An interesting quote from a recent Vice article “The Pursuit of Cheap Video Games Has Been Getting Switch Owners Banned” put me on a path:
Most games cost $60 these days, and if you want to play a lot of them, that can add up quickly. It's one reason why many players turn to third-party online stores, where they can buy Nintendo games for cheap instead of buying them from Nintendo directly.
I was curious why players would turn to third-party online stores for game codes, in-game currency, skins, accounts, etc. Of course the re-sellers offer discounts, but aren’t the sites sketchy and tied to scams? Maybe some of the buyers are not attempting to steal a game, they simply think they are buying an extra game code from a third-party market. Video game companies certainly warn against using them and have locked accounts and banned certain transactions tied to them. I was told by a hardcore gamer friend that real gamers don’t use third-party sites. But who am I to judge and who is a real gamer and who is just a passionate player with limited financial resources?
Well, I decided to check it out for myself. I asked a colleague at Nethone who specializes in studying the darknet markets for some examples of these third party sites. He sent me a long list. And I didn’t even have to download TOR to access the darknet markets. They’re available for easy access on the regular web, aka the Clearnet.
Here’s what I discovered after a bit of exploration. Some of the results were surprising.
One of the first that I checked out was https://juicy.atshop.io/gaming-accounts. At first glance, it kind of looks like a regular e-commerce or digital goods site:
Maybe I was expecting something nefarious with lots of darknet style jargon, but instead I found a slightly shabby but professional enough looking site with a wide selection of game accounts to choose from. It even looks somewhat user-friendly and customer-focused. The prices are very low (much lower than I expected), there’s a vendor rating system, and an indicator of how much merchandise is in stock.
I decided to attempt to purchase a couple of FIFA 20 accounts. What happens when you click on “Purchase”?
Quantity of two, at .75 cents each, equals $1.50. Obviously it’s cheap compared to $60 or 50 Euro. So far so good. Let’s check out.
OK, so now the third-party site and seller have my email address. Yay. Or yikes (?). It’s a pretty simple transaction flow. But like all digital goods, it usually is a pretty straightforward, quick process to buy and receive the product.
I was surprised to see that some of the third-party sites state that they are concerned with fraud and scams. https://spilz.atshop.io/ indicates that it has identity verification protection measures. Have a look at the left side of the screenshot: They request that you provide your real phone number “to verify you are who you claim to be.”
Vendors even ask for positive feedback on social media to boost their seller profile. This one offers skins and accounts for Fortnite in return for positive reviews:
atshop vendors are easily found with a Twitter hashtag or on Discord: In addition to atshop, another popular third party online marketplace is Shoppy. The Shoppy app is available for easy download on the Apple Store and Google Play: Shoppy appears to be less visually appealing than the typical atshop stores, but I suppose the offering speaks for itself (below): a random Steam account, 12+ games, with a good nickname no less, for 1.50€: Maybe this is a legitimate transaction. Maybe someone is just selling an account that was made available by some player who grew weary of the 12+ games and decided to move on from Steam to EA Origin, Ubisoft, Nintendo, or some other game ecosystem. Maybe the user quit gaming altogether! There are many possible scenarios.
Michal Barbas, an Intelligence Specialist at Nethone, provided some sobering perspective: “When you check similar sites by audience overlap for Shoppy in Alexa, in the first position is cracked.to (hacking forum with a huge accounts market); in the second position is nulled.to (another hacking forum with a huge accounts market); in the third, we see sellix (a Shoppy clone) and in fourth place we have throwbin.io (a pastebin often used to share free login and password combo lists).” So Shoppy is strongly correlated with sites that sell stolen account information.
Closing thoughts on third-party online stores
My impressions? The third party online stores look less nefarious than expected, mundane even, offer a huge selection at insanely cheap prices, and are easy to use. I can see why they’re popular.
Aaannd they’re tied to video game scams.
Since they’re more accessible than ever, have been around for a while and probably aren’t going anywhere anytime soon, perhaps all parties involved, including the video game companies, retailers, distributors and all of the Shoppys, sellixes, and the atshops of the world should invest in fraud prevention solutions. It won’t stem the tide of sales of stolen accounts, but it would address the issue of transaction attempts with stolen credit card information and automated money laundering. Machine Learning could also be used to help secure in-game transactions, which are a source of chargeback fraud, friendly fraud, stolen accounts and game codes.