Fortnite: Battle Royale has grown to epic proportions over the past year, with a staggering 200 million registered players and a height of 8.3 million concurrent across all platforms. Sadly, this immense popularity has drawn the attention of cyber criminals who have in turn created a “thriving criminal eco-system around the game.”
Cybercrime is nothing new in video games, with perpetrators often utilising the most popular titles to do their dirty work. Over the past decade, Blizzard’s World of Warcraft has been a prime target of phishing scams, as has Dota 2 and even Fortnite itself. Multiple times. Cyber security specialists at Sixgill have been monitoring the deep and dark web (DDW), noting that surge in popularity of Fortnite has spurred on an entire ecosystem for criminal activity.
Image: Criminal activity graph produced by Sixgill's threat intelligence platform
Sixgill’s threat report documents a DDW user by the name of DilanAV, who explained one of the more common methods of fraud within Fortnite called “carding.” This practice involves criminals pouring money into Fortnite accounts via stolen credit cards while using a virtual private network (VPN) to mask their location.
Once the money is loaded onto the account, the illegally-acquired funds are used to purchase in-game currency otherwise known as V-Bucks. In turn, this is spent on the vast cosmetics within the game before selling the account to launder the dirty money. This can be via “clearnet” third-party sites like G2G, G2A and eBay, or the less structured dark net space.
Sadly, this market has proven to be rather lucrative, with eBay seeing a collective $250,000 made from Fortnite items in just two months. The highest grossing item managed to garner over 30 bids before hitting its toal of $15,000. It isn’t just high-rollers that are targeted either, with one listing on the DDW selling an account with 55,000 V-bucks and over 50 skins for just $150.
Currently, Epic Games doesn’t provide a whole lot of protection against such fraudulent activity, often relying on banks and credit card providers to block the process. If a card declines the transaction, Epic automatically blocks the account it is attached to in case of illicit action, meaning that “carding” is not a certain way to commit fraud.
“Epic Games do not care if you are from China, with a VPN from Mexico and you are buying with a credit card from Germany, they do not check any of that,” explains DilanAV while citing previous experience. Two of his accounts managed to get caught for using duplicate credit cards across both, however Epic’s system didn’t verify the details of the cards, such as name, surname, address and zip code.
Short of better tracking for VPN and credit card locations, Sixgill’s Cyber Threat Intelligence Specialist Benjamin Preminger suggests that Epic Games could better “monitor the transfer of high-value skins and other in-game items,” actively investigating red flags. “Additionally, Epic Games could monitor the V-bucks economy, and identify extremely ‘wealthy’ players, much like a finance authority would do in a real-life scenario,” noting “odd patterns and inconsistencies.” And finally, this information could be used in collaboration with cyber and financial crime units, allowing nation state bodies to utilise their superior intelligence capabilities to prevent and catch culprits.
With talks of an in-game gifting system set to appear within Fortnite, KitGuru asked Preminger how that would affect the criminal ecosystem built behind the game. We were told that while the short-term implication would be threat actors gaining another means to transfer items of real-world monetary value, the long-term would increase the level of monitoring available to Epic, and “in turn potentially law enforcement.”
Epic Games has yet to clarify whether or not it is aware of the report.
KitGuru Says: As always, digital fraud is an uphill battle that many developers struggle with, and Epic’s Fortnite has been the target of many criminals thanks to its immense popularity. It’s worth noting that while offers might seem genuine and authentic for those browsing online listings, it could very well be in support of an illicit activity