
$6 million heist targets video game skin trading site

An incredibly popular digital item trading site has suffered a spectacular loss at the hands of wily attackers. According to Bleeping Computer, CS Money lost out on $6 million via just 20,000 pilfered items. How did this happen, and why are digital items so popular in the first place?

The digitized rewards of gaming

It’s important to know what, exactly, trading sites deal in and how they relate to gaming, so here goes.

Most major titles on prominent video game platforms offer skins, items, and in-game rewards. These items are often tradeable with other players. Some can be bought or sold through specific platforms, but, sometimes, depending on the game, certain items can’t be traded, which means that those items are tied to the owner’s account forever. Those items may lead to the account becoming a valuable target for phishing and scams.

Even accounts with regular tradeable items are potentially worth stealing. Those accounts may have hundreds or even thousands of items tied to them. A quick phish here, a stolen login there, and both the account and its items may never be seen again.

Where trading platforms come into this picture is that they often make it easier to sell, trade, whatever you want to do with your digital stock. Some people are content to use the trading section of a platform’s own service. These services may also have their own community market, where items can be bought and sold.

Other folks may branch out into using specific third-party websites for all their buying, selling, and trading needs. These sites may offer more specific features not available on the major platforms. Perhaps they have a reputation for niche items unobtainable anywhere else. Whatever the reason, these sites are very popular. Scammers will often imitate them in an effort to compromise people’s item cache. Sadly, sometimes the sites themselves come under fire. When that happens, you’d better hope everything is as locked down as can be.


When a Counter Strike site is counter-stricken

No fewer than 20,000 skins were stolen after an attack on the CS Money site. CS in this instance stands for “Counter Strike,” long-time favourite of the online shooter crowd. User skins vanished into the night after the attack, and at time of writing the skins have simply been blocked from further selling/trading/anything else. Good news for people who don’t enjoy large slices of video game digital skin fraud. It’s not so good for the owners of said items, who don’t seem to have had any of them returned yet.

According to the rundown of events on Bleeping Computer, the attack was made up of several moving parts. First, the attackers obtained authenticator files used to authorize Steam access. Then, 100 bots containing the skins were used in roughly 1,000 transactions to send the skins to accounts belonging to the attackers. Some of the items were then sent to “ordinary users, renowned traders, and bloggers.”

None of these people were involved in the attack. This appears to be the fraudsters’ way of adding a little more publicity to their actions, or maybe just covering their digital paper trail.

Smash and grab

This all goes wrong at the point where authenticator files were apparently stolen. What’s interesting is pondering how the attackers came to obtain those files in the first place.

Some years ago, Steam phishers were asking victims to upload certain files from their Steam folder to the fake website. These files worked like a sort of password remembering cookie, except for Steam. Having the files on board meant you didn’t have to re-verify your identity through authentication every time you logged in. But if you sent them to someone else, they’d be able to log in as you as long as they had your username and password.

Has a similar tactic been used here? Only time will tell. For now, if you’re involved in skin trading or digital item selling: consider that the sites you use may not be 100 percent secure. If a scammer ram-raids your favourite marketplace of choice, a trip to customer support may be in the cards. As with so many forms of digital fraud, there’s often no guarantee of having your stolen items returned. Weigh up the safety pros and cons carefully with regard to the final destination of your sellable skins. Safe trading out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.