Illicit activity is easy to spot when criminals document their progress publicly.

Free gaming apps are being exploited by criminals using automated tools to launder money stolen from credit cards, researchers at Kromtech Security can reveal.

Resources bought in popular free-to-play games – such as diamonds, gems, or weapon upgrades – have been used to launder illegal profits since at least 2013.

But now, savvy criminals are reported to have created an automated tool for buying and selling in-app purchases, while at the same time hiding their unlawful cash.

The tool allowed criminals to create fake Apple ID accounts at a large scale, which in turn permitted them to buy resources and games, then resell them via third-party websites. Approximately 20,000 credit cards were processed in this way, Kromtech said.

“The resources even maintain value after purchase, because in many cases, once bought, they can be traded, adding to the game play,” said Bob Diachenko, head of communications at Kromtech.

“The game itself can also be transferred from one account to another. Because of this, resources gathered or bought and games built to advanced levels can also be resold. It is the selling of these on third party markets that holds the door open to the illicit activity that we found taking place.”

Apps are notoriously used in illicit activity such as money laundering, and free-to-play games – now a multibillion-dollar industry – have been a goldmine for criminals due to a lax credit card and ID verification process, alongside the ease with which resources can be sold or traded.

Targeted games included Clash of Clans, Clash Royale, and Marvel Contest of Champions, although the use of the tool appears to have only been present in countries like Saudi Arabia, India, Indonesia, Kuwait, and Mauritania between April 2018 and mid-June 2018.

The tool’s sophistication, however, was undercut by its operators’ own carelessness: the MongoDB database used to document this process was left open for public viewing, which is how Kromtech first discovered the illicit activity.

“In June 2018 we spotted a strange database publicly exposed to the public internet (no password / login required) along with a large number of credit card numbers and personal information inside,” Kromtech wrote in a report.

“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”

Kromtech said they had sent evidence of this automated system to the US Department of Justice.