For the past several months' hackers have not been friendly to businesses in the gaming industry. CD Projekt Red, Ubisoft, and Crytek have all suffered ransomware incidents. Now it has emerged that EA has suffered a data breach, in which it is believed several games have had their source code stolen. The company is a giant of the industry boasting several high-earning franchises including Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed. Further, the company has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.
Several reports have emerged stating that Electronic Arts (EA) has had 750 GB worth of data stolen during a breach of their network. The data is believed to contain source code and debugging tools used by developers. Popular tech publication Motherboard reported that the Frostbite Engine, used in many of the publishing giants games including first-person shooters like the Battlefield, was also stolen. For fans of the FIFA franchise, it is also believed that the source code for FIFA 21 was stolen.
The discovery of the breach was made when posts were found on underground hacking forums. In the forum posts, hackers claimed that they had also been able to make away with information about proprietary EA frameworks and software development kits (SDKs), bundles of code that can make game development more streamlined.
EA responded to Motherboard’s request for information, in which they confirmed they had suffered an attack. A spokesperson for the company stated,
“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”
According to the posts the hackers have valued the data stolen at 28 million USD. Accepting a hacker’s evaluation of the data is problematic as the hackers have a vested interest in getting the most amount of cash for their activities. Granted EA is a large company as has been seen with a healthy profit taken for the previous year so the data may be perceivable worth a few million to the right buyer. Bleeping Computer has reached out to the hacker who made the posts, who has claimed that they have also made off with points that are used as in-game currency. Such in-game currency has been used by criminals in the past to launder money.
Money Laundering and In-game Currency
While gamers across the globe moan about in-game currency and pay-to-win practices, they are still increasingly important revenue streams for games publishers. The same can be said for hackers and cybercriminals who have seen the potential to both earn money and launder it. D. Crijns in an excellent article notes,
“For criminals it is a highly attractive market in which to operate. On this worldwide market it is possible both to earn and to launder money, and it is easy to go into hiding because large amounts of money circulate in a relatively non transparent way.”
When online games began instituting forms of in-game currency, sometimes referred to as values, either to unlock different abilities or cosmetic additions to alter a player's in-game avatar a pandora’s box was unwittingly opened. Once these values could be purchased for fiat currency rather than achieved through playing the game, the worst offenses would soon come to light. It was quickly found that players would sell values to one another for real money, this was referred to as Real Money Trading. While games publishers forbade this, marketplaces soon cropped up online to enable this and there is no enforceable law to stop it.
This reality gives hackers two options, either they can hack the game and its infrastructure to steal values or in-game currency then sell it to other players for real money or they can use the buying of in-game currency to facilitate laundering ill-gotten gains. There are also cases where hackers target players, steal their earned or paid-for values then sell those on a Dark Web marketplace. It is even possible for a criminal enterprise to develop a game themselves and sell values to help clean illegal money sources, as Crijns notes,
“For a criminal organisation with a game of its own, selling game values to numerous random players who pay for their purchases with anonymous values (prepaid cards, bitcoins etc.) can be a good earning model because it allows you to bring large numbers of fake players into the game so that your (enhanced) profit is nicely legalised. Even less conspicuous is to use actual players and to make purchases (again using prepaid cards etc.) through their accounts (to which you have access as a service provider). You then sell those purchases on to RTM sites before the player notices anything. The player notices nothing, but the game provider (the criminal group) realises extra turnover and profit. Naturally the RTM site is not stuck with these values. The criminals then proceed to buy them back using anonymous methods of payment.”
Given that the hacker responsible for the EA data breach claims to have stolen not just source code but in-game currency, the hacker has now multiple ways to generate a profit for their efforts.
CD Projekt Red can’t Catch a Break
In related news it has been discovered that data stolen by the HelloKitty ransomware gang before encrypting CD Projekt Red’s infrastructure has emerged online. The company refused to pay the ransom, or at the very least made public statements saying that they would not. The company released a statement which confirmed that data is illegally circulating the Internet. It was stated that,
“We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach. Currently, we are working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated.”
The HelloKitty operators did say that they had sold the data stolen in February of this year. Recently, the allegedly stolen gang emerged and linked to another threat actor. PayLoad Bin, previously known as Babuk Locker, had recently published what they claim is the full source code for CD Projekt games, consisting of 364GB of data. It is not yet confirmed if HelloKitty sold the data to PayLoad Bin or if they got the data through some other method.
While this article focuses on victims of cybercrimes in the gaming industry, several lessons can be learned. Perhaps the most important is that it doesn’t matter the size of the company or the economic sector the company resides within, if hackers can compromise the company’s network they will. There are too many cases to count of hospitals, government departments, and critical infrastructure sectors that have fallen victim to hackers of all kinds.