Selling stolen login credentials for popular battle royale game Fortnite nets the most prolific hackers more than $1 million per year, according to a new research report.
Published by Night Lion Security, the report delves into the highly lucrative black market for stolen video game accounts, which has grown to become a billion-dollar industry in recent years.
Fortnite is at the heart of this underground economy, accounting for hundreds of millions of dollars worth of illegal sales.
The demand for stolen Fortnite accounts is driven predominantly by the popularity of character skins, which alter the player’s appearance in-game, but have no bearing on gameplay. The greater the quantity of rare skins held on an account, the more it will sell for on the black market.
On average, Fortnite account sellers are said to earn $40,000 per month (or $480,000 per year), with the highest earners raking in a whopping $1.2 million per year - more than the vast majority of doctors, lawyers, bankers and CEOs.
In one recorded instance, a batch of accounts with rare skins attached was sold for as much as $38,000 via a private auction held over messaging platform Telegram. Accounts that own the highly coveted “Recon Expert” skin, meanwhile, are said to fetch circa $2,500 each.
In order to gain access to Fortnite accounts, hackers use login credentials acquired via previous data breaches, which are then tested against a database of Fortnite players.
This type of attack is referred to as “credential stuffing” and relies on the fact that many people reuse passwords across multiple online accounts. For example, with one email and password combination, a hacker could access an individual’s Facebook, Gmail, Netflix and Amazon accounts - and perhaps their Fortnite account too.
“Hacking groups like Gnostic Players and Shiny Hunters account for a vast majority of breaches involving stolen user data, and are indirectly responsible for fueling an entire criminal economy of stolen accounts,” explained Vinny Troia, founder of Night Lion Security.
“These stolen accounts are then packaged and resold across a number of sub-ecosystems, the most profitable being the market for hacked gaming accounts.”
Specialized tools are then used to determine whether the stolen credentials can be used to access active Fortnite accounts. According to DonJuju, described as a “respected cracker in underground hacking circles”, top cracking tools can perform between 15,000 - 20,000 login checks per minute (or 500 per second).
While Fortnite developer Epic Games has measures in place to prevent users from performing many login attempts in a short space of time, hackers bypass this filter using proxy rotation services that give each login request a new IP address, thereby concealing the suspicious activity.
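As an added example (not from the report or from Epic Games), the sketch below shows why a per-IP limit sees nothing when every request arrives from a new address, while counting distinct failing accounts per time window still flags the burst. The log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

def make_sample():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # Window 0 (0-59s): ordinary traffic, five users, one failure.
    for i in range(5):
        events.append((i * 10, f"198.51.100.{i}", f"user{i}", i != 2))
    # Window 1 (60-119s): 40 attempts, each from a new IP against a new account.
    for i in range(40):
        events.append((60 + i, f"203.0.113.{i}", f"victim{i}", i == 7))
    # Window 2 (120-179s): one user mistyping a password from a single IP.
    for i in range(4):
        events.append((120 + i * 5, "192.0.2.9", "alice", i == 3))
    return events

def per_ip_limiter_hits(events, window=60, max_per_ip=5):
    """Classic per-IP limit: IPs with more than max_per_ip attempts in a window."""
    counts = defaultdict(int)
    for ts, ip, _user, _ok in events:
        counts[(ts // window, ip)] += 1
    return {ip for (_w, ip), n in counts.items() if n > max_per_ip}

def stuffing_windows(events, window=60, min_accounts=20, min_fail_ratio=0.9):
    """Flag windows where many distinct accounts fail, regardless of source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "users": set(), "ips": set()})
    for ts, ip, user, ok in events:
        s = stats[ts // window]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
        s["ips"].add(ip)
    flagged = []
    for w, s in sorted(stats.items()):
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged.append({"window": w, "accounts": len(s["users"]),
                            "ips": len(s["ips"]),
                            "fail_ratio": round(fail_ratio, 3)})
    return flagged

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP limiter hits:", per_ip_limiter_hits(sample))
    print("aggregate alerts:", stuffing_windows(sample))
```

The single user retrying a password in the last window is not flagged, because the signal is the number of distinct accounts failing together rather than the number of failures alone.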
Accounts that have been successfully compromised are pushed through software designed to check which skins are present on-account. Once their value has been evaluated, the accounts are then bundled together to be sold as a single batch to a reseller, which acts as the shop front for individual buyers.
The market for Fortnite account sales, including purchases made by both resellers and individual buyers, is said to be worth $142 million per year - and potentially more. The entire market - including illegal sales linked with popular games such as Minecraft and Runescape - is said to be worth more than $1 billion.
To shield against account compromise, users are advised to use different passwords for all online accounts and protect each with multi-factor authentication where possible.
Epic Games is yet to respond to our request for comment about the measures in place to protect players against account hijacking.