Cybersecurity consultants may have expressed widespread concern about increasing cyber-attacks on hospitals and banks during the pandemic, but new figures suggest that cybercriminals’ biggest targets over the past year have actually been gamers.

Cybercriminals launched more than 246 million web application attacks on gamers and gaming companies during 2020, according to new figures from Akamai Technologies that blamed “relentless” cyber criminals for a 340 per cent surge in attacks compared with the pre-pandemic levels of 2019.

Compare that with the 2 per cent overall increase in web application attacks, and it’s clear that cybercriminals were regularly probing gamers’ systems – and the online games where they spend real money on in-game items like skins, character enhancements and additional levels – to gather both personal data and competitive advantages.

Personal information such as email addresses, passwords, login details, and geolocation information are subsequently being sold on darkweb markets – where, Akamai security researcher and author of the new Gaming in a Pandemic report Steve Ragan said, the information is being used to compromise servers and steal yet other information for use in additional hacks.

“Criminals are relentless, and we have the data to show it,” he said.

“We’re observing a remarkable persistence in video game industry defences being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information.”

Credential-stuffing attacks were particularly common – increasing by 224 per cent year-on-year and, with 10.85 billion attacks observed, representing 6 per cent of all attacks during 2020.

This included SQL injection targeting databases of gamer details – which comprised 59 per cent of attacks alone – and deceptive offers that steal details in bulk, then use the details to access other gaming, personal, and business applications.

In January, security analysts at Kela Research found more than 1 million compromised accounts from gaming-company employees and customers, half of which were offered for sale online last year.

Those lists often have long shelf lives, with cybercriminals recycling them to be tested against each major new breach as it’s announced.

No longer just about winning the game

The surge in attacks on gamers and gaming companies reflects a surge in gaming during 2020, when hundreds of millions of locked-down customers turned to gaming to pass the time.

One Nielsen survey, for example, found that 82 per cent of consumers were playing video games and watching gaming content during the lockdowns in early 2020 – with a 63 per cent surge in game sales propelling the market to be worth an estimated $210 billion ($US159b) last year, more than the movie and music industries combined.

Time spent playing fighting games increased by 30 per cent last year, with multiplayer online battle arena and ‘battle royale’ games – which involve online activity, credentials, and purchases of extra content – up by around a quarter.

This increased activity set them up for exposure to cybercriminals – whose increasing interest in credential theft also saw a nearly 20 per cent drop in distributed denial of service (DDoS) attacks – a long-time favourite of gamers trying to disrupt their rivals’ online play, or to shut down a particular gaming service.

Yet cybercriminals weren’t necessarily targeting the gaming industry from outside: “while their intentions are malicious,” Ragan wrote, “they are still people.”

“They talked to each other, they played games, and in some cases this social bond meant they coordinated their efforts” with a wealth of online tutorials and hacking forum discussions suggesting that many had come to see hacking the game, as being the game itself.

This change in focus reflects a growing climate in which gaming companies – and the extremely valuable intellectual property they develop and manage – have become favoured targets.

Just last month, gaming giant Electronic Arts became the latest victim in hackers’ crusade against gaming companies, with hackers stealing a claimed 780GB of data including the source code for its FIFA 21 soccer game and its Frostbite gaming engine.

The code was found listed for sale on several darkweb forums, with the thieves restricting responses to “serious and rep [reputation] members” of the online forums.

“Gamers are a focused, highly engaged, and motivated demographic,” Ragan noted. “Criminals, on the other hand, are cold and ruthless – and gamers, as well as gaming companies, are some of their favourite targets.”

“The main driver behind the increase in attacks isn’t new customers; it’s persistent criminals.”