How hackers are using Clash Royale to launder money

Credit card thieves are using free-to-play applications – such as the Supercell games (Clash Royale and Clash of Clans) and the Marvel Contest of Champions – to launder money. The review was made by Kromtech Security on the German security company’s corporate blog, and I explain how this can happen (and work!).

In short, criminals create fake profiles to buy items that improve the user’s in-game performance with stolen cards. The accounts are then resold to legitimate players. In practice, by buying “up” accounts of “cardholders,” as they are called, by lower values, players save money.

How hackers are using Clash Royale to launder money
  • Save
Now, the whole story, or almost it. The report is on the Kromtech Security blog.

The mechanics of free-to-play games

 If you’ve played a free-to-play, you know most of them need resources for their character to advance to new arenas. They can be gems, gold coins or power-ups, but these features are needed to win. Collecting alone is a slow process that can take months to level up.

We know that there is no free lunch and it is with “In-App purchases” that game developers make money. Accelerating their evolution in the game is a strong incentive to spend on so-called “virtual goods”. Believe me, a lot of people spend a lot of money on that. Enough to turn free-to-play games into a multibillion-dollar industry and Battle Royale games for Android and iOS ( iPhone ) into a fever. 

We get to the point where the washing machines … money with games are connected.

Resale of accounts and virtual goods

Many of these “virtual goods” still retain their post-purchase value. Once purchased, features can still be traded with other players. The game (progress history) can also be transferred and, because of that, the resources won or bought, taking the progress of the game to very advanced levels, can also be resold. It is this sale that opens the door to illicit activities.

The researchers discovered in 2018 a strange database exposed to anyone, without password or login, on the open source platform MongoDB, including credit card numbers (stolen or cloned).

According to the estimate, the system processed approximately 20,000 stolen credit cards in just 1.5 months (from late April through mid-June 2018).

The entire scheme used a complex automated system involving free-to-play games, resale sites and Facebook pages to launder money from cloning credit cards. In theory, there is nothing to stop it. To be able to buy items in games, very little information is enough. An email, date of birth, name and other data (all fake) and information from a credit card.

Which games are used to launder money?

The most attractive games for the criminals were only three; two from Supercell (Clash of Clans and Clash Royale) and one from Kabam (Marvel Contest of Champions). The system brought together more than 250 million users, generating about $330 million per year.

The company notes that games were not the most popular and scaling this scheme to other applications makes the potential market grow by billions of dollars a year. These games have many offers of buying and selling accounts on sites like

In these, it is also easy to create accounts automatically on a large scale. With the automated account creation process, the system automatically changed card numbers until it found a valid card, had resource bots, automatically posted the items for sale on the websites, worked with a digital wallet for order processing, and managed several phones to take care of.

The end result was an automated money laundering tool for credit card thieves. The system used Apple account IDs, which require a valid email, password, date of birth and three security issues to be created. Email accounts also require little verification from providers.

Risk of losing your account and being robbed

The companies involved are struggling against the exploitation of their platforms and games and have policies to prohibit the irregular use of IDs, but it does not seem to be enough. Supercell, the company behind Clash of Clans and Clash Royale, claims that as a consequence of misconduct: buying gems or diamonds from “outsourced vendors” can lead to revocation of the coin in the game and even get your account banned permanently without prior notice or support.

Game makers also warn:

In a variation of illegal action, websites and individuals can offer “In-App” shopping items at cheaper prices. But cheap can be expensive. They request login and password data such as Apple ID and Google Play credentials to access their game account and make purchases using stolen credit cards. By doing so, you are giving access to your account and often it can be stolen and resold to other players.

So do not buy, sell, and do not engage in “breaking” of rules in games.

Leave a Comment

Share via
Copy link