The issue of cheating in gaming has rightfully gained increased attention over the last few years, with publishers and developers consistently making headlines as they deploy strategies like ban waves and legal actions to control and mitigate the problem.
However, beyond the occasional leak of personal data, account fraud rarely receives the same level of attention, even though, much like in the broader digital landscape, fraud is pervasive in gaming.
According to surveys, approximately 40% of gamers report being hacked at least once while playing computer games, and over 30% state that their personal information has been shared in an online game without their consent.
The apparent lack of attention to account fraud is partly explained by its more intricate nature compared to cheating, involving a variety of activities and tools. Account fraud is also widely perceived to have a lesser impact on the in-game player experience compared to cheating—although, as we will explore, this assumption is incorrect.
There is an ongoing debate among players whether 'account trading' is a genuine issue and the reasons behind publishers needing to intervene, as evidenced by this Reddit quote:
I've bought and sold many video game accounts such as RuneScape, Warframe, Rocket League. However, I am still confused on why video game companies such as Riot Games and Epic Games will ban accounts if they were bought or sold. I tried googling the answer but all I got was, "because it's in the ToS." For me it makes absolutely no sense why they would do this.
The rationale behind publishers and platforms banning traded accounts becomes evident when we consider the numbers involved.
While some vendors may sell individual accounts from time to time, most prominent sellers are listing hundreds or even thousands of accounts.
For instance, one seller on g2g is currently offering 11,500 accounts across dozens of games and claims to have received a staggering 135,000 orders in the last 90 days.
That doesn’t sound to us like a casual gamer offloading tier accounts for games they no longer play!
Before delving into an exploration of how account fraud impacts gaming and its connections to cheating, let's first establish what we mean when we talk about account fraud.
While there are numerous ways to define account fraud, the specific definition we employ at Intorqa is:
The illicit trading and unbanning of gaming accounts and associated in-game items and currency, often obtained through hacking and takeovers, and boosted using bots.
Whilst we’re talking about definitions, when we refer to gaming accounts, this includes accounts for specific games (e.g. League of Legends and Counter-Strike), those for console subscriptions, and accounts for digital storefronts such as Steam and Epic.
So, what impact does this have?
Firstly, it serves as a catalyst for hacking and account theft, with all the usual risks this involves as innocent players have their accounts taken over and stolen, a topic we’ll we’ll look at shortly, before their compromised accounts are sold.
By analysing the purchasers of these accounts, we can see the influence and impact account fraud has on gaming.
The act of a player buying a leveled-up account, often without knowing it's stolen, with the intent to bypass the grind and unlock higher-level characters or rare in-game items, may seem harmless at first. After all, it appears they’re only spoiling the game for themselves by eliminating the satisfaction derived from leveling up the account through gameplay. However, this seemingly harmless action takes a detrimental turn in multiplayer scenarios. Playing as part of a team without the necessary skills disrupts the game for more skilled players, creating issues in the game loop and potentially driving away honest players.
From the perspective of publishers, this is a problem for two reasons. Firstly, they’re losing those players who are getting frustrated. Secondly, it’s harming the bottom line as instead of selling an in-game item or currency to two players, they only get to sell it to one. In free-to-play games, this can disrupt the entire business model.
One of our clients, the Head of Global Fraud Management at a global games business, puts it best:
Stolen accounts impact everyone in gaming – the player whose account was stolen, other players who suffer from unfair competitors in games, and gaming companies who lose legitimate sales to gray market account sellers. Efforts to protect gameplay from increasingly brazen hacking by account sellers ruins gameplay and drives up the cost of gaming for everyone.
And then there’s the connection to cheating.
Account fraud directly increases the use of cheats, particularly bots. Hackers use bots to grind and enhance (stolen) low-level accounts before selling them to players wanting to skip the hard work and jump straight into higher levels.
It's highly unlikely that a single g2g seller legitimately created 135,000 accounts and levelled them up accordingly. If so, they’re incredibly talented and should consider a career in esports!
These images from a vendor selling CS2 accounts clearly demonstrate these points (note the use of a chatbot for great customer service).
But the connection with cheating doesn't stop there. Stolen accounts also serve as facilitators and enablers of cheating - in fact, the whole cheat community relies on them.
When banned in a game, cheaters turn to unauthorized account vendors to purchase new accounts, allowing them to resume playing and providing them with the opportunity to cheat again. This underscores why account bans alone are not particularly effective in assessing the impact a security team may have on cheating in a game.
30,000 players banned? Try 30,000 accounts.
Similarly, players who get their kicks smurfing, rely on having multiple accounts on the go, as they go about ruining games for less experienced players. However, this isn’t going unnoticed as evidenced by this complaint in a recent conversation about smurfing in LOL shows:
The smurfing issue is seriously getting out of hand. It's gone from 'occasional smurfing is sucky (sic) but it's part of gaming' to 'there's so many smurfs it's literally impacting competitive integrity.
And even those who smurf are getting frustrated!
I have 10 smurfs across both PC and Console at this point, and I genuinely want smurfing to be bannable. It ruins literally countless games and discourages regular players from playing Comp at all.
It’s no exaggeration to say that without account fraud, there wouldn’t be nearly so much cheating. Conversely without cheating there wouldn’t be such high demand for hacked accounts.
How the hackers do it
When millions of dollars are invested in security across the internet, how are these hackers and unauthorized sellers doing this on such a large scale? And what can publishers and 3rd party service providers do about it?
For the past couple of years, we've been closely monitoring the account fraud ecosystem, and what's truly remarkable is the extent to which malicious actors go to continually adapt their techniques and tactics.
Many of their methods will be familiar to anyone acquainted with general cybersecurity and fraud. Whether it’s DDOS attacks, phishing (gamers love a free screensaver!) malware downloaded from fake websites (or dodgy cheat sites!) or sheer brute force attacks, gamers face the same threats as other internet users.
And according to our client from earlier, this is on the increase, particularly since Covid.
The pandemic helped accelerate online growth, including fraud. Increasing discussion and democratization of dark tools and techniques on internet forums has enabled and emboldened a new generation of hackers and scammers.
Lately, we’ve seen a rise in the use of other methods within the gaming space.
Firstly, there's an apparent increase in the use of credential stuffing, where hackers employ thousands of sets of credentials stolen from one platform or game in an automated attack on another. Gamers are especially vulnerable to this, as they frequently use the same email and/or password across multiple accounts.
Secondly, as some publishers are now implementing phone numbers for two-factor authentication, we're noticing a growing trend in the sale of phone verification services within the communities we monitor. This enables individuals banned from a game to create a new account and link it to a new phone number.
Since you need a valid phone number for each account, individuals facing multiple bans need lots of phone numbers to continue playing. Consequently, phone verification services have started to appear in lots of cheat/fraud communities.
Finally, like cyber criminals everywhere hackers in gaming are commonly using social engineering techniques to exploit a company’s own support systems against them to aid their fraudulent activity, particularly the unbanning of accounts.
In the communities we monitor they continually discuss trying different methods, finding where weaknesses are, revealing names of support agents who won’t help, tips for getting round the security questions, and which regions to focus on.
What to do?
As with so much crime, it comes down to intel - knowing what to look for and taking action to stop it.
This requires constant monitoring to stay up to date and gain valuable knowledge, not only into the methods used by malicious actors, but also high-level information, such as identifying major actors, assessing significant threats, analysing payment methods, and obtaining specific details on these elements.
When executed correctly, this monitoring provides security teams with the inside track on what malicious actors are doing at any time – such as what techniques they are using to manipulate customer service agents or exploit email protocol.
As the head of one of those security teams confirms:
Bad actors use social channels to publicize the profitability of account sales, provide an easy means to exchange techniques, and supply a free advertising mechanism for account sales. Social channels are key to understanding the underground economy of account selling.
Monitoring social channels can aid in uncovering the identities of these actors, as they inadvertently disclose valuable information about themselves and provide clues to their identities. In many cases, they’re often not as smart as they think they are!
An illustrative example is the recent hacking of streamer Ali-A's Fortnite account. Our monitoring picked up additional information, as those responsible for the attack openly discussed it in the communities under our surveillance.
Another opportunity arises when actors engage in public disputes. One party may disclose personal information to discredit the other or damage their reputation. This can significantly contribute to providing additional insights and potentially uncovering real-life identities.
As well as highlighting the risks hackers may pose, monitoring is also essential in measuring the impact of the measures taken by security teams. The ability to analyse trends, such as whether mentions of bans are increasing or whether discussions about a specific method of fraud are on the rise or decline, provides valuable insight.
Take it from us, there’s no clearer (or more rewarding) sign you’re on the right track than when a fraud community Discord is buzzing with warnings and panic about getting caught.
Give it a try.