Xbox Underground: The Teenage Hackers Who Stole $200 Million and the One Who Got Away
Between January 2011 and March 2014, a group of teenagers and young adults pulled off one of the most brazen cybercrime campaigns in gaming history. They called themselves “Xbox Underground.” Their targets included Microsoft, Epic Games, Valve, Activision Blizzard, Zombie Studios, and the United States Army. The U.S. Department of Justice put the damage between $100 million and $200 million in stolen intellectual property.
Four members went to federal prison. Two are dead. One became an FBI informant. And one, the Australian teenager at the center of it all, has never been convicted.
Dylan Wheeler lives openly in the United Kingdom. He runs a legitimate cybersecurity company and attends industry conferences. This is the full story.
Who They Were
Xbox Underground was never a formal organization. It was a loose group of young gaming obsessives who met in Xbox modding forums and IRC channels. What brought them together was a shared obsession with console hardware and unauthorized access.
Here is who was involved:
Dylan Wheeler, alias “SuperDaE,” was 19 at the time of the indictment. Australian. He fled to the Czech Republic, then the UK. Never convicted.
David Pokora, alias “Xenon,” was 22. Canadian. He served 18 months in federal prison and became the first foreign hacker convicted of trade secret theft on U.S. soil.
Sanadodeh Nesheiwat, alias “Sonic,” was 28. American, from New Jersey. He also served 18 months.
Nathan Leroux, alias “natelx,” was 20. American, from Maryland. He received 24 months. Deceased after release.
Austin Alcala was 18. American, from Indiana. He pled guilty in April 2015 and cooperated with the FBI.
Justin May, alias “MTW,” was from Delaware. He served as an FBI informant during the investigation and was later sentenced to 7 years for a separate warranty fraud scheme totaling more than $3.5 million.
How It Started
The story begins in the original Xbox modding community of the mid-2000s. Hardware enthusiasts were jailbreaking consoles, running homebrew software, and reverse-engineering Microsoft’s systems. By 2010 and 2011, a new generation of modders had moved from soldering mod chips to probing network infrastructure.
Dylan Wheeler was 14 years old in Perth, Western Australia, and among the most aggressive.
Wheeler connected online with David Pokora in Ontario, who was deep into Halo modding; Nathan Leroux in Maryland, who had strong technical skills; and Sanad Nesheiwat in New Jersey, who wanted early access to unreleased games. Justin May, already arrested at a gaming convention for a prior offense, also orbited the group.
The First Breaches
Their initial attack method was SQL injection. They submitted crafted SQL through the inputs of web applications used by gaming companies, pulled employee usernames and passwords from the backend databases, and used those stolen credentials to log into Microsoft’s Game Developer Network Portal and PartnerNet, platforms designed to give authorized developers access to pre-release tools, builds, and documentation.
Once inside, the group spent “hundreds of hours” navigating Microsoft’s internal networks. They copied login credentials, source code, technical specifications, assembly instructions, and software design documents. They used TeamViewer for remote desktop access and routed their traffic through a hacked Comcast modem to hide their IP addresses. They rented computers in the UK, the U.S., Hong Kong, Australia, and the Netherlands to further cover their tracks.
What They Stole
Microsoft’s then-unreleased Xbox One, internally code-named “Durango,” became their biggest target. Wheeler found the Durango files by accident while browsing a developer account. Inside was a SharePoint site with spec sheets, hardware photos, driver software, and operating system source code for the next-generation Xbox.
They downloaded everything. Nathan Leroux cross-referenced the stolen specs with retail hardware on Newegg, assembled a counterfeit Durango from off-the-shelf parts, and installed the stolen operating system on it. It worked.
Beyond the Xbox One, they also stole pre-release copies and source code for Call of Duty: Modern Warfare 3, Gears of War 3, FIFA 2012, and titles from Valve and other studios.
The most alarming theft involved military software. Through their breach of Zombie Studios, a Seattle-based developer under contract with the U.S. Army, they obtained the AH-64D Apache Simulator, software used to train military helicopter pilots. In a wiretap, Pokora boasted about hacking both the U.S. military and the Australian Department of Defense.
The eBay Stunt That Blew Everything Up
The group tried to sell the counterfeit Xbox One for $5,000. The buyer, another hacking group, wired money to Wheeler internationally. Nathan Leroux handed the unit to Justin May for shipping to the buyer in the Seychelles. The package never arrived. Some believed the FBI intercepted it. Others suspected May had already turned informant.
Undeterred, Wheeler posted photos from the build and listed a “Durango” on eBay under his alias SuperDaE. The listing went viral. Bids passed $5,000, then $10,000, before eBay cancelled the auction near $20,000. Wheeler later admitted the stunt was really about publicity. It also put a massive target on the group.
Microsoft assigned a senior security executive named Miles Hawkes to investigate. Hawkes traced the eBay account back to Wheeler’s home in Perth. He flew to Australia and knocked on the family’s door. Wheeler sat down with him and voluntarily explained how the hacking was done. He even called Epic Games to confess he was the one who breached their network and asked for some swag. They sent him a signed poster.
The Physical Break-In
The group’s crimes were not limited to digital attacks. A teenager named Arman, identified in court documents only as “A.S.,” physically infiltrated Microsoft’s Redmond, Washington campus.
Arman’s mother was dating a Microsoft employee. When the boyfriend came home wearing his badge, Arman used a badge cloner to copy it. For roughly a year, he walked in and out of the Microsoft campus wearing Microsoft-branded clothing, blending in without question.
In September 2013, Arman entered the campus at night. He swiped the badge, climbed to the fifth floor, and searched cubicles in the dark. Motion-detecting lights forced him to a lower floor. There he found two Durango prototypes sitting on a cubicle desk. He stuffed both in an oversized backpack and walked out. Austin Alcala and David Pokora brokered the deal, purchasing the stolen units from Arman.
Microsoft eventually identified Arman from security footage, which led to his arrest.
The Arrests
The FBI hit Nathan Leroux’s Maryland home first. He was mid-anime-marathon when agents showed up. Scared, he disappeared from the hacking scene and took a legitimate job at a small game studio.
Fifty FBI agents hit Nesheiwat’s New Jersey home at 5:30 a.m. He opened the door in his boxers to a tactical shield and drawn guns. Agents seized roughly twenty Xbox development kits, multiple consoles, binders of internal Microsoft and Sony discs, and four handwritten pages of inventory.
When Wheeler heard about Nesheiwat’s raid, he posted the personal information of the FBI agent in charge and the federal judge who signed the search warrant on a hacking forum. He also called for a hit on both of them, something he later admitted was “stupid.”
Perth police raided Wheeler’s family home on February 19, 2013. He was 17. They seized credit cards, a MacBook Pro, his phone, and roughly AU$10,000 worth of technology. He was questioned but not immediately arrested.
Pokora was arrested at the U.S.-Canada border in March 2014. A 65-page, 18-count indictment was unsealed in September 2014, naming Pokora, Nesheiwat, Leroux, and Alcala as defendants. Wheeler appeared in the indictment only as “D.W.”
The Informant
The indictment included a figure listed only as “Person A,” a co-conspirator from Delaware who fed information to the FBI while continuing to participate in the hacking. Multiple members suspected Justin May. The FBI possessed chat logs predating Nathan Leroux’s involvement, suggesting the informant was embedded from early on.
May’s later conduct confirmed those suspicions. In 2017, the FBI seized a new BMW and $38,595 cash from his home. In June 2021, he was sentenced to seven years in federal prison for defrauding Microsoft, Cisco Systems, and other companies of more than $3.5 million through a warranty replacement scam he was running even while serving as an informant.
Sentencing
In September 2014, Pokora and Nesheiwat each pled guilty to one count of conspiracy to commit computer fraud and copyright infringement. Leroux and Alcala followed. Sentences came in 2015.
Pokora received 18 months. The DOJ called it the first time a foreign hacker had been convicted in the United States of hacking crimes involving the theft of trade secrets from American companies.
Nesheiwat received 18 months. Leroux received 24 months. Alcala pled guilty and cooperated with the FBI on a separate case involving illegal FIFA coin trading.
The U.S. government seized $620,000 in cash and proceeds tied to the conspiracy.
The Deaths
Two members of the broader Xbox Underground circle did not survive the aftermath.
Holly Leroux, formerly Nathan Leroux, transitioned after prison and lived as a transgender woman. She was later found dead alongside another woman in a Fresno, California motel room. Investigators found respirators and evidence of a chemical-making process. Police described the deaths as potentially a murder-suicide, double suicide, or accidental.
Anthony Clark, a peripheral member who made millions selling illicit FIFA coins with Austin Alcala, died in his Whittier, California home. People close to his family said the death resulted from a lethal interaction between alcohol and medication. He was approximately 27 years old and had amassed an estimated $4 million from the FIFA coin operation.
The One Who Got Away
By early 2015, Wheeler had been tangled in the Australian court system for nearly three years. Facing charges that carried a potential 10-year sentence, he decided to run.
Despite a court order to surrender his passport, Wheeler slipped out of Australia using his Australian passport. He later told ABC’s 7.30 program it was “scary” how easy it was. The PACE system used at border control to flag criminals attempting to leave the country did not enter his name until six days after he had already gone.
Wheeler traveled to Dubai, then moved to the Czech Republic, where he held citizenship through family connections. Czech citizenship effectively shielded him from extradition. The Czech government confirmed to the ABC that Australia never formally requested his return.
His escape cost his family. His mother, Anna Wheeler, 52, was arrested and charged with attempting to pervert the course of justice for funding his plane tickets and wiring him thousands of dollars while he was overseas. A jury convicted her in December 2016 in just 90 minutes. The judge sentenced her to two years and four months in prison, noting her actions were an attack on the justice system itself. Anna Wheeler collapsed at the feet of security guards as she was led away.
Life in Plain Sight
What separates Wheeler from most hacker fugitives is that he has never tried to hide. After leaving the Czech Republic, he relocated to the UK and operates openly.
He founded a cybersecurity consultancy called “Day After Exploit Ltd,” taking on security auditing and vulnerability disclosure work. He is active on social media and has spoken openly about his past, including a two-part interview on the Darknet Diaries podcast, episodes 45 and 46.
He regularly attends cybersecurity conferences in London and other cities. Wheeler has claimed the Australian charges are effectively dead, saying he was a minor and the case is no longer active in the courts. Australian authorities have never confirmed this. His original charges, including computer hacking, possession of child pornography, an offensive weapon, and drugs, were never formally adjudicated.
What Went Wrong (And What You Should Learn From It)
This case is a study in cascading security failures on both the digital and physical side.
On the digital side, SQL injection, one of the oldest and most documented attack vectors, was the primary entry point. Once inside, the group moved freely across internal networks because of poor access controls and little apparent network segmentation. The breach went undetected for years. Internal security tools did not catch it. An eBay listing did.
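As an added illustration of the SQL injection entry point described above (not code from the case or from any of the companies involved), the Python sketch below puts a credential lookup built by string concatenation beside its parameterized form. The table, rows, function names, and the crafted input are all constructed for the example.

```python
import sqlite3

# Constructed input: closes the quoted value and appends an always-true clause.
CRAFTED = "nobody' OR '1'='1"


def make_db():
    """Build a constructed in-memory stand-in for a portal's account table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (username TEXT, password_hash TEXT)")
    db.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return db


def lookup_vulnerable(db, username):
    # The input is pasted into the SQL text, so it can alter the query's structure.
    query = (
        "SELECT username, password_hash FROM employees "
        "WHERE username = '%s'" % username
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, username):
    # The input is bound as a value; the query's structure is fixed in advance.
    query = "SELECT username, password_hash FROM employees WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def rows_returned(username):
    """Count the rows each lookup style returns for the same input."""
    db = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(db, username)),
        "parameterized": len(lookup_parameterized(db, username)),
    }


if __name__ == "__main__":
    for name in ("alice", CRAFTED):
        print(repr(name), rows_returned(name))
```

For an ordinary username both lookups return one row. For the crafted input, the concatenated query returns every account row while the parameterized query returns none.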
On the physical side, a teenager cloned a Microsoft employee badge and used it for over a year without triggering a single security review. He walked the campus wearing branded clothing and was never once stopped or questioned. Xbox One development kits worth millions in pre-release intellectual property sat unsecured on open cubicle desks.
Why This Story Still Matters
The Xbox Underground case is worth studying for several reasons.
The hackers were not initially motivated by money. They wanted to see unreleased hardware. That means organizations face threats from talented, obsessive people who do not always grasp the severity of what they are doing.
The group never held insider access, but Arman’s physical infiltration and the use of legitimate developer credentials made their activity nearly indistinguishable from insider threats.
The international makeup of the group, spanning the U.S., Canada, Australia, the UK, and the Czech Republic, created jurisdictional problems that allowed Wheeler to escape prosecution entirely.
And Justin May’s role as “Person A” shows how law enforcement uses embedded informants, and how paranoia within a hacking group shapes who gets caught and who does not.
Where Are They Now
Dylan Wheeler lives in the UK, runs Day After Exploit Ltd, and attends cybersecurity conferences. Never convicted.
David Pokora was released in mid-2015, returned to Canada, and reportedly pursued a career in security.
Sanadodeh Nesheiwat served his sentence, worked through extended probation including multiple violations and an overdose, and eventually returned to work and school.
Austin Alcala cooperated with authorities. His current status is largely unknown.
Holly Leroux is deceased.
Justin May is serving seven years in federal prison for fraud.
Arman was arrested after Microsoft identified him on security footage. Further public details are limited.


