Those discounted V-bucks might be helping cybercriminals launder their money.
The game Fortnite is massively popular, with over 200,000,000 players around the world. The game made its developer, Epic Games, $3-billion in 2018. Apparently it may be making cybercriminals some money, too. Or at least helping them to launder it, according to a report from the UK’s Independent.
If that sounds crazy, it’s because it is a little bit crazy. But it’s also incredibly clever.
So, today we’re going to spend a little bit of time talking about Fortnite, money laundering, and whether or not Epic Games bears any responsibility.
Let’s hash it out.
Let’s talk about Fortnite
Fortnite has become a cultural phenomenon around the world because it’s free and can be played on pretty much any platform (console, PC, mobile).
You may be asking, how does a free game make $3-billion? Good question. Micro-transactions. Fortnite has its own in-game currency, V-bucks. You can use V-bucks to customize your game – buy costumes, weapons, items – you name it.
And much like what’s been documented in other games such as World of Warcraft, criminals have figured out a way to monetize the in-game economy, in the process laundering their ill-gotten gains.
Ok, how do you launder money in Fortnite?
And there’s the $3-billion question. Here’s how: use stolen credit card info – or create accounts using stolen personal info – to purchase V-bucks from the official Fortnite store. These kinds of credentials are readily available on the dark web (and even some places on the normal web). They don’t cost much, either.
Using those stolen credit cards, cybercriminals purchase points from the Fortnite store and then sell them at deeply discounted rates, essentially laundering the money.
The Independent’s investigation monitored six different dark web black markets where it found myriad discounted points available, oftentimes in exchange for cryptocurrency.
“Criminals are executing carding fraud and getting money in and out of the Fortnite system with relative impunity,” Benjamin Preminger, a senior intelligence analyst at Sixgill, told The Independent. “Threat actors [a malicious person or entity] are scoffing at Epic Games’ weak security measures, saying that the company doesn’t seem to care about players defrauding the system and purchasing discounted V-bucks… This directly touches on the ability of threat actors to launder money through the game.”
Sixgill found that over a 60-day period, just on eBay, Fortnite items grossed over $250K, but that doesn’t really speak to the extent and breadth of this problem.
If you’ll remember, when we covered some of the biggest cybercrime statistics of 2018 last year, one of the biggest issues faced by most cybercriminals is how to get the money out. Stealing it is one thing, but how do you launder it so that you won’t draw suspicion when you actually take it out?
Well, here’s one way. Using Fortnite.
I’ve got a suspicion there are more than a few mobile apps that accomplish something similar, using micro-transactions to launder money through Apple and Google.
Does Epic Games bear any responsibility for this?
That all depends on your perspective. Let’s start with Sixgill’s Ben Preminger, who thinks more should be done:
“Epic Games doesn’t seem to clamp down in any serious way on criminal activity surrounding Fortnite, money laundering or otherwise,” Mr Preminger said. “While completely stopping such criminal activity is extremely difficult, several steps could be taken to mitigate the phenomenon, including monitoring the transfer of high-value goods in the game, identifying players with large stockpiles of V-bucks, and sharing data with relevant law enforcement agencies.”
Epic Games didn’t respond to a request for comment from The Independent, but I’m sure on some level the company just wants to focus on making games and not have to become some kind of international money laundering policeman.
Which, that’s fair.
Certainly, this industry has an interesting take on corporate responsibility. We inspired more than a little vitriol a couple years ago when we documented the number of SSL/TLS certificates Let’s Encrypt had issued to PayPal phishing sites. The prevailing logic was that discerning the good actors from the bad wasn’t a job for Certificate Authorities.
Recently, Let’s Encrypt announced it’s not even going to check the Google Safe Browsing list any more before issuance.
“Let’s Encrypt has stopped checking domains against the Google Safe Browsing API before issuance… Since 2015, Let’s Encrypt has been using this API to check domains before issuing certificates. If a domain was flagged as unsafe by Google Safe Browsing we would not issue a certificate.”
- Josh Aas, Executive Director
So, going by that logic, don’t worry about it, you just keep doing you, Epic.