G2A pays Factorio developer $40k over illegally obtained game keys (polygon.com)
195 points by haunter 13 days ago | 156 comments

G2A is, and has always been, a black market for software. They list Windows 10 for $27 [0], McAfee for $4 [1], among many other things [2]. They sponsor professional esports teams to add legitimacy to their brand [3].

[0]: https://www.g2a.com/microsoft-windows-10-pro-microsoft-key-g...

[1]: https://www.g2a.com/mcafee-antivirus-pc-1-device-1-year-mcaf...

[2]: https://www.g2a.com/category/software-c5

[3]: https://navi.gg/en/read/text/232-navi-prolongs-the-partnersh... (Note the logos on the uniforms)

Why do you say it's a black market? Reselling of license keys is legal within the EU. Granted the hundreds of keys mentioned in the article were originally stolen, therefore illegal to sell but it seems they're taking steps to combat those, including honoring the 10x agreement with the developers.

Having quickly googled it, I've seen much criticism about their sale of grey market keys (keys sold cheaper to specific markets being sold to other markets) but those are legal. Many of the other criticisms are because some users are selling stolen keys, which puts G2A at the same level as Amazon or eBay.

The stolen key system (legit keys bought with stolen CCs) has been how G2A keeps their prices low.

I don't think this has been a mystery to G2A and they've been at it for years / not been responsive to developers who have contacted them about it ...

How is that different than someone selling products on eBay or Amazon that were purchased with stolen cards?

It's not, but that doesn't make it legal.

It also doesn't make G2A "A black market for software".

G2A is fundamentally a consumer empowering type of market/organization, businesses who sell keys do not want their completely legitimately purchased keys resold, and if you don't think they are going to stoop to painting the people who enable that as horrible monsters, you have ignored the entire history of markets and PR.

G2A has a standing offer to pay devs 10x what any fraudulently obtained keys cost them, and they are making good on that offer here, the fact they are still being treated like some kind of mafia-esque organization in these comments says a lot about the power of PR.

Remember when the RIAA was coming out about the evils of used CDs and was asking congress to make their resale illegal?

We are at that point right now with digital goods, with the majority of people cheering on this blatantly anti-consumer bullshit and painting those that enable fighting it as scumbags

That standing offer is no longer a standing offer now that they've proven that they are re-selling stolen keys.

Now they simply (and appropriately) offer to repay proven fraudulent keys and chargeback fees.

G2A doesn't get much good press because many people empathize with indie game devs, and prior to this finding G2A loudly and broadly claimed that there were not stolen keys being sold through their storefront.

Do you think eBay is free of stolen goods and illegal credit card transactions? G2A works exactly like eBay does, and I don't see much hand wringing about how we need to shut down the scum at eBay, for the children.

So you think because sometimes eBay listings are stolen goods that G2A selling stolen goods is fine, gotcha. Seriously, what is your point here?

It's not fine, but it's also completely impossible for G2A and eBay to fully avoid, because both are marketplaces.

What matters is how they address it, and that is being completely ignored in these comments in favor of vague moralizing about the evils of consumer choice.

Here's a tangentially related DEF CON talk about the strange economics of that whole scam. Basically, everyone in the chain apart from the cardholder benefits.


Does it have to be different?

It doesn't, but we don't see front page posts on HN saying "Stolen goods sold on eBay".

IMO this should be a congratulatory post "G2A owns up to their mistakes and follows through on their word" ...

Let's see if G2A does... they've profited from not doing so for a long time. They knew, they didn't care and they sold other people's work for their own profit. They earned plenty of skepticism and this wasn't a one off mistake, it was exactly how they chose to do business for a long time...

Let's see if eBay does... they've profited from not doing so for a long time. They knew, they didn't care and they sold other people's work for their own profit. They earned plenty of skepticism and this wasn't a one off mistake, it was exactly how they chose to do business for a long time...

If the majority of goods on eBay were stolen then you would absolutely see that post.

If you're going to claim with a straight face that the majority of goods on g2a are stolen, which is what you're implying, you're going to have to provide sources.

Are the majority stolen on G2A?

When I went to Poland earlier in the year, I even saw they sponsor a massive Arena: https://g2aarena.pl/

Last time I bought a very cheap Windows 9? (circa $35) it was simply an OEM edition that required you to call MS and tell them you are registering new hardware. It obviously implied you could not reuse the key for new hardware.

But that was a genuine key.

PS: I just checked the listing you gave and yes - that is an OEM version where they clearly describe that you would need to personally register your copy over phone and that you can only use it for one PC.

It seems like you are at least partially wrong about them being generally a scam.

dunno about the others but 27$ Win10 is OEM license that is locked to a single machine. Seems legit.

The link I attached is to a normal license, not an OEM one, which goes for even cheaper: https://www.g2a.com/microsoft-windows-10-oem-home-microsoft-...

That's actually way too high a price for a windows 10 OEM licence. You can get entirely legitimate ones on eBay for <7€.

The reason they are so cheap is that EU laws protect the consumer right to resell things they purchase, and EU feels very strongly that this extends to software licenses. Most pre-built computers come with a bundled OEM Windows, which any EU resident can legally sell. Since a lot of computers bought by businesses, schools, hospitals, etc also contain Win 10 Home licenses, which are promptly replaced by whatever OS the site actually uses, and then immediately sold to someone reselling them, there is a healthy marketplace that has pushed license prices very low.

Yes exactly. The computer 'recyclers' take the parts out of EoL computers if viable and take the key off. Considering the demand for Windows keys is pretty low, and tens if not hundreds of millions of laptops/desktops go EoL each year, it's basically a virtually worthless commodity now the EU lets you transfer licenses from a PC.

That explains the cheap "consumer" (eg. home/pro) versions, but how does it explain the "rare" ones (eg. enterprise/LTSC) selling for $8 as well?

I'd speculate that the market for people who want or need an enterprise license but are willing to mess with grey market risks is actually pretty small?

Considering that enterprise is better than other editions in every way[1], there's no reason why anyone would not get enterprise, especially since it's around the same price.

[1] https://en.wikipedia.org/wiki/Windows_10_editions#Comparison...

We're talking about your average Windows user, here.

Well I don't see any of those on G2A.

OEM licenses are tied to the hardware that they were originally sold with and cannot be transferred. These licenses would not pass an audit.

The person you’re responding to is saying that such licenses are not legal in the EU.

Not in EU they are not, because doing that is not legal.

Do you have a reference for that? Does Microsoft continue to sell OEM licenses in the EU?

They do, but you are legally allowed to sell them on. Yes, the licence forbids that, but it's not enforceable and is meaningless. Courts have decided many times that software licences are like any other asset and yes, you can sell them on.

There's a full summary of the legal situation (in Polish, but I'm sure google translate will manage), with legal documents supporting it (it's actually been going on in early forms since 2000, but it's the ruling from 2012 that has cemented your right as a consumer to sell on software, regardless of whether the manufacturer allows it or not).


IANAL, but if the license is illegal, it wouldn't mean that it's illegal to sell a product under such a license.

It would just mean that enforcing all terms of that license would be impossible.

Nothing prevents you from writing an illegal contract, even enforce it a bit. Laws need to be enforced to have an effect.

Heard of eBay? VS2k19 for $5, Windows Server 2k19 for $5.

Black market, hah.

Yeah I mean I've been buying all of my Windows 10 keys off eBay for years, they always work fine.

Also keep in mind that in EU re-selling software is completely legal and that's where most of these keys come from (dismantled PCs, post-lease laptops etc). I bought a 100-user licence for Microsoft SQL Server 2016 for like $1000 because the company that used to own it went into liquidation and the assets were being sold off.

Yup. I grab all my Office keys from eBay too. Guess I'll look at G2A as well.

See the second part of this blog post[1] from 2019 for more context.

In a nutshell, fraudsters buy keys from the official Factorio store with stolen credit cards. They then sell these keys on G2A and Factorio gets charged back (+fees) when the real owners of the credit cards report the transactions as fraudulent.

[1] https://factorio.com/blog/post/fff-303

>>> With an average chargeback fee of about $20

Ouch. The charge back fee is as much as the item.

The problem is with Valve, who charge a 30% commission, even for sales directly from the Developer.

In a world of 12% commissions (ie. Epic Games Store) the effort to sell directly wouldn't be worth it and G2A wouldn't exist.

Epic has also recently enabled keyless integration with some 3rd-party stores eg. Greenman Gaming.

> The problem is with Valve, who charge a 30% commission, even for sales directly from the Developer.

That doesn't match what I've heard before, do you have a source? This site says that there is no fee to generate steam keys to sell directly, and in fact, you aren't even allowed to mark down the price of those keys. You are actually required to pocket the commission!


Valve doesn't take a 30% cut from the keys. You can generate and distribute them for free.

I should have been more specific and said 'for traffic generated by the developer', ie. even when they have the Steam widget on their website.

These keys are effectively serial numbers, not blinded tokens, right? Why don't the original sellers just revoke ones that were obtained through credit card fraud?

They did, as detailed in this blog post: https://www.factorio.com/blog/post/fff-303

They still had to eat the $20 fee per fraudulent transaction and deal with the pissed off customers though.

It's difficult because game-devs rely heavily on good reviews. Even if you revoke a key that you know for a fact has been stolen (or bought and charged back on CC), if it has been resold there is a very good chance that the new buyer will leave you a bad review. It's a lose-lose really.

How does that get the devs any of their money back?

I don't know what you mean. Someone who wanted a key would have to buy one that wasn't fraudulently obtained, thus supporting the developer. The seller in fraudulent transaction would still have to eat the chargeback fee, but it would be a better overall result than now where the fraudster profits. Eventually they would do this quick enough that it would become pointless to attempt the fraud, thus reducing the chargebacks.

The fraudster profits regardless of whether the key is revoked or not, because they sell the key to some sucker before the fraud is discovered. The fraud is discovered when somebody looks at their credit card statement and notices the unexpected charge, so the game developer has a very limited ability to revoke fraudulently obtained keys more quickly.


No, it's how terrible people are. The chargeback mechanism is consumer protection through and through. It's there to help you deal with shady merchants, fraud, and theft. The fault lies entirely on the people abusing it.

Blaming the banks here is akin to blaming the postal service because they delivered a bomb.

You are too easy on the credit card system. If you manage to steal my European bank card, you can't use it without the PIN code. If you get all numbers on it, you still have nothing useful. This kind of fraud simply does not exist with our bank cards.

This raises the bar for theft and fraud significantly compared to the credit card system, where a simple copy of the numbers on it is enough to take any amount you want.

This depends. My Dutch credit card with a PIN protecting it can be used online as long as you have all the numbers.

However, almost everybody I know never uses credit cards to buy anything. Everyone I know uses debit cards. With the rise of contactless payments there's an argument to be made that those are still usable, but it only takes a quick call to your bank to disable that.

All Dutch banks I've seen used online require at least SMS 2FA. Payments through mobile banking apps often do not, but the process of authenticating your phone with your bank is very cumbersome even for legitimate use. In my local banking ecosystem, digital fraud only really exists in the form of phishing. I don't think I even know anyone who's ever done a chargeback.

The credit card system is horribly designed and because of compatibility reasons (and fear of change) fraud is much more common than with banking like I'm used to. I use my credit card as backup on holidays and for paying on some foreign websites but I never feel at ease entering my card details. It's ridiculous how in this day and age credit cards are still so easy to abuse.

> However, almost everybody I know never uses credit cards to buy anything. Everyone I know uses debit cards.

Why? Here in America CCs give fraud protection. Debit cards only after the first $50 after a fraud charge. Banks almost always reverse CC charges.


Because Europeans are weird about this, there isn’t really any reasonable explanation.

> if you manage to steal my european bank card, you still can't use it without the pin. If you get all the numbers on it, you still have nothing useful.

You can absolutely use a credit card online if you get the card number, date and those last three numbers on the back. No need for a pin there.

You can even use a stolen credit card these days in physical stores, because of the Contactless Payment on most new cards. As long as you don't spend too much, you won't need the pin.

Not entirely. Since Strong Customer Authentication took effect in Europe, 2FA is now required in most places for most purchases. Additionally, contactless now "expires" occasionally, and requires you to put your PIN in after spending €150 since the last time you entered your PIN.

I have managed to go a few weeks without putting in my PIN. I don't think there is a set limit. Not for my bank/card at least.

In fact, you don't need a pin and you don't need the last three digits either. Pretty much every terminal can do a "card not present" transaction where you only need the long card number and the amount. My bank classes those as "telephone transactions" and I can disable them entirely on my card, but they are enabled by default.

That's more or less what I was saying? My European bank card is a debit card. If I pay online, it redirects to a page for my bank. This does a 2 factor authentication. The 2FA challenge contains the monetary amount and the IBAN check digits, so even MITM is hard.
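The transaction-bound challenge described in the comment above, as an added example that is not part of the thread and not any bank's actual protocol: the response code is computed over the amount and the payee IBAN, so a change to either in transit makes the bank reject it. The HMAC construction, the device key, the nonce and all function names are assumptions; the IBANs are public documentation samples.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    payee_iban: str


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and require the resulting number mod 97 == 1."""
    s = normalise_iban(iban)
    if not (5 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def challenge_display(p: Payment) -> str:
    """What the user's device shows before approval: the amount and the
    payee's IBAN check digits, as in the comment."""
    iban = normalise_iban(p.payee_iban)
    euros, cents = divmod(p.amount_cents, 100)
    return f"EUR {euros}.{cents:02d}, payee IBAN check digits {iban[2:4]}"


def response_code(device_key: bytes, nonce: bytes, p: Payment) -> str:
    """Assumed construction: HMAC-SHA256 over nonce, amount and payee,
    truncated to an 8-digit code the user could type in."""
    msg = "|".join(
        [nonce.hex(), str(p.amount_cents), normalise_iban(p.payee_iban)]
    ).encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_accepts(device_key: bytes, nonce: bytes,
                 executed: Payment, code: str) -> bool:
    """The bank recomputes the code over the payment it is about to execute,
    not over what the user's browser claims was approved."""
    if not iban_is_valid(executed.payee_iban):
        return False
    expected = response_code(device_key, nonce, executed)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    key = b"constructed-demo-device-key"          # constructed sample value
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")
    fresh_nonce = bytes.fromhex("ffeeddccbbaa99887766554433221100")

    approved = Payment(4999, "NL91 ABNA 0417 1643 00")
    code = response_code(key, nonce, approved)

    altered_payee = Payment(4999, "DE89 3704 0044 0532 0130 00")
    altered_amount = Payment(499900, approved.payee_iban)

    return (
        bank_accepts(key, nonce, approved, code),        # as approved
        bank_accepts(key, nonce, altered_payee, code),   # payee changed
        bank_accepts(key, nonce, altered_amount, code),  # amount changed
        bank_accepts(key, fresh_nonce, approved, code),  # code reused later
    )


if __name__ == "__main__":
    print(challenge_display(Payment(4999, "NL91 ABNA 0417 1643 00")))
    print(demo())
```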

There's also 3-D Secure, which e.g. UK banks have implemented. This is a solved problem with sane solutions, just like chip&pin, and not using cheques.

[0] https://en.wikipedia.org/wiki/3-D_Secure

3-D secure is still extremely vulnerable to phishing. And when you do get phished, you’ll generally be in a far worse position than you’d be without it.

Sane solution? For merchants, maybe. For consumers, no.

Your bank doesn’t enforce this, the merchant accepting the payment chooses to require this.

I've always wondered, does using a PIN make it both safer for the consumer and merchant, but also make it harder for the consumer to argue fraud? With my signature-only card, it's easy to receive the benefit of the doubt from the issuer when a shady charge hits, but with a PIN card, would the issuer respond, "It's your PIN, you agreed to guard it, so it's your fault."? I'm imagining some sort of ATM fraud situation where someone records or otherwise logs the PIN number. Or is the safety more from the chip not being replicable?

Yes it does make it harder to argue fraud. If the stolen credit card is used with the pin by the perpetrator, the bank will often say it was your responsibility to guard it.

Had my card skimmed at a gas station once, bank covered it and issued a new card with zero interaction from my side.

There are two parallel systems for payment cards, only one of which is "protected" by the PIN and which one is probably instructive for you.

Authorisation is the system which verifies that you, the card's holder, authorised this payment. This is the part that EMV ("Chip and PIN") and lots of anti-fraud technologies are focused on, and yes its main purpose is to prevent you (though also the merchants) from defrauding the bank or other card issuer.

Settlement is the system which transfers money from your account to a merchant's account.

Authorisation is optional. If there is zero authorisation a settlement will still work, though there is some higher chance either the card holder later disputes it or the issuer decides it was fraudulent by their own methods.

Big merchants often just don't use Authorisation at all. Whereas if they didn't do Settlement they wouldn't get the money, not doing Authorisation just means it's harder for them to "prove" you agreed to pay, but they may find it just isn't worth fighting you anyway.

Knowing this you should read your card statements every time they're sent, in proportion to how careful you need to be about money (if you're Elon Musk maybe don't sweat any line item under $1000) because that's the first time you may find out that, for example a hotel in a country you've never visited has submitted Settlement data taking $500 for a hotel room you never booked. Mistake? Fraud? Who cares, if you don't spot it then you're out $500.

Yes banks may tell a jury in a fraud trial (against you, their customer who has been stolen from, convicting you of fraud means they aren't on the hook for the missing money) that only you should have known the PIN and therefore the jury should assume that your inability to explain how "someone else" had the PIN means you're lying. You will need a good lawyer and experts to explain that actually the bank's insiders can know the PIN (the bank will try to dodge this awkward fact, insider fraud at banks is common and banks would prefer you never think about that) and there are various means by which it could have been stolen that the bank doesn't do enough to prevent.

When EMV ("Chip and PIN") was introduced the main increase in fraud went like this: You hide a skimmer inside the PIN terminal, and it harvests card details (it could also harvest PINs). The terminals are supposed to have "anti-tamper" systems to defeat that, but they're trivially bypassed. Now, you can't use these to make EMV cards, but you can use it to make a convincing fake non-EMV card, and then use it in countries that haven't rolled out EMV.

This fraud mostly went away as more countries finished deploying EMV but other types replaced it. Some of these things are only possible because EMV is a typical "Hand rolled crypto" solution where nobody remembered to hire actual expert cryptanalysts to critique and revise the design before it shipped. Others aren't technical at all.

Ross Anderson's Blackhat talk, "How Smartcard Payment Systems Fail", has some awesome details about this. See e.g. 26 minutes in for the No-Pin attack.

[0] https://www.youtube.com/watch?v=ET0MFkRorbo

Why is checking my email more secure than paying for something online? Why are we still using usernames (credit card numbers) and maybe a 14 bit password (pin)? The merchant should give the user a signed request for money, which the user's account signs and the money is transferred.

Even this is too little criticism. Why do banks not implement an open standard with credit card processors, that allows the bank to talk directly to the processor and do a direct "push" transaction that I authorized, instead of having to "pull" money out of the card I'm giving to some shady site?

Hell, even having disposable credit card numbers that were locked to a single merchant upon first use would basically eliminate card fraud.

Jeez people, at no point did I say that banks / credit card companies were perfect. Far from it.

There are N+1 ways transactions could be improved, and each one probably has many reasons why "it can't be done". I don't feel like getting into all of that though, because it would take forever.

Jeez guy, nobody is attacking you. I was agreeing.

> If you get all numbers on it, you still have nothing useful.

Does that also apply to online purchases?

Yeah, and with the banks I have used, there is always a second factor like an authenticator or phone confirmation as well.

That's....usually not true. At least the way it's implemented in the EU, yes, your bank has to verify if the transaction is legitimate, and optionally show you a challenge step. So when you pay online you usually get a small window displaying your bank's verification page, but unless there's something unusual about the payment, they don't actually verify it at all. So when I'm placing orders on Amazon it pretty much never comes up, but when I'm buying flights it usually does (but even then not always).

That is not true at all.

You're saying that just needing a username (and maybe a couple of bits of password), that you have to give to everyone you buy something from is good security?

I think it's a bit more nuanced than that. You have credit card companies offering a service that's easily abused and then charging companies for accepting their credit card service for their lack of fraud protection. As an online only platform, you don't have much choice other than to accept credit cards. It seems like it'd be so trivial to enact measures to reduce this type of fraud. My credit card company frequently sends me an SMS whenever I try to use my credit card on OVH.com, I suspect as a result of frequent fraud on their website.

I think it's a little of column A and a little of column B. Just a few weeks ago I had two back-to-back $400+ fraudulent online charges on my card, but due to alerts I discovered it within 20 minutes of them happening. I immediately called my bank and notified them that they were fraudulent. Apparently they didn't bother to do anything for weeks because 1) the charges still went from pending to posted several days later 2) the vendors were apparently not notified through some other method because they shipped the products and 3) the charges showed up on my bill (although later I received credits when they completed their "investigation."). So as far as I can tell the vendors got left holding the bag even though the bank knew the charges were bad. I know that the vendors shipped the equipment because at least one of them contested the fraud by submitting proof of delivery from the shipper (to the wrong address)...

G2A knows very well that they are used as a money laundering device for criminals, they just don't care.

What I don't understand is why banks and other financial organizations keep retaining G2A as a customer. Surely they must have hundreds if not thousands of cases involving G2A by now.

Don't they charge 20 dollars per chargeback as someone said? In a normal country the national bank would regulate this.

Far as I'm aware, there is no law restricting chargeback fees in Canada, which countries are normal?

Merchant services providers do need some fees to accurately process chargebacks, and in the normal case it also functions as an incentive to make sure you perform transactions that you reasonably believe won't be reversed.

The developer of factorio was charged 20 dollars for charge back.

I imagine G2A is using a more fraud-friendly payment processor.

> G2A told Polygon at the time that it intended to use either PricewaterhouseCoopers, Ernst & Young, KPMG or Deloitte to perform the audit. Unfortunately, according to a blog post issued on Wednesday, G2A couldn’t come to terms with those large firms and just did the audit themselves.

I wonder what the story is there, and I doubt those are the only companies capable of auditing.

The total value of keys stolen was $4k and the settlement was $40k. The big 4 audit firms won't do a custom audit operation for that kind of price.

It only really takes someone with a bit of technical expertise who both parties can trust. In this case you could probably find some enthusiast to do an excellent job for free. If Wube and G2A were able to agree the process was fair, that also seems good enough here - they don't need to satisfy a regulator or a tax authority, which are the main purposes of audits.

$4k per the one game they looked at, not $4k total, right?

Only one developer, who only develops one game, applied for the audit/refund process.

Audits normally cost a lot more than $40k. If the auditor is going to take legal liability for the audit being wrong, they will also typically want rock solid evidence, which likely hasn't been kept.

I'd bet that the sticking point in the negotiations was the cost of the audit.

A single fresh-grad analyst for a week costs more than the total value of the keys stolen at those firms... I've seen single, generic ppts sold for more than 40 grand.

Yes, definitely cost on that one.

That sounds like they basically walked in alone to Rolls Royce, McLaren, Ferrari, and Maserati dealerships in a fleece parka with an open can of Red Bull in hand, and it turned out it just doesn’t work like that.

If you have enough money, they are absolutely going to sell you a car.

It's interesting, they actually might not.

I've always assumed that since I have money I can just walk into a hotel and pay "room rate" on the spot unless they're actually full, because why wouldn't they take the money? The advertised room rates are high, but in a pinch it's much better than sleeping under a bridge.

And then one night (after midnight) I arrive at my pre-booked hotel for the night and as I'm checking in an obviously drunk person in a tuxedo staggers in with a half-full bottle. He wants a room, he has cash, and I stopped for a moment to see if that works how I'd expect. It does not, the night staff tell the man their hotel is "full" (it's a quiet weekday night, fat chance) and so it's impossible to give the drunk man a room. The man tries arguing, displaying the cash, it makes no difference and he is escorted out of the hotel. Interesting.

Big difference between a clearly very drunk person who's likely to cause issues and someone who simply isn't wearing a suit trying to buy a car.

Welcome to the world of audit. There are only 4 firms left after decades of consolidation and an Enron scandal. They are the only people that actually check the books of firms, and they all have profitable consultancy services that totally don't create conflicts of interest.


Well, no. There are thousands of small accountancy firms that will audit your small business' accounts. For large companies, you may as well go with one of the big 4 partly because of economies of scale - you want your auditor to have experience with similar companies, and almost by definition a smaller audit firm won't have lots of large clients.

Nothing that they said is wrong. The Big Four are a huge problem, and it's particularly interesting that the US hasn't done anything about it. Maybe not under its current (extremely corrupt) administration, but some of the previous ones seemed like they were at least sometimes shooting straight. This would for example, definitely be the kind of thing I'd expect an alternate universe President Warren to "have a plan" for.

London has an obvious excuse, three of the four are legally based there (the Big Four are all organised as groups of franchised firms, to reduce overall legal exposure, but they each have a group HQ and three of those HQs are in London). Even if you are quite sure they're committing billions of dollars of fraud (which I can't prove but you'd think a government might have the resources) some of those billions go into the UK economy via these HQs, so driving them away seems like a bad idea. The US doesn't even have that incentive, any replacement audit system would also spend a lot of money in New York and Washington as the current one does, but it could hardly be any more corrupt, so why not intervene?

all the "factorio friday facts" (blog title) leading up to the offer to audit and the 10x settlement




Just curious, how do these illegitimate keys get obtained to begin with? Is it some kind of payment fraud where keys are obtained through fraud and the payments then get reversed? If so why don't the keys get invalidated when the associated payment is disputed?

I could imagine:

1. Mr Evil uses stolen credit cards to buy game licenses.

2. Mr Evil sells those game licenses on this marketplace to Alice.

3. Alice has paid her own money for this game, starts playing it, maybe buys a few in-game items.

4. The original card owner disputes the charges.

5. Now, if the game manufacturer disables the game remotely, they will take a PR hit from Alice's vocal complaints on Twitter. Yet if they don't disable the game remotely, they continue to lose revenue.

Exactly this.

Typically the keys come from legitimate promotions such as the Humble Bundle, but purchased (as you said) with stolen card details.

Also, don't forget that the stolen credit card charge back incurs fees to the developer. So not only do they lose (potential) revenue, they actively lose money.

One common route is game bundles. They’ll ask for 20000 keys “just to start” and pay you 10% of total bundle revenue.

Surprise surprise, the bundle sells 150 units, you make $5, and suddenly you have 50 copies of your game being activated every day for the next year.

Just a note to indie devs out there: unless it’s a colossal site like Humble Bundle, all game bundles are scams. Ask them if they can return unused keys to you after the bundle finishes and they’ll suddenly stop replying. Legitimate sites have no problem doing this if sales really ended after the bundle did.

There's nothing wrong with this. Someone who legitimately buys keys from a bundle should be able to resell them.

I'm pretty sure the comment you are replying to is talking about the group/company/person that runs the bundle. They ask for 20,000 keys, sell 150 legitimately, and then sell the rest of the 20,000 on the gray/black market. Reselling a key you bought legitimately isn't the issue here AFAICT.

I think the point is that the people -running- the bundle are reselling all of the keys that didn’t sell as part of a bundle. Not the end customer who purchased a bundle.

Yes, lots of stolen credit cards and automated account creation in Steam. I understand that the publishers had to ban the accounts by hand to invalidate the keys.

As well as credit card fraud, I believe some shady key resellers buy keys in poorer countries where the game's price is low, and make a profit reselling the keys in richer countries, for a price somewhere between what they paid for the key, and the legitimate price in that country.

If the game is on sale in the poorer country, all the better for the reseller.

With the Internet, I imagine this is all very easily done.

Perhaps this is a game dev stealing keys from their employer and reselling?

A couple of ways I've seen are:

Pretending to be an "influencer" so you get free press keys

Buying keys in a region with low regional pricing then reselling them in a higher region

Buying a bunch of keys during a sale, then reselling them a couple of months after the game is no longer on sale

All of those are completely above water, legally speaking. There's even a term for that: arbitrage.

The first is probably Fraud by False Representation if you do it in England and Wales. ("Made a false representation, dishonestly, knowing that the representation was or might be untrue or misleading, with intent to make a gain for himself or another, to cause loss to another or to expose another to risk of loss.")

Though note that Factorio never goes on sale.

Is it the same price everywhere in the world though?

It is not.

Steam has lower prices in some countries. Factorio sells for the equivalent of $12 in India while it sells for $30 elsewhere. Most games are similarly discounted. That said, someone who buys it from Steam can't gift the game (or presumably extract a key) to someone in a different country. If you bought the game in India, only an Indian account can play it.

You can see the prices per region here:


> Buying keys in a region with low regional pricing then reselling them in a higher region

Notice that companies can do that with labor and buildings and tax evasion, and it's 'situation normal'... But when real humans try to, it's bad and illegal and horrible.


I just started playing Mindustry [1] after someone on HN recommended it a few days ago and I'm hooked. My understanding is that it's roughly a Factorio clone, which I haven't played. Should I go play the original? Glad the developer got what they were owed here.

[1] https://mindustrygame.github.io

I've played both, and while Mindustry is good, it's...hmmm.

Mindustry is a tower defense game with surprisingly deep supply chain, research, and crafting system bolted on to it. They're still very much secondary.

Factorio is a stupidly complex supply chain optimization problem, that also has an actual game bolted on to it, and some of the gameplay is tower defence related, sure (depending on your game settings).

They look similar, and both let you mine ore to turn into ammo for turrets, but the similarities end there. If you really enjoy the tower defence part of Mindustry, Factorio will probably seem like an overly complicated version of Mindustry that's not even as fun. If you're fine with the tower defense parts of Mindustry but you just really want to spend 6 hours redesigning your secondary copper smelter to iron out a throughput kink which is causing bottlenecks in your northwest electronic fabs, with flow on effects to your entire atomic energy program, then you'll love Factorio.

(Disclosure: I much prefer Factorio.)

Also, Factorio is quite moddable, and there are some interesting mods that make it even more insane, so there's that to look forward to as well.

If you're curious, I'd recommend giving it a try. If you're still cautious, there are a ton of really good streamers and let's plays on YouTube; they should give an EXCELLENT view of what the game is like and if it's "for you".

Finally, if you do like Factorio, I'd also recommend modded minecraft. Some packs focus heavily on massive, enormous research trees and automation.

Could you please link some of the minecraft mods worth looking at? I did research that in the past but was disappointed greatly. Thanks in advance!

Not OP. A bit out of the game but when I was watching streamers a few years ago Buildcraft was pretty popular.


Another comment mentioned this modpack:


Analysis paralysis of which one to choose is getting real. Thanks for the recommendations.

Go with FTB. From skimming the news on the FTB page, I saw that buildcraft appeared to get an update, which implies it is included. FTB is a huge mod pack with many popular mods integrated to work well together. You can always go back to vanilla buildcraft if you want.

You can start at /r/feedthebeast on reddit. Modern industrial-theme-modded minecraft has some massive and well crafted modpacks.

If you want a concrete insane example, try Project Ozone 3.

Project Ozone 3 seems great indeed. Thank you!

As a game player probably look at mod packs rather than individual mods to change up the game. The best packs put together a bunch of different mods, tweak the resulting balance of the game and might offer a "quest" system if you're the kind of person who needs to be told what your objective is rather than making their own way. Feed The Beast linked by others is the best way to find such packs these days, they make their own but also offer others.

Somewhat like Factorio, most modded Minecraft assumes you already know what you're doing so it can be pretty daunting for a beginner. Obstacles that come to mind (but I'm far from a beginner and may well have forgotten some):

JEI ("Just Enough Items" and predecessors including "Not Enough Items", "Too Many Items") knows all the "things" that exist in your game, and usually how to get them or what to do with them, but it mostly assumes you actually knew and were just looking for a reminder. I know I can probably make an electrum ingot by melting gold and silver ore in this TiC smeltery and waiting for the alloy to form, and technically the JEI says that, but chances of a beginner going from "I need an electrum ingot" to "I need to build a TiC smeltery" are almost zero without help.

Some "vanilla" Minecraft trivia takes on a great significance in most mod packs. Knowing how to make a "Cobblegen" (a structure with lava and water which produces one or more cobblestone blocks that when mined are replaced each time) and a "Mob farm" (a place where enemies are endlessly created and, perhaps later, killed automatically in order to get the "loot" they drop) are things you'll do in modded Minecraft that you may never have needed in casual play of the original game.

If it doesn't hurt your enjoyment, try watching a "Let's Play" of a pack you think you might be interested in. The nature of random seeds and different preferences means you will end up doing something different than what you see unlike in a linear narrative game, but you can pay attention to how the gamer you watch deals with problems you had, and you will likely see techniques you want to imitate or clues to how something you didn't understand works.

As to specific mods though (packs will usually advertise which mods are used, though the pack might change how they work or when you get access to them):

AE: Applied Energistics (these days most commonly Applied Energistics 2): What if instead of storing things in chests you had a storage network to keep everything in, so you can type "Gold" hit tab and see all the gold things you own? What if this network could also be used to automate crafting, now you can type "Gold" and it'll offer things you don't have yet but the network knows how to make from what you do have? Doesn't building and debugging this network sound like fun too?

RFTools: Everything should clearly be powered by electricity. Smelting, obviously, but also potion manufacture, planting and harvesting food and wood, creating and destroying enemies, making entire dimensions to explore...

Integrated Dynamics: Obviously under the hood Minecraft is just a bunch of data you could program. Some mods expose parameters (an RFTools machine with 4059RF that needs 5000RF to do something is exactly 941RF short) but many do not, however those details must exist. ID lets you dive down there. e.g. I have built a Predicate (a boolean function that given an input returns either TRUE or FALSE) that decides whether my Astral Sorcery crystals are "finished" or not and then that Predicate is installed in a machine that pulls TRUE crystals out of the liquid starlight they're bathed in for further processing. Astral Sorcery isn't a technical mod, but ID doesn't care, there's a data structure and so you can write a predicate to examine the structure and make decisions.

Extreme Reactors (previously Big Reactors): Just the fun "optimisation" part of managing a fission power plant without the explosions and deadly radioactivity (if you want those other mods can do that, I find dying in an explosion to be unsatisfying but each to their own).

For modded minecraft, you're looking at finding a good modpack. Modpacks are often built around a handful of mods (sometimes even a single mod can define the feel of a pack), but will invariably contain dozens or hundreds of mods. Just configuring everything to work together can be a major challenge; there's a similar amount of work and creativity that goes into curating a modpack as a mod.

As for what modpack, I'm not sure. I haven't played in a couple years and the scene moves fast, and plus, there's a lot of different types of packs. For example:

Some packs are tech focused, and expect you to start from sticks and mud and grind your way up the tech tree to create an enormous factory dedicated towards building a massive fusion reactor.

Others are magic focused, and instead want you to build elaborate alchemical labs, summoning circles, or similar.

Skyblock packs start you in a vast empty void, often on a single block of dirt, or a 3x3 block of stone, or on the branches of a single tree or similar, and expect you to build from there up to a "normal" endgame; generally there are special mechanics to help you do this (like being able to place barrels to collect water when it rains, or being able to sieve gravel looking for nuggets of ores), and often a quest system to reward you with key items by completing certain challenges. There's more work to do (you have to build the island from scratch, one block at a time, and there's always risk of falling off), but you have more control than if you just found a flat-ish plain and started building huts.

Some packs are "kitchen sink" packs that just have every mod the curator can find and get mostly working, focusing on changing the game as MUCH as possible.

Some packs are narrowly focused on a theme or mechanic, or have an actual story line. Crash Landing (https://ftbwiki.org/Crash_Landing) is a bit old now (but should still work fine!) and could EASILY have been a standalone game; it was a great story of trying to survive in a hellish desert after your ship crash landed and is one of my top 50 favourite games period really.

Some packs focus on making things hard. Their tech trees are aggressively deep, and your starting tools are sharply limited. These often contain GregTech (if tech focused).

Some packs focus on allowing creativity. Some mods let you create extremely elaborate base designs and decorations, or craft enormously powerful custom armor.

I'd recommend looking around the Feed The Beast (FTB) subreddit (https://www.reddit.com/r/feedthebeast/), installing the FTB launcher, trying out a couple recent packs, look at what packs people are chatting about, etc.

I haven't played any of these, but based on how things worked previously:

Direwolf20 1.12 Pack will be a middle of the road pack, and a popular streamer (Direwolf20) will have a very extensive lets play series of videos about it, so it's easy to get started.

FTB Stoneblock 2 is a reverse skyblock (you start in an infinite world of stone) with lots of quests and tweaks to make that work.

FTB Builders Paradise is more about building cool stuff than grinding out crazy tech trees.

FTB Continuum is just about grinding out crazy tech trees.

FTB Interactions is meant to be BIG, well integrated, and since it has Gregtech, probably a bit slow.

There are many other packs (some of the most popular packs are NOT official FTB packs, but it's easier to find info on the current FTB packs), and many other launchers, and the above may not be right for you, but if you try a couple of those, and poke around the FTB subreddit, you should at least get a feel for what direction you'd like to go in.

Also, I highly recommend finding lets plays to watch at first; modded minecraft can be hard to get into because it's basically a series of new games, built out of mods, built on top of a hacked API, built on top of a sandbox game; there's a LOT of layers to the onion, and not a lot of documentation. :) Stuff like learning how to use JEI to quickly lookup items and how to craft them is critical when trying to understand a new modpack that might literally add thousands of items and recipes.

Don’t play Factorio if you have other responsibilities such as family, friends, work or hobbies.

I avoided Factorio for years because it sounded like the sort of thing I'd get addicted to. At one point about a month ago, I saw it here and decided to give it a try.

I barely slept for the next two weeks, I played something like 100 hours in that time, and kept going to bed at 7 am.

Luckily, I never played again after launching the missile, it's kind of lost its appeal after I saw the full tech tree and there was nothing else to research.

> the full tech tree

Thanks to modding, such a thing does not exist.

Bob's & Angel's is the most popular big mod. Krastorio2 is a recent 'vanilla+' offering that I've been enjoying a lot recently. The 'familiar but different' feel is very compelling. There are loads of smaller mods, but I've always liked the modpack approach a la Minecraft.

It's noteworthy that Wube has unofficially supported the Krastorio2 modders. It demonstrates their commitment to the community, and was just a great decision all around.

Oh huh, I'll install that, thank you. I like things that add new functionality, but I'm not very excited about mods that just split the existing tech tree into more/harder steps. Do these mods add new functionality, or just make things like circuit types more numerous and expensive?

Depends on what you define as new functionality. They can have things like warehouses (huge chests), mini factories (https://mods.factorio.com/mods/MagmaMcFry/Factorissimo2), by-products that you need to manage (more complex versions of uranium/oil processing), new equipment (like early game buildbots or huge late game inventories) etc.

Thank you, those all sound interesting. I installed a Nanobots mod and the game was twice as enjoyable, it really should have that built-in.

I work all day, then start my second job. Optimizing my way to a 1k science per minute base. Good thing I upgraded my PC last year!

The factory must grow to meet the needs of a growing factory!

The PC must grow to meet the needs of a growing factory

I had the exact same question, thanks for posting it.

My issue is that 15 years of using Steam have taught me to almost never buy a game unless it's on sale, and Factorio doesn't go on sale. I get they're taking some sort of principled stand or whatever, but honestly I am way more likely to buy a game listed for $40 that's "on sale" for $30 than one that's just $30. Hell I'm probably more likely to buy the game "on sale" for $32 or $33. Obviously this is a stupid psychological trick and I recognize I'm falling for it, but it definitely happens to me, at least where Steam is concerned.

They are very different. Mindustry focuses more on the waves of enemies and tower defence aspect while in Factorio the enemies are kind of a secondary thing.

Yes, I think you would probably like Factorio. It even has a demo, which makes it easy.

I played and enjoyed both casually (40ish hours); in addition Satisfactory is also fun, as it has a more immersive 3D view: imagine a giant tower of stacked factories with belts and elevators rushing resource in and out. Dedicated SF players build enormous, enormous multi level structures.

SF is different in that as you explore the world, you can find alternative and perhaps more different recipes and combat against the passive monsters is entirely player vs monster.

Mindustry looks a lot like The Space Game... thanks for turning me onto it.

"G2A couldn’t come to terms with those large firms and just did the audit themselves"

That's not an audit, it's just deep introspection

Deep introspection is free... audits cost $100k+

Black/gray market aside, the G2A "shield" cancellation process is the epitome of dark patterns.


Terrible company.

Please can someone explain to me this: Why can't game developers just make a key retroactively invalid if it was found to be stolen?

They could, but it won't hurt the person who purchases the codes with a stolen credit card or the reseller who already offloaded the stolen goods. It just hurts the people who unwittingly bought the stolen keys.

Perhaps but they won't make that same mistake again right? At least they would never buy anything from g2a again

Usually they blame the developer and then go buy someone else's games on G2A

Likely that the cost/benefit isn't there for such a system if you're a smaller pub.

An MVP Implementation would require Something to determine if a key was stolen. Let's just imagine it's something that keeps a Key tied to a given Order number, and can mark a key as invalid if there's a chargeback on the order.

You probably need another subsystem to periodically re-check the key if you weren't already doing that.

You'll also need additional CS / PR staff to deal with the eventual case of people who bought keys complaining and blowing your company up on Social media.

Pulling numbers out of the air, I'd guess that this would add 50-100k to the overall budget of the game. Possibly a high number but I'm assuming at least one additional staff member would be required to deal with the potential fallout of such a move.

But even then the catch rate would be limited; within the first 1-3 months it will likely be cracked anyway and your protection mechanism will be meaningless to the people who really want to steal your software. Assuming your thieves buy the keys day 1, it would likely take a good 2-3 months for the chargeback to happen...
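The MVP sketched in the comment above (each key tied to an order number, revoked when the order is charged back, with a periodic re-check), written out as an added example that is not part of the thread or any publisher's real system. The names `KeyLedger`, `KeyRecord` and the order id are hypothetical, and the 75-day delay is a constructed value standing in for the 2-3 month chargeback lag the comment estimates.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class KeyRecord:
    order_id: str
    issued_on: date
    activated: bool = False
    revoked_on: Optional[date] = None


@dataclass
class KeyLedger:
    """Hypothetical ledger tying each key to the order that paid for it."""
    keys: dict[str, KeyRecord] = field(default_factory=dict)
    by_order: dict[str, list[str]] = field(default_factory=dict)

    def issue(self, order_id: str, today: date) -> str:
        key = secrets.token_hex(8).upper()
        self.keys[key] = KeyRecord(order_id, today)
        self.by_order.setdefault(order_id, []).append(key)
        return key

    def is_valid(self, key: str) -> bool:
        # Used at activation and by the periodic re-check of active installs.
        rec = self.keys.get(key)
        return rec is not None and rec.revoked_on is None

    def activate(self, key: str) -> bool:
        if not self.is_valid(key):
            return False
        self.keys[key].activated = True
        return True

    def chargeback(self, order_id: str, today: date) -> list[str]:
        """Revoke all keys of an order. Returns the keys already activated,
        i.e. the players who will see a working game stop working."""
        affected = []
        for key in self.by_order.get(order_id, []):
            rec = self.keys[key]
            if rec.revoked_on is not None:
                continue  # duplicate chargeback notice: nothing to do
            rec.revoked_on = today
            if rec.activated:
                affected.append(key)
        return affected


def demo() -> dict:
    # Constructed scenario: one order, two keys, chargeback 75 days later.
    ledger, day0 = KeyLedger(), date(2020, 1, 1)
    resold = ledger.issue("ORD-1001", day0)
    unused = ledger.issue("ORD-1001", day0)
    activated_ok = ledger.activate(resold)       # buyer on a resale site
    late = day0 + timedelta(days=75)
    affected = ledger.chargeback("ORD-1001", late)
    return {
        "activated_before_chargeback": activated_ok,
        "players_cut_off": len(affected),
        "recheck_passes": ledger.is_valid(resold),
        "unused_key_still_works": ledger.activate(unused),
        "repeat_notice": ledger.chargeback("ORD-1001", late),
    }
```

The list returned by `chargeback` is the support workload the comment budgets for: every entry is a player whose game worked until the re-check.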

Wube was doing this, but the people who bought the keys off G2A didn't know they were stolen and got sad/mad.

Great factorio blog post on the topic: https://factorio.com/blog/post/fff-303

Because the game developer had to pay the credit card company a chargeback fee so they're out of money.

That's not what I'm asking though. Let's assume the thefts go on as they do with no changes, if devs made the keys invalid it would starve g2a's business.

exciting! i wonder if this will set a precedent going forward for any other software impacted by G2A’s very grey area tactics. i do believe there could be a marketplace which facilitates swapping keys for other keys, setting aside any monetary value and basing it on a person's perceived value of the game they would like to play.

The thing is the developer already knew they were stolen and resold. So this is likely just a tiny sample of what might be much higher numbers that go undetected. The burden of proof in their model is basically on the developers.

The developer knows which keys have been stolen from the developer, i.e. ones it has allowed to be used, but hasn't received revenue for, possibly because of a credit card chargeback.

It doesn't account for, e.g. having your laptop stolen with the games installed on it, or charged-back keys that were never used. But the developer knows about much more than "a tiny sample" of the thefts that actually affect it.
