astronautlevel TLDR: PokeAcer (who also stole ihaveamac's exploit) stole and reported a new exploit to Nintendo: the yet unreleased Flip Note 3D exploit by MrNbaYoh for userland homebrew on 11.5. The money has already been paid out so it's likely it'll be patched very soon - I highly advice you download it now.

In one of the Flipnote-related Discord chats recently, someone posted a ZIP containing the ugopwn exploit (an exploit for the DSi version of Flip Note), the SHA256 hash matching the one pinned in a certain private Discord server. It became obvious when looking around where it came from - ryanrocks's twitter.

Ryan was asked to take it down, and immediately complied (he also claimed that twitter analytics showed no one saw the tweet, but there's no way to verify that). Around the same time, a GBAtemp thread was posted with the files. At this point, several DCMA requests were filed on the sites to get the files taken down.

The Discord group the files came from only had 8 members, plus it was given to a few people outside of the discord. A total of around 10 people had access to the exploit files, all fairly trustworthy; there was initially no obvious leaker. Everyone was asked to think hard about who might have leaked it and messages were sent out.

Later hints were given that whoever leaked it had posted in the GBAtemp thread. After a bit of thinking we decided to ask PokeAcer (aka Billy Humphreys - this is public information available on his website and Twitter) about it. He eventually admitted to impersonating ryanrocks on Nintendo's HackerOne bug bounty to report this exploit. Eventually, he confessed to stealing the session token of one of the members of the Discord.

He's also admitted to having reported the Flipnote Studio 3D vulnerability to the HackerOne program and recently received a significant amount of money from the report. He's admitted to buying a new Macbook and other accessories with this money.

Additionally, this isn't the first time he's done this. He also reported ihaveamac's browser exploit to Nintendo for a significant amount of money as well, as seen here. Then he had the gall to write an apology post begging for forgiveness saying he'd "apology [for it] until the day [he] dies," then went around and did it again.

Additionally, he says not to judge one of the projects he works on, Project Kaeru (a custom server for Flipnote Studio 3D) as the rest of team doesn't condone his actions, but later on he admitted that he was reading and stealing information from people's notes on the Project Kaeru server.

To sum it up, PokeAcer has stolen three exploits that were not his. Two he reported to Nintendo for profit and one he leaked. He is not to be trusted, and did all this after profusely apologizing for the first time. Please avoid associating and sharing anything sensitive with him unless you want it leaked and/or reported to Nintendo for money.

Until now, this entire post until now has been serious and fact oriented, so allow me to insert some of my opinion here. PokeAcer or Billy, you seem to have some legitimate mental issues. I really hope you get those sorted out, both because you seem like a talented guy, and no one will (or should) trust you right now; but also because I'm seriously concerned about your well being.

Finally screenshots, because no good callout post is complete without proof:
(I'm not the user in any of these screenshots)

EDIT: Archived his twitter, just in case:

DOUBLE EDIT: ihaveamac disclosed the amount that PokeAcer got when he sold his exploit:
[12:21 AM] ihaveahax: the amount was $1,382
Combined with the 2048 dollars from this one, that's a total of 3430 dollars

Entry Status:
Not open for further replies.
Entry Status:
Not open for further replies.
You need to be logged in to comment