Fortnite is a free-to-play game, but features an in-game currency that can be used to purchase skins, emotes, and Battles Passes. V-Bucks or “Vindertech Bucks” can be earned by completing daily quests and missions or purchased through online vendors like Microsoft Store Online or the Official Playstation Store. 1,000 V-Bucks will run customers $9.99 USD.
The Independent and cyber security firm Sixgill found out that stolen credit cards are being used to purchase V-Bucks. These V-Bucks are then sold at a steep discount on the Dark Web or through social media scams. Sixgill agents pretended to be potential customers and discovered that V-Buck laundering operations were being conducted throughout the world.
Benjamin Preminger, a senior intelligence analyst at Sixgill noted the money laundering operations were conducted with relative ease. He remarked, “Epic Games doesn’t seem to clamp down in any serious way on criminal activity surrounding Fortnite, money laundering or otherwise.” He hopes that Epic Games will take measures to better monitor their in-game currency and to work more closely with law enforcement.
Epic Games also recently patched a vulnerability that would have granted access to users’ accounts. Israeli cyber security company Check Point uncovered two Epic Games subdomains where the single-sign-on (SSO) tokens could be easily transferred to hackers. They then would have been able to acquire users’ in-game currency and the last four digits of their credit card. Epic Games quickly responded to the issue once it was reported, but it is unclear how long this free v bucks generator vulnerability was available.
IT security firm Zerofox discovered 53,000 Fortnite scams in just a one month period. Although money laundering is certainly an issue, most scams are shared through social media or other seemingly benign websites. Fortnite’s large user base is relatively young and therefore less likely to recognize fraud. Hopefully the company will do more in the future to protect their players.