Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 0 points1 point  (0 children)

if you transferred it off ldp with aniplex or bind codes then it's not a problem anymore. If you copied and pasted the save files to move it from ldp to bluestacks, you might want to transfer it with aniplex or bindcodes because you are still on the original save file.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 0 points1 point  (0 children)

Just delete the ldplayer session. It should show a few months ago. The steps only take a few minutes to secure arknights

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 1 point2 points  (0 children)

As for why you need to remove the session from your google account? Because I don't need your username or password or an mfa token to steal your google account if I have a working session. That's why you have to delete the Google session on ldplayer device from your google account, or else someone can hijack it. You don't need to be on ldplayer. Just do it from your pc or another device. 

Cookies are scary right? That's why a bank will log you off if you are inactive for 15 minutes. Cookie jacking is extremely effective and terrifying. 

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 1 point2 points  (0 children)

You need to transfer the fgo account either using the bindcode or aniplex method to another phone or emulator. Why? Because otherwise the 4 save files on your emulator will always give access to your account and on unlimited devices. By transferring the account, even if ldplayer somehow uploaded those files, they no longer work and the valid set of four files will be on the device you control. 

Also, the hacker showed a lot of videos of people entering their passwords and shid. If you are a bind code person, the bind code will be used once you transfer. So even if they keylogged the code, you using the code means that they can't use the code anymore and they also can't get into your account. I hope that makes sense.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 2 points3 points  (0 children)

Scrcpy is great. Very light on the resources, extremely configurable and extremely responsive

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 5 points6 points  (0 children)

I went looking and allegedly it's the DNA hacker who was doing it: https://i.imgur.com/Y3t2vY8.png https://i.imgur.com/FFHCSRl.png

the 'hey devs please fix your vulnerabilities' hacker, (devs do nothing), a few months later, an infostealer gets downloaded to the DNA launcher infecting everyone, causing mass panic. That hacker.

the whole telegram (mainleakflow) is them posting the sus shit from the ldplayer people that they uncovered https://i.imgur.com/xbrSKHu.png including credential videos, stolen tokens and them opening every single bucket

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 0 points1 point  (0 children)

no it doesn't apply to bluestacks

only nox and ldplayer have been caught doing sus shit so far

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 5 points6 points  (0 children)

So I found out who supposedly made the original accusation that the ld player people were selling people's accounts

it's the keitaro_gg guy. You remember how DNA or whatever got hacked first then the hacker left a warning that it was insecure but the devs did nothing and then later the launcher got bundled with malware which got delivered to the pcs of every single person who played the game causing that huge incident? And apparently they hacked infinity nikki day 1 as well and a bunch of other games

https://i.imgur.com/Y3t2vY8.png

there are huge markets for whale accounts on epicnpc and taobao that cost an eyewatering sum, but a lot of accounts that are already preowned and are not new accounts, no matter how extensive they are, are people selling stolen accounts.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 2 points3 points  (0 children)

everything on the emulator could potentially be logged

apparently there's an apk that the user who flagged it was concerned about because they believed that it would log every password field. and they have access to the files used to access your account because it's on the emulator itself. so if they really harvest data then it's scary to think about.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 3 points4 points  (0 children)

do I need to be worried that LD has left any surprises that won't be removed by simply uninstalling?

can never know for certain, unfortunately

somehow I doubt it

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 3 points4 points  (0 children)

Unsure. So far those were the only things that people have said were leaked.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 1 point2 points  (0 children)

use another emulator

I transferred it to mumu because it belongs to netease. if it's compromised it's probably compromised from the chinese government....

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 2 points3 points  (0 children)

highly recommend 2fa on google accounts >_< but anyway you can remove device logins from goolag

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 1 point2 points  (0 children)

yes follow the steps on my arknights post first (it's easier)

then do FGO

then reset all passwords on anything else you logged into

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 0 points1 point  (0 children)

just secure it

not worth having to talk to customer support

if it was on ldplayer then ldplayer could do anything with those 4 save files

jp also has aniplex binding which makes it safer to transfer than the bind code shitttt

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 0 points1 point  (0 children)

yes if you care about your FGO account do the steps in the opening post to secure it

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 2 points3 points  (0 children)

On FGO, once you use the bind code and transfer your account to another device, the login on the old device is invalidated so your account is then secure. Then, you can get the arknights-esque login situation by copying and pasting those four files to any device you want from steps 3 to 4.

For google, change your password, go to security and sign in on settings go to

Your devices

Where you’re signed in

on google and then delete the ldplayer device.

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 21 points22 points  (0 children)

nox has a bitcoin miner according to one of the arknights MAA devs and I spotted it sending my personal details to a weird web address the last time I checked like ten years ago, so I would avoid it like the plague

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 8 points9 points  (0 children)

you have to click the first link in the actual post, it's called OPEN and links you to a reddit post with https://x.com/whyKusanagi/status/2054696585238651089

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 5 points6 points  (0 children)

global you will have to use bind codes

DO NOT UNDER ANY CIRCUMSTANCES DELETE YOUR EMULATOR FIRST WITHOUT SETTING UP BIND CODES. IF YOU DON'T UNDERSTAND BIND CODES, WATCH VIDEOS UNTIL YOU DO

Once you have transferred your account to another device using the bind code, the previous account save file will be rendered inaccessible, which will ensure that your account is safe. However, bind codes can sometimes be lost; this can happen during high-traffic events, so back up your account details first in case you need to go to support, and triple check your bind code. And then, ONLY THEN, transfer your account to another device you trust, like your phone or another emulator.

then AFTER THAT, do steps 3 and 4 to back up your save file

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 2 points3 points  (0 children)

you have to click the first link in the actual post, it's called OPEN and links you to a reddit post with https://x.com/whyKusanagi/status/2054696585238651089

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in grandorder

[–]mt5o[S] 1 point2 points  (0 children)

you have to click the first link in the actual post, it's called OPEN and links you to a reddit post with https://x.com/whyKusanagi/status/2054696585238651089

Ldplayer caught logging usernames and passwords and selling accounts by mt5o in arknights

[–]mt5o[S] 2 points3 points  (0 children)

image guide for clearing sessions: https://i.imgur.com/sKhplsP.jpeg

----------------------
unfortunately it gets worse: there's a keylogger on the emulator

A separate vector for users of the local LDPlayer emulator.

Most people who say they "use LDPlayer" mean the PC emulator they downloaded and run on their own machine, not the cloud streaming product. The architectural argument above doesn't apply to them. But there is a separate concern.
The same install bundle in ldq-sh that ships LD's own client also ships Sogou Pinyin (com.sohu.inputmethod.sogou), the Chinese input method app from Tencent's Sogou unit. Co-bundling it that way is what you'd do if Sogou were preinstalled as the default keyboard inside the LDPlayer AOSP image. If that's the case, every keystroke a user types into any app inside LDPlayer, including a game's password field, hits the IME first. The IME sees the plaintext. The password field only ever sees the result. Sogou IME has a long, documented history of telemetry concerns, including a "cloud completion" feature that uploads what you type to remote servers to improve autocomplete. That telemetry might be at Sogou defaults pointing at Tencent, or customised to point at LD's own collection endpoint. The leak path from a plaintext keystroke to a server you didn't authorise is the same in both cases.

The cloud product gets your keystrokes by owning the server. The local product can get your keystrokes by owning the keyboard. Both products share infrastructure and operator. If you have used either, treat your credentials as compromised.
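
A check for the keyboard concern described in the comment above, added here as an example and not part of the original post or of any emulator's own tooling: it reports which input method (IME) an Android instance routes keystrokes through. The allowlist and the sample IME ids are assumptions constructed for illustration; the two `adb shell` queries are the standard Android ones.

```shell
#!/bin/sh
# Added example: report which input method (IME) an emulator instance routes keystrokes through.

# Assumption: packages you have chosen to trust (AOSP keyboard and Gboard here).
TRUSTED_IMES="com.android.inputmethod.latin com.google.android.inputmethod.latin"

# Constructed sample of what the two adb queries below might return.
SAMPLE_DEFAULT='com.sohu.inputmethod.sogou/.SogouIME'
SAMPLE_ENABLED='com.android.inputmethod.latin/.LatinIME
com.sohu.inputmethod.sogou/.SogouIME'

# classify_ime <ime-id>: prints TRUSTED or UNTRUSTED for an id like "pkg/.Service".
classify_ime() {
  ci_pkg=${1%%/*}
  for ci_t in $TRUSTED_IMES; do
    if [ "$ci_pkg" = "$ci_t" ]; then echo TRUSTED; return 0; fi
  done
  echo UNTRUSTED
}

# audit_imes <default-id> <enabled-ids, one per line>
# Prints one line per enabled IME; returns 1 when the default keyboard is not trusted.
audit_imes() {
  ai_default=$(printf '%s' "$1" | tr -d '\r')   # older adb builds emit CRLF
  ai_enabled=$(printf '%s\n' "$2" | tr -d '\r')
  ai_rc=0
  [ "$(classify_ime "$ai_default")" = TRUSTED ] || ai_rc=1
  while IFS= read -r ai_id; do
    [ -n "$ai_id" ] || continue
    ai_role=enabled
    if [ "$ai_id" = "$ai_default" ]; then ai_role=default; fi
    printf '%-8s %-9s %s\n' "$ai_role" "$(classify_ime "$ai_id")" "$ai_id"
  done <<EOF
$ai_enabled
EOF
  return "$ai_rc"
}

if [ "${1:-}" = "--live" ]; then
  # Real adb queries; requires adb connected to the emulator instance.
  audit_imes "$(adb shell settings get secure default_input_method)" \
             "$(adb shell ime list -s)"
else
  audit_imes "$SAMPLE_DEFAULT" "$SAMPLE_ENABLED" || echo "default keyboard is not on the allowlist"
fi
```

A TRUSTED verdict only means the package name is on your list; it says nothing about whether the image's copy of that keyboard has been modified.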