The market for compromised or breached online gaming accounts has ballooned into a multi-million dollar industry, with some hackers reportedly making up to $25,000 per week.
The developers of massively popular online titles such as Fortnite, Roblox, and Warzone primarily rely on selling in-game “loot” as a business model, where new items and features can be purchased with real and virtual currencies linked to player accounts. As online gaming has spiked during the Covid-19 pandemic, the market for credentials linked to valuable accounts has grown accordingly.
Collections of thousands of account credentials are commonly sold in underground auctions for anywhere between $10,000 and $50,000 and then individually via social media platforms, including Instagram. They are also offered for sale on dark web forums. Hackers often use the accounts to purchase more in-game content to transfer and sell on semi-legitimate forums, or they ransom the owners for a payday.
The primary methods for compromising accounts are brute force-style attacks, where hackers enter massive numbers of user and password combinations until finding a successful match, and credential stuffing, where logins and passwords from previous data breaches are used.
“[A] well-known and respected cracker in underground hacking circles… states that high-end Fortnite cracking tools can average between 15 and 25 thousand checks per minute, or roughly 500 account checks per second,” stated a recent report on gaming-related cybercrime by Data Viper, a cybersecurity firm.
The same report estimates the resale of stolen accounts may be generating $700 million a year.
Research from another firm, Arkone, reported that between April and June 2020, 31% of login attempts to online gaming accounts were fraudulent, representing an 11% increase over the same period in 2019.
While gaming companies have attempted to add more security measures and resources to recover compromised accounts, customers are encouraged to take basic data precautions including the activation of multi-factor authentication and using new and complex passwords for each account.