Cybercriminals Make Millions Selling Stolen Fortnite Accounts, New Research Shows

Thousands of stolen Fortnite accounts are selling like hotcakes in underground marketplaces, amassing around $1.2 million a year for cybercriminals, a new report shows.

The Fortnite Underground Cybercrime Economy report sheds light on a million-dollar business that capitalizes on the popularity of the free-to-play video game that managed to attract over 350 million players within three years of its launch.

According to researchers from Night Lion Security, each Fortnite account sells for between $200 and $250 on average. Still, some can even sell for thousands of dollars, depending on the value of a characters” in-game skin.

How are cybercriminals managing to crack and steal Fornite accounts? Researchers point the finger to the high number of data breaches and data brokers that fuel the black market for gaming accounts.

“Hacking groups like Gnostic Players and Shiny Hunters account for a vast majority of breaches involving stolen user data, and are indirectly responsible for fueling an entire criminal economy of stolen accounts,” the report said. “These hacked databases are then sliced up and resold, only to provide ammunition for credential stuffing attacks designed to identify valid accounts across different consumer products.”

Researchers also provided a detailed explanation of how bad actors sniff out valid Fortnite accounts, citing DonJugi, a well-known cracker who operates on various underground forums.

“High-end Fortnite cracking tools can average between 15 and 25 thousand checks per minute, or roughly 500 account checks per second,” he said. “Simple variations on existing passwords can yield extremely high results” because users chose common patterns when setting up passwords.

“Checking for valid Fortnite accounts can be as easy as loading a list of email/password combinations into the right software,” the investigators added. “When changing passwords, people commonly make small and predictable changes, like capitalizing the first letter, or adding a single digit at the end of the password,” a practice that makes it easy for hackers to guess the login credentials.

Although the game developer tried to stop mass account checks by limiting the number of logins per IP address, bad actors invest in high-end proxy rotation tools to bypass the restrictions enforced by the platform.

After locating a valid Fortnite login, bad actors check for “valuables” within the account. Digital costumes are “what makes these accounts so valuable, and is at the core of the entire underground Fortnite market,” the paper says.

Successful crackers noted that “checking for skins on Epic Games logins will yield an average success rate of 10-15%.” Logs containing Fortnite character skins are then advertised and sold on different marketplaces at between $10,000 to $30,000.

Stop guessing what the internet knows about you. Find out with Bitdefender”s Digital Identity Protection!

Investigators indicated that the pandemic accelerated demand for gaming accounts since internet users have more free time on their hands. They also noted that “video game companies have not been successfully in slowing down this underground economy, with the higher-end hackers and sellers of these accounts continuing to make anywhere between six and seven figures per year in revenue.”