Stolen Fortnite Accounts Are Making Millions for Cybercriminals

Despite the latest tensions between Epic Games and Apple, Epic's Fortnite is still a seemingly bottomless gold mine. However, the game is generating a lot of money not just for Tim Sweeney and his company but also for cybercriminals.

The massively popular game has hundreds of millions of active accounts; statistics dating back to May 2020 peg the number at around 350 million. This also means that bad actors have a lot of lucrative ground to work with. The most common ways to steal accounts are simple brute forcing of passwords and feeding passwords from leaked databases into known accounts, which works because password reuse across accounts and platforms is very common. The bad actors doing this also have very good tools that make the process easier for them: according to reports, as many as 500 account checks can be run per second.

Hackers Use Proxies to Avoid Security Measures

Epic Games has made a small but ultimately futile effort to limit those practices by enforcing a limit on the number of login attempts allowed per IP, but this just means cybercriminals need to use a proxy that rotates their IP. Tools and password checkers with integrated proxy functionality are even offered as a monthly subscription for as little as $15 per month.
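To show why a per-IP limit alone does not see this traffic, here is an added detection sketch (not code from Epic Games or from the reports cited) that runs over a constructed login log. The thresholds, field layout, account names and IP addresses are all assumptions chosen for illustration.

```python
from collections import Counter, deque

PER_IP_LIMIT = 5             # assumed: failed logins allowed per IP
WINDOW_SECONDS = 60          # assumed sliding-window length
MIN_FAILURES = 20            # assumed: failures in window before alerting
MIN_DISTINCT_ACCOUNTS = 15   # assumed: distinct accounts among those failures

def constructed_events():
    """Constructed sample log: (unix_ts, source_ip, account, success)."""
    # 40 failures in 40 s, each from a new proxy exit IP against a new account
    attack = [(1000 + i, f"203.0.113.{i + 1}", f"user{i:03d}", False)
              for i in range(40)]
    # Benign traffic: one player mistypes twice, then logs in; another logs in
    benign = [(1005, "198.51.100.7", "alice", False),
              (1010, "198.51.100.7", "alice", False),
              (1015, "198.51.100.7", "alice", True),
              (1020, "198.51.100.8", "bob", True)]
    return attack + benign

def per_ip_blocks(events):
    """IPs that a fixed per-IP failure limit would block."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > PER_IP_LIMIT}

def distributed_failure_alerts(events):
    """Flag windows where many different accounts fail, whatever the source IP."""
    window, alerts = deque(), []
    for ts, ip, account, ok in sorted(events):
        if ok:
            continue
        window.append((ts, ip, account))
        while window[0][0] <= ts - WINDOW_SECONDS:   # drop failures older than the window
            window.popleft()
        accounts = {a for _, _, a in window}
        ips = {i for _, i, _ in window}
        if len(window) >= MIN_FAILURES and len(accounts) >= MIN_DISTINCT_ACCOUNTS:
            alerts.append((ts, len(window), len(accounts), len(ips)))
    return alerts

if __name__ == "__main__":
    events = constructed_events()
    print("blocked by per-IP limit:", per_ip_blocks(events))
    print("first alert (ts, failures, accounts, ips):",
          distributed_failure_alerts(events)[0])
```

On the constructed log the per-IP limit blocks nothing, while the cross-account window alerts partway through the burst; the mistyped password from the benign player never triggers either check on its own.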

Breached accounts are being resold through a sort of chain operation, with top-level crooks selling them in bulk to "retailers" of sorts who then sell them to the end customers. The value of each account is driven primarily by the cosmetics and customization items accumulated by the original account owner. Fortnite is a free-to-play game that makes money by selling customization items to its players. Customization items are, in turn, purchased using the game's in-game currency, V-Bucks, which is bought with real money. Certain rare cosmetic items can reach exorbitant prices that may seem ludicrous to anyone who is not familiar with virtual game markets. For example, an account that has one of the rarest player skins, called 'Recon Expert', can go for as much as $2,500.

Bad Actors Make a Million a Year From Just Fortnite

The stolen accounts are sold in bulk through Telegram and go from $10,000 up to $50,000 per bulk collection. The parties that buy them resell them to the end buyers. A lot of those parties run domains that sell accounts for all sorts of other services as well, such as Netflix or HBO. Research shows that the high-end sellers who deal with Fortnite accounts alone can make over $1 million per year.

Fortnite is not the only game where accounts are targeted by bad actors. Any game or service whose accounts vary in value depending on their contents can be targeted, and the accounts resold online.

September 14, 2020
