Online criminals are reportedly laundering hundreds of thousands of dollars using blockbuster mobile games like Clash of Clans, Clash Royale and Marvel Contest of Champions, according to a new report by German cybersecurity firm Kromtech.
Free-to-play games often rely on in-app purchases that allow players to exchange real money for gold, gems, or some other “premium” currency. With this premium currency, players can buy advantages, bypass time gates, and generally make themselves better at many games. In the most successful mobile games, like Clash of Clans and Clash Royale, in-game purchases rake in hundreds of millions of dollars in yearly revenue. The currency is also a relatively easy way to launder money.
Online criminals reportedly used 20,000 stolen credit cards to make purchases in Clash of Clans, Clash Royale, and Marvel Contest of Champions, Kromtech says. The criminals resold accounts with those same purchases on third-party markets like G2G or iGameSupply and received money in exchange, with no attachment to the stolen credit cards.
“I was really shocked,” said Bob Diachenko, head of communications and security researcher at Kromtech Security, in a Skype call with Kotaku. What shocked him most was how easy it is to launder money through free-to-play mobile games. “This process should be much more complicated than it is now,” he said. All Apple requires to create an Apple ID, which players can use to play Clash of Clans, is an e-mail address, a password, a date of birth and a handful of security questions. According to Diachenko’s team, criminals automated the Apple account-creation process.
Neither Clash of Clans publisher Supercell nor Marvel Contest of Champions publisher Kabam returned requests for comment.
Kromtech’s investigation started with popular database software called MongoDB. For years, poor configurations allowed hackers to connect to and collect data from tens of thousands of MongoDB databases. Analyzing samples from one database, Kromtech happened upon these Clash of Clans criminals, who stored over a hundred thousand credit cards there. Those numbers, Diachenko presumed, were mined from other data breaches.
“When we started digging into this, I was also surprised to see the amount of shadow business behind the internal currency, gems, in Clash of Clans,” Diachenko said. “This internal currency just became a real currency in the real world. Good too for guys like this to launder their stolen credit card money.”