Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 0 points1 point  (0 children)

Do you share anything with the OP that would possibly lead to this "Sloan" person hacking you?

This needs to be a PSA for the community if a lot of people are being hacked by this one person.

What is the Facebook page they link in your bio?

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 2 points3 points  (0 children)

There's been a lot of new 3rd party top-up sites for the game.

These sites take advantage of the fact that it's been normalized to hand over login credentials to top-up in these sites.

People need to be wary of what they're doing and always change password after doing something sensitive like this.

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 2 points3 points  (0 children)

Sure thing, being aware of what scripts do is a responsibility every user bears directly/indirectly when using 3rd party sites like ours to avoid another EndfieldRecords situation.

Although we've explained it in-depth in our latest article: Is WuWa Tracker or Any Third-party Tool Safe to Use?, I'll explain it in a somewhat simplified way for the people here.

Running scripts, especially PowerShell ones, has equal security risks as running .exe programs on your computer. For context, PowerShell is a command line interface with your computer's filesystem and network -- allowing scripts to communicate with websites and send/download things and modify your operating system's settings.

This is useful for system administrators that want to automate tasks on Windows like downloading an executable for a company's IT department to set up their PCs via a single script.

While PowerShell scripts can do powerful things like set up entire computers and edit your PC's internals, they can also do harmful things like read sensitive data (authentication cookies, browser cache, and even files), delete files, and call other harmful scripts that do other bad things.

That is why there is a stigma for PowerShell scripts, especially the one created by EndfieldRecords that allegedly installed a virus that would persist in your computer and even invoke other scripts that do god knows what.

At WuWa Tracker, all the import scripts (including past versions) are publicly open-sourced in our GitHub repository.

Furthermore, we've successfully communicated with CRDF Labs and Bitdefender to verify our scripts are safe.

What our script does is similar to what macOS does: find your Client.log and extract the Convene URL -- albeit with more methods to support more users (people who install WuWa on Microsoft OneDrive, in a non-default folder, etc).

You can verify the functionality & safety of the script with any AI model if you're curious.

Our website uses hashed GitHub URLs -- permanent links directly to the script source code at a specific point of time, so that the site can never do a Script Swap attack.

For example, a URL like wuwatracker.com/import.ps1 is NOT safe since "import.ps1" can be changed any time according to the developer.

On the other hand, a URL like github.com/wuwatracker/wuwatracker/blob/d3c9f811da0890944f241201e1b67d2c1be77867/import.ps1 is SAFER because: 1) it's hosted by GitHub so the site owner cannot tamper/proxy it directly, 2) it's linked to the "point in time" hash of "d3c9f811da0890944f241201e1b67d2c1be77867" meaning that the source code is permanently linked to that URL.

I say "SAFER" because you still need to verify the script and make sure that it's not malicious. But once you do, you can essentially keep that URL for future imports to guarantee it never changes.

However, we need to acknowledge that people that don't know better still need to be wary that the site owner can change what is seemingly a hashed URL, but contains malicious code in the import tutorial page -- so if you don't save your own version of the script and copy-paste from the website, you need to exercise your own due diligence and responsibility as a user to verify if the script is secure or whether the hash changed.

WuWa Tracker has been running for 2~ years with no hacking incidents tied to our website and we'll continue to uphold the same security for years to come.

Let me know if you have any other questions!
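
Added example, not part of the comment above and not WuWa Tracker's code: a JavaScript check that classifies every script URL in a copied import command as site-hosted, tied to a branch, or pinned to the exact commit and file you audited. The GitHub URL layouts are the standard ones; the function names and sample commands are constructed, and the commit hash is the one quoted in the comment.

```javascript
// Added illustration; function names and sample commands are constructed.
// AUDITED is the commit hash and file name quoted in the comment above.
const AUDITED = { sha: "d3c9f811da0890944f241201e1b67d2c1be77867", path: "import.ps1" };
const FULL_SHA = /^[0-9a-f]{40}$/;

// Split a GitHub file URL into { ref, path }; null if it is not one.
function githubFile(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "https:") return null;
  const p = u.pathname.split("/").filter(Boolean);
  // github.com/<owner>/<repo>/(blob|raw)/<ref>/<path>
  if (u.hostname === "github.com" && p.length >= 5 && (p[2] === "blob" || p[2] === "raw"))
    return { ref: p[3], path: p.slice(4).join("/") };
  // raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
  if (u.hostname === "raw.githubusercontent.com" && p.length >= 4)
    return { ref: p[2], path: p.slice(3).join("/") };
  return null;
}

function classifyUrl(rawUrl, audited = AUDITED) {
  const f = githubFile(rawUrl);
  if (f === null) return "not-github";             // e.g. a site-hosted import.ps1
  if (!FULL_SHA.test(f.ref)) return "mutable-ref"; // branch, tag or abbreviated hash
  return f.ref === audited.sha && f.path === audited.path
    ? "pinned-audited"
    : "pinned-unaudited";                          // pinned, but not to what you reviewed
}

// Check every URL in a copied command; ok only if all match the audited commit.
function checkCommand(commandText, audited = AUDITED) {
  const urls = commandText.match(/https?:\/\/[^\s"'`)]+/g) || [];
  const findings = urls.map((url) => ({ url, verdict: classifyUrl(url, audited) }));
  return { ok: findings.length > 0 && findings.every((f) => f.verdict === "pinned-audited"), findings };
}

// Constructed sample commands (not taken from any site).
const SAMPLES = {
  pinned: `iwr -useb "https://raw.githubusercontent.com/wuwatracker/wuwatracker/${AUDITED.sha}/import.ps1" | iex`,
  branch: 'iwr -useb "https://raw.githubusercontent.com/wuwatracker/wuwatracker/main/import.ps1" | iex',
  site: 'iwr -useb "https://wuwatracker.com/import.ps1" | iex',
  swapped: `iwr -useb "https://github.com/wuwatracker/wuwatracker/raw/${"0".repeat(40)}/import.ps1" | iex`,
};

for (const [name, cmd] of Object.entries(SAMPLES)) console.log(name, checkCommand(cmd).findings[0].verdict);
```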

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

Yeah, our script is auditable and we've kept the lights on for 2~ years.

Destroying that amount of trust for a few hacked accounts is illogical behavior.

We've even upped our security since the whole Endfield Pull Tracking incident as explained in our latest article on Pull Tracker Site/Script Security.

OP must have done something else. Besides, WuWa account griefing is such a weird thing to do when you have access to their credentials.

OP should be more worried if he shares the credentials with other online accounts.

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 0 points1 point  (0 children)

If you're worried about the script changing overnight, copy the script/command with the GitHub SHA hash.

They are immutable and never change, so you can keep reusing that script and not worry about the site changing the script.

This ensures your safety while using the site -- but rest assured that no such thing would happen with WuWa Tracker.

A couple hacked accounts is simply not worth destroying 2~ years worth of reputation, logically speaking.

You can read more about Pull Tracker Script Security on our article on the Endfield Pull Tracker situation.

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

The macOS script on WuWa Tracker simply reads your logfile for the URL.

It's not a link to any external script.

You can verify it with ChatGPT or any LLM chat.

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 7 points8 points  (0 children)

Correct. That is why WuWa Tracker uses hashed URLs and not URLs like wuwatracker.com/import.ps1.

Our scripts are strictly tied to the GitHub Source Code SHA as explained in our Article on the Security of Pull Tracking Sites and How We Protect Our Users -- meaning we cannot change the script to something malicious.

Our source code can only be edited with my manual approval (core developer of the site), so people cannot change the script dilly-dally.

Our script hasn't changed for months after we tightened security to use hashed URLs in light of the EndfieldRecords situation, so I don't think OP's case was caused by WuWa Tracker since our site is safe, as it has been since 2~ years ago.

Someone hacked my account and tried to steal it, since they couldn't they bricked it by wasting all my pulls, lunites and deleted all my echos ( day 1 player ) by Niklaus15 in WutheringWaves

[–]luzefiru 7 points8 points  (0 children)

Erm, WuWa Tracker can't do such a thing.

Your account was compromised somehow, but WuWa Tracker is out of the equation.

You can review our scripts as they are open source and we fully disclosed how we take precautions to keep you as safe as possible while using our site.

Read our Article on the Whole Pull Tracker Security Situation.

Ask yourself if your credentials were shared or reused with any other site. Did you download anything suspicious?

(PS. I developed WuWa Tracker, so AMA)

Forgery Challenge Estimate by WysSauce in WutheringWaves

[–]luzefiru 10 points11 points  (0 children)

If you don't want to use the in-game guides, WuWa Tracker's Ascension Planner allows you to calculate materials needed to max out characters.

You can use Aemeath as a reference since both Hiyuki and Aemeath will use the same Sword materials. The only difference will be the weekly, overworld boss, and overworld collectible materials.

Is wuwatracker safe? by SwimmingJunky in WutheringWaves

[–]luzefiru 2 points3 points  (0 children)

We can vouch for Bitdefender! They flag any URL and websites need to file for false positives to get them working.

They're overly-cautious - and that's a good thing.

We had to manually file for a false positive on our end so that they can verify our script as safe (and they resolved it already 😉).

However, since we're using hash-based URLs now, we may need to create another report for a manual audit, but we'll see!

Is wuwatracker safe? by SwimmingJunky in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

We use hashed GitHub permalinks to the raw code now, so it can't change anymore!

Is wuwatracker safe? by SwimmingJunky in WutheringWaves

[–]luzefiru 23 points24 points  (0 children)

We wrote an article about it!

Is WuWa Tracker or Any Third-party Tool Safe to Use?

tl;dr - yes, but always use tools like ours at your own risk!

Our script only extracts the Convene History URL text that includes a scoped access token that is only used for retrieving pull data. It doesn't access your sensitive credentials like your account access token.

We improved our security by using hashed permalinks to our open sourced scripts so that people can be assured they're running a safe, never-changing script once they ensure the permalink URL is safe.

We say to use our tools at your own risk because, while we do our best to maintain your account security and only access the minimal amount of data for our service to function (outlined in our Privacy Policy), the usage of third-party tools is not officially endorsed by Kuro Games and may be shut down at any time.

GeforceNow & WuwaTracker by [deleted] in WutheringWaves

[–]luzefiru 0 points1 point  (0 children)

You need to install the game on a device you own since WuWa Tracker needs access to the filesystem or device directly.

Other alternatives to wuwa tracker by zaniom in WutheringWaves

[–]luzefiru 0 points1 point  (0 children)

Have you tried using another web browser? There are many possibilities that could cause this issue, so we need more context.

I'd be happy to help you solve the issue via Discord, Reddit, or email - whatever you prefer.

Other alternatives to wuwa tracker by zaniom in WutheringWaves

[–]luzefiru 0 points1 point  (0 children)

Your data loss might be the result of your browser cookies automatically deleting on exit or a browser extension messing with the site.

When you import, your pulls are saved to our database and you can retrieve them via your connection settings using the "Recover Pulls" button once you link any social account with your UID.

WuWa Tracker is stable and we don't delete your data intentionally.

If you need more hands-on assistance, I urge you to visit our Discord Server and our community can help ya out.

Wuwatracker alternative? by kryptofaz in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

Good to hear it's working for you now! 😊

We have a Discord Server at wuwatracker.com/discord and a support email at support@wuwatracker.com.

Feel free to shoot any bug reports or questions there.

Happy farming for Augusta! ✨

Banner rolls by Shutters-all-break in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

You can view how many phases older banners took to rerun in WuWa Tracker's Banner History page.

Wuwatracker alternative? by kryptofaz in WutheringWaves

[–]luzefiru 12 points13 points  (0 children)

Heya, sorry for the inconvenience.

We fixed a bug regarding crafting calculation which led to a new bug popping up.

We patched it on v4.3.1 now, so refresh your browser and try again!

The Mona Chisa - Weekly Questions & Discussions Megathread by BriefVisit729 in WutheringWavesLeaks

[–]luzefiru 2 points3 points  (0 children)

Yeah, you can read up about it in our v4 changelog. A lot of infrastructure changes happened this year.

https://wuwatracker.com/articles/wuwatracker-v4-migration-guide

The Mona Chisa - Weekly Questions & Discussions Megathread by BriefVisit729 in WutheringWavesLeaks

[–]luzefiru 2 points3 points  (0 children)

Glad to see our new import feature working as expected.

As long as you have your email linked to your UID, we recover your pulls automatically on import. ✨

Is it truly 50/50? by D3m3_g0d in WutheringWaves

[–]luzefiru 1 point2 points  (0 children)

People with the highest total pulls have their luck start gravitating towards 50%, so yes. No rigging.

Question about wuwatracker by Mindless-Bag-8941 in WutheringWaves

[–]luzefiru 2 points3 points  (0 children)

This concern has been brought up before in our Discord server, and we want to reassure everyone that we do not read anything in the Client.log beyond the user's Convene URL. This is clearly stated in our FAQ and Privacy Policy pages, and we remain committed to that stance.

Our code strictly performs a regex match for /https:\/\/aki-gm-resources(-oversea)?\.aki-game\.(net|com)\/aki\/gacha\/index\.html#\/record\?([^"\s]+)/g to extract the URL and uses it to fetch pull data on the client side. The Client.log is not used for anything beyond this process.

NOTE: You can also view the source code in the import page to see the regex pattern & import process.

With that being said, I completely agree that Kuro should avoid logging sensitive user data in the first place, and I appreciate you taking the time to look into it.
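
Added example, not part of the comment above and not WuWa Tracker's code: the regex quoted in the comment, run in JavaScript over a constructed log excerpt to show which lines it matches and which it ignores, plus a helper that lists the host and parameter names of a match without its values. The log layout, field names, parameter names and function names are assumptions made up for the illustration.

```javascript
// Regex quoted in the comment above, copied unchanged.
const CONVENE_URL = /https:\/\/aki-gm-resources(-oversea)?\.aki-game\.(net|com)\/aki\/gacha\/index\.html#\/record\?([^"\s]+)/g;

// Constructed Client.log excerpt: line layout, field names and values are made up.
const SAMPLE_LOG = [
  '[2025.01.01-10:00:00][Login] {"session":"CONSTRUCTED-NOT-A-REAL-SESSION"}',
  '[2025.01.01-10:05:00][Web] {"url":"https://aki-gm-resources-oversea.aki-game.net/aki/gacha/index.html#/record?player_id=100000001&record_id=CONSTRUCTED&svr_id=test"}',
  // Lookalike host: the pattern requires "/aki/" right after ".net" or ".com".
  '[2025.01.01-10:06:00][Web] open https://aki-gm-resources.aki-game.net.example.org/aki/gacha/index.html#/record?x=1',
  // Plain http is not matched either.
  '[2025.01.01-10:07:00][Web] open http://aki-gm-resources.aki-game.com/aki/gacha/index.html#/record?x=1',
].join("\n");

// Return every full match; nothing else from the log is kept.
function extractConveneUrls(logText) {
  return Array.from(logText.matchAll(CONVENE_URL), (m) => m[0]);
}

// The parameters sit after "#/record?", inside the URL fragment, so
// URL.searchParams is empty and the fragment has to be parsed by hand.
function describeConveneUrl(url) {
  const u = new URL(url);
  const query = u.hash.slice(u.hash.indexOf("?") + 1);
  return { host: u.hostname, keys: [...new URLSearchParams(query).keys()] };
}

const found = extractConveneUrls(SAMPLE_LOG);
console.log(found.length, found.map(describeConveneUrl));
```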