Cyber criminals are opportunist thieves who look for lazy ways to steal a living, but they’re also remarkably inventive and determined. The latest tactic for online criminals who need to legitimise their ill-gotten gains is to circulate their cash through popular games, thus obfuscating the origin of the cash and providing a clean source.
Like all money-laundering schemes, this approach is borne of criminals’ need to be able to explain the origin of the cash they obtain through theft and deception. Large sums of money landing in their bank accounts, without a clear origin, would raise questions about their activities and whether the income was taxed.
This latest scheme involves buying in-game currencies for popular games like Clash of Clans, and then selling them on the third-party marketplaces that exist for these games (these markets have sprung up as an alternative way to accumulate game currencies, which then give players greater capabilities within the game, effectively allowing them to pay to accelerate their progression through the game).
Money laundering using in-game purchases isn’t new. The Financial Action Task Force issued a report in 2010: Money Laundering Using New Payment Methods, which highlighted the use of digital games as a forum for cleaning dirty money.
But criminals have likely been using games and online worlds like Second Life as a money laundering technique since their inception in the early 2000s, partly because cash can be paid into games, and later withdrawn as a transfer directly into a bank account, giving scammers ‘clean’ cash and another layer of complexity between them and the criminal source of their income. Researchers have found that some fraudsters transfer their in-game funds into cryptocurrencies, adding yet more distance between their money and its source.
Dr Mike McGuire, speaking to security company Bromium, said: “Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cybercriminals. This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38 million laundered in Korean games, back to China. The advice on how to do this is readily available online and explains how cybercriminals can launder proceeds through both in-game currencies and goods.”
Earlier this year, researchers from Kromtech Security found an unsecured database online, which was clearly managed by money launderers as it contained thousands of credit card details. Kromtech’s researchers found that the thieves were targeting three games, Clash of Clans, Clash Royale and Marvel Contest of Champions. While these are all free-to-play games, they offer in-game purchases for virtual currencies. The card thieves create fake Apple and Google accounts, and then pay for in-game currencies using the stolen cards. Rather than using the stolen cards to make large purchases, the thieves can make many small orders, accumulate lots of in-game money, and then sell the game currencies in the market, for cash which they can then exchange for Bitcoin.
This emerging story is noteworthy because it helps to make sense of what scammers are doing when they go looking for data. Thieves aren’t looking for a big payday, or the equivalent of a bank robbery; it’s all about lots of small thefts so they can remain hidden and continue their crimes unnoticed. This is another reminder that your customer data – and particularly their payment card data – are deeply desirable to the modern criminal.