Bursting onto the gaming scene in 2017, Fortnite quickly rose to become the world’s most-played online game. With tens of millions of active players per month and about $2.5 billion per year in revenue, the game is a small economy unto itself. It’s thus not surprising that a black market has developed for hacked Fortnite accounts; what is surprising is how much business it brings in.
A set of underground marketplaces that deal in stolen accounts from various games is estimated to do about $1 billion in annual business, with $700 million of that coming from just four games. In addition to Fortnite accounts, criminals do big business selling stolen assets from Minecraft, Roblox and Runescape.
How black market Fortnite accounts became big business
Digital forensics firm Night Lion Security recently published a report on this phenomenon, investigating various dark web and underground forums to uncover this very brisk trade in stolen Fortnite accounts.
Any online game that is at all popular has its own sort of underground economy, with players often selling their own accounts and in-game items or providing various services that are out of compliance with the game’s terms of service. Once a game becomes big enough, however, it becomes a target for hackers and scammers, with even elements of organized crime getting in on the game. Given the game’s continued popularity three years after release, Fortnite accounts are one of the hottest items in this category.
The hacking of Fortnite accounts (and those of other games favored by younger players) has become particularly profitable during the Covid-19 pandemic, as kids are home from school and have limited options for out-of-home entertainment. Many have turned to video games to fill the hours, greatly increasing demand.
The black market sites that sell Fortnite accounts generally operate on an “auction” model somewhat similar to that of eBay. They sell stolen account credentials as well as individual items scavenged from certain accounts, such as the coveted cosmetic “skins” that change the in-game appearance of players. Accounts labeled as “full access” grant the buyer the login credentials of the email address that the Fortnite accounts were registered with. Aside from the cosmetic and rare items they contain, people are willing to spend as much as hundreds of dollars on a Fortnite account for bragging rights. In some cases, streamers who make a living playing the game for an audience find the accounts desirable as an investment as they help to drum up interest in their broadcasts.
The Night Lion report finds that the biggest sellers in the black market Fortnite accounts game are making about $25,000 per week, or a little over a million dollars per year should they stick with it for that long. Even the smaller sellers tend to make what would be a respectable middle-class living in most of the developed world: about $5,000 per month.
How Fortnite accounts are hacked
Credential stuffing attacks on email accounts sometimes yield access to Fortnite accounts as a bonus. The Fortnite password doesn’t need to be the same as the email password: the Epic Games Store, the login portal to Fortnite, does not require accounts to have multi-factor authentication enabled, so an attacker who has compromised the linked email account can often simply reset the Fortnite password through it.
In-game scamming is also a common means of acquiring accounts, as was demonstrated by the young Twitter hacker who got his start in this exact way by stealing accounts in Minecraft. The attackers engage in confidence schemes in which they usually promise to buy player accounts, having them transfer the login information first (and then running off to the black market with it).
Though there is sometimes this sort of targeted theft of high-value accounts, most Fortnite accounts are hacked with a set of automated tools. For about every 1,000 accounts that hackers access via credential stuffing, about one will have skins and time-in-game that make it substantially valuable for resale. The bulk hackers sell accounts in large bundles to the retail aspect of the black market, which then dissects them to determine how to best sell individual accounts and items directly to consumers. Credential stuffing tools designed to exploit Fortnite can try as many as 500 logins per second.
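The automated pattern described above has a recognizable shape in login logs: one source cycling through many different usernames at high speed, with almost every attempt failing. The following detection sketch is an added example, not code from the Night Lion report or from any game publisher; the event tuple layout, the thresholds and the documentation-range IP addresses are assumptions, and the log events are constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against real traffic.
WINDOW_SECONDS = 10
MIN_DISTINCT_USERS = 20
MIN_FAILURE_RATIO = 0.9

def detect_stuffing(events):
    """events: (timestamp, source_ip, username, success) tuples sorted by time.
    Returns (flagged_sources, at_risk_accounts)."""
    windows = defaultdict(deque)   # source -> attempts inside the window
    successes = defaultdict(set)   # source -> usernames it logged in as
    flagged = set()
    for ts, src, user, ok in events:
        win = windows[src]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if ok:
            successes[src].add(user)
        distinct = {u for _, u, _ in win}
        failures = sum(1 for _, _, s in win if not s)
        # Many different accounts from one source, nearly all failing.
        if (len(distinct) >= MIN_DISTINCT_USERS
                and failures / len(win) >= MIN_FAILURE_RATIO):
            flagged.add(src)
    # Logins that succeeded from a flagged source are treated as compromised.
    at_risk = set()
    for src in flagged:
        at_risk |= successes[src]
    return flagged, at_risk

def build_sample():
    """Constructed events: one source at 500 attempts/second, one normal user."""
    events = []
    for i in range(200):
        events.append((i * 0.002, "203.0.113.7", f"player{i:03d}", i in (57, 143)))
    events.append((0.1, "198.51.100.20", "alice", False))  # typo, then success
    events.append((5.0, "198.51.100.20", "alice", True))
    return sorted(events)

if __name__ == "__main__":
    sources, accounts = detect_stuffing(build_sample())
    print("flagged sources:", sorted(sources))
    print("accounts to lock and notify:", sorted(accounts))
```

The second return value is the useful one for the account owner: those are the logins to invalidate and notify about before the owner finds out by being locked out.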
The Night Lion report indicates that game publishers are not implementing effective means of curbing these account thefts and black market sales, with one of the largest sellers doing their best to meet a demand for a million Fortnite accounts and items per week at one point. The report also notes that most end users are not aware that their account has been compromised until they are locked out of it, and do not know where to find it once that happens.
The black market Fortnite accounts phenomenon is part of a general spike in demand for hacked entertainment accounts during the Covid-19 pandemic. Online streaming service accounts, such as those of HBO Max+ and Netflix, are also being sold at a rate that is much more brisk than usual.