Originally posted over on /r/piracy (https://www.reddit.com/r/Piracy/comments/15itrip/1337x_admins_allowing_bg3_torrent_with_bitcoin/)

It looks like a bitcoin miner was included in the installer, and the admins on 1337x may or may not give a shit apparently. Scanned my pc and my wifes and found the same stuff the others mentioned.

According to the other comments, don’t feel the need to uninstall as the miner was installed separate to the game, just give a Malwarebytes scan to get rid of the junk.

  • fourohfour@lemmy.fmhy.net
    link
    fedilink
    English
    arrow-up
    127
    arrow-down
    13
    ·
    1 year ago

    It’s even worse apparently. Apparently someone looked at where the coins are going, and the coins are going to the 1337x admins, and the uploader is just getting a cut of those coins. Which explains why the admins are unlikely to really care because they’re profiting off their users.

    I have severe trust issues with any kind of pirated software so I basically never download it as a result, and shit like this is why. Even private trackers and “trusted” groups aren’t enough for me to download most software.

          • HelixDab2@lemm.ee
            link
            fedilink
            English
            arrow-up
            11
            arrow-down
            3
            ·
            1 year ago

            Obligatory plug for Monero.

            …Which is a huge fucking hassle to try and use, IMO.

              • HelixDab2@lemm.ee
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                First, the fact that I have to download the whole blockchain to use it. I’m not on a super fast connection, so that took like a day. The difficulty and expense of getting Monero was also an issue; I had to buy Bitcoins, then move Bitcoins to an exchange that would let me buy Monero, because the exchange I could buy Bitcoin on didn’t work with Monero (due to the perception that it’s only used for criminal activity). At every step, there’s a transaction fee, and that fee isn’t entirely transparent up front, so it’s harder to estimate what the final price (in fiat currency) will be.

                At the tiem I was trying to use it, there weren’t any user-friendly wallets, and I don’t think there was any capability to use it from a mobile phone; that makes it more difficult to use than other crypto.

                I’m not sure how well it plays with Tails of Qubes; I never got far enough to give it a shot.

                I’m not saying that any of these thigns are bad, but they do make it harder for a typical person to start using, and until more regular people are using privacy-focused crypto and operating systems, they’re always going to have the appearance of being used for crime only.

                • kklusz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Ah thanks for explaining! Yeah the inability to purchase it directly on local exchanges is a bummer, although if localmonero vendors are available in your area, you may be able to pay them using your local bank account too.

                  These days you definitely don’t have to download the entire blockchain to use it; you can just connect to someone else’s node. But if you want to restore an old wallet, you unfortunately do have to run through each blockchain transaction after the wallet was created, to see if any of those transactions belong to you. There’s also a mobile app nowadays called Cake Wallet.

                  All in all, I agree that it’s not the friendliest crypto to use, unfortunately. Its main selling point is privacy, and criminals are more incentivized than others to protect their privacy, so I’m not sure how it’ll ever shake off that image.

        • lemming007@lemm.ee
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          You can follow the wallet address , but unles you know who the address belongs to, you can’t follow it. So we ask again, where the proof that the coins went to site admins?

  • Deluxeparrot@feddit.uk
    link
    fedilink
    English
    arrow-up
    100
    ·
    1 year ago

    For gog games you can check the digital signature on the installer to make sure it’s legit. It should be signed by GOG.

  • empireOfLove@lemmy.one
    link
    fedilink
    English
    arrow-up
    94
    arrow-down
    13
    ·
    1 year ago

    If you aren’t scanning every software you download, whether a pirate torrent or normal direct download, that’s kinda your own fault

    • kniescherz@feddit.de
      link
      fedilink
      English
      arrow-up
      73
      arrow-down
      1
      ·
      1 year ago

      To be fair, I cannot remember a software where no anti virus program turned red. Those cracks always look suspicous to the heuristics.

      • empireOfLove@lemmy.one
        link
        fedilink
        English
        arrow-up
        24
        ·
        1 year ago

        Of course but it’s usually pretty easy to filter out the false positives that always appear as a Trojan (because of the file modification payload) vs a crypto miner

        • Graphy@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          1 year ago

          Do you have a guide or anything I can checkout? I usually google what flags show up and use big name uploaders but never know for sure.

      • boonhet@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Agreed, but if it’s a GOG release it doesn’t need a crack because it never had DRM in the first place.

    • GeekFTW@kbin.socialOP
      link
      fedilink
      arrow-up
      19
      arrow-down
      1
      ·
      1 year ago

      Oh 100%. Was a dumb moment where I didn’t expect it and didn’t bother, and neither did a lot of other people from the looks of it. Good thing is it was something fixable in less than 5 mins and not a bigger problem.

      • AceBonobo@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        I would completely reformat all affected machines. AVs are not perfect. Yes it sucks, but imagine the consequences of doing any form of banking on an infected machine.

        • GeekFTW@kbin.socialOP
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Amazingly enough this all happened on 2 machines with 2-week-old OS installs so, honestly not a huge hassle to do so lmao.`

    • realherald@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      No downloading much anyways, but if I were to start, how would I go about scanning the files properly? Could you recommend something to read up on the topic?

  • eagleeyedtiger@lemmy.nz
    link
    fedilink
    English
    arrow-up
    65
    arrow-down
    1
    ·
    1 year ago

    You shouldn’t trust anything uploaded there by IGGGames. They’ve been caught before adding miners to their files. I downloaded the rune release somewhere else seeing as they were the uploader on 1337x. I only really use 1337x for fitgirl repacks.

  • HatchetHaro@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    66
    arrow-down
    6
    ·
    1 year ago

    Just popping in to say that if you enjoy the game and if you are financially able to, buy the game properly to support the developers, especially Larian Studios.

  • Hextic@lemmy.world
    link
    fedilink
    English
    arrow-up
    53
    arrow-down
    4
    ·
    1 year ago

    LOL idiots BG3 is DRM Free just get the GOG installer, surely people mirror that shit, I’ve seent it before.

    • MonkCanatella@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      Yeah the thing is it installs programs that then give themselves access. You can block install.exe all you like, they’re way more advanced than that.

      • src@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        1 year ago

        If you have a firewall like Tinywall, you can set it to block all apps from accessing the Internet unless they’re explicitly allowed to. Problem solved?

    • mlg@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      1 year ago

      I mean

      He said it installed separately

      So blocking the network for the game or the installer wouldn’t achieve anything lol

        • mlg@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I don’t run a whole ass DPS firewall for my home network lmao.

          Firewall won’t do anything if the mining software was made decently well and just hides every connection through outgoing HTTPS.

            • mlg@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I’m talking about the firewall which is network handling only.

              Most host firewalls only block incoming traffic.

              All you have to do is get all mining data by making outgoing web connections to some random proxy, which can optionally have a domain to look more legit.

              Firewall won’t care, and unless you’re pouring over the logs or looking at active connections, you won’t find it either.

              Since it’s mining software, the fastest giveaway would be high usage or running an anti-virus to find sketchy executables.

              I’m assuming OP is on windows which means the installer asked for admin perms to install to program files which is a really easy way to hide your mining executable assuming it hasn’t been fingerprinted by popular anti virus yet.

    • hypna@lemmy.world
      link
      fedilink
      English
      arrow-up
      40
      ·
      edit-2
      1 year ago

      I mean, it’s an mtx-free, drm-free, full feature game. If BG3 isn’t worth paying for, I don’t know what is.

  • moosetwin@FMHY@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    ·
    1 year ago

    I opened this post all scared that I might’ve accidentally downloaded malware and my fuckin’ AV alerted

    yeah yeah I know piracy and AVs don’t generally mix

      • smpl@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        My guess is that it’s an instance of some federated platform talking to lemmy, which has once been used to serve malware by one of its users. AFAIK lemmy only fetch avatars directly from instances, but it’s a privacy nightmare which, admittedly easy to say for one who doesn’t pay for storage space, should be mitigated with a caching mediaproxy.

    • harmonea@kbin.social
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      1 year ago

      The DODI repack is based on the RUNE release which I believe is clean. Another commenter claims a found Trojan but there are others who found nothing, and imo it’s probably just the usual crack shenanigans.

      Edit: See replies! It seems there are tainted versions of the repack out there, but there are clean ones too. Remember to keep a critical eye on your sites and uploaders in addition to your release groups. There’s a useful link in a reply to me below showing what you might see if you’ve downloaded a bad one.

      • shottymcb@lemm.ee
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        There’s no need for a crack on this game, it’s available on GOG which is always DRM free.

      • Makeshift@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        it seems like half the people I see who downloaded it say they got a tojan, and half didn’t. Could it possibly be triggering only for certain people? perhaps if their specs are good enough for bitcoin mining or not? or maybe just at random? just spitballing here

        • harmonea@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          For the RUNE release, it probably has more to do with what AV they’re using and how sensitive it is. Cracked games flag AVs all the time, you have to pay attention to what it’s alerting you about. If you’re being careful and clean about the sites, uploaders, and release groups you trust, that “trojan” is usually nothing more than an injected hook to defeat DRM.

            • harmonea@kbin.social
              link
              fedilink
              arrow-up
              6
              ·
              edit-2
              1 year ago

              Hey, thanks for that link! I’m really glad to have the details so I can verify for myself.

              However, with that, I can REALLY confirm this is not an issue inherent to the DODI repack. DODI’s is what I’m using and I have none of that on my system – I checked with that powershell command, then also followed along with the comments to check other files and scheduled tasks that were mentioned.

              That said, I got my download from torrentleech. I suspect a tainted version of the repack got onto certain other sites. It wouldn’t be the first time (which is why I specify trusted sites and uploaders in addition to release groups).

              • Makeshift@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                good to hear. dodi just officially denied the accusations as well:

                https://www.reddit.com/r/Piracy/comments/15ivtzk/dodi_verified_release_on_tg_has_crypto_miner/juy98il/

                although he claims integritycheck.exe is a windows process, when clearly it is also the name of that miner I linked above

                my guess is the dodi account on torrent galaxy, although verified, could be a fake and is putting in these viruses, or maybe the people commenting saying they got the virus from dodi actually got it from that hogwarts legacy crack which originally had this miner.

                either way, I always hope the community will take these sorts of claims seriously and investigate to ensure everyone’s safety

      • DrManhattan@lemmy.design
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I looked for this integrity check file and ran the power shell script and I don’t see it listed anywhere on my system’s roaming folder nor in the list of applications with cpu usage.

  • daninet@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    1 year ago

    On the private tracker I’m at I have already seen a clean mirror uploaded

  • UntouchedWagons@lemmy.ca
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    3
    ·
    1 year ago

    I downloaded the RUNE release from TorrentLeech and Windows Defender found a trojan so yeah I’ll believe it. I guess I’ll wait for a FitGirls repack.

    • KitsuneHaiku@ttrpg.network
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      I’ve had false positives from cracks on TL before, several times. I respect your carefulness with a known problem with another release, though.

    • Elegast@lemmy.ca
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Torrent galaxy rune release. However not seeing any issues? Malwarebytes scans coming up clean. No integritycheck folder in app data. No hidden process running when game running. 🤷‍♂️?

    • 5redie8@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      More than likely a false positive- they often show up as Trojans due to the payload. I saw a similar issue from the rune release off of my private tracker.

      • JelloBrains@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Sadly even with private sites a lot of things are taken from a public source and you occasionally run into this problem. Like some people up their ratios on these sites by using their VPN to get the public torrent and then seeding it back to the private one.

        • Pulp@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          As long as the first uploader didn’t do it, then that won’t cause other downloaders any issues. Torrents always verify the hash is correct and will discard bad data. And TorrentLeech has uploading torrents limited.

    • Nimmo@lem.nimmog.uk
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      1 year ago

      Now that’s not something I’d have expected. I’ve never encountered anything like that in the nearly 15-20 years I’ve been using TL.