Money laundering has come a long way since 1920’s Chicago. During what some consider the ‘golden years’ of mafia rule, notorious crime boss Al Capone made a fortune by using Laundromats as a front to mix his illegal earnings from drug and alcohol bootlegging with the revenue of his “legitimate” businesses. In doing so, the crime boss earned approximately $1 billion for the Family.
Today, the act of money laundering, the “process by which proceeds of crime and corruption are transformed into ostensibly legitimate assets,” lives on. According to the United Nations Office on Drugs and Crime, nearly 2 – 5% of global GDP, or $800 billion – $2 trillion in current US dollars is laundered each year. While the majority of this money results from skimming cash, drug sales, and securities fraud, another medium to launder money is quickly gaining in popularity: that medium is online video games.
Connecting the Dots – Account Hijacking & Credit Card Fraud
To connect the dots between money laundering and online video games, you must first understand the concept of account takeover, the virtual hijacking of player accounts by financially motivated hackers, fraudsters, and cheaters. While video game publishers once viewed account takeover as a nuisance and tolerated it as the cost of doing business, it has evolved into a global epidemic in which virtual and real-world currency combine, and sensitive player information is compromised and exploited daily.
Today, when assessing an online video game’s overall risk profile, credit card fraud and associated chargebacks, the “demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction,” rank highly among publishers as major causes of financial loss. As a consequence, significant attention and resources are devoted to stopping credit card fraud, chargebacks, and fees that, on average, cost the merchant an additional $2.40 for every $1 of losses.
But account hacking is just one vector for credit card fraud. When accounts are taken over, hackers can use the connected credit cards to purchase virtual currency. With the rise of free-to-play games, however, anyone can purchase a list of stolen credit card account numbers on the dark web, create hundreds or thousands of free game accounts, and purchase virtual items and currency using compromised cards, without ever having to hack into anything.
In both instances, after the virtual items are purchased using stolen cards, they are sold in an online gray market for a fraction of a publisher’s official price, negatively impacting the game’s revenue. Kabam, publisher of Kingdoms of Camelot, Star Wars: Uprising, and Marvel: Contest of Champions, warned players of its Hobbit game about the perils of purchasing cheap Mithril (in-game currency) on third-party websites:
We have seen a surge of activity from fraudulent third-party sites that are not affiliated with Kabam, claiming to sell cheap Mithril for various Kabam games…the use of these sites may compromise your game and payment information. These web sites use stolen credit card information to make the Mithril purchases that you would receive. This opens you to potential fraudulent activity in the future.
Despite the efforts of in-house fraud teams and third-party fraud prevention solutions, the average digital merchant incurs 2% in direct chargeback losses annually, which is well above the 1% that is considered the high end of acceptable by credit card companies. Considering the $2.40 multiplier for every $1 in losses, the financial impacts of credit card fraud can add up quickly. In order to protect themselves from unexpected financial burden, some publishers opt to purchase chargeback insurance, which offers100% protection against chargebacks should a bad request manage to slip through the cracks. While this option allows publishers to plan financially and avoid unexpected financial outlays, costs for this type of insurance can be as high as 8% per transaction.
Money Laundering by way of the Gray Market
Because transaction-layer services do not benefit from any player behavior data generated in-game, discovery of fraudulent activity is limited to after a transaction is attempted, or worse, after it occurs. Under this reactive security posture, video game publishers frequently remain in the dark about fraudulent transactions for 30-60 days post-incident. This delay provides cyber criminals with ample time to use stolen credit cards to continue to purchase virtual assets before the compromised card is blacklisted.
When the publisher is notified of the chargeback at 30 – 60 days after the purchase, it’s all but impossible to track down the fraudster or hacker, leaving the video game publisher on the hook for the chargeback and lofty fees. The criminal, on the other hand, wastes no time in unloading the stolen virtual goods and currency in an online gray market in exchange for cash. In doing so, the criminal has effectively perpetrated a 21st century money-laundering scheme at the expense of the video game industry.
With billions of dollars now being spent in online video games, the motivation for fraudsters and cyber criminals to perpetrate credit card fraud, and then launder that money through the gray market, is so enticing that we’re certain that Mr. Capone would exploit this lucrative opportunity were he alive today.
For a real-world credit card fraud and money-laundering example, download our use case here.