Money launderers exploit online gaming loopholes

In Counter Strike: Global Offensive, the multiplayer online game, players can choose to be terrorists or counter-terrorists. Increasingly many of them are choosing to be money launderers in real life, not just in-game.

In a blog post at the end of October 2019, the gaming firm Valve abruptly announced that players would no longer be allowed to trade ‘container keys’. These are used to obtain in-game items, such as guns, rare knives or limited edition stickers.

“Worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains,” Valve wrote. “At this point, nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud.”

CS:GO has developed a cult following online. As of January 2019, the game had more than 20 million monthly active users, double the figure from May 2016, says Statista. At its peak in December 2019, more than 750,000 gamers were playing CS:GO concurrently.

So it was quite some admission from the games developer that money laundering and fraud had become so widespread. So much so it accounted for “nearly all” of a particular trading activity on the game’s marketplace.

State of play

Multiplayer online games have many characteristics which open them up to abuse from money launderers. For example, in-game items sometimes have a real-life value outside the game. These include artefacts that change a character’s appearance or ability to progress more quickly within the game.

They can be bought for government-issued fiat currency and re-sold or exchanged for value.  In-game purchases are known within the gaming industry as ‘micro transactions’. This is somewhat of a misnomer as while some of the transactions may be small in value ($0.99-$4.99), to unlock a particular character within a game can cost up to $80-$99 or more.

These ‘micro transactions’ add up to a considerable source of revenue for games companies. Although somewhat old, the following figures serve to illustrate the income from micro transactions, especially within the so-called ‘freemium’ games model. This is where games are free to download, but players pay for upgrades, extra skins or skills in-game.

Activision Blizzard, the leading online games company in the US, generated more money from in-game purchases than it did from full-game downloads in the quarter ending December 2017. It earned roughly $4 billion in revenue from micro transactions in 2017, 57 percent of sales for the year. Electronic Arts (EA), the second-largest games company in the US behind FIFA, Battlefield and Star Wars, made around $787 million in micro transactions in the first quarter of 2018.

Then there are lootboxes. These contain randomised content and are bought in-game for real-world money. It is a revenue stream forecast to be worth $50 billion by 2022.  Players do not know what it is in the box until they have bought it. Consequently, loot boxes may be classified as gambling in some jurisdictions and may be prohibited.

Lootboxes and the risks to merchant underwriters were discussed in detail at RiskConnect 2019 as the interview  by Peter Naessens, general director, Belgian Gaming Commission, explains.

Secondary market

A thriving secondary market for in-game items exists officially within games platforms themselves, but also unofficially on online marketplaces and social media sites. Naturally these in-game items can be bought with stolen money. In a variation of using stolen cards to purchase physical goods for resale, criminals can also buy virtual goods or in-game currency and sell them on.

In January 2019, cybersecurity firm Sixgill alleged that criminals were using stolen card details to buy V-bucks from the official Fortnite store. These were then sold in online black markets at discounted rates to clean the money. Similarly, so-called ‘lifestyle spending’, where criminals use the proceeds of crime (e.g. stolen card details) to game or gamble as a leisure activity, is another form of money laundering.

These virtual-to-virtual layering schemes that attempt to obfuscate transactions are comparatively easy, cheap and secure to execute within the online gaming sector. Online games are not currently regulated. Yet any digitisation or virtualisation of value which can be traded or exchanged offers the potential for abuse, thereby increases acquirer risk exposure.

Implications for merchant underwriters

‍In June 2019, the Financial Action Task Force (FATF) provided further clarity on how FATF requirements should apply to virtual assets and virtual asset service providers.  The guidance focuses on virtual assets that are convertible for other funds or value, including those convertible to other virtual assets, to fiat money or intersecting with the fiat financial system.

Online games are out of scope yet the principles behind the FATF guidance are still useful to risk professionals underwriting games operators. As part of merchant on-boarding and monitoring, underwriters are advised to evaluate a merchant’s ability to assess money laundering risks and monitor these over time.

What preventative measures does the merchant deploy, such as customer due diligence and suspicious transaction screening and monitoring? What are their reporting and record-keeping procedures?

In addition, underwriters are advised to request a copy of the merchant’s policies and procedures relating to how they manage and mitigate the risks of anonymity-enhancing technologies. These include cryptocurrencies, mixers, tumblers and other technologies that obfuscate the identity of the sender, recipient, holder or beneficial owner of virtual assets.

Update to Mastercard BRAM program

Digital game reseller services have recently been added to the Mastercard Business Risk Assessment and Mitigation (BRAM) program. At the end of January 2020, Mastercard advised that it had received several formal complaints from digital game rights holders regarding merchants who:

• Provide cardholders with account login credentials for digital games (which may have been stolen or set up for illegal commercial services)
• Enable cardholders to download digital games, build in-game progression (also known as ‘levelling up’) or purchase virtual gaming currency

These activities are not authorised, are unlawful and are consequently prohibited under the BRAM program.

Web Shield’s InvestiGate and Monitor solutions have been updated to reflect the changes to the BRAM program.