What Trend Micro Got Right (and Not Quite Right) About Online Gray Markets for Video Game Currency

We’ve been saying for awhile now that video games are the next big industry under cyberattack.

It seems that the cybersecurity industry is starting to agree with us.

Kaspersky has been looking at this issue for awhile now, detailing and quantifying general threats against the industry as early as 2013, and published a complete report on attacks on Valve’s Steam platform earlier this year.

At the end of the summer, ESET’s We Live Security blog has been looking at the issue with an interesting series of blog posts about online video games.

Just this week, Trend Micro’s Forward-Looking Threat Research Team published a 32-page report called The Cybercriminal Roots of Selling Online Gaming Currency.

In this report, Trend Micro independently confirmed what we’ve been saying for the last few years, providing further proof of the increasing threats to video game developers through the illicit use of the gray market for online video game currency and items.

One of the most important consequences of this report is that they drew an explicit connection between the fraudulent and unwanted activity in video games and the larger ecosphere of cybercrime:

Based on our findings, the money earned from selling online gaming currency are used to fuel traditional cybercriminal campaigns such as denial of service attacks, identity theft, and financial fraud against different companies, organizations, and even other highly visible representatives in the media.

The report also does an excellent job outlining the stages in the acquisition and sale of virtual items and currency, starting with victimization. Gray marketers amass virtual items and currency in a number of underhanded ways for online sales outside of the game. Trend Micro lists the following vectors of victimization:

  • Stealing Gaming Credentials using Malware and Infostealers. Once a bad guy successfully takes over a player account, they are able to steal the amassed virtual items and currency (and sometimes the items stored in shared guild banks) for sale for real money outside of the game.
  • Exploiting Games and Game Servers through Glitching, Duping, Goldfarming, and Botting. Glitching and duping essentially take advantage of unpatched bugs in the game code to amass virtual items or currency. Goldfarming and botting take advantage of gameplay itself to earn or win virtual items. Goldfarmers and bots are detrimental to the game, because they play in a way that isn’t meant to be played and disrupt the fun of legitimate players.


A significant and damaging way that gray marketers amass inventory NOT mentioned in the report, however, is through the use of stolen credit cards. While lists of stolen card credentials can be purchased on the deep web, accounts that are hacked also often have credit cards attached to them, which cyber criminals can use to purchase in-game items to sell on the gray market for a fraction of the in-game price. Several game publishers, including Kabam and Jagex, have spoken publicly about the use of stolen credit cards to fuel gray market activity.

While much of Trend Micro’s report accurately depicts the current state of the video game industry’s vulnerability to in-game cyber attack, the report’s assertion that the selling step of the process is “very similar to the usual process of purchasing items in any online shopping website” is false. On the contrary, buying virtual items from gray market sites is not similar to the experience of buying an item on Amazon, for example. Amazon only requires your name, address, and credit card information to complete a purchase, and has a vast track record of securing your payment information. Some gray market sites ask buyers to provide a photo holding their driver’s’ license, a photo of the front and back of their credit card, game login information, or to allow the gray market customer service representative remote control their computer using (a potentially hacked version of) TeamViewer. As security professionals, everything about these requests suggest that gray market sites are not only selling virtual currency, but are also gathering (and selling) identity information and injecting purchasers’ computers with malware.

While Trend Micro has accurately outlined the gray market ecosystem, it only briefly mentions the damage that it causes to publishers and players, encompassing loss of revenue, negative impact to brand, and player dissatisfaction. This is a good place to start, but we have comprehensively defined ten ways that in-game fraud and abuse erode a game’s profits.

Finally, from our perspective, the most significant statement in the report is this:

To inhibit the proliferation of RMT [Real Money Trading], gaming companies work very hard to implement different tactics to prevent such abuses. Some of these methods involve having their staff patrol the game and launch a system wherein other gamers can report similar abuses. Despite that, however, cybercriminals hacking game accounts to harvest gaming currencies continue to rise in number.

In the end, the controls that game publishers have put in place are not effectively stopping the criminal rings that have spent years honing their skills in online banking and eCommerce. With the evolution of the video game business model, publishers and developers have only recently been forced to start thinking about cybersecurity and are primarily employing front end/login and backend/transaction level controls. Unfortunately, organized cybercriminals are already in the games. Panopticon Labs has been saying this for years and the new Trend Micro report has backed up our assertions from a threat research perspective. It’s time for the industry to get ahead of the problem and employ better in-game tools to identify fraudulent and abusive behavior.

Panopticon Laboratories’ is a publisher’s best defense against the cybercrime epidemic affecting the video game industry. Our suite of products uniquely identifies a baseline of normal activity for every online player within a game. By doing so, we help video game publishers proactively discover anomalous in-game behavior, such as an abnormal item or monetary transfer or withdrawal; or suspicious or erratic gameplay – with 99% accuracy. But we don’t stop there. Panopticon also provides video game publishers with the tools for quick and easy incident investigation and remediation, enabling them to mitigate risk and maximize revenue, while remaining invisible to players and the bad guys.

Contact us for a demo today.