Gnosticplayers: A Tale of Hacking Mobile Apps and Profit
In the summer of 2019, the login information of over 170 million accounts associated with the mobile game developer Zynga was stolen. For those unfamiliar, Zynga is one of the largest mobile game development studios, responsible for titles such as Draw Something and Words with Friends. In September of 2019, Zynga admitted that the information of over 170 million accounts, registered mainly with those games, had been stolen. The hacker stole the information and sold the accounts and their details on the deep web. The breach cost Zynga revenue and led to a class action lawsuit against Zynga by those who had their data stolen.
The Origin of the Hack
The hack was committed by an anonymous hacker who goes by the name of Gnosticplayers. After Zynga held a press conference in September 2019, Gnosticplayers contacted the popular security publication The Hacker News. He informed the publication that he began the breach by hacking Words with Friends. Anyone who had downloaded and registered in the game before September 2, 2019, had their information stolen.
Type of Hack and How a Computer Was Used
The type of hack is not ransomware or malware; it is more traditional information stealing, known as cyber-trespassing and theft.
How the Hack Was Exploited
Neither Zynga nor Gnosticplayers has given any details on how the hack was performed. This is not Gnosticplayers' first time stealing account information from mobile and online games. In early 2019, he stole the information of over 620 million users from various websites. Because the hack was a data breach, Gnosticplayers likely exploited outdated or older software. From there, he was able to steal the account information, store it on his computers and upload it to an illegal marketplace on the deep web. According to The Hacker News, Gnosticplayers is from Pakistan, making it harder for US law enforcement to catch him.
The other notable thing about stolen account attacks is that it usually takes companies a few days to a few weeks to even realize they were hacked on a massive scale. It also takes companies a hefty amount of time to make the fact that they were hacked public. Even after they do, many users are complacent and have a "well, my account wasn't hacked" mentality, so they do not change their passwords. This means that if the accounts are sold quickly enough, the buyers can take possession of them and change the passwords before the owners react.
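Since users rarely change passwords after a breach, a site that wants to limit the damage from stolen credentials like these can check submitted passwords against a breach corpus without ever sending the password itself. The example below is added here and is not code from the original article or from Zynga; it implements the k-anonymity range scheme used by the Pwned Passwords API (uppercase SHA-1, 5-character prefix sent, "SUFFIX:COUNT" lines returned) against a constructed, in-memory stand-in for the range response, so it runs offline. The suffix counts and the unrelated suffix in SAMPLE_RANGES are made up for this example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a k-anonymity "range" response, keyed by the
# 5-character SHA-1 prefix. A real service returns every known suffix in
# that range with a breach count; only the prefix ever leaves the client,
# so the plaintext password is never transmitted. Counts are made up here.
SAMPLE_RANGES: Dict[str, List[str]] = {
    "5BAA6": [
        "1D2F5A7C3E8B9A0C4D6E7F8091A2B3C4D5E:2",       # unrelated suffix, constructed
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493", # SHA-1 suffix of "password"
    ],
}


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_lines: List[str]) -> int:
    """Look up `suffix` among "SUFFIX:COUNT" lines; return 0 when absent."""
    for line in range_lines:
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def breach_count(password: str, ranges: Dict[str, List[str]] = SAMPLE_RANGES) -> int:
    """How many times the password appears in the (constructed) breach corpus."""
    prefix, suffix = split_hash(password)
    # An unknown prefix simply yields an empty range, i.e. no known exposure.
    return count_in_range(suffix, ranges.get(prefix, []))


def should_force_reset(password: str, ranges: Dict[str, List[str]] = SAMPLE_RANGES) -> bool:
    """Policy used at login/registration: any breach exposure blocks the password."""
    return breach_count(password, ranges) > 0


if __name__ == "__main__":
    for candidate in ("password", "xK9#v!unlikely-passphrase-2024"):
        print(candidate, "->", breach_count(candidate), "reset:", should_force_reset(candidate))
```

In production the `ranges.get(prefix, [])` lookup would be replaced by an HTTPS request carrying only the prefix; the rest of the logic, including the decision to force a reset at next login, stays the same.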
The Actors and Sophistication
The actor behind the attack is none other than a hacker who refers to himself as Gnosticplayers.
Gnosticplayers might be one user, but law enforcement and hacker media have theorized that it may be more than one person.
The most interesting thing about Gnosticplayers is that, unlike most criminals who wish to remain anonymous, he boasts to the media after he commits his cybercrimes, almost as if he were an online version of Son of Sam. The reasons for doing this are not only to gain notoriety but also to attract buyers on the deep web.
The Motive: Why People Purchase Stolen Accounts
We know the motive for Gnosticplayers is to profit from selling the stolen accounts. But why does his market exist? When these accounts are stolen, they are sold on an illegal marketplace for an average of $15 (usually in Bitcoin).
This seems baffling. Currently, there is a trend of hackers stealing accounts for AAA video games such as Fortnite and selling them on the dark web. People purchase these accounts so they can have the items and achievements that are already unlocked. However, mobile games like Words with Friends, Draw Something, and others aren't exactly competitive games like Fortnite. There is nothing to unlock: no custom skins, no achievements, nothing. Words with Friends is literally Scrabble, so what would buyers want with these accounts? We weren't able to find a specific answer. My theory is that people are buying these accounts in order to launder money.
How Darknet Markets Work
During his previous hacks, Gnosticplayers would sell the stolen accounts on a darknet market known as Dream Market. Dream Market was shut down in April of 2019. It was a replacement for previous darknet marketplaces such as Silk Road, AlphaBay and Hansa. Websites like Dream Market allow users to buy and sell stolen accounts, passwords for websites, illegal drugs, stolen goods, counterfeit items, weapons and more. It's like eBay for criminals. The websites are usually hosted in foreign countries as Tor onion services. Goods are purchased using cryptocurrencies, with Bitcoin being the de facto currency accepted at most markets.
Many more of these darknet markets exist, but they operate on a very underground level and are difficult to find. Because most of these markets operate in foreign countries, they are usually taken down by global task forces, which end up forcibly seizing the website.
The big lesson for Zynga is that, as one of the largest mobile developers, it has to stay on top of its cybersecurity. Hundreds of millions of users from around the world have downloaded and installed its games. It cannot have weak security that can be exploited by a random hacker.
Gnosticplayers' 2019 hack of Zynga is part of a growing trend of large mobile and gaming hacks. Hackers are finding security weaknesses in mobile apps and gaming software, exploiting them to steal information, and selling it on the deep web for an illegal profit. These hacks are a form of cyber-trespassing and theft, since the hackers are trespassing in areas they are not supposed to be, such as data servers and game hosting servers, in order to steal account information and sell it on the deep web for a profit.
References
Dark Web Link. (2020, April 10). Top Darknet Markets List. Retrieved from Dark Web Link: https://darkweblink.com/top-darknet-markets-list/
Darknet Markets. (2020). Darknet Markets. Retrieved from Darknet Markets: https://darknetmarkets.org/
Hern, A. (2019, December 19). 170m passwords stolen in Zynga hack, monitor says. Retrieved from Guardian UK: https://www.theguardian.com/games/2019/dec/19/170m-passwords-stolen-in-zynga-words-with-friends-hack-monitor-says
Holt, T. (2016, June 22). Buying and selling hacked passwords: How does it work? Retrieved from The Conversation: https://theconversation.com/buying-and-selling-hacked-passwords-how-does-it-work-60894
Holt, T., Bossler, A., & Seigfried-Spellar, K. (2018). Technology and Cybercrime. In T. Holt, A. Bossler, & K. Seigfried-Spellar, Cybercrime and Digital Forensics: An Introduction (pp. 22-23). Oxon: Routledge.
Jareth. (2020, February 20). How do hackers make money from your stolen data? Retrieved from Emsisoft: https://blog.emsisoft.com/en/35541/how-do-hackers-make-money-from-your-stolen-data/
Khandelwal, S. (2019, September 29). Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data. Retrieved from The Hacker News: https://thehackernews.com/2019/09/zynga-game-hacking.html
Khandelwal, S. (2019, March 17). Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On Dark Web. Retrieved from The Hacker News: https://thehackernews.com/2019/03/data-breach-security.html
Lyons, K. (2019, December 19). Zynga hack affected 170 million accounts. Retrieved from The Verge: https://www.theverge.com/2019/12/19/21029682/zynga-hack-words-with-friends-draw-something-password-data-breach
Pagliery, J. (2013, October 2). FBI shuts down online drug market Silk Road. Retrieved from CNN: https://money.cnn.com/2013/10/02/technology/silk-road-shut-down/index.html
Smith, S. V. (2018, February 22). Take A Peek Inside The Market For Stolen Usernames And Passwords. Retrieved from NPR: https://www.npr.org/2018/02/22/588069886/take-a-peek-inside-the-market-for-stolen-usernames-and-passwords
Troia, V. (2020, January 1). GnosticPlayers Part 1: An Overview of Hackers Nclay, DDB, and NSFW. Retrieved from Data Viper: https://www.dataviper.io/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/
Zynga. (2019, September 12). Player Security Announcement. Retrieved from Zynga: https://investor.zynga.com/news-releases/news-release-details/player-security-announcement