Breaking News: zFire Xue is a Convicted Criminal

14 03 2011

Ebay Fraudster Since 1997Never let it be said that zfRedZone is drama free. In a sensational development, someone has uncoverd evidence that everything we said about zFire Xue is true. I have said I will not use his full real name on this forum (although I have known it for quite some time). In the light of this news, I say stuff it!

Michael Stefan Prime has multiple criminal convictions, including convictions for ebay fraud. This is an article about Mike Prime – zFire Xue. A longer PDF court record is here, and a New York Times article is here. Note from the court record that he had a string of previous convictions for first and second degree theft, two counts of possession of stolen property in the second degree, and forgery – at the age of 19!!

Bronxelf released this link to the court records for this case in a sensational post on SLUniverse a short while ago. Theia Magic confirmed this was the information she passed on to Linden Lab on Friday, and that the Lab is therefore now aware of zFire’s criminal record.

As zFire’s usual response is to fib and deny, I will pre-empt questions as to whether this is the same Michael Prime by saying that the age and details in this report fit him perfectly (19 in 1999 – he is 30 now, which we know is correct), and I had already scoured the web some months ago and I am 99.9% confident that he is the only Mike Prime in the Seattle area in the region of 30 years old. Theia Magic has also spent the weekend confirming identity and turning up some interesting names to others we have seen before – including John Hamlin. Theia’s blog is linked on the right, so check there to see if she posts updates.

So there you have it. It is as we always knew it: The fight between us and RedZone was always about thousands of honest sim owners and content creators on the one side, and a small band of thieves and criminals on the other. And the criminals built a system called RedZone.

Now, in our view, Linden Lab must act.

Consider what we have here:

  1. Mike Prime set up a system that unreliably but with some success links alts by IP address. He does not care about false positives, as long as he finds a few real positives because:
  2. Most people who have lats use the same password or some variation on the same.
  3. Mike Prime has been harvesting password information from the 5,000+ users of his site by logging real passwords and failed attempts.

there is a very real risk that Mike Prime intends to use stolen accounts and stolen alt accounts for more petty theft and fraud.

URGENT: Please put aside all grudges and tell all users of RedZone, and anyone who ever registered at Mike Prime’s site to CHANGE THEIR PASSWORD IMMEDIATELY IN ALL PLACES THEY USE THAT PASSWORD!


Latest Neighbourhood Watch Updates

14 03 2011
zFire Xue is panned on his own gossip forum

zFire is a victim of his own nasty forum

I have always said the neighbourhood watch is one of the nastiest things on zFire’s site. Right now, however, I am enjoying it.

I expect zFire will delete these when he sees them. We are not meant to criticise him after all.

Does Anyone Still Trust zFire Xue?

12 03 2011

Since this time yesterday when zFire was hacked in response to his foolish challenge to test his (pathetic) security, it seems he has been hacked again – at least once. a whole bunch of SQL tables or maybe even the entire database was dropped in what looks like yet another SQL insertion attack. It is clear that zFire has been gemming up on avoiding SQL injection attacks. Keep reading zFire … you will get there eventually.

But not before it is all too late. Password outing functionality, and indeed the veracity of the video we carried this week has been confirmed by the hackers from last night who released their findings to the Alphaville Herald. It may be they attempted to contact us with the information first, for which I thank them but I think the Alphaville Herald is a good place for that report.

Yesterday’s hack was still annoyingly obvious – and today’s moreso. I can allay some fears however in that I understand that significant quantities of false data have been injected into that database by yet another person or persons who have demonstrated they understood the security vulnerability well enough to do this. This same source suggests that zFire was about to manually add the names of all members of the inworld GreenZone users group to the list of “known copybotters”[sic]. Attached is the evidence provided – snipped away are well over 1000 names take from the group membership.

Letter to zFire Xue from Merlin Swordthain

Letter to zFire Xue from Merlin Swordthain

Since today’s hack the forums appear to have had it although it looks like there was a recent database backup. If anyone else is thinking of cracking this database I should point out that its no great challenge but at this time the working database is zFire’s biggest albatross It shows he has been a very very bad boy so please do not be tempted to take it offline. False IP address reports will do no harm though.

To end on a lighter note, Theia was confused by this remark from new RedZone poster arooga:

by arooga » Fri Mar 11, 2011 1:48 am

I would like to have crackerjack’s babies for the way he got Theia Magic
Done Up Like A Kipper she was, hung by her own petard

Her comment to that was amusing bit this is even more amusing in the light of this:

Arooga is Crackerjack

Arooga is Crackerjack

[Edit: Someone challenged the image showing that Arooga is Crackerjack, saying anyone could have written that on the forum. I edited down the screenshot I was given and now include a bit more to show this was a message sent directly to zFire. The message and the screenshot predate Friday’s crack on the database.]

It seems Crackerjack, in an attempt to beef up his security by changing his email address, locked himself out of that account. He decided Arooga would be fun for alt games. Strange from someone who finds alt outing so important.

So Arooga wants to have Crackerjack’s babies? Nice to see him getting in touch with his feminine side.

Hack…or Cover Up

11 03 2011

A few minutes ago someone pasted a link on a group to Merlin Swordthain saying that someone had hacked his account on the isellsl forum. As I was browsing the forum the whole site died.

It may be that someone took zFire up on his challenge to beat his security. I hope not really. But if they did, we could see quite an extended outage!

Move along now…there is nothing more to see.

Oh, but another theory: Merlin may have been watching for the posting of that URL. This may have been an attempt to bow out graciously – take the server down when people will think it is hacking… blame the griefers and walk away.

Either way – RedZone could be gone.

EDIT 3:12 SLT – This is a confirmed crack on the database.

ZFire had posted this earlier:

Originally Posted by zFire Xue
Let me be very clear when I say:
zFire did not “underestimate the tech savvy community of Secondlife if he thinks they will not [insert illegal hack attack here]…”

My server remains online, DDOS, URL probing, port scans, and seriously did you just try to “NUKE” me on port 139 Mr Germany?
They offer technical resumes, and warnings of everything they feel I did wrong.
My server is still online, even with low tech abuse reports to my ISP, DDOS of 860 million a second (Impressive but pointless), and whatever else.
This therefore means that my server is the most secure server and database in all of Secondlife.
That is a challenge.
Many people have already made battle cries, suggested methods, or claimed not to support methods of hacking.
Bring it on.

I am the guy that logs your shoe size right? Do you think any server software exists that does NOT log the IP, date and time of an attempted cybercrime? Wow this will be fun.

“My computer is bigger than your computer”
Cyber criminals need banning, so please feed attempts to

His site was actually an exercise in how not to do security, but I am annoyed that this crack was so unsubtle. That’s what happens when you challenge the whole Internet to come hack your server.

zFire Xue Admitting He Hacked SL Accounts

11 03 2011

This video is everywhere now. Thanks Anastasia for this upload to youtube.

Compare it with this one if you have any doubts about who it is.

This was quickly deleted from redzone forum:

Re: *knock knock* WTF?

Postby RedzoneGlugGlug ª Thu Mar 10, 2011 5:32 pm
Go look up “mars006kgb” on google. Then look at the cache Google has.
Creation date Apr 4, 2008.
Then look up marskgb006. It’s creation date is Apr 8, 2008.

Seems those nasty GreenZone folks have a time machine and can go into the
Or that they predict an account name 4 days before zFire creates his own
account. Then wait almost 3 years before springing into action.
Or perhaps we should go for a long shot and claim that zFire lies. I know
it’s unlikely, but it is a remote possibility.

Best laugh of the day though was when zFire categorically denied to a concerned flakseed that this was a video of him – against all the evidence that has been collated to prove that it is. Once again I smell the heady aroma of roasting pants.

zFire “Fractures” himself

11 03 2011

Things are too busy for me to keep up with news on this site, but Samantha Poindexter did a useful summary on the-thread-that-will-not-die. Once again I shamelessly repost it. Feel free to thwack me in my comments if you think that is bad 🙂 :

It hasn’t been that long since the last summary, but another one is totally warranted.
When we left the last summary, SLU and zFire’s forum were abuzz with discussion of that leaked YouTube video.
On the SLU side, people were cross-referencing it with other videos from zFire and Insanity Productions, finding remarkable similarities between the voices and faces of the people therein.
On zFire’s forum, the prevailing opinion was that of course the video was a fake, made by the anti-RedZone griefers to try to bring him down.
The consensus here was that whether the video was real or not, zFire would have to be a complete idiot and/or a pathological liar to address it at all without consulting a lawyer.
So of course he addressed it.
On his forum, zFire explained that of course the video was a fake.
He said that this new account, “mars006kgb”, had nothing to do with him.
He said that he wouldn’t need “mars006kgb”, because he already had “insantiyproductions” and “marskgb006” and other YouTube accounts.
He outlined a vast Green-wing conspiracy, telling all manner of lies to try to bring RedZone down, with this shameless copycat account being just the latest example.
There was just one teensy little catch: the “new” mars006kgb channel page was still cached on Google.
mars006kgb’s account (the “fake” one) was created on April 4, 2008.
marskgb006’s account (the “real” one) was created on April 8, 2008.
For zFire’s claim to make any sense, the anti-RedZone forces would have had to have made their account four days before he did.
On SLU, at least, this is now conclusively settled. The only reasonable explanation is that he (or his team) made both accounts, the video is real, and he’s been lying his ass off to everybody.
On his own forum, zFire has explained that, well, clearly the only possible explanation is that the anti-RedZone forces found a way of hacking YouTube to change the signup date.
Just to be absolutely clear for anybody who doesn’t have a YouTube account… no, that can’t actually be done.
Incidentally, somewhere along the way there, zFire averred that “my server is the most secure server and database in all of Secondlife” and challenged people to try to hack it.
Also, it turns out zFire is publicly listed as a member of an inworld group that presents itself as some sort of computer crime syndicate.
Several highly empathetic members on this forum have expressed sincere concern for zFire’s psychological wellbeing in the wake of all this.
The general consensus is that while zFire may be a bad person, a pathological liar, and/or an evil sack of shit with delusions of grandeur, he’s still a human being and we don’t want him to actually kill himself or anything.
Others have pointed out that pathological liars have the amazing ability not to let anything get to them, so that’s not likely to be a problem.
In other news, Quickware’s website is now advertising services to help you get right back into Second Life, even if you’ve been hardware banned by LL.
It’s also offering the source code for its alt-detector to the highest bidder.

There are plenty of screenshots and copies of deleted videos painting a very clear trail from the video and the rest of Mike’s RL information – especially the admission from him that those youtube channels he pulled down are his, so there is simply no doubt it is genuine.

zFire Xue Admits He Hacks SL Accounts

10 03 2011

An anonymous comment on this blog was too good to leave buried in the comments. Everyone take a look at this quickly, because as soon as zFire Xue spots this he will take the link down. Take copies if you can.

Youtube Video of zFire Xue Admitting to Hacking SL Accounts

In this video zFire Xue (the man behind the avatar) tells his girlfriend about a special HUD he has made her which has all the usual (now banned) features of RedZone in it for alt detection, geolocation etc. But also, it shows that he harvests possible Second Life passwords of the users of his website. They log in there with real SL names and sometimes type their SL password out of habit. zFire collects these passwords it seems, and this hud shows them for any user.

The key bit is where zFire says that in his tests he has found they sometimes indeed use SL passwords by accident.

zFire admits in this video to hacking the SL accounts of some of his customers.

Edit: Some people are asking how we know this is the real zFire as this was posted anonymously without evidence. Take a look at this video of the real zFire (Mike) and see if you agree that the voice and face in the video look the same.

Edit 2: Here is the transcript for anyone with difficulty accessing video. Thanks to people at SLUniverse for typing it up:

This webpage will let you look up basic information about a person at isellsl, as well as if and when they joined isellsl, if they own a RedZone, if they’re on anybody’s RedZone’s safe list, and if they ever got a RedZone demo… which those three things are more useful for me.

What’s useful for you is that this website will also predict people’s Second Life passwords. Now you know how that’s done? It does that based on incorrect passwords that they enter. A lot of times out of habit people of course enter their Second Life username and by habit enter their Second Life password occasionally.

All of the incorrect passwords that they’ve ever entered will be visible. Not everybody has one. Many of them do and in my tests many people have indeed entered their Second Life passwords. So that’s here.

A little useful thing I am also going to make it display are people’s real world locations. For us only, that will be very interesting. Nobody else can access this page at all; only me and ze. Anyway that is all for now. I do have another page I’m gonna make for you. But here’s this one for now.