Redistributing Billions in the Neopets Economy · Daniel May
Redistributing Billions in the Neopets Economy<br>2026-07-03<br>internet-historyreverse-engineeringsecurityengineering-ethics
Over six months in 2014, a network of over 200 Neopets players ran software I made to record 48,000 snapshots of a single shop’s inventory. We saw total item flow valued at over 6.5B Neopoints, built an autobuyer that generated roughly 167M NP in profit, before the project abruptly ended amid server instability due to a corporate transition. When the site returned, backend issues enabled game-breaking exploits: mass item duplication and “free NP”. We abused those glitches to duplicate the game’s most coveted items, donated billions to the Money Tree, and then released a script for the community to use. At the time, I thought of it as redistribution. Reflecting now, I think it was just a selfish attempt to be seen.
I started playing Neopets in 2003, and it was cutting edge for its time, competing with other online timesinks like Newgrounds.com and early social networks. For me at least, it offered an eccentric mix of Tamagotchi, Miniclip and Drug Wars. The Neopets Team (“TNT”) made something really special.
Over time, though, I grew tired of the repetition. The giant omelette only gave away one piece per day, and other activities were “daily” gated. Searching for items on the shop wizard would lock you out if you spent too much time looking for a good deal. Unaware that these limitations were likely caused by bots, I asked the question why can’t this computer just play the game for me?, and that led me to look online for cheats. Eventually, I built cheats of my own - not so much surfing the web as drifting between communities.
I wound up enveloped in a cheating/hacking community, researching and developing programs that automated Neopets. I learned how to engineer software by building autobuyers that spoofed browsers and tried to beat the competition, and then posted those programs on forums and MSN Messenger1. Seeing something I produced delight other people was too addictive to ignore, even as it brushed against an ethical line I didn’t yet understand.
And from that passion, I built a career. By 2014 I was 22, four years into building foreign exchange trading platforms in London, traveling to tier one banks to advise Directors on which technologies deserved their attention, surrounded by real engineers with real degrees. I was good at the job, but I still braced, most days, for someone to work out that I didn’t belong there. I’d decided the Neopets stuff belonged to an earlier version of me that I’d grown out of, but still I ended up back there, partly because I think everything I built at work was in service of someone else’s problem, and partly because of how it felt to be there. Nobody in that world knew or cared where or whether I’d gone to school. It was a place where I already belonged, where the only thing that counted was whether you could take a system apart, and I could. I wanted a problem of my own again: something unsolved, that would give way to the kind of attention that I was good at.
Detection and Enforcement
Neopets’ bot detection was always rudimentary, but TNT never held back on enforcement: once bot activity was detected, accounts were frozen (banned) immediately. Spoofing a browser was table stakes, and if you were a particularly naughty individual, they’d block by IP. This landscape created an arms race and incentivized widespread proxy use. My take is that they likely had a user base too large and activity too great to justify investing in analytics to enable better anti-cheat.
Unfortunately, this landscape did harm the player experience. Searching player-owned shops too quickly would lock you out until the next hour rolled around, and refreshing too frequently at an NPC shop risked receiving a similar multi-hour temp ban. Surprisingly early on, a custom captcha was added to the item purchase flow that asked the user to click a Neopet overlaid on a background:
The now-defunct click-the-Neopet captcha. The pet is usually the darkest cluster of pixels.<br>This wasn’t much of a setback for the experienced programmers in the community. By choosing to layer a darker image on top of a lighter one, a simple loop finding the darkest 10x10 pixel cluster successfully identified the pet, most of the time:
int darkest = 255, petX = 0, petY = 0;
for (int x = 0; x w; x += 10)<br>for (int y = 0; y h; y += 10) {<br>int b = brightness(x, y); // HSV value, 0-255<br>if (b darkest) { darkest = b; petX = x; petY = y; }
click(petX, petY);<br>I imagine they might have been a bit disappointed to see a solve like this. Whichever dev shipped it did leave a little easter egg for us though: calls to GET /captcha_show.phtml were forced to supply a captcha identifier in a parameter ironically named _x_pwned - nice. This relic was retired in June 2026, sadly.
The Attic
Over time, TNT continued to shape virtual economy features around bot...