{
	"id": "7089c1aa-1fc0-4157-8cd7-d97b557b89e2",
	"created_at": "2026-04-06T00:07:47.04551Z",
	"updated_at": "2026-04-10T03:20:32.949363Z",
	"deleted_at": null,
	"sha1_hash": "a764bf11256e7d794171adf0964002a72e58fa17",
	"title": "Gaming Industry Under Attack: Darknet Threats \u0026 Leaked Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 809818,
	"plain_text": "Gaming Industry Under Attack: Darknet Threats \u0026 Leaked Data\r\nPublished: 2021-01-04 · Archived: 2026-04-05 18:22:31 UTC\r\nDarknet Threat Actors Are Not Playing Games with the Gaming Industry\r\nBy KELA Cyber Team\r\nEdited by Ben Kapon\r\nPublished January 4, 2021\r\nThe gaming industry should really thank Covid-19: People are stuck at home, seeking indoor hobbies, and giving\r\nonline gaming a chance. With the rise of gamers and purchases, the online gaming industry is estimated to reach\r\n$196 billion in revenue by 2022. However, the growing success of this industry also calls attention to\r\ncybercriminals scouting out their new targets – and what better target could cybercriminals ask for than an\r\nindustry that’s up and coming and may not be prioritizing their security precautions as much as their industry\r\nadvancement and profit. So, though this industry isn’t valued at the trillions of dollars that the financial industry\r\nmay be valued at, it still checks off boxes for two key factors that many profit-driven cyber criminals tend to seek:\r\nincrease profits and minimize the complexity of the process in order to do so.\r\nhttps://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/\r\nPage 1 of 10\n\nIn order to assess the threat landscape of the gaming industry in light of Covid-19, we explored the risks\r\nthat are potentially threatening employees and internal resources of the leaders of this industry.[1] We’ve\r\nincluded some of this blog’s major key takeaways below:\r\nKELA observed multiple instances of supply and demand for initial network access of gaming\r\ncompanies (especially their resources designed for developers).\r\nKELA found nearly 1 million compromised accounts pertaining to gaming clients and employees, with\r\n50% of them offered for sale during 2020.\r\nKELA detected more than 500,000 leaked credentials pertaining to employees of the leading companies\r\nin the gaming 
sector.\r\nThe gaming industry is growing, in turn increasing the number of threats against it. By proactively\r\nmonitoring darknet communities, organizations in this industry can collect real-time valuable\r\nintelligence in order to help gain an external viewpoint on their organizations’ attack surfaces and\r\nmitigate cyber threats.\r\nTerms\r\nBefore diving into some threats targeting the gaming sector and the implications they may have, let’s first review\r\nthree commonly used terms throughout this blog post:\r\nInitial Network Access – A broad term referring to remote access to a computer in a compromised\r\norganization. Threat actors selling these accesses are referred to as initial access brokers – threat actors\r\nlinking opportunistic campaigns with targeted attackers, namely ransomware operators.\r\nCompromised Accounts – Credentials, cookie sessions and additional technical fingerprints which are\r\noffered for sale on automated underground marketplaces such as Genesis and more. These accounts are\r\nbreached and stolen from victims’ computers generally via infections by banking trojans or other stealers.\r\nSuch accounts can grant access to tools and software used in a targeted environment, such as RDP, VPN\r\nsolutions, and more. They could be leveraged by a sophisticated actor to gain initial network access to the\r\nrelevant corporate’s network.\r\nLeaked Credentials – Credentials from various breached databases constantly traded and circulating in the\r\nunderground. Mostly, these databases include private and corporate email addresses and associated\r\npasswords, including plaintext ones. 
This data can enable attackers to access the company’s resources and\r\nprovide further malicious activity, such as account takeover attacks, social engineering, phishing and\r\nmalware spreading campaigns.\r\nAll these threats, altogether or separately, can be used in an attack chain aimed to compromise organizations.\r\nSupply and Demand: Threat Actors Specifically Looking for Access to Gaming\r\nCompanies\r\nFor the past two months, we’ve observed several different actors looking for access to networks of gaming\r\ncompanies.\r\nA perfect example highlighting the demand for initial network access to gaming companies is seen in a listing by a\r\nRussian-speaking actor who was looking to purchase multiple types of accesses and databases. This actor\r\nspecifically stated that he was interested in access to developers’ networks of Xbox (Microsoft), Nintendo,\r\nQualcomm, and Apple.\r\nA threat actor stating he is interested in access to developers’ resources of gaming companies in a format\r\n“developer.COMPANY.com” or similar links\r\nAnother example, from December 18, shows a threat actor selling data related to a major Japanese video game\r\ndeveloper, which has recently been disclosed as Koei Tecmo. The listing included FTP credentials – in this\r\ninstance it does not necessarily indicate a network access, rather it provides an access point into the company’s\r\nenvironment. The sample of data posted by the actor included email addresses, which KELA confirmed were\r\nindeed leaked from the company’s server in March 2020 and later offered on Cit0day – a service that operated\r\nhacked databases and provided access to information for a subscription fee. 
Just a few days after the original\r\nlisting, the threat actor decided to release all of Koei Tecmo’s data for free on the same forum that he published\r\nthe original listing on.\r\nAnother instance showed a member of a Russian-speaking underground forum stating that he is ready to buy\r\naccess to big gaming companies anywhere in the world. He claimed he was specifically interested in access to\r\nservers or repositories used for development. Such accesses, as we’ll describe later, are frequently offered for\r\nsale in different underground markets.\r\nA threat actor seeking access to “developments servers to GitHub analogues where they keep their code” of\r\ngaming companies\r\nInterestingly, four days later the same actor offered access to a server of a publisher of online games in Latin\r\nAmerica. It’s possible that these are two unrelated events: the actor was looking for accesses to developers’\r\nresources and separately worked on breaching the Latin American publisher whose access he soon offered for\r\nsale. However, it can also be true that he managed to buy some kind of access and transformed it into the server\r\naccess offered for sale. 
Regardless of the connection of events, or the lack thereof, these two instances (as well as\r\nthe others mentioned above) showcase the fact that threat actors are actively interested in targeting organizations\r\nin the gaming sector.\r\nThe threat actor, previously looking to buy access to gaming companies, is himself offering access to a gaming\r\ncompany’s server\r\nSome other offers that we observed by initial access brokers include access of an unknown type to an online game\r\nof a German developer and access to a cloud storage solution (“analogue of AWS”) used by a major game\r\ndeveloper.\r\nAccess to an online game of a Germany-based developer\r\nAccess to cloud storage solution of a “major game developer”\r\nIn private communication with the threat actor that offered access to the cloud storage solution, he claimed that\r\nthe offer is no longer relevant, but alternatively offered something else – access to the network of a major\r\nJapanese game developer. Seeing that this was offered only in private conversation with the threat actor, we can\r\nassume that the number of threats is greater than actually presented.\r\nSupply: Compromised Accounts\r\nCompromised accounts originate from infected computers (also known as bots), usually infected with banking\r\ntrojans or infostealers. These bots are sold in automated shops, where new listings are added daily, essentially\r\nmaking it very easy for threat actors to attain access to a variety of resources. As one can imagine, a victim’s\r\ncomputer might have access to different services such as corporates’ portals, employees’ internal resources and\r\nplatforms, social media accounts, kids’ school portals, bank accounts, and much more. 
These markets essentially\r\nassist threat actors to attain access to desired services with the click of a button and at a price of a couple of dollars\r\nper bot.\r\nKELA has been monitoring the major underground markets of this type for over 2.5 years and has tracked nearly\r\n1 million compromised accounts of employee- and client-facing resources of the 25 major gaming\r\ncompanies in question – with half of them being listed for sale in 2020 alone.\r\nIt’s important to note that we detected compromised accounts to internal resources of nearly every\r\ncompany in question. These resources are meant to be used by employees, for example – Admin panels,\r\nVPNs, Jira instances, FTPs, SSOs, dev-related environments, and the list goes on and on. As seen in the\r\nexamples below, with a payment of just a couple of dollars a potential attacker can have access to the core areas of\r\na company’s network.\r\nDeveloper-related and Jira credentials collected from the information stealer Vidar, which could indicate some\r\ninternal resources of a leading gaming company are being compromised\r\nAdmin-related credentials collected from the information stealer AZORult, which might indicate some internal\r\nresources of a leading gaming company are being compromised.\r\nVPN and SSO from Vidar, which might indicate some compromised internal resources of a leading gaming\r\ncompany.\r\nFor the past three months, we’ve observed four ransomware incidents impacting gaming companies – three of\r\nwhich were publicly reported. 
In addition, it’s possible that another major gaming developer was attacked, as\r\nSodinokibi (REvil) stated in their interview.\r\nCredentials to internal resources of recently attacked companies – such as VPN, website management\r\nportals, admin, Jira and more – were put up for sale and hence were available for any potential attacker\r\nprior to the cyberattacks that occurred. We also detected an infected computer (bot) which had credential logs\r\nto plenty of sensitive accounts that could be accessed by attackers upon purchase: SSO, Kibana, Jira,\r\nadminconnect, service-now, Slack, VPN, password-manager and poweradmin of the company – all on a single bot\r\n– which strongly suggests that it’s used by an employee of the company with administrator rights. This highly\r\nvaluable bot was available for sale for less than $10.\r\nThough we cannot directly correlate an attack on one of these victims to a bot that was listed in this market,\r\nthis incident still highlights the risk that stands when an organization’s sensitive resources are available for\r\nmalicious use with an investment of just a couple of dollars.\r\nScenario: How Cybercriminals Could Play Around with Compromised Accounts\r\nto Execute a Cyber Attack\r\nTo understand the risk, let’s review a quick scenario of a possible cyberattack that can lead to ransomware\r\ninfection once a compromised account is offered on the underground automated shops:\r\nGoing back a few years, a threat actor would have to spend some time in the reconnaissance phase, carefully\r\nchoosing victims and using multiple tools to get access to a valuable, functioning RDP server belonging to a\r\ncorporation. 
Nowadays, an actor needs to only enter underground marketplaces and purchase a bot containing\r\nRDP credentials (another possible way – access one of the many remote access markets and acquire multiple RDP\r\ncorporate servers for a few hundred dollars).\r\nNext, the potential attacker needs to explore them and proceed with ones that look “interesting” – meaning they\r\nenable access to a network of a large company with significant revenue (and probably from a sector willing to pay\r\nransom – government organizations, for instance, usually do not negotiate with ransomware operators). Finally,\r\nthe actor will attempt to escalate privileges or install further tools in order to gain initial access.\r\nFrom that stage on, once there’s initial access to a specific company, the attacker will usually choose one of two\r\ndirections:\r\nUsing the initial access to deploy ransomware on the company’s network on their own.\r\nSelling it to ransomware affiliates, who will deploy the ransomware themselves as part of a more organized\r\ncrime.\r\nHowever, deploying ransomware is only one of the many different cyberattacks that these cybercriminals may\r\nattempt. This access could also enable them to initiate other offenses such as corporate espionage, fraud, and other\r\nmethods that could cause victims to incur severe financial losses.\r\nSupply: Leaked Credentials\r\nWhen looking at an exposure of a company, unfortunately, employees continue to remain as the main entry point,\r\ndriving us to also analyze the sample companies’ leaked credentials stemming from 3rd party breaches. As of\r\nDecember 2020, we’ve observed more than 500,000 leaked credentials pertaining to the employees of the 25\r\nmajor gaming companies in question. 
In many cases, such credentials are available for free in the underground\r\necosystem, creating another opportunity for attackers to utilize for further attacks that could lead to profits.\r\nWe found that these credentials also include high-profile email addresses such as senior employees and email\r\naddresses which are generally a significant channel in the company – invoice, purchasing, admin, HR-related\r\nemails, support and marketing are only some of the examples we noticed.\r\nIt’s worth highlighting that KELA’s caching capabilities allow visibility into additional context of leaked\r\ncredentials, such as associated passwords to a certain email address, previous leaks of a specific email address and\r\nmore. As part of our regular review, we unfortunately still come across a great deal of re-use of passwords, as can\r\nbe examined in the example below:\r\nThis single (censored) email address was leaked in numerous unique breaches, as well as some of the Collections\r\ndumps (referring here to Collection #1-5), and we can still see that once this user signs up with their corporate\r\nemail address to a 3rd-party platform or website, they are most likely using an identical password across\r\nplatforms. This exact behavior, which is unfortunately widely and commonly practiced, is really a “human\r\nvulnerability” that is continually being leveraged by threat actors, allowing attackers to gain access to services of\r\ninterest.\r\nScenario: Leaked Credentials Are Level 1 in the Attack Process\r\nAs one of the main attack vectors still stands as phishing (also the vector possibly used against Ubisoft), there’s\r\nroom to exemplify how leaked credentials can be easily “translated” into a more significant\r\nattack. Combolists (email address: password lists) as well as databases with credentials originating from previous\r\nbreaches are no news in the Darknet. 
Once an adversary is going through their reconnaissance phase of looking\r\nfor their next potential target and puts their hands on an email address of interest, there are a variety of techniques\r\nthat they may use. For instance:\r\nAn attacker can be seen using social engineering, or phishing attempts specifically tailored to the victim –\r\neither based on the place they work in, or on personal details. The aim is, of course, attaining the relevant\r\ncredentials in order to gain access to services of interest, find an entry point to a targeted network and then\r\nescalate privileges and move laterally.\r\nA threat actor can attempt to perform brute force and dictionary attacks, for which these databases with\r\nplain text passwords are highly useful. Once access was gained to a service of interest – the actor will\r\ncontinue to move laterally to eventually deploy ransomware, as we supposed earlier.\r\nHence, these databases may be highly useful for a potential attacker to perform a variety of attacks. The\r\nexamples presented above reflect the types of threats KELA is detecting on a daily basis and can be used as an\r\nexcellent example of why it’s crucial to educate employees and ensure that they understand the various ways that\r\nattackers may use to enter the organization’s network.\r\nTraining the Targets: What Organizations in the Gaming Sector Should do to\r\nReduce Cyber Threats\r\nThe examples laid out in this blog present the ever-growing threats against the gaming sector that can be leveraged\r\nby threat actors in a cyberattack. Over the years, new sectors will continue to emerge as the main targets for cyber\r\ncriminals. These new targets are generally becoming popular among cyber criminals due to the simple fact that\r\nthey are driving large sums of money. 
For that particular reason, we’ll likely continue seeing new major targets\r\nrise, and organizations will need to prepare in accordance.\r\nOrganizations in the gaming sector have to act fast as they are the new target that cybercriminals are interested in.\r\nThis preparation begins with security training to employees, including:\r\n1. Raising awareness to employees about the risks presented above.\r\n2. Enforcing password changes.\r\n3. Implementing unique password use and MFA policies.\r\n The organizations in this sector will also be required to invest in different measures in order to ensure that they\r\nare protecting all of their different assets. Most importantly, these organizations should invest in ongoing\r\nmonitoring of their assets, to get an external viewpoint of their organization as seen by cybercriminals. By\r\nmonitoring mentions of their assets across the darknet, they will gain the necessary intelligence in order to help\r\nthem better assess their exposure and prioritize security operations.\r\nAs we’ve all been observing – attacks and attackers are becoming more sophisticated and customized to the\r\nvictim. Some attackers try to search for the specific data and information that is relevant to the scope or\r\nindustry of the victim and reproduce the successful attacks. As the gaming industry continues to grow in\r\nrevenue, we will likely continue to detect more threats and attacks targeting the online gaming\r\nindustry. With constant monitoring of their assets’ exposure in the darknet, these organizations can proactively\r\ndetect threats and map out their risk in order to foresee potential weaknesses in their environment.\r\n[1] Excluding Google, Apple and Microsoft. 
We have checked 53 domains which are related to the companies at\r\nissue, meaning not only looked into the companies’ main domains, but also some of their most popular games.\r\nSource: https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/"
	],
	"report_names": [
		"darknet-threat-actors-are-not-playing-games-with-the-gaming-industry"
	],
	"threat_actors": [],
	"ts_created_at": 1775434067,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a764bf11256e7d794171adf0964002a72e58fa17.pdf",
		"text": "https://archive.orkl.eu/a764bf11256e7d794171adf0964002a72e58fa17.txt",
		"img": "https://archive.orkl.eu/a764bf11256e7d794171adf0964002a72e58fa17.jpg"
	}
}