More than 2 billion breached Fortnite accounts have gone up for sale in underground forums so far in 2020 alone.
Hackers are scoring more than a million dollars annually selling compromised accounts for the popular Fortnite video game in underground forums.
With Fortnite’s immense popularity skyrocketing over the past few years – it currently has more than 350 million global players – the game is a lucrative target for cybercriminals. So lucrative, in fact, that 2 billion breached accounts have gone up for sale in underground forums so far in 2020 alone, according to a new report.
After tallying the auction sales for several high-end and low-end Fortnite account sellers over a three-month period, researchers found that on the high end, sellers averaged $25,000 per week in account sales, or roughly $1.2 million per year.
“The market for stolen account sales is much larger than just the gaming industry… However, from our research, the black market for the buying and selling of stolen Fortnite accounts is among the most expansive, and also the most lucrative,” said researchers with Night Lion Security in a report last week.
The value of a hacked Fortnite account centers on a character’s in-game “skin” (essentially a digital costume), researchers said. Players of the game can purchase these in-game accessories using Fortnite’s currency, called V-Bucks. Some of the skins are rare and worth a lot of money; for instance, the “Recon Expert” skin is one of the most valuable, averaging roughly $2,500 per account.
These Fortnite accounts are initially hacked via simple brute force and password cracking: Username-and-password combinations can be extracted from data breaches of other companies, and checked against Fortnite accounts, as many people reuse passwords.
Cybercriminals have tools that can make these types of techniques even easier. One well-known password cracker in underground hacking circles (known as “DonJuji”) says high-end Fortnite cracking tools can average between 15 and 25 thousand checks per minute (roughly 500 account checks per second), according to the report.
Epic Games does limit the number of logins allowed per IP address in an attempt to curb password cracking. However, cybercriminals bypass this limit with automatic proxy rotation, which sends each request from a different IP address. One popular Fortnite account checker called Axenta (costing $15 per month), for instance, provides automatic proxy rotation, as well as a number of other built-in tools for password checking and automatic password-changing.
Cybercriminals then create “logs” of these compromised accounts and sell them. These collections, which contain a few thousand stolen accounts, are auctioned in private Telegram channels for anywhere between $10,000 and $50,000. From there, accounts are extracted from the log and individually posted for sale.
Night Lion Security paints a picture of a sophisticated underground marketplace, with “distributors” initially selling these logs to “resellers,” who then sell them to “consumers.” Many account resellers host their own account shops on sites (like shoppy.gg or atshop.io), which feature a mix of accounts that can be purchased, including Netflix, Disney+, HBO Max, and more.
These marketplaces are highly organized, even offering customer service and return policies. One site is overseen by a system called “Community Checkup.” Community Checkup, which is made up of a group of five “judges,” keeps track of scammers, sellers and buyers who are breaking community bylaws.
According to the report, video games in general are extremely profitable for cybercriminals, with Roblox, Runescape, and Minecraft also proving to be popular on underground forums.
“We can then confidently predict that an additional 30 percent revenue, or $300 million per year, can be generated by tallying the black-market sales for every other video game in existence, conservatively making the entire hacked video game market a billion dollar a year industry,” said researchers.
Fortnite has previously faced various security issues. In 2018, an array of malicious Android apps purporting to be Fortnite were uncovered accessing cameras, harvesting and wiping device data, and recording audio on victims’ phones. In 2019, Epic Games patched a bug that could have allowed hackers to break into millions of Fortnite accounts and steal virtual currency or resell virtual goods. Also that year, a ransomware called “Syrk” targeted gaming juggernaut Fortnite’s enormous user base, purporting to be a game hack tool.