Call of Duty players seeking out third-party “cheat” software to manipulate the popular first-person shooter game were among the victims of a targeted phishing attack, cybersecurity firm VX Underground said on Wednesday.
The attack also targeted players seeking “pay-to-cheat” software for use on Activision Blizzard’s Battle.net, the PC platform for games like World of Warcraft, Overwatch, and Diablo. The cheat software installed crypto-drainer malware onto the user’s computer, harvesting information that could be used to swipe coins from their Bitcoin wallets.
“Over the past couple of days, we have become aware of malware targeting gamers!” VX Underground said on Twitter. “More specifically, a currently unidentified threat actor is utilizing an ‘info stealer’ to target individuals who cheat (pay-to-cheat) in video games.”
According to VX Underground, the crypto-draining malware potentially impacted more than 4.9 million accounts in total, including nearly 3.7 million Battle.net accounts, over 560,000 Activision accounts, and about 117,000 ElitePVPers accounts.
“Over the past couple of days we have become aware of malware targeting gamers! More specifically, a currently unidentified Threat Actor is utilizing an infostealer to target individuals who cheat (Pay-to-Cheat) in video games. A Call of Duty cheat provider (PhantomOverlay) was…” — vx-underground (@vxunderground), March 27, 2024
Crypto wallet drainers are malware that, once installed, target a user’s hot wallet, whether it runs as a desktop application on their computer or as a browser extension. In January, cybersecurity firm Kaspersky warned Mac users of an exploit targeting Bitcoin and Exodus wallets.
VX Underground said the drainer in this case targeted Electrum Bitcoin wallets, but acknowledged that the exact amount stolen is unknown.
“The scope of the impact is so large, and in a bizarre twist of fate, Activision Blizzard is coordinating with cheat providers to aid users impacted by the massive info stealer campaign,” they said.
Also included in the malware attack were cheat providers UnknownCheats and PhantomOverlay, which had 572,831 and 1,365 compromised accounts, respectively. As VX Underground explained, PhantomOverlay was alerted to the attack by users who reported unauthorized purchases.
“When Elite PVPers was approached by PhantomOverlay administrative staff about the compromised accounts, Elite PVPers confirmed they have identified 40,000+ valid user accounts compromised,” VX Underground said.
VX Underground did not immediately respond to Decrypt’s request for comment.
A spokesperson for Activision Blizzard emphasized that the attack was not limited to their games and platforms, and was not directly related to their own servers.
“There have been claims that some player credentials across the broader industry could be compromised from malware from downloading or using unauthorized software. Activision Blizzard servers remain secure and uncompromised,” the spokesperson told Decrypt in an email.
“Our priority is always player account security,” the Activision statement continues. “If players believe they may have clicked on a suspicious link or if they want to ensure their account is protected, they can change their password and follow recommended best practices here, such as adding [two-factor authentication].”
At the time of writing, VX Underground still did not know how the hackers delivered the malware, but malware is typically delivered through malicious websites, phishing emails, or messages that install programs on the victim’s computer once clicked.
Other forms of malware—for example, cloned websites—drain wallets after the victim signs a transaction in their browser wallet, unwittingly giving the hackers access to their funds and NFTs.
On Tuesday, the founder of Bitcoin Ordinals project Ordinal Rugs said they were the victim of a wallet drainer phishing attack targeting the Bitcoin Rock Discord server. Thieves stole 1.47 BTC (around $103,003) and 4 BTC (around $208,196) worth of Ordinal inscriptions from the wallet of the pseudonymous founder, Archon.
“No funds/accounts/logins related to [Ordinal Rugs] were affected… this was just my own personal wallet and I only have myself to blame here,” Archon said on Twitter. “Needless to say, I will not allow this to happen again.”
Edited by Andrew Hayward