Credit card thieves reportedly using Clash of Clans to launder money

Credit card thieves are allegedly using the mobile games Clash of Clans, Clash Royale and Marvel Contest of Champions to launder hundreds and thousands of dollars via account selling.

Credit card thieves are allegedly using the mobile games Clash of Clans, Clash Royale and Marvel Contest of Champions (developed by Supercell and Kabam, respectively) to launder hundreds and thousands of dollars. 

In the case of Clash of Clans and Clash Royale, players can spend real money for premium in-game currency like gold or gems. Players can take this premium currency and buy advantages, but the currency apparently also serves as an easy way to launder money. 

According to a report published by German cybersecurity firm Kromtech, the thieves used 20,000 stolen credit cards to make purchases in Clash of ClansClash Royale, and Marvel Contest of Champions by reselling accounts with those same purchases to third-party marketplaces and receiving money in exchange, with zero attachment to the stolen cards.

This laundering is possible because of the accessibility to automatically create accounts on a large scale. For example, Apple only requires a valid e-mail address, password, date of birth, and three security questions to create an Apple ID.  

E-mail accounts are easy to create. The thieves were reportedly able to automate the account creation process, allowing them to create accounts on a large scale, resulting in an automated money laundering tool for credit card thieves to use.

Kromtech’s investigation began with database-building software MongoDB. Poor configurations granted hackers access to data from tens of thousands of MongoDB databases. Kromtech became aware of these Clash of Clans thieves after analyzing samples from one database, which stored over a hundred thousand credit cards. 

"The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania," writes the report.

"We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves." 

Although there seem to be no immediate solutions, Kromtech urges developers and service providers to secure their account creation process from abuse by automated tools and police their policies when it comes to tracking and pursuing thieves. 

Latest Jobs

Cryptic Studios

Senior Producer

Anne Arundel Community College

Arnold, MD, USA
Instructor/Assistant Professor, Game Art

Night School Studio

Los Angeles, CA, USA
Level Designer / Scripter, Games Studio
More Jobs   


Explore the
Subscribe to
Follow us

Game Developer Job Board

Game Developer Newsletter


Explore the

Game Developer Job Board

Browse open positions across the game industry or recruit new talent for your studio

Subscribe to

Game Developer Newsletter

Get daily Game Developer top stories every morning straight into your inbox

Follow us


Follow us @gamedevdotcom to stay up-to-date with the latest news & insider information about events & more