Rainbow Six Siege Hacked as Players Get Billions of Credits and Random Bans
Key topics
A massive hack has shaken the Rainbow Six Siege gaming community, with hackers flooding the game with fake bans and awarding players billions of credits. As commenters dug into the chaos, they uncovered a humorous twist: the "random" bans were actually lyrics from popular songs, including Shaggy's "It Wasn't Me" and Michael Jackson's "Billie Jean". Some speculated that the hack might be linked to an exposed API key or a database vulnerability, with one commenter pointing to a potential Postgres dump as a possible entry point. The lighthearted memes and references to classic gaming humor have added a dash of nostalgia to the discussion.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
3h
Peak period
27
3-6h
Avg / period
11.7
Based on 152 loaded comments
Key moments
- 01Story posted
Dec 27, 2025 at 2:45 PM EST
10 days ago
Step 01 - 02First comment
Dec 27, 2025 at 5:20 PM EST
3h after posting
Step 02 - 03Peak activity
27 comments in 3-6h
Hottest window of the conversation
Step 03 - 04Latest activity
Dec 29, 2025 at 6:04 AM EST
9 days ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
https://x.com/KingGeorge/status/2004902566434668686
>@KingGeorge
>Seems like R6 is completely fucked. It’s unreal how bad.
>Hackers have done the following.
>1. Banned + unbanned thousands of people.
>2. Taken over the ban feed can put anything.
>3. Gave everyone 2 billion credits + renown.
>4. Gave everyone every skin including dev skins.
>5:09 AM · Dec 27, 2025
https://x.com/vxunderground/status/2005008887234048091
>@vxunderground
>Clarification post, previous post about Ubisoft lead to some confusion. That's my fault. I'll be more verbose. I was trying to compress the information into 1 singular post without it exceeding the word limit.
>Here's the word on the internet streets:
>- THE FIRST GROUP of individuals exploited a Rainbow 6 Siege service allowing them ban players, modify inventory, etc. These individuals did not touch user data (unsure if they even could). They gifted roughly $339,960,000,000,000 worth of in-game currency to players. Ubisoft will perform a roll back to undo the damages. They're probably annoyed. I cannot go into full details at this time how it was achieved.
>- A SECOND GROUP of individuals, unrelated to the FIRST GROUP of individuals, exploited a MongoDB instance from Ubisoft, using MongoBleed, which allowed them (in some capacity) to pivot to an internal Git repository. They exfiltrated a large portion of Ubisoft's internal source code. They assert it is data from the 90's - present, including software development kits, multiplayer services, etc. I have medium to high confidence this true. I've confirmed this with multiple parties.
>- A THIRD GROUP of individuals claim to have compromised Ubisoft and exfiltrated user data by exploiting MongoDB via MongoBleed. This group is trying to extort Ubisoft. They have a name for their extortion group and are active on Telegram. However, I have been unable to determine the validity of their claims.
>- A FOURTH GROUP of individuals assert the SECOND group of individuals are LYING and state the SECOND GROUP has had access to the Ubisoft internal source code for awhile. However, they state the SECOND GROUP is trying to hide behind the FIRST GROUP to masquerade as them and give them a reason to leak the source code in totality. The FIRST GROUP and FOURTH GROUP is frustrated by this
>Will the SECOND GROUP leak the source code? Is the SECOND GROUP telling the truth? Did the SECOND GROUP lie and have access to Ubisoft code this whole time? Was it MongoBleed? Will the FIRST GROUP get pinned for this? Who is this mysterious THIRD GROUP? Is this group related to any of the other groups?
>Find out next time on Dragon Ball Z
>12:12 PM · Dec 27, 2025
Here's the word on the internet streets:
- THE FIRST GROUP of individuals exploited a Rainbow 6 Siege service allowing them ban players, modify inventory, etc. These individuals did not touch user data (unsure if they even could). They gifted roughly $339,960,000,000,000 worth of in-game currency to players. Ubisoft will perform a roll back to undo the damages. They're probably annoyed. I cannot go into full details at this time how it was achieved.
- A SECOND GROUP of individuals, unrelated to the FIRST GROUP of individuals, exploited a MongoDB instance from Ubisoft, using MongoBleed, which allowed them (in some capacity) to pivot to an internal Git repository. They exfiltrated a large portion of Ubisoft's internal source code. They assert it is data from the 90's - present, including software development kits, multiplayer services, etc. I have medium to high confidence this true. I've confirmed this with multiple parties.
- A THIRD GROUP of individuals claim to have compromised Ubisoft and exfiltrated user data by exploiting MongoDB via MongoBleed. This group is trying to extort Ubisoft. They have a name for their extortion group and are active on Telegram. However, I have been unable to determine the validity of their claims.
- A FOURTH GROUP of individuals assert the SECOND group of individuals are LYING and state the SECOND GROUP has had access to the Ubisoft internal source code for awhile. However, they state the SECOND GROUP is trying to hide behind the FIRST GROUP to masquerade as them and give them a reason to leak the source code in totality. The FIRST GROUP and FOURTH GROUP is frustrated by this
Will the SECOND GROUP leak the source code? Is the SECOND GROUP telling the truth? Did the SECOND GROUP lie and have access to Ubisoft code this whole time? Was it MongoBleed? Will the FIRST GROUP get pinned for this? Who is this mysterious THIRD GROUP? Is this group related to any of the other groups?
The source leak is really interesting, though. We don't often get to see game source, and it often has surprises in.
This read to me like the end of a soap opera. Tune in tomorrow to find out!
I bet it appears unchallenged at some point in a court (or insurance) document though.
But I agree with you that it would be put into a court document as "it cost us this much" for the full amount, vs the amount they were likely to ever be able to sell (and can't, now that everyone got it for free, so the value is $0)
The market is mostly reasonable about who can and will sell their shares. If a big mover does sell a lot of their shares at once, the price will fall. Most big holders will slowly sell off shares for this reason.
Regarding the second group and access to source code; this is unlikely for a combination of four reasons.
1) The internal Ubisoft network is split between “player stuff” (ONBE) and developer stuff.
2) The ONBE network is deny by default, no movement is possible unless its explicitly requested ahead of time, by developers, in a formal request that must be limited in scope.
3) ONBE to “developer network” connections are almost never granted. We had one exception to this on the Division, and it was only because we could prove that getting code execution on the host that made connections would require a long chain of exploits. Of course that machine did not have complete access to all of the git repos.
4) Not a lot of stuff really uses git internally. Operations staff and web developers prefer git strongly; so they use Git. But nearly every project uses Perforce. Good look getting a flow granted from ONBE to a perforce server. That will never happen.
Siege, like The Division, worked against Ubisoft internal IT policies to make the product even possible. (IT was punishingly rigid) but some contracts were unviolatable.
The last I heard, Siege had headed to AWS and had free dominion in their tenant, but it would need Ubiservices (also in AWS) and those would route through ONBE.
I’m not sure if much changed, since a member of the board is former Microsoft and has mandated a switch to Azure from the top… But I am certain that these policies would likely be the last to go.
.. you don't have to tell me.
https://jacquesmattheij.com/microsoft-just-bought-nokia-for-...
I think I got one prediction wrong but the rest stuck.
How?
Find out in the next episode of... Tales from Cyberspace!
Regardless if this is true or not, and how it works exactly, I find it an interesting scenario.
For players: should I go online to maybe get gifted tons of ingame valuables while risking a ban? It turns playing into a gamble.
If I take on the hacker's view, I would find it exciting to dish out rewards and punishment at random on a large scale.
There have been many victims of the eSports neuroticism. League of Legends is probably the most extreme example I can come up with. You will eventually get banned from the game if you choose the "wrong" play style. You don't even have to cheat or play poorly. Overwatch suffered a very similar fate - They removed a player slot to force it to fit the "5 man" meta. In the case of OW, the changes proved so unpopular they had to literally delete the original title from everyone's PC to force use of the only remaining option.
Also wtf happened to non-shooter games. I am so bored of these FPS variations.
FPS haven't been under the spotlights for a while, these days it's mostly MOBAs.
https://www.beyondallreason.info/
[0] https://www.youtube.com/watch?v=mXMcq_LJ8ro
- Hexarchy / Rogue hex (Civ-like)
- The Last Caretaker
- Captain of Industry (factorio-like, was posted here on HN by dev awhile back)
- 9 kings
- Super Fantasy Kingdom
- Manor Lords
- Astronomics
- Heart of the Machine
The top of the list is Genshin Impact, although it'll probably be displaced by GTA6 soon - that one's estimated to come in at $1.5-2 million. There's multiple FPS games on there but there's some pretty expensive open-world games too.
You mean billion?
Sure, but 1 in 100 still gets you dozens of games a year now. There's plenty of genres where the top titles are nowhere near an AAA budget: Hades 2, Silksong, and Claire Obscura all being popular examples from this year, and Factorio being another well known example around here. Even simpler games like Balatro and Vampire Survivor are plenty of fun for some people.
The biggest studios have rarely been the ones producing the best work - budget gets you fancy cinematics and a beautifully rendered 3D world, but it doesn't make level design go any faster. It could plausibly buy better writing, but that requires all the executives to back off and trust the creatives.
And for what it's worth, the big studios are all happy raking in money on mindless remakes - it keeps working for them.
Finding them is slightly harder, but absolutely worth it.
It isn't that the other games are bad, though. It isn't like we are talking "handheld camcorder student-written movie" vs "polished hollywood blockbuster" but more.... Beautiful painting by a mostly unknown artist vs beautiful large, publically displayed and privatly funded artist. Big budgets get you more assistance and more/better tools and more space and more human help and more connections.
It is probably important to remember that a large portion of a blockbuster's budget is advertising. Advertising is often 50-100% of the production budget and I'm guessing AAA games have similar advertising budgets. I'm not sure how a large advertising budget gives you better products, though it might get you more folks if your game is online.
Of course, I'm guessing if you limit your search to FPS games, your experience might be a different.
So, the lead developer?
[1] https://www.youtube.com/channel/UCsHlla-bq0C_2OtEy8s2_Sg
[2] https://www.twitch.tv/kinggeorge
[3] https://liquipedia.net/rainbowsix/KingGeorge
You know on linux there is a feature for a process to snoop into another process, that for the same user (non root), can be use for anti-tampering: with a proper "security" team, as all live-service games should have, you can give hell to hackers without a kernel module...
Thats probably pretty difficult.
2 - if I recall properly, that linux feature is a direct mapping of the target user process allowing extreme dynamicity in time, performant, and much more powerfull mechanisms than basic 'calls'. Namely hell for hackers if a live service game has a proper "security" team, all that without a kernel module.
The parent is right.
I'm quite literally the first person to bash Windows for being a shitty operating system, but the requirement for signed modules puts a massive barrier to entry for cheaters, where Linux can load just about anything.
If every system call can lie to you, there's a few things you can do, but it's not many.
I know this because I've actually done a lot of due diligence on anti-cheat.
One mechanism I attempted to employ was to replay initalisation vectors and determinism of inputs; this means I could replay your session out of band and witness the same outcomes. If there was variation then there's a fault. Except as soon as you introduce floating point numbers there's no more determinism... Oh well.
The other was to watch for "impossible" things, but then you need to run full complex physics simulations for every client. If your game requires you to effectively buy an i7-11700k for every user then you'd have to sell your game for a lot more money, and limit how long they can play - nobody wants this.
The third option was to score our best players and anyone who performs better than that gets their behaviour tracked. The problem is, coming up with a scoring system that's server side is much harder than you think.
GameDevs don't actually like paying a shit load of money for anti-cheat (that also breaks their debugging systems and causes bugs: a wonderful combination)... so if you've got a better way: join the industry and fix it. You'll be a moderately wealthy person.
1 - kernel anti-cheats ARE weaponized by hackers. This is not a matter of discussion unless you are into the AI generated HN news conspiracy.
2 - this linux feature should provide (if I recall properly) a very complex and flexible (not limited to "calls"), and performant, set of interactions between a set of anti-cheat processes and the set of game processes. All that as being non-root priviledge (I think you must be have the same effective user id). The actual and real parameter is the level of competence and creativity of the "anti-cheat" team which is a requirement of any "live-service games" with frequent updates.
3 - for FPS games where aiming skill is critical, anti-cheat are close to useless due to "external" AI based aim assist hardware.
The goal of cheats is to make money not to hack PCs.
And we all know this is fully hypocrit. "Computer security" does not exist, but for sure, adding a "gaming" _kernel module_ won't improve anything there... (irony).
Are they moving faster than conceivably possible by a real player? Even the most basic (x2-x1)/t > twice the theoretical will catch people teleporting or speed hacking.
Is their KDR or any other performance metric outside 5 standard deviations from the mean?
Here’s one: is everyone they encounter reporting them for cheating along with one of the above? Do people leave their matches constantly?
Defining and detecting objectively impossible things is not impossible.
1) they’re not foolproof
2) there is a delay in aggregating the data
this has annoying effects when the game has a trial period/goes on sale/has lots of cheap CD keys floating around.
3) if you weren’t delayed then the cheaters get better at adjusting to how you catch them.
We actually do a lot of statistical analysis, but it works in tandem with endpoint anti-cheat, and would hardly work at all alone.
If we banned them, they just created a new account and kept doing the same things.
When we detected them and the isolated them from all other good standing accounts, only allowing them to interact with other shadowbanned users, it virtually solved the problem. Normal users went about their day and the cheaters/fraudsters wasted a lot of time never getting through to anyone.
In gaming it seems like creating a cheaters purgatory where they are stuck competing against other cheaters forever would probably end up being its own special league after a while. Like when people suggested steroids in pro-baseball should be legal.
Give this team server side data, user level 'traps' and 'pitfalls' with frequent updates (they do that for dota2 and probably cs2, they don't need a kernel module), and you should end up with a rather sane gaming experience.
That's what GTA5 did (though, they marked you with a dunce cap)...
.. even though it's a good idea (and we nearly implemented it actually), there's probably a reason that GTA5 is still plagued with cheaters.
This is how I imagine Amazon ended up banning a large amount of players for speedhacking. The players were lagging. I'm guessing their anti-lag features ended up moving them faster than the anti-cheat expected.
But I agree that a combination approach would probably work.
It gives a score that is hard to use.
I got a better way... just look at the past. Back in ye goode olde UT2004 times, there was no random matchmaking / ranking bullshit that removed the social element, game licenses cost money, people ran their own servers, and if you pissed off server mods enough, no matter if you were a cheater, a suspected cheater, or just an asshole, your serial got banned - sometimes, across a fleet of servers that shared ban lists. Cheating had costs associated.
But of course, that means you can't lure in whales with free to play games and loot them via microtransactions any more...
The truth is that UT2004 sold 234,451 units over its life according to Wikipedia.
The Division sold over 10,000,000 copies in the first weekend.
The requirements change drastically when you have a larger audience.
Primarily driven by my utter disgust for modern monetization mechanics, corporate greed and gambling. Cheaters, IMHO, are an inevitable side effect of combining gamification with gambling, with no barriers to entry, and with removing social barriers of entry.
> The requirements change drastically when you have a larger audience.
The market has exploded in the 12 years between UT2004 and The Division.
Yes, and you can’t assert that it didn’t happen at least in part due to efforts to make games more accessible.
You couldn’t release a game like UT2004 today with the same UX and expect competitive sales. Even if you did, the experience would scale very poorly.
You don't have a better way. You have a nostalgic memory of how games should be played which doesn't match what people in a modern audience expect. It's like saying the solution to cell phones tracking you is to use a landline, because that's how we used to do things.
Even Quake 3 Arena was updated with Punkbuster at some point.
Name an exploit in EAC/BattlEye/Vanguard/FaceIT/whatever other big name anticheat middleware (though Vanguard and FaceIT don’t sell their services I think) that has actually been used for anything.
Genshin Impact’s driver got used as a vulnerable driver that one time, yeah. EAC had an exploit to inject your own code into processes, but that quickly got patched (https://blog.back.engineering/10/08/2021/).
So not an exploit, but even worse.
Unless you beleive in the conspiracy of AI generated news on HN.
You are the same type of guys who is going to try to sell 'computer security' as a deliverable, thing which does not exist.
Please, stop that.
This doesn't really make sense. If you are implying he is FOR monopoly, he would want the game on every possible platform right? He loses money by not having more players playing his game.
It’s not a bad business model if he can get the courts on his side: let others spend billions and take risks, then cherry pick the successful platforms and compete with their distribution using a cost basis that doesn’t have those up-front costs and risks.
Sure. Just as long as you agree Google and Apple let others do the work and investment to develop new games, apps and media, then swoop in and demand a cut if the risk and investment pay off.
Wait until you hear about how the entire entertainment industry has always worked!
You're right, customers don't really own an iphone, even if they've paid $1000 for it.
If that's not a flawless description of a walled-garden app store, I can't imagine what would be.
Because Epic doesn’t want payhack configs to be advertised in whatever leaderboards Fortnite has, like CS2 had for a while.
The people receiving the credits aren’t even the ones initiating the changes.
Also many anti-cheat packages do have Linux versions. The primary reason you’re not getting ports for Linux is because companies don’t want to do the port and support all versions of Linux clients they would encounter in the very tiny number of additional installs.
One has to wonder: why didn't anyone anticipate this happening? Surely the moment this exploit was discovered the team would've locked it down immediately?
If you're going to be in the business of running your own critical infrastructure, you better have spent a lot of effort planning for these situations, because they are inevitable. Otherwise, it's easier to just pay a vendor to do it for you.
Come on it is just a game (◔_◔)
https://github.com/joe-desimone/mongobleed
https://beta.shodan.io/host/212.104.194.153
https://x.com/vxunderground/status/2005008887234048091?s=20
while i don't agree with how devs and the publisher works on community feedback, it is still miles better than what EA does. not that it is a high bar to clear.