Presentation
500,000 malware programs are detected every day, compared to just a few twenty years ago. This is the reality of cybersecurity today, with Interpol estimating the damage at over €750 billion.
The various lockdowns related to Covid-19 have fueled a surge in cyberattacks, particularly affecting activities that thrive during these periods: online gambling, video games, and esports.
Indeed, online video game competitions now feature professional teams competing for millions of dollars in esports tournaments that sell out and are broadcast to a wide audience worldwide on various platforms such as Twitch, YouTube, and Discord.
Some academic studies have predicted that the number of esports competitions will surpass that of traditional sports before 2022.
Following the previous report published by the Trend group in November 2019, the issue of cybercrime applied to video games has recently gained renewed attention following the publication of the “State of the Internet / Security” report by the digital server provider Akamai.
This report indicates an increase over the past two years in cyberattacks targeting the video game sector, an increase that is only expected to continue in the coming years, as many clandestine cybercriminal forums already have sections dedicated to esports.
Video Games & Cybersecurity: A Long History
The phenomenon is not new; video game publishers have been regularly victims of cyberattacks for several years:
In 2011, PlayStation Network was the victim of a cyberattack resulting in the theft of millions of personal and banking records;
In 2014, Xbox Live and Blizzard were victims of cyberattacks;
In March 2016, the Steam platform discovered the “Steam Stealer” software, capable of stealing up to 77,000 accounts per month, focusing on online items and banking data;
Between November 2018 and January 2019, Fortnite was informed of vulnerabilities compromising players’ personal data, including the ability to eavesdrop on player conversations and access their banking information;
In September 2019, Blizzard’s World of Warcraft servers were blocked for several hours.
The lockdown period saw an increase in the number of cyberattacks against video game companies. In April 2020, EA Games had all of its games blocked after its servers froze, while Ragnarok Online, developed by Whybe Online, was the target of a hacking attempt.
Nintendo, whose Nintendo Network ID system, linking player accounts on the company’s older consoles, the Wii U and 3DS, was also compromised around the same time, resulting in the theft of data from over 300,000 user accounts.
A unique type of cyberattack occurred in April 2018, targeting users of the game PUBG. The installed ransomware required players to play for over an hour to unlock the data locked on their computers.
In the esports world, similar incidents were also observed, notably in January 2019 at the first Colmar Esport Show, where its partner Vialis was the victim of two cyberattacks that damaged the internet network and disrupted the esports competition. In February 2019, the Lyon eSport event was also targeted by cyberattacks.
Players, Esports Professionals, Streamers, Publishers: Prime Targets for Cybercriminals
Splunk’s 2020 IT Security Report highlighted the main cyber threats, some of which are now affecting the esports sector.
The methods used are similar to those already employed in other industries:
- phishing, which involves deceiving internet users to obtain their login credentials;
- DDoS attacks, which overwhelm target servers, or SQL injections, which exploit application security vulnerabilities by interacting with its database;
- malware transmitted via communication channels that allow the exchange and downloading of documents;
- credential stuffing, which allows for the automated testing of numerous databases of stolen credentials across multiple websites—a process known as “Old Data, New Attack.”
One example is the innovative TeslaCrypt ransomware, which in 2016 searched computers for file extensions containing the names of well-known video game titles and locked all associated folders.
The targets of these cyberattacks are actually numerous: video game developers and publishers, esports associations, organizers, influencers and broadcasters of esports events, their sponsors and investors, and even any online spectator of such events.
Gamers, whether amateur or professional, are prime targets: highly engaged and active within social communities, they generally have significant purchasing power, as their banking information is often linked to online shopping platforms.
Recent years have seen an explosion of attacks focused on mobile and online games, using servers that compile user accounts and personal data.
The objectives of these attacks are varied: compromising accounts to steal personal information or game assets for resale, cheating by manipulating online game currencies, unfair competition by diverting customers from a server or game or simply damaging the image of victimized companies, revenge or blackmail, and even, in some cases, activism.
Esports. In esports, cyberattacks take on more insidious forms. Ransomware, cheats, aimbots, and wallhacks are used to win cash prizes; malware installations can be intended to rig bets or disrupt the conduct or outcome of a competition.
For example, DDoS attacks, which disrupt the stable and high-quality connection of servers, can pose a significant threat to both video game competitions and cloud gaming systems, disrupting the gaming experience for professionals and consumers alike.
Esports Cybercrime: Perpetrators Hunted Down and Even Convicted
Traced to the United States, Russia, Turkey, and the Netherlands, the perpetrators of these cyberattacks are, in some cases, known to cybersecurity professionals. One of the most notorious, Winnti, also known as APT41, BARIUM, and Blackfly, is a Chinese hacking group specializing in attacks on video game companies, particularly those operating from South Korea and Taiwan.
Cybersecurity solution providers Kaspersky, ESET, and FireEye denounce attacks by this group every year. These attacks have resulted in several convictions, highlighting the criminal nature of these actions:
In 2010, in revenge against other players, a 38-year-old Romanian man, consumed by rage against another World of Warcraft player, launched a cyberattack against Blizzard’s servers, blocking thousands of players and costing the publisher €25,000. Eight years later, he was extradited to the United States and sentenced to ten months in federal prison.
In the summer of 2019, another cybercriminal was sentenced to 27 months in prison and ordered to pay $95,000 in damages following attacks carried out in 2013 against Sony Online Entertainment, League of Legends, Dota 2, and Blizzard’s Battle.net service.
Cybersecurity & Esports: A Varied Legal Framework
Current video game-related crime stems from a shift in the nature of its victims. Historically, efforts focused on game piracy, particularly through the creation of software designed to bypass the security mechanisms implemented by publishers.
The development of online games, such as MMOs, which host players’ accounts (often held by minors), their winnings, and personal information, including bank details, has fueled the rise of “video game account theft” and added new victims alongside game publishers: the players themselves.
Identity Theft & Other Offenses. The development and widespread adoption of the internet has amplified the historical offense of identity theft.
This offense, defined by Article 226-4-1 of the Penal Code, punishes the act of impersonating a third party or using one or more pieces of data of any kind that allow for their identification, with the intent to disturb their peace or that of others, or to harm their honor or reputation, including when this is committed on a publicly accessible online communication network.
Related offenses have been added to the category of identity theft, including the use of a false name in a public document, identity fraud, and providing a false name to obtain a criminal record extract for a third party. In court, other criminal charges have been brought, including fraud, unauthorized access to an automated data processing system, and forgery.
The National Cybersecurity Agency of France (ANSSI) and the Directorate of Criminal Affairs and Pardons recommend filing a complaint in the event of attacks or blackmail related to information systems. This allows specialized and competent authorities to handle the investigation, negotiation, and protection of victims.
Personal data. Often overlooked, the consequences of these attacks are nonetheless considerable. Video game accounts store an increasing amount of personal data, including names, IP addresses, and even physical addresses, technical data related to internet access, the type of equipment used, video game usage data, email addresses, bank details, and, for mobile games, location data, media engagement, and even phone calls, contacts, etc.
In the case of high-level esports players, personal data can also include medical records held by their club, personal contact information, information held by the club about their fans and subscribers, and access to performance-related data, which can also be a major obstacle to their competitive gaming.
GDPR. Publishers and organizers of esports competitions can also be held liable under the GDPR for breaches in the protection of collected and processed databases. The entry into force of this recent regulation had already disrupted many publishers, with several games having to be suspended because updating their large-scale data collection systems was too costly.
While police and judicial services are organizing themselves to combat digital crime more effectively, the widespread use of digital technologies and the increasing sophistication of cyberattacks in the video game and esports sectors require all industry stakeholders to work together, as video game publishers cannot guarantee the integrity of their services alone.
Video Games & Esports: Co-regulation and Stakeholder Responsibility
The video game and esports ecosystem can benefit from the experience of other sectors already affected and which have developed numerous protection and prevention resources. Analytical audits can thus assess the vulnerability of the information systems of various companies and the games they use.
Publishers can also consolidate scheduled game updates, particularly for esports events, and work with cybersecurity companies to improve the “game mode” functionality of antivirus software or monitor botnet behavior in authentication processes and during gameplay.
Video game publishers’ control can be enhanced, notably through the implementation of multi-factor authentication on game purchase platforms and online accounts.
This is already the case for several publishers, with Microsoft, Blizzard, and Steam having developed their own authentication applications, while Ubisoft and Nintendo delegate these functionalities to third parties such as Google Authenticator.
Other measures can also be encouraged, such as establishing a whitelist of secure titles, more advanced monitoring of the hardware used for esports competitions—real-time monitoring of threats and unusual behavior on the network, from computers and software used to configurable mice and controllers.
A South American team, Thunder Predator, was disqualified from a Dota 2 competition in 2018 for using a custom gaming mouse.
The organizers considered the use of a programmable mouse to be akin to using an unauthorized software script.
In the context of the shift towards cloud gaming, securing cloud servers is also a viable option, particularly through cyber insurance policies that protect businesses. Finally, given the criminal nature of these activities, systematic prosecutions can also be a way to clean up existing practices.
To address these new challenges, digital players, especially those in esports, also benefit from another advantage: their IT expertise allows them to react quickly and prevent these new forms of crime.
