In small fits and spurts, a Fortnite hacker recently typed out some sentence fragments over Discord: “maybe tomorrow / i get a letter / from epic games / holy fuck / paying 25k for fraud.” What if, after a month of lucrative work, Epic Games shut him down with a firm letter from their lawyers? There was a pause before he added, “kek,” memespeak for “lol.”
The hacker, who I’ll call John, is a small player in the industry of hacking accounts for Fortnite, the biggest game in the world right now. It’s a booming industry. Released in July 2017, Fortnite Save the World is a survival game where players stave off zombie attacks and defend themselves in player-built forts. In September, riding on the heels of blockbuster survival shooter PlayerUnknown’s Battlegrounds’ success, publisher Epic Games released Fortnite Battle Royale for free. Early last month, 3,400,000 players were logged into Fortnite at the same time. A few weeks later, I noticed dozens of them complaining on Reddit, Epic Games’ forums and Twitter that they were receiving mysterious $99.99 and $149.99 charges on their accounts.
One player said hackers spent so much money inside their account that they’d struggle to pay rent (Epic Games refunded the charges). Another showed Kotaku e-mails accounting for over 700 illicit log-in attempts. On online marketplaces, these break-ins have resulted in hundreds of cheap listings for Fortnite accounts and codes for Fortnite games. The $3-10 codes for Fortnite Save the World are a deep discount from Epic Games’ $40 price tag. For people who play Fortnite, this may be surprising because the game’s Save the World mode received pretty middling reviews. But as one source told me, “I play STW because I’m shit at BR [Battle Royale].” The accounts worth selling, a lot of the time, are full of rare skins for Fortnite’s Battle Royale mode and boastable win rates that will make the seller look pretty good to their friends.
Every day, more and more players stepped forward on social media to say they’d been hacked, too. The trend exploded earlier this month. There’s no hard data on how many, but a dive into the sites where Fortnite players congregate suggests the number of alleged fraud cases in one of the world’s most popular games is sizable. Hackers I interviewed say that’s because security for Epic Games’ software is, in John’s words, “top kek.” Epic Games doesn’t ask for much verification before players make in-game purchases, which, hackers say, leaves a clear opening for their attacks.
Reached for comment, Epic Games told Kotaku, “Epic continues to work with our customers who have been impacted by credential stuffing or brute force attacks,” linking to their recent security bulletin and adding, “We encourage players to guard their account information and not to trust third-party websites with their account information.”
Content creator Adam Taylor was an avid PlayerUnknown’s Battlegrounds player who, earlier this year, took a chance on the Fortnite Battle Royale trend. It was free, he reasoned, and a lot of his buddies had already jumped on the bandwagon. On March 9th, Adam hooked his PayPal account up to his Epic Games account to purchase a $10 Battle Pass for Fortnite Battle Royale, which earns him items and perks the more he plays the game.
Six days later, he woke up, logged into his e-mail and noticed notifications and receipts from Epic Games acknowledging two charges unfamiliar to him: a $99.99 upgrade and a $150 Limited Edition upgrade for Fortnite Save the World, which each come with codes for Fortnite’s Standard Edition for friends, along with other goodies. The descriptions were both in Russian. When he logged into his account, the upgrades were gone.
“It’s as if I was charged $250 for Russian gibberish and no bonus to my account,” Taylor said.
A dozen other Fortnite players interviewed shared similar stories. Hackers broke into their accounts and upgraded them to receive codes for Fortnite’s Standard Edition. After reporting on these widespread fraudulent charges, I wanted to figure out who was doing this and how it worked. The industry appeared opaque until a software engineer who identified himself as “Marksman” reached out with an intriguing lead.
In further conversations on e-mail and Discord, Marksman says he does not himself sell or hack into Fortnite accounts, but he does engineer software that these hackers have used to do so, which Kotaku was able to confirm. The industry, he said, has ballooned because of two things: account-holders’ previously compromised information and Epic Games’ allegedly lax security.
To explain, Marksman dropped four links to forum posts on a site called Nulled.to, which describes itself as a “cracking community where you can find tons of great leaks.” At any time, about 4,000 users are browsing it. “Fortnite Standard Edition Keys / $4/$5 [WTB],” “x180 Fortnite Accounts | Data Captured,” and “Cheap High End Fortnite ACC for sale” are some of the posts that appeared on the site today. On posts like those, sellers drop links to their shops on Selly and eBay, where listings for “Fortnite Standard Edition” codes and Fortnite accounts with V-bucks go for anywhere from $3 to $800, depending on how many rare cosmetic items, like the Skull Trooper costume, the account has.
One post for an account asked Nulled.to buyers for bids starting at $12 in Bitcoin for a level 89 account with the Battle Royale Elite Agent skin and an AC/DC-style pickaxe. Another seller offered $25 for a level 70 account with 47 solo wins and the “Reaper” skin.
Between those posts, forum users dropped download links for “combo lists,” hundreds of thousands of known email and password combinations for Netflix, Spotify, Domino’s and other PayPal-linked services. They’d been mined from other leaks, like the 400 million-user MySpace breach and the 164 million-user LinkedIn breach. Those combinations, Marksman told me, are the key to hacking Fortnite accounts.
According to Marksman, selling Fortnite codes is a safer bet than selling broken-into accounts, although the accounts can be more lucrative (one seller I spoke with was selling an account with rare skins for $900). Players can recover stolen accounts by contacting Epic Games’ support and changing their information. The codes are immaterial.
Through Nulled.to, I got in touch with hackers who had more hands-on roles in breaking into Fortnite accounts. My presence on the site was immediately apparent to its users, who began speculating whether I was FBI or a “real girl.” One prolific Fortnite key seller who declined an interview told me that “Your mum is so fat that even Dora couldn’t explore her.” Not everyone was as keen on the idea of talking to a journalist as John was. He went so far as to call one of his Nulled.to buddies a “pussy” for evading my interview requests.
John, who is 19, says he cracks accounts linked to credit card numbers and PayPal accounts. Hackers take thousands of known email and password combinations and load them into software that automatically enters them into Epic Games’ client (although John says, “I pref do it manual. More fun.”). When they get a hit, they get into the Fortnite account through the software, which can make its request for entry seem legitimate to Epic’s client—a vulnerability, according to the hackers.
Hackers then make purchases for, for example, Fortnite Save the World’s priciest edition at $149.99. Sometimes, the account information will be made widely available for anybody to log into and purchase codes on. When they receive the codes, they log out of the account and sell them on an online marketplace for a couple of bucks, often for cryptocurrency. All of this is done through a proxy service, so the store sees a foreign IP address, which explains the Russian (or, in some cases, Chinese or Portuguese) purchase descriptions.
Fortnite codes and accounts aren’t being sold widely on top darknet marketplaces, from what I found. They’re on eBay. They’re on PlayerUp.com. They’re on Selly. How much money is anyone making off this? Hackers I interviewed say anywhere from $50 to $900 a week, depending on how good your software is and how much time you have.
“Epic Games doesn’t require a pin or a back code to do payments,” John explained. “When you do an online payment, they [other places] at least ask for the log-in details of your PayPal or any info. . .”. To make a purchase in Fortnite, a player just clicks on what they want and hits “Purchase.” That takes them to a screen displaying redacted PayPal account information where they can review and place the order. Then, buying is as easy as clicking “Place Order.” All the information is saved, and nothing in that flow asks the buyer to prove again that they are the account holder. A few weeks ago, Epic Games added two-factor authentication, and yet the attacks are still ongoing.
Other games might ask players to solve a CAPTCHA, confirm their PayPal password or otherwise verify their identity before making an in-game purchase. Overwatch, for example, might ask players to log in again prior to buying loot boxes. Hackers interviewed say that, because Epic does not do this, and because of Fortnite’s incredible popularity, Fortnite, right now, is as ripe as can be for account hacking.
On March 7th, Epic Games posted a security bulletin noting that “a number of accounts have recently been compromised using well-known hacking techniques.” Epic goes on to explain that users ought to have unique passwords across every online platform because, if information is compromised in a data breach, it can be used to break into your Epic Games account. “Attackers frequently download password dumps - lists of email/password combinations - from third-party sites and use credential stuffing to find out what other websites those credentials work on,” Epic explains. “When they are successful at logging in to those accounts, they see what trouble they can create for the account holder. In many cases, that appears as fraudulent V-Buck purchases.”
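The attack the hackers describe and Epic's bulletin names has a recognisable shape in a login log: a combo list replayed against the login endpoint, one attempt per account, mostly failures with an occasional hit, all from the same source. The following is an added example, not code from Kotaku, Epic Games or anyone quoted in this article, that shows the defender's side of that: a small Python detector run over a constructed login log (the log format, the IP addresses and the thresholds are assumptions, not Epic's telemetry), separating credential stuffing from a single-account brute force and listing the accounts that were successfully entered from a stuffing source, which are the ones to force a password reset or a second-factor check on before any purchase goes through.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log (not real Epic Games telemetry). Assumed format:
#   <utc-timestamp> <source-ip> <account> <OK|FAIL>
# 198.51.100.4: one user mistyping a password once, then logging in.
# 192.0.2.50:   one account hammered repeatedly (brute force).
# 203.0.113.7:  many accounts tried once each, two succeed (credential stuffing).
SAMPLE_LOG = """\
2018-03-15T04:00:01Z 198.51.100.4 carol@example.com FAIL
2018-03-15T04:00:09Z 198.51.100.4 carol@example.com OK
2018-03-15T04:01:00Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:01Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:02Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:03Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:04Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:05Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:06Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:07Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:08Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:01:09Z 192.0.2.50 dave@example.com FAIL
2018-03-15T04:02:00Z 203.0.113.7 alice@example.com FAIL
2018-03-15T04:02:01Z 203.0.113.7 bob@example.com FAIL
2018-03-15T04:02:02Z 203.0.113.7 carol@example.com FAIL
2018-03-15T04:02:03Z 203.0.113.7 dave@example.com FAIL
2018-03-15T04:02:04Z 203.0.113.7 erin@example.com OK
2018-03-15T04:02:05Z 203.0.113.7 frank@example.com FAIL
2018-03-15T04:02:06Z 203.0.113.7 grace@example.com FAIL
2018-03-15T04:02:07Z 203.0.113.7 heidi@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    src_ip: str
    account: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the assumed four-column log format; blank and '#' lines are skipped."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, account, result = line.split()
        attempts.append(Attempt(ts, src_ip, account, result == "OK"))
    return attempts


def by_source(attempts: List[Attempt]) -> Dict[str, List[Attempt]]:
    """Group attempts by source IP; the source is the unit the attacker's proxy gives away."""
    groups: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        groups[a.src_ip].append(a)
    return groups


def classify_source(attempts: List[Attempt], min_accounts: int = 5,
                    min_fail_rate: float = 0.7, brute_min: int = 8) -> str:
    """Label one source IP's behaviour. Thresholds are illustrative assumptions.

    credential_stuffing: many distinct accounts, roughly one try each, mostly failing.
    brute_force:         one account hit many times, mostly failing.
    normal:              anything else (a user mistyping a password is a normal pattern).
    """
    total = len(attempts)
    failures = sum(1 for a in attempts if not a.ok)
    fail_rate = failures / total
    per_account = Counter(a.account for a in attempts)
    distinct = len(per_account)
    if distinct >= min_accounts and fail_rate >= min_fail_rate and total / distinct <= 2:
        return "credential_stuffing"
    if max(per_account.values()) >= brute_min and fail_rate >= min_fail_rate:
        return "brute_force"
    return "normal"


def classify_log(text: str) -> Dict[str, str]:
    """Map every source IP in the log to its label."""
    return {ip: classify_source(atts) for ip, atts in by_source(parse_log(text)).items()}


def accounts_to_step_up(text: str) -> Set[str]:
    """Accounts successfully logged into from a stuffing source.

    These logins look valid to the client (the password was right), so the only
    place to catch them is here: force a password reset or second factor on these
    accounts before any stored payment method can be used.
    """
    hit: Set[str] = set()
    for atts in by_source(parse_log(text)).values():
        if classify_source(atts) == "credential_stuffing":
            hit.update(a.account for a in atts if a.ok)
    return hit


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:14} {label}")
    print("force re-authentication on:", sorted(accounts_to_step_up(SAMPLE_LOG)))
```

The distinction between the two attack labels matters for the response: a brute force is stopped by locking or rate-limiting the one account under attack, while a stuffing hit succeeded with the correct password, so the account is not locked and the session it produced is indistinguishable from the owner's until a purchase is attempted. That is why the check belongs at the purchase step and not only at login, and why an attacker routing through a proxy still stands out when the per-source view is kept.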
In the meantime, Epic says they’re proactively hunting down password dumps and asking players whose information has leaked to change their credentials.
The next time a Fortnite Battle Royale player in fresh, expensive gear guns you down and spams the “Take the L” emote on your immobile corpse, instead of gritting your teeth, take solace in the fact that their account could have been bought.
[Update—4:50 pm ET]: This post has been updated to reflect Epic Games’ additional security measures. [Update—6:30 pm ET]: Shortly after publication, a source in this article revealed that the pseudonym they gave was not sufficiently secure. We have changed their pseudonym to protect their privacy.