Credit card thieves are using mobile games like 'Clash of Clans' to launder money

It's like Breaking Bad, but with video games. Kind of.

German cybersecurity firm, Kromtech, has reported on the growing concern of money laundering in mobile games. Credit cards thieves are using popular games like Clash of Clans, Clash Royale, and Marvel Contest of Champions to launder hundreds of thousands of dollars.

The cultural perception of money laundering is usually something akin to Breaking Bad or Netflix’s Ozark — brick and mortar businesses taking dirty money and “washing” it through the legitimate business’ revenue. These days, money laundering isn’t as cut and dried as all that. PayPal has cracked down on launderers. And now they’ve popped up in games like Clash of Clans, Clash Royale, and Marvel Contest of Champions.

“In the 2011 the Danish part of the Apple App Store was flooded with expensive suspicious applications,” Kromtech communications director, Alexander Kernishniuk said in the company’s report. “More than 20 out of 25 of the most downloaded applications were from China. The price of the apps ranged from $50-$100. For example, one of them LettersTeach, was intended for children who are learning English letters, yet it cost nearly $78. This pointed to money laundering then, however, what we encountered now is much more sophisticated.”

“This laundering is possible because of the accessibility to automatically create accounts on a large scale,” according to Gamasutra. Apple’s requirements for creating an account are relatively lax: valid email address, password, date of birth, and three security questions. Creating these accounts on a large scale with relative ease doesn’t require much more than scripts and a bit of processing power.

Kromtech doubled-down on their previous research into MongoDB security flaws and did another round of audits. Lo and behold, there was an errant database that wasn't locked down that gave away the game. “In June 2018 we spotted a strange database publicly exposed to the public internet (no password / login required) along with a large number of credit card numbers and personal information inside.”

It spurred the cybersecurity firm onwards and they determined that within just the three games previously mentioned, there are approximately “250 million aggregate users, generating approximately $330 million USD a year in revenue.” These games apparently have an active third-party market and use sites like g2g.com to “buy and sell resources and games.”

“With the account creation process automated,” the report continued, “the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load.”

There’s no easy solution to this, as it’s a nuanced problem with multiple companies and stakeholders involved in addition to these “bad actors.” Kromtech advises that developers (and Apple) start to take more of an interest in these transactions, rather than just bask in the earned revenue. If money talks, then this money has nothing good to say anyway.

Managing Editor

Amanda has been meandering around the game journosphere since 2010, mostly covering indie games, culture, and industry news. These days, she talks about the business of making games through a critical cultural lens. She adores RPGs, weird narrative indie games, and strategy games that take forever to learn. Amanda is also the managing editor of SuperParent. You can find her on Twitter as @AmandaFarough or you can email her at amanda.farough@gamedaily.biz.