Some Fortnite hackers are now making $1 million a year
Fortnite has been in the news a lot of late, what with Epic Games taking legal action against Apple and Google. If you want to play the latest season of Fortnite on Apple hardware you are out of luck. Android users can get in on the action if they install Fortnite directly from the Epic Games website, an option not available to iOS users. The news that interests me, however, as a gamer with a professional interest in matters of cybersecurity, is just how dynamic and profitable the underground Fortnite economy is.
How profitable, do I hear you ask? How does $1 million (£750,000) a year in stolen account sales sound? Sure, that’s towards the top end, but criminals are making that kind of money, $25,000 (£19,000) a week, because of the value of stolen character skins.
And because hackers know how to compromise your account.
The Fortnite underground cybercrime economy
Vinny Troia, CEO at Night Lion Security, has today published his report into the Fortnite underground cybercrime economy. It doesn’t make for very encouraging reading if you are a Fortnite player. If you are a Fortnite account hacker, on the other hand, it reinforces what you already know: there’s lots of money to be made hacking game accounts.
It all starts and ends, to be honest, with a lapse of account security when it comes to logins. Username and password combinations from data breaches, not just of gaming sites themselves, are traded on the dark web.
One recent dark web audit found an astonishing 15 billion stolen logins from more than 100,000 breaches available. Some hackers sell these credential databases, and others give them away for free to other cybercriminals.
The point being, if you reuse the same credentials, the same passwords, across multiple accounts, then you are asking for trouble. It only takes one of those sites or services to be hacked, and all the others are open to attack. You have opened yourself up to a credential stuffing attack, to be precise. This is where the breached credentials are used to try and access high-value accounts elsewhere, high-value like your Fortnite account.
Even if you use simple variations of the same password, say incremental numbering, for example, then you are not safe. Testing out variations is done in double-quick time by fully automated processes.
Cracking Fortnite accounts
According to Troia, one Fortnite account-hacking tool can average 500 such account checks every second. The most successful hackers are those who understand the psychology of password creation amongst the general population, including Fortnite players. Troia quotes a prolific password cracker as saying that many people use “small and predictable changes” such as capitalization differences, for example. Then there’s using email addresses and usernames as password seeds, and so on.
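Seen from the defender's side, the "small and predictable changes" described above can be screened out when a password is set or changed. The following is an added example, not code from the report or from Epic Games; the breached-word list, the character-swap table and the `screen` function are constructed for illustration.

```python
import re

# Constructed stand-in for a breached-password corpus (not real breach data).
BREACHED = {"sunshine", "dragon", "password", "letmein"}

# Common character swaps, folded back to letters before comparison.
LEET = str.maketrans("013457@$!", "oieastasi")


def canonical(pw: str) -> str:
    """Collapse case changes, numeric/symbol suffixes and character swaps."""
    pw = re.sub(r"[\W\d_]+$", "", pw.lower())  # "winter2024!" -> "winter"
    pw = pw.translate(LEET)                     # "p@ssw0rd"    -> "password"
    return re.sub(r"[^a-z]", "", pw)            # keep ASCII letters only


BREACHED_CANON = {canonical(p) for p in BREACHED}


def screen(new_pw, username, email, current_pw=None):
    """Return a rejection reason, or None when no predictable pattern is found."""
    core = canonical(new_pw)
    if not core:
        return None  # nothing alphabetic to compare; leave to other checks
    if core in BREACHED_CANON:
        return "variant of a breached password"
    if current_pw and core == canonical(current_pw):
        return "variant of the current password"
    for seed in (canonical(username), canonical(email.split("@")[0])):
        if len(seed) >= 4 and seed in core:
            return "built from username or email"
    return None


if __name__ == "__main__":
    print(screen("P@ssw0rd1", "nova", "nova@example.com"))
    print(screen("Winter2024", "nova", "nova@example.com", "winter2023!"))
    print(screen("N1ghtOwl#77", "night_owl", "x@example.com"))
    print(screen("correct-horse-battery-staple", "nova", "nova@example.com"))
```

This screen complements an exact-match check against breached passwords; it does not replace one.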
It’s not all plain-sailing for the would-be Fortnite hacker. Epic Games does, for example, limit the number of logins allowed per IP address to prevent such bulk automated account probing. But, Troia says, the hackers circumvent such barriers by paying for proxy rotation services, which can issue a new IP for every account checking request.
These don’t come cheap, with one Fortnite hacker stating he pays more than $10,000 (£7,500) a month for such services. These services don’t use IPs that are typically associated with such proxies or with VPNs, but instead use residential IPs, which are more likely to pass through any filtering that Epic Games has in place.
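Because a new IP per request keeps every per-IP counter at one, detection has to look at signals that do not depend on the source address. The following is an added example, not Epic Games' or the report's logic: it flags time windows in which many distinct accounts fail login at a high failure ratio, using a constructed log and assumed thresholds.

```python
from collections import Counter, defaultdict

WINDOW = 60            # seconds per tumbling window (assumed)
MIN_FAILS = 20         # assumed thresholds; tune to your own baseline
MIN_FAIL_RATIO = 0.8
MIN_SPREAD = 0.8       # share of failures that hit a distinct account
PER_IP_LIMIT = 3       # what a per-IP limiter alone would allow


def detect(events):
    """events: iterable of (epoch_seconds, src_ip, account, success)."""
    windows = defaultdict(list)
    for ts, ip, acct, ok in events:
        windows[ts // WINDOW].append((ip, acct, ok))
    alerts = []
    for w, rows in sorted(windows.items()):
        fails = [(ip, acct) for ip, acct, ok in rows if not ok]
        per_ip = Counter(ip for ip, _ in fails)
        accounts = {acct for _, acct in fails}
        if (len(fails) >= MIN_FAILS
                and len(fails) / len(rows) >= MIN_FAIL_RATIO
                and len(accounts) / len(fails) >= MIN_SPREAD):
            alerts.append({
                "window_start": w * WINDOW,
                "failed_logins": len(fails),
                "distinct_ips": len(per_ip),
                "distinct_accounts": len(accounts),
                # False here means the per-IP limiter never fired.
                "per_ip_limit_tripped": max(per_ip.values()) > PER_IP_LIMIT,
            })
    return alerts


def sample_events():
    """Constructed log; IPs come from the RFC 5737 documentation ranges."""
    ev = [(t, "192.0.2.10", "alice", True) for t in range(0, 50, 10)]
    # One user mistyping a password: trips a per-IP limit, not this detector.
    ev += [(5 + i, "192.0.2.77", "bob", False) for i in range(5)]
    # Rotating-proxy pattern: one attempt per IP, one account per attempt.
    ev += [(60 + i, f"203.0.113.{i}", f"user{i:03d}", False) for i in range(40)]
    ev += [(100, "203.0.113.200", "user777", True), (110, "192.0.2.10", "alice", True)]
    return ev


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```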
But it doesn’t stop there. Another tool, a Fortnite account checker capable of automatically changing passwords, checking for available skins and the like, is employed to do just that. The most efficient version of this tool is sold on a personal referral basis only, on a $2,000 (£1,500) per month license.
I have reached out to Epic Games regarding the account protections they have in place and will update this article once I have a statement to publish.
A $1 million per year criminal business
So, with the criminals investing a fair bit of money in the tools they use to crack open Fortnite accounts, you can be sure there is a profitable return waiting for them. Out of every 20,000 accounts available to the hackers, maybe 2,000 will come complete with character skins associated.
These accounts can be bundled together into a collection known as a log, and sell for anything from $10,000 (£7,500) upwards. Troia states that one such log sold for $38,000 (£28,750) in a private Telegram channel auction.
The buyers will then raid those accounts and resell them. Individual Fortnite accounts with a skin can sell for anything between $25 (£19) and $2,500 (£1,900), depending upon the scarcity of the skin involved.
That top-end amount was realized earlier this month for an account with a ‘Recon Expert’ skin, for example. Then there’s the account value itself. If it’s unlinked, that is not linked to an existing PlayStation Network account, then the value doubles compared to a linked one.
Suppose the account comes with the ‘bonus’ of access to the owner’s hacked email account, known unsurprisingly as a full access account, then the value triples. Troia says that just one full access, recon expert skin account can sell for $10,000 (£7,500).
The most successful criminals in the Fortnite underground cybercrime economy are making, according to the report, an average of $25,000 (£19,000) per week, or more than $1 million (£750,000) per year. Even at the lower, more normal, end of the criminal marketplace, hackers are making $5,000 (£3,750) every week.
Mitigation advice is simple, so follow it
My advice, as always, is to make sure you are using strong and unique passwords for every site or service you use. A password manager app makes this easy to do. Don’t reuse passwords. Ever.