IntSum – Week 33 | 15th – 19th August 2022

Key Issue:

USD 6 million worth of in–game items stolen from CS.MONEY trading platform

Cybercriminals:
Ransomware groups target organisations susceptible to downtime

Nation
–
State:
Nation–state actors focus on facilitating military activity

Key Issue:

This week, cybercriminals stole 20,000 skins (in–game items that change a character’s appearance) worth approximately USD 6 million from CS.MONEY. CS.MONEY is the largest item trading platform for the online multiplayer game Counter–Strike: Global Offensive (CS:GO).

The threat actors gained access to Mobile Authenticator files used for Steam authorisation and took control of bot accounts that contained the skins. They proceeded to transfer skins to their own accounts by issuing outgoing transaction offers, as well as to accounts of other users likely to hide their malicious activity. To further hinder attribution efforts, the threat actors generated false transaction messages mentioning other CS:GO item trading platforms that resembled the legitimate messages sent by the platform’s bots.

CS MONEY’s internal systems and website users alerted employees about the suspicious transactions and the website was taken offline to reset all authorisations to prevent further transactions. At the time of writing the platform remains offline, and the stolen skins have not yet been recovered, however, they are in trade–lock which prevents the further transfer of the items. Gaming–related platforms have previously been targeted in operations intended to steal credentials and in–game items
as they can be sold on other online marketplaces and forums. We assess that financially motivated cybercriminals will continue targeting platforms that manage digital assets worth significant sums of money.