any evidence of that?

[–] _comfortablyAverage_@lemmy.ml 20 points 1 year ago

can we get some proof? this is really interesting. I'd like to see how they're tracking stuff

[–] Pulp@lemmy.dbzer0.com 12 points 1 year ago (1 children)

How did they figure that out?

[–] Shere_Khan@lemmy.dbzer0.com 36 points 1 year ago (1 children)

Crytpo isn't inherently anonymous. you can easily follow coins.

[–] lemming007@lemm.ee 7 points 1 year ago

You can follow the wallet address , but unles you know who the address belongs to, you can't follow it. So we ask again, where the proof that the coins went to site admins?

[–] deluxeparrot@feddit.uk 74 points 1 year ago

For gog games you can check the digital signature on the installer to make sure it's legit. It should be signed by GOG.

[–] empireOfLove@lemmy.one 66 points 1 year ago (3 children)

If you aren't scanning every software you download, whether a pirate torrent or normal direct download, that's kinda your own fault

[–] teft@startrek.website 63 points 1 year ago (1 children)

Motherfuckers out here rawdogging the internet like it's 1998.

[–] crow 17 points 1 year ago

It just feels better… I can’t feel the bits otherwise.

[–] kniescherz@feddit.de 53 points 1 year ago (3 children)

To be fair, I cannot remember a software where no anti virus program turned red. Those cracks always look suspicous to the heuristics.

[–] empireOfLove@lemmy.one 13 points 1 year ago

Of course but it's usually pretty easy to filter out the false positives that always appear as a Trojan (because of the file modification payload) vs a crypto miner

[–] Pulp@lemmy.dbzer0.com 4 points 1 year ago

They usually say something generic like HackTool.

[–] boonhet@lemm.ee 1 points 1 year ago

Agreed, but if it's a GOG release it doesn't need a crack because it never had DRM in the first place.

[–] GeekFTW@kbin.social 14 points 1 year ago

Oh 100%. Was a dumb moment where I didn't expect it and didn't bother, and neither did a lot of other people from the looks of it. Good thing is it was something fixable in less than 5 mins and not a bigger problem.

[–] eagleeyedtiger@lemmy.nz 48 points 1 year ago (1 children)

You shouldn't trust anything uploaded there by IGGGames. They've been caught before adding miners to their files. I downloaded the rune release somewhere else seeing as they were the uploader on 1337x. I only really use 1337x for fitgirl repacks.

[–] Haveanicedayman@lemmy.ml 13 points 1 year ago (1 children)

Why not from fitgirl page directly?

[–] eagleeyedtiger@lemmy.nz 8 points 1 year ago

I mean I do grab the torrent link from the fitgirl site, but I find the torrent faster to download than the direct download links.

[–] HatchetHaro@lemmy.blahaj.zone 46 points 1 year ago (1 children)

Just popping in to say that if you enjoy the game and if you are financially able to, buy the game properly to support the developers, especially Larian Studios.

[–] posedexposed@kbin.social 15 points 1 year ago

If a dev studio should be financially incentivized to keep doing what they're doing, it's this one

[–] Madiator2011@lm.madiator.cloud 23 points 1 year ago

Dont be mad at me but I bought the game from GOG :)

[–] Flatworm7591@lemmy.dbzer0.com 19 points 1 year ago

I reported it on 1337x earlier today, but they aren't very responsive. Fitgirl has it listed as an upcoming repack, so hopefully not long to wait for a clean copy.

[–] tekeous@apollo.town 11 points 1 year ago (1 children)

Empress was right

[–] stappern@lemmy.one 10 points 1 year ago

Nah

[–] DrManhattan@lemmy.design 7 points 1 year ago (4 children)

Has anyone seen anything on the DODI release or is it clean?

[–] harmonea@kbin.social 10 points 1 year ago* (last edited 1 year ago) (2 children)

The DODI repack is based on the RUNE release which I believe is clean. Another commenter claims a found Trojan but there are others who found nothing, and imo it's probably just the usual crack shenanigans.

Edit: See replies! It seems there are tainted versions of the repack out there, but there are clean ones too. Remember to keep a critical eye on your sites and uploaders in addition to your release groups. There's a useful link in a reply to me below showing what you might see if you've downloaded a bad one.

[–] shottymcb@lemm.ee 8 points 1 year ago

There's no need for a crack on this game, it's available on GOG which is always DRM free.

[–] Makeshift@lemmy.dbzer0.com 2 points 1 year ago (1 children)

it seems like half the people I see who downloaded it say they got a tojan, and half didn't. Could it possibly be triggering only for certain people? perhaps if their specs are good enough for bitcoin mining or not? or maybe just at random? just spitballing here

[–] harmonea@kbin.social 2 points 1 year ago (1 children)

For the RUNE release, it probably has more to do with what AV they're using and how sensitive it is. Cracked games flag AVs all the time, you have to pay attention to what it's alerting you about. If you're being careful and clean about the sites, uploaders, and release groups you trust, that "trojan" is usually nothing more than an injected hook to defeat DRM.

[–] Makeshift@lemmy.dbzer0.com 9 points 1 year ago (1 children)

it's not a false positive people are finding. it's a bitcoin miner called integritycheck.exe

https://www.reddit.com/r/Piracy/comments/15itrip/1337x_admins_allowing_bg3_torrent_with_bitcoin/juxiobs/

[–] harmonea@kbin.social 4 points 1 year ago* (last edited 1 year ago) (1 children)

Hey, thanks for that link! I'm really glad to have the details so I can verify for myself.

However, with that, I can REALLY confirm this is not an issue inherent to the DODI repack. DODI's is what I'm using and I have none of that on my system -- I checked with that powershell command, then also followed along with the comments to check other files and scheduled tasks that were mentioned.

That said, I got my download from torrentleech. I suspect a tainted version of the repack got onto certain other sites. It wouldn't be the first time (which is why I specify trusted sites and uploaders in addition to release groups).

[–] Makeshift@lemmy.dbzer0.com 2 points 1 year ago

good to hear. dodi just officially denied the accusations as well:

https://www.reddit.com/r/Piracy/comments/15ivtzk/dodi_verified_release_on_tg_has_crypto_miner/juy98il/

although he claims integritycheck.exe is a windows process, when clearly it is also the name of that miner I linked above

my guess is the dodi account on torrent galaxy, although verified, could be a fake and is putting in these viruses, or maybe the people commenting saying they got the virus from dodi actually got it from that hogwarts legacy crack which originally had this miner.

either way, I always hope the community will take these sorts of claims seriously and investigate to ensure everyone's safety

[–] Makeshift@lemmy.dbzer0.com 4 points 1 year ago

There are claims from comments on torrent galaxy that dodis release has the same bitcoin miner:

https://www.reddit.com/r/Piracy/comments/15ivtzk/dodi_verified_release_on_tg_has_crypto_miner/

I hope someone can get to the bottom of this

[–] Leo@lemmy.dbzer0.com 1 points 1 year ago

Dodi also has the gog version below, it doesn't even require an installation

[–] SilentStorms@lemmy.ca 1 points 1 year ago (1 children)

I hope DODI is fine. I'm currently in the middle of installing it...

[–] DrManhattan@lemmy.design 2 points 1 year ago

I looked for this integrity check file and ran the power shell script and I don’t see it listed anywhere on my system’s roaming folder nor in the list of applications with cpu usage.

[–] altima_neo@lemmy.zip 6 points 1 year ago (3 children)

isnt malwarebytes kinda crap these days?

load more comments (2 replies)
[–] UntouchedWagons@lemmy.ca 5 points 1 year ago (4 children)

I downloaded the RUNE release from TorrentLeech and Windows Defender found a trojan so yeah I'll believe it. I guess I'll wait for a FitGirls repack.

[–] Elegast@lemmy.ca 4 points 1 year ago

Torrent galaxy rune release. However not seeing any issues? Malwarebytes scans coming up clean. No integritycheck folder in app data. No hidden process running when game running. 🤷‍♂️?

[–] KitsuneHaiku@ttrpg.network 4 points 1 year ago

I've had false positives from cracks on TL before, several times. I respect your carefulness with a known problem with another release, though.

[–] nimmo@lem.nimmog.uk 1 points 1 year ago (1 children)

Now that's not something I'd have expected. I've never encountered anything like that in the nearly 15-20 years I've been using TL.

[–] Pulp@lemmy.dbzer0.com 1 points 1 year ago (1 children)

20? Interesting.

[–] nimmo@lem.nimmog.uk 1 points 1 year ago

Just took a look at my profile, registered on 27 June 2006. So it's in my 15-20 year window that I mentioned

[–] hogart@feddit.nu 1 points 1 year ago (1 children)

From TL? Really? That's a surprise I didn't wanna hear! :/

[–] JelloBrains@kbin.social 3 points 1 year ago (1 children)

Sadly even with private sites a lot of things are taken from a public source and you occasionally run into this problem. Like some people up their ratios on these sites by using their VPN to get the public torrent and then seeding it back to the private one.

[–] Pulp@lemmy.dbzer0.com 1 points 1 year ago

As long as the first uploader didn't do it, then that won't cause other downloaders any issues. Torrents always verify the hash is correct and will discard bad data. And TorrentLeech has uploading torrents limited.

[–] Alextheacceptable@lemmy.dbzer0.com 4 points 1 year ago

Is DODI's repack safe?