Kromtech Security—a German-based IT and security company—has discovered evidence of a large scheme where scammers use stolen credit cards to buy in-app currencies from mobile games Clash of Clans, Clash Royale, and Marvel Contest of Champions, then sell those currencies on the grey market for cash.
“A group of malicious actors with a complex automated system [are] utilizing free-to-play apps, third party game and resource resale websites, and Facebook to launder money from stolen credit cards,” says a report by Kromtech.
Love them or hate them, in-game currencies and microtransactions are important revenue streams for modern video games. Electronic Arts—the studio that published Star Wars: Battlefront II—made $787 million from in-game purchases in its most recent fiscal quarter.
Security experts have long warned that the in-game currencies and tradeable digital commodities in World of Warcraft and other video games could one day be a money launderer's dream. In theory, it would be easy for a criminal to use ill-gotten cash to buy in-game currencies in a game such as Clash of Clans, then turn around and sell that currency to an unwitting third party for clean money.
This is a scheme that security experts have been warning us about for years. In 2011, the FBI raided the dorms of college students they suspected of committing fraud in World of Warcraft, but turned up nothing. The community of EVE Online—a space-faring MMO—has long been worried that the game’s digital currency could easily be manipulated and used to launder money for criminal organizations.
According to Bob Diachenko, Kromtech’s head of communications, that’s exactly what his team has discovered evidence of. The Kromtech security team stumbled on the scheme during an audit of MongoDB, an open source SQL database platform, in June. The database was odd because it was only a few months old, unprotected, and stuffed with 37,606 credit card numbers. The team found links to a Facebook group where the alleged scammers organized an automated system that would process the credit cards, attach them to new Apple accounts, and make in-game purchases from free-to-play mobile games, then dump the currencies on the grey market.
Apple, Supercell, and Kabam—makers of Marvel Contest of Champions—did not immediately return our request for comment.
It’s unprecedented and also very odd for criminals to leave a database unsecured. Diachenko told Motherboard via email that Kromtech traced the unsecured database to a public Facebook group that’s promoting this activity. “People do mistakes, even bad guys,” Diachenko said.
Much of the system was automated, including the creation of Apple accounts. According to Diachenko, the scammers used jailbroken iPhones they managed with a tool to generate Apple accounts with predefined user data. He showed Motherboard a video the Facebook group promoted with a bank of iPhones on a rack, all running the automated software.
“With the account creation process automated, the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load,” Kromtech’s report said. “The end result: an automated money laundering tool for credit card thieves.”
The group used the grey market site g2g.com—a website that allows users to buy and sell digital currencies for games such as World of Warcraft and Clash of Clans—to move its ill-gotten in-game currency. Sock puppet accounts on g2g sold Clash of Clans accounts (which developer Supercell allows to be transferred between users) bundled with in-game currency for between $30 and $90, the report said. Those transactions are small, but can add up quickly when run on an automated system posting thousands of them every day. Of the more than 30,000 credit cards, Kromtech was able to verify that just under 20,000 of them were used in the scheme.
Kromtech isn’t sure how much money the thieves made and estimated the scheme had only been running about a month and a half before it was discovered. It put together a full report on the scheme for the US Department of Justice and reached out to Supercell, the company behind Clash of Clans and Clash Royale, to help curb the fraud.
It appeared the thieves attempted to use Android phones as well, but Google’s restrictions on account credential transferring made it harder to automate. Diachenko said Apple could help stop similar scams in the future by doing a better job verifying credit cards. According to Diachenko, when a new credit card is added to an Apple account, Apple verifies the card by making a $1 purchase and refunding it. “We saw that many were processed with an incorrect name and address,” he said. “A stricter credit card verification would make it a bit more difficult for the [scammers].”
Motherboard was able to confirm details of the scheme by viewing the Facebook group referenced in Kromtech’s documents. But, as the group is part of an ongoing investigation, we aren’t making those details public at this time. That said, it’s an intricate and flagrantly public scam that proves that as long as a pipeline exists between digital video game currency and real-world cash, someone will attempt to exploit it.