How cybercriminals use free-to-play gaming apps to launder money

• Credit card cyberthieves launder money by sell gaming resources.
• Cybercriminals stole around 20,000 credit cards in under two months.

Cybercriminals are readily abusing free-to-play gaming apps for money laundering purposes, researchers found. Security researchers at Kromtech discovered an exposed MongoDB database in June that happened to contain a large number of credit card numbers and personal data.

After digging deeper, researchers found that the publicly exposed database was not an ordinary corporate database.

Instead, it belonged to credit card cyberthieves who were using a complicated automated system of free-to-play apps, third party game and resource resale websites, and Facebook to launder money from stolen credit cards.

"If you have ever played a free-to-play game you know that most of them require resources of one type or another to play,” Kromtech communications head Bob Diachenko said in a statement. “Whether it be gems, gold, power ups, or other, these resources are required to advance within the game, making them critical to the game play.”

It can sometimes take gamers weeks or months to gather enough free resources to move up levels.

“This is where the game makers make their money. They sell resources through ‘In-App Purchases’ to help people play the game and speed up the game play,” Diachenko added. “The lure of speeding up your play is a strong incentive to spend money on resources, and many spend to play. This has turned free-to-play games into a multi-billion dollar industry.”

20,000 stolen in under two months

Kromtech researchers estimate that the cybercriminals stole around 20,000 credit cards between April and June 2018. The cyberthieves were found targeting three specific games - Clash of Clans, Clash Royale (by Supercell) and Marvel Contest of Champions (by Kabam).

“Just with these three games, there are over 250 million aggregate users, generating approximately $330 million USD a year in revenue,” Kromtech researchers wrote in a blog. “These three games also have a very active third party market, utilizing sites like g2g.com to buy and sell resources and games. All of which makes these a good choice to blend in for a little money laundering.”

Modus operandi

The cybercriminals use custom, automated tools to create iOS accounts using real email addresses, adding a stolen credit card to the account details. Given how easy it is to create Apple and other accounts, the carders managed to automate the account creation process.

Kromtech researchers found that the carders were active in India, Saudi Arabia, Indonesia, Kuwait and Mauritania. Credit cards belonging to 19 different banks across the globe were stolen and processed by the cybercriminals.

"Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before. In the 2011 the Danish part of the Apple App Store was flooded with expensive suspicious applications,” Alexander Kernishniuk, Kromtech communications director said. “More than 20 out of 25 of the most downloaded applications were from China. The price of the apps ranged from $50-$100. This pointed to money laundering then, however, what we encountered now is much more sophisticated.”