Hackers are scoring more than a million dollars annually selling compromised accounts for the popular Fortnite video game in underground forums.
With Fortnite’s popularity still climbing (it currently has more than 350 million players worldwide), the game is a lucrative target for cybercriminals. After tallying the auction sales of several high-end and low-end Fortnite account sellers over a three-month period, researchers found that on the high end, sellers averaged $25,000 per week in account sales, or roughly $1.2 million per year.
“The market for stolen account sales is much larger than just the gaming industry…However, from our research, the black market for the buying and selling of stolen Fortnite accounts is among the most expansive, and also the most lucrative,” said researchers with Night Lion Security in a report last week.
The value of a hacked Fortnite account is centralized around a character’s in-game “skin” (essentially a digital costume), researchers said. Players of the game can purchase these in-game accessories using Fortnite’s currency, called V-Bucks. Some of the skins are rare and worth a lot of money; for instance, the “Recon Expert” skin is one of the most valuable, averaging roughly $2,500 per account.
These Fortnite accounts are initially compromised by what the report describes as simple brute force and password cracking; in practice the technique is credential stuffing: username-and-password combinations are extracted from other companies’ data breaches and replayed against Fortnite’s login, which works because many people reuse the same password across services.
Cybercriminals have tools that make these techniques even easier. One well-known password cracker in underground hacking circles (known as “DonJuji”) says high-end Fortnite cracking tools average between 15 and 25 thousand checks per minute (roughly 250 to 400 account checks per second), according to the report.
Epic Games does limit the number of login attempts allowed per IP address in an attempt to curb password cracking. However, cybercriminals bypass this with automatic proxy rotation, which routes each request through a different IP address. One popular Fortnite account checker called Axenta (costing $15 per month), for instance, provides automatic proxy rotation as well as a number of other built-in tools for password checking and for automatically changing the password on a hit, locking the legitimate owner out.
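The paragraph above explains why a per-IP login limit is blind to a proxy-rotating checker: every attempt arrives from a fresh address, so no single IP ever crosses the threshold. The following added example (not code from the report, from Night Lion Security, or from Epic Games) runs two detectors over constructed login logs: a classic per-IP limiter, and a window-level signal that keys on the number of failures combined with how spread out the attempts are across IPs and usernames. The log line format, the thresholds, and the traffic shapes are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # seconds since the start of the capture
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line of the form '<ts> <ip> <user> <ok|fail>'."""
    ts, ip, user, result = line.split()
    return LoginEvent(int(ts), ip, user, result == "ok")


def _stuffing_lines(n: int = 200) -> list:
    # Constructed burst: n leaked credential pairs tested within 60 seconds, each
    # attempt exiting a different proxy IP; roughly 4% of the pairs are reused on
    # the target and therefore succeed.
    lines = []
    for i in range(n):
        ts = i * 60 // n
        ip = f"203.0.113.{i + 1}"          # unique address per attempt (n < 254)
        result = "ok" if i % 25 == 0 else "fail"
        lines.append(f"{ts} {ip} user{i} {result}")
    return lines


def _benign_lines() -> list:
    # Constructed normal traffic: five players, each logging in repeatedly from one
    # IP over ten minutes; one of them mistypes the password a few times first.
    lines = []
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
    for u, ip in enumerate(ips):
        for j in range(8):
            ts = j * 75 + u * 5
            result = "fail" if (u == 3 and j < 3) else "ok"
            lines.append(f"{ts} {ip} player{u} {result}")
    return lines


STUFFING_LOG = [parse_line(l) for l in _stuffing_lines()]
BENIGN_LOG = [parse_line(l) for l in _benign_lines()]


def per_ip_limiter(events, max_attempts: int, window: int) -> set:
    """Classic per-IP rate limit: return the IPs that made more than max_attempts
    login attempts inside one fixed window of `window` seconds."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e.ip, e.ts // window)] += 1
    return {ip for (ip, _), n in buckets.items() if n > max_attempts}


def detect_stuffing(events, window: int, min_failures: int, min_ip_spread: float) -> list:
    """Rotation-resistant signal: a window with many failed logins in which almost
    every attempt comes from a distinct IP (and targets a distinct username) looks
    like a credential checker, not a player who forgot a password."""
    by_window = defaultdict(list)
    for e in events:
        by_window[e.ts // window].append(e)
    hits = []
    for w, evs in sorted(by_window.items()):
        failures = sum(1 for e in evs if not e.ok)
        ip_spread = len({e.ip for e in evs}) / len(evs)
        user_spread = len({e.user for e in evs}) / len(evs)
        if failures >= min_failures and ip_spread >= min_ip_spread:
            hits.append({"window": w, "attempts": len(evs), "failures": failures,
                         "ip_spread": round(ip_spread, 2),
                         "user_spread": round(user_spread, 2)})
    return hits


if __name__ == "__main__":
    print("per-IP limiter on stuffing burst:", per_ip_limiter(STUFFING_LOG, 5, 60))
    print("spread detector on stuffing burst:", detect_stuffing(STUFFING_LOG, 60, 50, 0.9))
    print("spread detector on benign traffic:", detect_stuffing(BENIGN_LOG, 60, 50, 0.9))
```

On the constructed burst the per-IP limiter returns an empty set, exactly the blind spot proxy rotation creates, while the spread detector flags the one-minute window with 192 failures out of 200 attempts and an IP spread of 1.0. The benign traffic trips neither. In production the same idea is usually combined with per-username and per-device-fingerprint counters, but the window-level ratio is the cheapest signal that does not depend on the source address at all.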
Cybercriminals then bundle the compromised accounts into “logs” and sell them. These collections, each containing a few thousand stolen accounts, are auctioned in private Telegram channels for anywhere between $10,000 and $50,000. From there, accounts are extracted from the log and individually posted for sale.
Night Lion Security paints a picture of a sophisticated underground marketplace, with “distributors” initially selling these logs to “resellers,” who then sell them to “consumers.” Many account resellers host their own account shops on sites (like shoppy.gg or atshop.io), which feature a mix of accounts that can be purchased, including Netflix, Disney+, HBO Max, and more.
These marketplaces are highly organized, complete with customer service and return policies. One site is overseen by a system called “Community Checkup,” a panel of five “judges” that keeps track of scammers, and of sellers and buyers who break the community’s bylaws.
According to the report, video games in general are extremely profitable for cybercriminals, with Roblox, Runescape, and Minecraft also proving to be popular on underground forums.
In 2019 alone, there were more than 4 billion breached records – and in 2020 so far, researchers said an estimated additional 2 billion breached records have gone up for sale on various darkweb markets.
“We can then confidently predict that an additional 30 percent revenue, or $300 million per year, can be generated by tallying the black-market sales for every other video game in existence, conservatively making the entire hacked video game market a billion dollar a year industry,” said researchers.
Fortnite has previously faced various security issues. In 2018, an array of malicious Android apps purporting to be Fortnite were uncovered accessing cameras, harvesting and wiping device data, and recording audio on victims’ phones. In 2019, Epic Games patched a bug that could have allowed hackers to break into millions of Fortnite accounts and steal virtual currency or resell virtual goods. Also that year, a ransomware called “Syrk” targeted gaming juggernaut Fortnite’s enormous user base, purporting to be a game hack tool.
Threatpost has reached out to Fortnite developers Epic Games for further comment.
This article has been updated on Sept. 1 at 2 p.m. to clarify a statistic regarding 2 billion breached records. While the article originally stated that researchers have reported 2 billion breached Fortnite accounts in 2020, that figure actually accounted for the overall number of breached video game records in 2020 so far.