
Cyber Incident Victim: League of Legends Philippines

Date: Jul 2018

Location: Philippines

Summary

The League of Legends Philippines client was compromised by unauthorized CoinHive Monero mining malware embedded in its Garena client lobby, exploiting players' systems to mine cryptocurrency without consent. The malware operated covertly during gameplay, triggering antivirus alerts and prompting the organization to swiftly remove the malicious code. While officials confirmed the breach was limited to their platform, some reports suggested broader impacts across other regional Garena+ clients, potentially affecting additional Filipino gamers through unauthorized resource consumption. The incident highlighted risks associated with cryptojacking scripts that leverage user hardware for mining operations.


Description

On July 14, 2018, users of the League of Legends Philippines client operated by Garena began experiencing suspicious activity traced to unauthorized cryptocurrency mining malware. A Redditor named Lestergonzag first publicly documented the incident on the League of Legends subreddit after his antivirus software flagged the Garena client application. He shared a screenshot showing detection of CoinHive, a Monero-mining JavaScript script typically embedded in websites to covertly harness visitors' computing resources. The malware used the processing power of players' systems during gameplay sessions to mine Monero in the background, without user consent or disclosure. This increased CPU usage and could degrade system performance, though players might not immediately recognize the source of the slowdown.

League of Legends Philippines officially acknowledged the compromise through a Facebook post, confirming unauthorized modifications to their client lobby software. The operators swiftly removed the malicious code after its discovery. Security analysts noted CoinHive's prevalence in similar attacks due to its customizable mining scripts, which site owners could deploy without transparency. Malwarebytes had previously blocked CoinHive domains in 2017 due to frequent abuse cases where operators neglected to seek user permission. While the official response addressed the Philippines client specifically, some Redditors reported broader potential impact across all Garena+ clients, suggesting wider exposure for Filipino gamers using the platform. The incident highlighted risks of supply-chain compromises in gaming ecosystems, where trusted software updates could deliver payloads turning user hardware into cryptocurrency mining assets for attackers.
