The Art of Catching Spies in EVE Online

Guest Writer Posted: Jul 30, 2019 9:00 AM

Category: Columns

Editor's Note: This week's EVE Online column is brought to us by Aaron Denyer, otherwise known in the EVE Community as Jin'Taan. A PC gamer who's been in love with the format since before his teen years, he has a special appreciation for PvP in MMOs of all stripes, having ventured into everything from WoW Arenas to Guild Wars 2. He's best known for his exploits in EVE Online, where he's a 10-year veteran of the wars and politics that embroil the game, including a 3-year stint as an elected community representative.

EVE Online has a long and sordid history with intrigue and spycraft. This includes major, landscape-shaking tales such as Judgement Day, which saw one person hand over the main fortress of his coalition to their bitter enemies, but also much smaller tales, like the spy Heavy Interdictor who trapped his own fleet in position just long enough to be bombed during the battle of UALX, leading to nearly 200 of his supposed allies being wiped out in an instant.

However, what gets far less coverage is the opposite side of that coin: alliances in EVE have dedicated counter-intelligence services which attempt to neutralise such threats well before they can have such an impact. These services are decidedly not infallible, as was shown quite publicly when the Imperium (at that time called the CFC) decided to destroy a Titan belonging to one of their own pilots, only to later realise they were working off faulty information and give him a new Titan in apology - but they do take their jobs seriously.

Most spies are actually rooted out before they can even enter a place where they can do damage, because in order to apply to a corporation which is part of a nullsec alliance, you’ll almost certainly have to hand over your ESI keys to the recruiter. These keys allow other players to access EVE Online’s custom API, and with the use of a specific tool they let those with access take a look at the entire history of the character, from market transactions and mission completions to where all your ships are. Now, the recruiters I talked to were understandably cagey about saying exactly what they looked for, but they were willing to share a few specific things.

For example, one of the first things a recruiter will do is head all the way back in a character’s wallet history to check for the telltale mission rewards that come with completing the tutorial. After all, if your character hasn’t completed the tutorial, then there’s a good chance you came in with a lot more knowledge than you’re letting on - and that’s a huge red flag that the character being talked to might not be the main character of that player.

If a spy manages to slip past this process, however, that’s where the real work begins, as suddenly an alliance might find things like announcements for fleets or critical internal information in the hands of their enemies. Finding out exactly who within your ranks is responsible is much harder, as the list of people who had access to that information can be hundreds, or even thousands, of people strong.

Sometimes, it can be as simple as recognising a voice or typing style that can tip a counter-intel officer off, as a member of Fweddit recounted to me:

“This Aussie joins, pretending to be a cute newbie and I was like - I recognise that typing style… So I PM him, and I’m like ‘Yo, [name redacted]’ and he’s like ‘WTF HOW DID YOU KNOW’. He left without us even having to kick him.”

However, outing spies who are much better at hiding exactly who they are is a much more difficult prospect, and often takes a turn for the technical. Fortunately, as most alliances and coalitions rely heavily on out-of-game web-based tools, there’s a way to find out exactly who’s who within your group without relying on human intelligence - through IP tracking. Most larger groups have been able to capture the IPs of those using their services, then compare them with IPs attached to other players’ names gathered from other sources. There’s a long history of third party services being accused of being used for that purpose, but one of the best publicly known stories comes from the Imperium’s attempt to find and purge the person behind the Reddit leak account u/illumittanileaks, who was posting their internal plans and reactions to events that happened during 2016.

Eventually a plan was concocted to send that Reddit account a link, disguised as further intel for him to display publicly, which was in actuality an IP logging service. It worked. This led to the player being identified as Lemba, a member of a Korean corp in Goonswarm, who was removed from the group shortly after - and dumped all of the logs he’d acquired over the years in revenge, an event known as the Lemba Leaks.

Outside of IP tracking, however, there are even more ingenious methods of figuring out who is leaking things, such as the system of steganography - the art of hiding information in plain sight - that was set up by Pandemic Legion’s forums in 2009.

I’ll spare you reading through the gory details and attempt to put it into plain English:

Setting up multiple points in every post with alternate phrases or words ensures that a different version of the post will be shown to every single user. Once the leak is disseminated through the ranks of the opposing alliance and caught by Pandemic Legion’s own double-agents, the leak itself can be reverse engineered to find the User ID of the player who took the screenshot or copied and pasted the text - allowing them to be caught and removed without ever knowing what tipped PL off.
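An added example of the per-user variant scheme described above (not Pandemic Legion's code, which this article does not show): each two-way phrase slot carries one bit of the user ID, XORed with a keyed per-post mask, and a leaked copy is decoded back to the matching member or, if only part of it survives, to a shortlist. The `{a|b}` slot syntax, the secret, the sample post and the IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: a secret held only by the forum server
SLOT = re.compile(r"\{([^{}|]*)\|([^{}|]*)\}")   # hypothetical {first|second} slot syntax

# Constructed sample post: each slot carries one bit (0 = first phrase, 1 = second).
TEMPLATE = ("Fleet {forms|assembles} at {20:00|2000} in the {staging|home} system. "
            "{Bring|Fly} doctrine ships and {join|get on} comms {early|ahead of time}. "
            "{Do not|Don't} share this {outside|beyond} the alliance.")

def fingerprint(user_id, post_id, nbits):
    """Bits shown to this user: the user ID XORed with a keyed per-post mask."""
    if not 0 <= user_id < 2 ** nbits:
        raise ValueError("post has too few slots to encode this user ID")
    mac = hmac.new(SECRET, str(post_id).encode(), hashlib.sha256).digest()
    value = user_id ^ (int.from_bytes(mac, "big") % 2 ** nbits)
    return [(value >> i) & 1 for i in range(nbits)]

def render(template, user_id, post_id):
    """Produce the variant of the post served to one user."""
    bits = iter(fingerprint(user_id, post_id, len(SLOT.findall(template))))
    return SLOT.sub(lambda m: m.group(1 + next(bits)), template)

def read_bits(template, leaked):
    """Recover each slot's choice from leaked text; None if the slot did not survive."""
    seen = []
    for first, second in SLOT.findall(template):
        has_first, has_second = first in leaked, second in leaked
        seen.append(None if has_first == has_second else int(has_second))
    return seen

def trace(template, leaked, post_id, user_ids):
    """Return the users whose variant matches every slot that survived in the leak."""
    seen = read_bits(template, leaked)
    return [u for u in user_ids
            if all(s is None or s == f
                   for s, f in zip(seen, fingerprint(u, post_id, len(seen))))]

if __name__ == "__main__":
    leak = render(TEMPLATE, user_id=137, post_id=4021)   # constructed IDs
    print(leak)
    print("full copy ->", trace(TEMPLATE, leak, 4021, range(256)))
    partial = leak.split(". ")[0]                        # only the first sentence leaks
    print("partial   ->", len(trace(TEMPLATE, partial, 4021, range(256))), "candidates")
```

Eight slots distinguish 256 readers; a leak that keeps only the first sentence preserves three of the eight bits and narrows the membership to 32 candidates.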

Each alliance now has its own particular brand of steganography following the leak of the general idea in 2012, ranging from pings with weirdly precise timestamps (that are different for each player), to pictures on forums changing ever so slightly for everyone using them.

Then, finally, we wrap all the way back around to simply knowing people as the final barrier of defence. Once again, it’s a subject few are willing to talk publicly about, but it tends to come down to looking at what they do and say. Are they asking too many questions? Are they asking no questions at all? Do they seem to only be active at weird times? Is the player only logging off in ships that might be used in a trap? Do they seem to be trying just a little too hard to gain the trust of leadership?

None of these things are likely to get you removed, but they can lead to a weight of suspicion being placed on the character, and further scrutiny on the potential spy.

This is just the barest hint at what goes on in the shadowy world of spies, double-agents and counter-intelligence that plays out completely beyond the average player’s notice, with what’s available to the general public being most likely only the surface of the iceberg. But if you’re like me, it only serves to highlight just how intense and unique the society that has formed in EVE Online has become, over a decade and a half of war and politics.