Fueled by the growth of Internet games and their make-believe economies, consumer use of “virtual currency” has rocketed in recent years, creating what law enforcement officials and others say is a multibillion-dollar new territory for crooks to exploit.
In many cases, the play money is bought with and exchanged for real cash. Yet experts say it’s often poorly protected from hackers. And when someone is victimized, seeking compensation from the sites where the virtual funds were obtained can prove an exercise in futility, said Adam Wosotowsky, a researcher at Intel (INTC)’s computer-security operation, McAfee Labs.
“The currency itself isn’t backed by the full faith and credit of a government entity,” he said. “Your ability to get legal backing if you’re scammed … is somewhat limited.”
Popularized over the past dozen years, most virtual currencies are for playing Internet games and purchasing items associated with them. But the currencies increasingly are being used to buy other online products, such as music and movies, and some exist mainly as alternatives to government-regulated money.
With millions of people playing online games, Javelin Strategy & Research estimates the amount of real money spent on virtual currency and related goods by U.S. consumers alone has surged from $1.9 billion in 2009 to a projected $3.7 billion this year and $4.9 billion in 2013 — sums that have attracted criminal elements.
It’s unclear how often consumers are ripped off, in part because experts say police rarely investigate or track such incidents. But of 1,500 online gamers surveyed a few years ago by the European Network and Information Security Agency, 30 percent “had lost something of value and only 25 percent of those had recovered the items.”
Blaming most of the losses on crooks who seized and often sold the virtual assets after hijacking the players’ passwords, the agency warned, “the failure to recognize the importance of protecting the real-money value locked up in this grey-zone of the economy is leading to an exponential increase in attacks.”
In a report in April, the FBI cited two thefts involving bitcoins, a virtual tender accepted as payment by a number of online vendors. One victim in June reported that someone broke into their online wallet — a data file that stores the currency — and stole bitcoins worth $500,000 in real money. Three months before that, a similar heist netted more than $5,000, the FBI added, noting that “as long as there is a means of converting bitcoins into real money, criminal actors will have an incentive to steal them.”
In March last year, a British hacker received a two-year prison term for stealing virtual poker chips from a game hosted by San Francisco-based Zynga and peddling the chips for more than $85,000 in real cash. In addition, some players of Zynga’s YoVille game this year reported that their virtual goods were stolen.
Other people have suffered losses when the virtual banks holding their virtual money were robbed or the bank’s deposits were depleted by a sudden spate of withdrawals. Thefts of virtual items have even resulted in violence. A few years ago, a Chinese man was convicted of murdering someone who stole and sold his virtual sword.
Because virtual assets often can be exchanged for real money — frequently through third-party websites and black markets — many people participate in the games hoping to earn a profit.
One player of the online game Entropia Universe reportedly netted more than a half-million dollars. After buying a virtual space station for $100,000 — money he got by mortgaging his real house — he sold the station five years later in 2010 for $635,000 in real currency.
Moreover, thousands of “gold farmers” make a living by playing the sites “and selling the resulting virtual assets to wealthier players,” according to a 2011 report by The World Bank. But that cottage industry also has been targeted by hackers, who “break into players’ and gold farmers’ game accounts, steal the currency and sell it for real money to wholesalers and retailers,” it said.
Experts advise anyone conducting virtual-currency transactions to do so on computers bolstered with antivirus software and other protections from hackers. In addition, Alisdair Faulkner, chief products officer of San Jose security firm ThreatMetrix, recommends only playing sites known to be reputable.
“It’s like any type of commerce,” he said. “Go with brands you trust.”
However, avoiding problems can be difficult, given some of the schemes cybercrooks use, said Larry Ponemon, who runs a data-protection research institute in Michigan. He recently discovered malware that had been built into some virtual currency, which the average person would never notice.
“Basically, a lot of these technologies are grossly insecure,” he said of virtual worlds. “You have to be careful.”
Contact Steve Johnson at sjohnson@mercurynews.com or 408-920-5043. Follow him at Twitter.com/steveatmercnews
Taking care with virtual currency:
Anyone playing online games with virtual currency should heed these tips, according to McAfee Labs researcher Adam Wosotowsky:
