Understanding the Threats to Online Video Games: Gray Markets

Virtual items and virtual currency are an integral part of today’s online video games and a critical component of the industry’s business model. Unfortunately, financially motivated cyber-criminals have found a way to exploit games for their own financial gain, by selling ill-gotten virtual goods outside of the game for real money. In video games, gray markets facilitate the re-sale of everything from in-game items (weapons, armor, etc.) to virtual currency. While gray markets for virtual items and virtual currency have been around since the early days of buy-to-play games like World of Warcraft and EVE online, they have proliferated in the last few years as the industry has grown and its business model has evolved.

So here’s the first thing you have to know about gray markets: they’re not, in and of themselves, illegal. According to Wikipedia, “a gray market, sometimes called a parallel market, is the trade of a commodity through distribution channels that are legal but unintended by the original manufacturer.”

Although gray markets aren’t illegal, they are shady, as the name implies. These underground resellers build stocks of virtual goods by hacking player accounts and stealing their accumulated items and currency; by purchasing them using stolen credit cards; and through  “gold farming,” which employs people or automated scripts (i.e. bots) to play the game around the clock and amass items through normal game-play. All of these activities damage a game’s top and bottom line. Costs associated with financial and reputational damages encompass:

While gray markets originated with buy-to-play games, free-to-play games like Clash of Clans and Game of War (titles that are perennially perched atop their app stores’ “Top Grossing” lists) have, at their core, a monetization model that relies on selling players a steady stream of gems, gold, chips, and other in-game items, for small amounts of money, over time. Since players access these games for free, sales made in-game are essential to cover operating expenses and generate profit. Any sales that occur outside this economy represent a total loss to the operator. Consider the scenario laid out by one free-to-play publisher in a recent interview:  

“People who create free accounts to level up with bots to sell on gray market sites are a huge issue for us, since we rely on players who are really into the game purchasing small add-ons as they go. But if that player decides instead to purchase a top-leveled account with a fully-stocked inventory for $15 or $20 from a re-seller, that might cost us two or three times that amount in lost revenue.”

This revenue loss is compounded when actual fraud is employed to obtain the virtual goods in the first place. When cybercriminals use stolen credit cards to purchase game codes or virtual currency, which they then turn around and quickly re-sell on the gray market, the publisher is left with credit card chargebacks and compounding fees.

Some gray markets even empower the secondary sale of the actual games themselves, a situation that can threaten both a developers’ and a publishers’ bottom line. For example, in May of 2014, game developer Devolver Digital, took to Twitter to let its customers know that re-sold game keys obtained via gray market suppliers like G2A.com “are not legitimate, not guaranteed, and not supported.”

While it is difficult to estimate the actual costs of the gray market economy on the online video game industry, there is no debate that cyber criminals with financial motivations are aggressively and frequently targeting online video games. Kaspersky Labs, a global cybersecurity firm is leading the fraud research in the industry. To date, its researchers have identified 5,000 new types of malware targeting online games daily and 50,000 instances of redirects to phishing links imitating game developer websites. In December 2015, Steam, one of the world’s largest online game platforms, admitted that 77,000 accounts are hacked every month. And in March 2016, Kaspersky released another report detailing a new type of malware, dubbed Steam Stealer, which is specifically designed to gain control of Steam accounts.

The bottom line is that by using advanced and elusive techniques, cyber criminals and cheaters take advantage of major in-video game security gaps, which leave both publishers and players vulnerable. The result of such attacks on publishers can be crippling: in some cases, up to 40 percent of a game’s in-game revenue can be lost per month, on top of the irreversible reputational damage to the game’s brand.

And publishers and players are collectively failing to effectively stop the bad guys from exploiting games. Publishers rely heavily on login controls such as multifactor authentication and IP/GEO location to keep bad guys out of their games and execute PR campaigns encouraging players to secure their accounts using commonsense practices. Unfortunately, savvy hackers and cheaters defeated these controls a decade ago using what is now readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and more.

On the player side, while amazing deals on games and in-game items can often be found on the gray market, gamers must understand the potential impact of these activities on the lives of the game developers and publishers. If developers can’t make a living on their work, they’ll be forced to find employment elsewhere, shuttering more and more talented studios and canceling promising games. As players, we must acknowledge and address an uncomfortable truth: that the great sale on game keys we just ran across on Kinguin, or the half-price gold package we’re considering shelling out for on any one of a hundred virtual currency sites is not only risky, but is, in fact, destroying the industry we love.

Gray markets might not be illegal (yet), but they are harmful. It’s time for gamers, developers, and video game publishers alike to acknowledge the problem and take steps to keep games safe and fun for players and profitable for the companies that operate them.