Hacker News new | past | comments | ask | show | jobs | submit login
Credit card thieves using free-to-play apps to launder their ill-gotten gains (kromtech.com)
148 points by 0xbxd 9 months ago | hide | past | web | favorite | 91 comments

My pet conspiracy theory: The vast majority of the CS:GO economy is a massive money laundering operation for the Russian government. You have skins for an AK47 selling for $40,000. Does anyone seriously think that's legit?

You might have something there. There's something very cyberpunk in the idea of corrupting governments through virtual arms sales. Oliver North would be proud.

Buying a $40k CS:GO skin is $10k profit for the Youtuber who earns $50k making a viral "Buying a $40,000 skin in CS:GO" video.

You'd need a solid number of views to make that money back though! (billions?)

Isn't the youtube CPM like $5? you'd need 10M views for $50k, which seems unrealistic.

Lol no, cpm varies on every video but it's more like pennies on the low end to maybe a dollar for the most viral videos of the moment.

Source: am YouTuber, talk to lots of other YouTubers.

That's assuming just YT ad money and doesn't take into account sponsorship deals you can book based on your view count.

Also you can be running your own skins gambling site on the side, promote it using your channel, and not disclose anything.

But who would ever do such a nefarious things /sarcasm

A lot of youtubers receive direct donations and have monthly subscription offerings through things like Patreon. It might not be that unrealistic as it seems.

I’m not sure what parties you suppose to make a deal through that scheme, but for those who don’t know: in Russia no money laundering is required. You simply never get ‘source of funds’ questions even when buying something enormously expensive. Just don’t put it to the bank, unless you want to lose 10% (maximum no-brainer) on converting back.

This misconception is also shared among many russian folks who use term ‘laundering’ when actually they speak about tax theft or just theft through fake middleware companies who convert it to cash and that’s it.

As was suggested below, what you mas actually want to do is inject untraceable money into a foreign financial system in order to use it later for some nefarious purpose.

This is not true. Even when you buy a simple car, our IRS will require a proof. But it's still easy to cheat them.

> Does anyone seriously think that's legit?

Yes. Supply/Demand. Price discovery. Visibility. And critical mass. They all can make ridiculous valuations.

But back to money laundering: If you consider tax evasion as money laundering too. Then the legit economy is a subset of the money laundering economy.

Tax evasion is huge. Very huge. In the Trillions. Then you have drugs, arms, illegal stuff, governments, international corporations, etc... This huge flow of money will certainly pump to everywhere money runs (App Stores, Games with virtual cash, Crypto, Digital Goods, etc...)

Do they regularly sell for $40,000 or is that just the top price that's posted?


It seems the $40,000 one was an outlier, but still $4000+ is common. Total market volume is in the billions.

The market size for computer game skins is worth billions? I find that absolutely incredible. Do you have an article that talks about it?

Someone did some back of the napkin math here https://www.hltv.org/blog/11798/how-much-money-valve-is-maki... which estimates Valve's 10% cut of all transactions at just over 355 million.

No, you've read it wrong. $320m of that $355m is the revenue from selling 21 million copies of the game (and doesn't adjust for discounted copies).

The 10% cut of transactions figure ($21m) is based on how much money they'd make if all the items on csgobackpack.net were sold at market value. But the actual fraction of those items which changed hands would be much smaller.

Valve is rolling in money from its cut of transactions but these numbers are misguided.


Well Fortnite just made over $300 million in one month.


That's fairly reasonable when thinking about it. The sales for an AAA game is in the hundreds of millions of dollars. A free to play game should be able to earn the same order of magnitude through its shop, or there wouldn't be so many of them.

Know any good writing that introduces the game item market to outsiders? I am curious about the thought process of people who spend money in this way, and their perception of value.

I imagine a taxonomy of motivations, like the one Larry Harris has in _Trading & Exchanges_. Presumably some people get entertainment value (because surely there is a kick in seeing a game's world modified beyond its normal rules of state mutation); some speculate on price trends (hence the price graph on opskins.com; what are time series graphs for if not to spark idle dreams of avarice), and others getting some sort of utility (i.e., money laundering).

Skinning is probably a slight misnomer. The skins are applied to the player's weapons and can be seen by all other players as well as spectators. They are, in effect, a status symbol.

This feeds into the supply and demand component quite heavily, as you can imagine. All secondary effects follow this initial relationship.

Play Money by Julian Dibbell! It's on the dated side now but dives into MMO economies from a practioner's perspective — incredible read.

Market volume in the low billions is probably not enough for a government to do much serious money laundering. Maybe organized crime, but not a major national government.

Why would a government need to launder money? Are there no banks in their jurisdiction? Can they not enforce their laws on those banks?

You need to get the money into the US banking system in a way that doesn't arouse suspicion.

north korea

> Total market volume is in the billions.

Trade volume, or market cap? This is an important distinction. You can't multiply the number of items for sale by the market rate for those items. What you're saying is that people are spending billions on CS:GO items and I don't think that's correct; I think what you mean is that buying all the items at their current market prices would require billions.

$40k is probably a bit of an outlier, but there's still quite a bit of volume.

For example, this gun https://opskins.com/?loc=shop_view_item&item=498470571 sold 7 times yesterday for $200/pop. That's one item on one site.

ICOs, cryptocurrency to that list.

I'd be interested to know which version of MongoDB this was.

This "no auth" was a default choice for MongoDB through at least 2013 (in this case, it helped to find nefarious actions).

For more background, I wrote a three-part MongoDB[1]. These are the notes on auth behavior from the interview with MongoDB's CTO:

> - Defaults: I feel like it’s playing with fire to set bad defaults in a database - with numerous data breaches due to 10gen’s early decisions on authentication, remote login, and encryption (see for example, https://snyk.io/blog/mongodb-hack-and-secure-defaults/ ). For auth, Eliot argues that developers need to take responsibility for exposing MongoDB on public servers - and that the SLA for a self-hosted instance is different than a managed instance (at minimum, I have issues with users having their data exposed to the world through no fault of their own). He disagreed with 10gen’s decision to turn on auth by default in later self-hosted versions once MongoDB ignored remote connections by default (but thought this was the right choice for the managed Atlas service). (But before 2014, the default behavior was no auth - and accepting all remote connections, see https://snyk.io/blog/mongodb-hack-and-secure-defaults/ ; Eliot notes that this took a while because changing the default would have caused issues for existing customers)

( https://news.ycombinator.com/item?id=14804765 )

[1] https://www.nemil.com/mongo/

For auth, Eliot argues that developers need to take responsibility for exposing MongoDB on public servers

That’s like selling a car without preinstalled seat belts and then saying it is the responsibility of the driver if they take it on the road like that. It’s technically true, but it’s sort of missing the point.

I made the same seat belt point to him, and here's the section with his response:

> I do have concerns when 10gen explicitly targets junior developers ... What [Eliot, MongoDB CTO] says makes sense say 20 years ago, but with 25% of new software engineers coming from coding bootcamps with non-engineering backgrounds, I worry that defaults matter ever more in dev tools (and even seasoned engineers may mess this up, if they’re coming from a database with different defaults). We discussed analogies like seat belt lights versus the responsibility of passengers to know better. He also argued that waiting to get all this right - not just auth - would impact database innovation, while I think there’s a balance that gets us a lot of the low hanging fruit (like security).


My position, which I'm starting to get loud about, is that defaults matter more because the most recent shift in developer 'standards', for better or worse, is to expect us to use a vast number of tools to do our work.

If I have to use a vast number of tools, not only can't I be an expert in all of them, I can't even dedicate 5% of my attention to each one of them. Or really, to any of them. Because if I do, then I have nothing left to fulfill my job description. I'd just be curating a list of third party code all day long.

We either need to back away from the 'npm install' model or we need to really start thinking about our libraries as cattle. Which means they all have to behave in a predictable fashion or we cull them from the herd.

You can't have it both ways. We can't use peer pressure to stop people from writing their own (NIH), and then blame the victim when tools behave in surprising ways. The safeties need to be on by default, and only a few things in our lives can be so dangerous that we require special training to use them without killing ourselves. We only have space for a handful.

We need to develop the humility to accept that our module should be boring to the people using it, rather than a special snowflake. Take pride in the utility, not the notoriety.

> with 25% of new software engineers coming from coding bootcamps with non-engineering backgrounds

This is unnecessarily elitist: I’ve seen no difference in security awareness based on anything other than specializing in security, and even then it can be surprisingly blinkered.

That's fair. I was mostly reflecting on the time that most bootcamps spend on a student (2-3 months) relative to other programs.

But I agree that no matter the program, security best practices are rarely taught.

Agreed — I often feel like we’re in the period where the germ theory of disease is known but it’s still a battle to get doctors to wash their hands.

Or selling a gun without a safety.

"Well just don't shoot yourself or the wrong people silly!"

Dude that is not what happens in the real world!

Rule number one of firearms is never point it at anything with a round in the chamber unless you want it dead. That's an iron rule. You can't depend on safeties working 100% of the time, even in designs that have them.

You're not wrong about that, but humans are terrible about following instructions, that's kinda what I was getting at.

Sell thing where they say "well don't do that" doesn't make much sense in some cases.

I thought it was don't point it at anything you don't want dead i.e always assume there's a round in the chamber.

Many guns are manufactured and sold without safeties. Personal responsibility transcends industry.

Name a handgun in current production, that you can buy in any Western country, that has no safety on it.


Fun fact: one of the bartenders at my old watering hole was playing with the "bar gun", flipping the cylinder closed by flicking his wrist, and shot a round into the wall. Luckily I wasn't there that night because accidental discharges are a beatable offence.

I've had an ND only once in my life, and it was with a target rifle with a <1 lb trigger pointed downrange. It still scared the bejesus out of me.

If someone shot a round into a wall at a bar, it would be more than a beatable offence for me.

Handguns without safeties are really common - in fact most newly purchased police guns in the US today don't require anything beyond pulling the trigger.

The two most popular handgun lines in the US, the Glock[1] and the M&P[2], don't have what a laymen would consider a safety. The Sig P250[3], of CounterStrike fame, has no safety of any kind whatsoever.

[1] https://en.wikipedia.org/wiki/Glock [2] https://en.wikipedia.org/wiki/Smith_%26_Wesson_M%26P [3] https://en.wikipedia.org/wiki/SIG_Sauer_P250

ALL Glocks have a safety. It is integrated into the trigger pull mechanism.

(You should NEVER put your finger on a gun's trigger unless you intend to fire it. This is taught in all good gun safety courses.)

It is disingenuous to conflate a trigger "safety" with a classic manual safety. One requires unlocking as a separate action from pulling the trigger, and has it's own state independent of the trigger.

I doubt the original commenter new the difference, and was most likely referring to manual safeties.

Bought this online not too long ago, M&P 9c No Thumb Safety.


The Glock, one of the most common pistols for law enforcement and military, has no safety catch.

There's internal safeties to stop it from discharging if you drop it, but there's no safety to stop you from pulling the trigger and discharging a round.

You're right about pistols, but revolvers have no safety mechanisms (in general, at least), and they're handguns.

Sadly Glock has one of those on the trigger safeties... it's absurd.

Kel-Tec P-32?

I don't agree with your analogy. A database is not an consumer product, it's a tool and the people using it are responsible for its appropriate use.

To me this sounds like the hardware store selling saws, an uneducated consumer coming in and buying one and then going home and cutting their finger off and complaining that the hardware store should sell safer saws.

It's your responsibility to educate yourself on proper and safe operation of your tools.

My guess is most cases where this happens the developer don't know the server is public. I've seen it happen at past companies where DB/Services were accidentally configured on AWS with a public IP and VPC wasn't set up correctly to make it more explicit when exposing public services.

That's a wrong analogy, because the security itself is there, it's just that the user has to turn it on. It would be more like selling a car and allowing to drive it without seatbelts.

Given how off many of the details are in this article, I don't know that the authors have a very deep understanding of the f2p game economy. So it's hard to trust anything beyond "f2p games are used with stolen credit cards" part. Which is true, but not exactly news.

Most importantly they keep harping on about how Supercell should be doing more to ban accounts that tranfer illicit gems between accounts, or how each gem should have an individual hash so that it could be tracked to the source, etc. Well, given that gems are not and never have been transferrable between accounts in those games, having it be a bannable offense would have no effect at all. And the chain of ownership is always going to be exactly one step long.

(Yes, any game that makes the premium currency or items transferrable is inviting a lot of abuse. It's not just stolen credit cards, it'll also be account hijacks since they'd be very lucrative. Just drain all the victims items before they can recover the account. Optionally you can also buy more items with the victim's already registered CC at the same time. So if a game does support these kinds of transfers, it's good to be deeply suspicious about the motives of the creators. But afaik it's simply not the case for any of the Supercell games that this article talks about.)

And then that table showing the scale of the problem is pretty bizarre. The stated revenue numbers must be off by around a factor of 5. I thought for a moment it was talking about the scale of the abuse they've deteted. But then that'd mean the scammers are using 100M Google accounts to wash 20k credit cards/month. That's too absurd to be true.

Of course the game makers aren't going to filter it, it makes them an "unwitting" benficiary of money laundering. It's not like their overt business purpose is any better.

They may not have any natural incentive, but whoever processes their credit card transactions could certainly provide one.

I worry that they don't really "care" either outside of a baseline of plausible deniability.

And why would they, if any fraud is insured? It’s priced into their business model.

There are some interesting ethical debates to be had around stealing credit cards. At the end of the day, who is the thief really hurting? The consumer is inconvenienced at worst. The card companies are insured. The insurance companies already priced the risk into their actuarial models.

AFAIK for card not present transactions, if a chargeback occurs, the merchant pays for the refund, plus a chargeback fee of ~$25. So unless the credit card victims are particularly clueless, this shouldn't be profitable for the merchant.

I suspect that none of the Free To Play games ever get that kind of chargeback fee given the sheer volume of money they process.

The credit card companies probably trip over themselves to give phenomenal offers to be the processor for them.

In addition, who really cares about a chargeback for an online game? Since there is no physical thing that transacted, simply reversing the transaction is quite straightforward.

Chargeback fees are the card clearing services way of discouraging chargebacks/disputes. They charge everybody them. The large banks put way more money through them than you're talking about, and they have fairly high write-off levels just because it's not worth raising a dispute unless you're damn sure the other party will be hit with the costs.

A significant amount of the time when you call your provider about a dispute (fraud or non-fraud), they will just pay out of their own pocket rather than raise it with Visa/Mastercard/whomever, it's just not worth the risk of being hit with the fees. (Unless they decide it's your fault, in which case they'll tell you to suck it up.)

(I am a developer on the disputes platform for a major bank)

>A significant amount of the time when you call your provider about a dispute (fraud or non-fraud), they will just pay out of their own pocket rather than raise it with Visa/Mastercard/whomever

Are you talking about when a customer calls their bank, or when a merchant calls their payment processor? I thought when a chargeback occurs, only the merchant side gets hit with fees?

If you have access to access to victim credit card accounts you could probably datamine the least likely to notice accounts. CC used at a bar 5 nights a week? Charge on.

Anyone else wondering if the criminals read Neal Stephenson's novel, Reamde, as a how-to guide?

> "Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before. In the 2011 the Danish part of the Apple App Store was flooded with expensive suspicious applications. More than 20 out of 25 of the most downloaded applications were from China. The price of the apps ranged from $50-$100. For example, one of them “LettersTeach”, was intended for children who are learning English letters, yet it cost nearly $78. This pointed to money laundering then, however, what we encountered now is much more sophisticated.

I don't understand how the laundering part works. There was a similar link posted to an overpriced book on amazon yesterday on HN, which also alluded to money laundering.

So if I understand correctly, the person(s) who want to launder their ill-gotten cash publish an app with an outrageous price, and then by the same app with their ill-gotten money, thereby turning it legitimate (buy way of the app company)?

If yes, then how much money could you possibly launder this way? Won't purchase of the same app a 100 times (if that's even possible) raise suspicion? And even then you've only managed to launder 50 - 100 x 100 = max of 10,000 USD. This is peanuts for the real money launders who would be dealing with millions of $ monthly.

That’s why they are using free games with in app purchases. You can download the game for free and buy the consumables a million times on a single account. It ends up being a lot less work.

This makes the most sense. It's simple to execute and I guess the IRS can't really come after you for buying a ton of in-app purchases at high amounts, as you can simply say "I'm addicted to this game."

There are already "click farms" [0] in China that are set up to game the app store rankings, this wouldn't be an unrealistic extension of their business model.

[0] https://kotaku.com/inside-chinese-click-farms-1795287821

Make a thousand fake accounts, load accounts up with money, and have them each buy your app?

The laundering part is easy. A guy has $1M need to clean up. Release a $1000 app under account A. Buy the app 1000 times with account B, C, D, ... Account A earns legit money.

What about the 30% comission the app stores take?

What's the going rate for money laundering? :P

Nothing wrong with losing a little bit of money to make a lot of money. Even Pablo Escobar had to write off 10% of all his money due to rats eating it. I feel like these people are ok with giving Google/Apple a 30% cut if it means a platform is provided for them to make the other 70%

> Even Pablo Escobar had to write off 10% of all his money due to rats eating it.

I didn't think this was true, but your statement checks out. Wow!

> "Pablo was earning so much that each year we would write off 10% of the money because the rats would eat it in storage or it would be damaged by water or lost," Escobar wrote.

Source: http://www.businessinsider.com/pablo-escobar-and-rubber-band...

Well, the money was illegal to begin with.

That does seem steep. The main article indicates methods that I suspect don't involve a 30% cut.

You're making it sound like the credit card companies are idiots. If a huge portion of their stolen cards are buying an obscure app with a $1000 price tag, they're going to notify the authorities.

Credit card companies don’t have product level insight. They would just see payments to “Apple Inc.,” hardly a rare occurrence for any customer.

Why would the credit card companies even want to stop this? For every transaction they are earning processing fees, the only thing they need is a small amount of plausible deniability to shed any legal liability. They are basically being paid to look the other way.

Laundering money means someone is using their own dirty money in a clean transaction, not further stealing others' money. This is all happening after the initial theft has taken place.

"They chose email providers with little to no protection against automated account creation."

To be specific, go2.pl, o2.pl, prokonto.pl and tlen.pl are the exact same mail provider - in fact, those domains are aliases for each other after registering. This means that by registering a single time, they get four usable e-mail addresses. Interestingly, the same provider also provides a functionality to get more aliases if you want, but it doesn't seem like criminals used this functionality (the aliases cannot be in those four domains, rather they can be in another list of 18 domains).

Doesn't fastmail offer the same feature? I remember at least a dozen aliases when I used them a decade ago.

I'm a little unclear on how they found this database and why it was left without security. It sounds like there is some well known vulnerabilities with older versions of Mongo and these people did some security audits where they found this particular database. Is the explanation for why this database was left vulnerable just a mistake on the part of the money launderers?

MongoDB's defaults have no real authentication.

In the lower right they note selling an AppleID with some game currency on it.

Is that of any use to a given gamer, a whole new AppleID?

I wonder if we'll ever know where these tools originated from.

Does the US DOJ have a history of halting this sort of fraud yet?

Thank you, we've updated the link from https://www.bleepingcomputer.com/news/security/open-mongodb-....

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact