Cybersecurity Threats From Online Gaming – Analysis


By Prateek Tripath

From the emergence of the video game “Pong” in 1972 to the release of “Hogwart’s Legacy” in 2023, the video gaming industry has come a long way. With a revenue of over US$227 billion in 2022, gaming is no longer the niche industry it was once thought to be. The number of gamers in the world is expected to reach a figure of 3.32 billion by 2024. This recent surge in growth has, in a large part, been a result a of the COVID-19 pandemic when the market expanded by about 26 percent between 2019 and 2021.

However, this popular form of recreation has also imperilled cybersecurity. There has been a surge in cyberattacks on the gaming sector, with an increase of 167 percent in web application attacks in 2021 alone. In 2022, the gaming industry became the biggest target of Distributed Denial of Service attacks, accounting for about 37 percent of all such attacks. Account takeovers, cheating mods, credit card theft, and fraud are all issues faced by gamers on a regular basis. The most alarming development, however, was the leaking of secret documents in April 2023 containing confidential US Intelligence on a videogame chat server, in what has come to be described as the worst Pentagon leak in years. This just goes to show how ignorance of this threat could have unforeseen and potentially catastrophic consequences, even from a national security perspective.

Mining Pentagon data 

In April 2023, several highly classified documents, some even marked “Top Secret”, were leaked on a Discord server, dedicated to “Minecraft”, a popular video game. The data later found its way to social media platforms like Twitter and Telegram.

The documents contained sensitive information such as Ukraine’s status in its ongoing conflict with Russia, potential problems with Ukrainian ammunition supplies, and the losses sustained by the Russian military. Apart from this, they also provided a strong indication that the United States (US) has been spying on its allies, particularly Israel and South Korea. The motivation behind the leaks remains unclear, but it seems to have originated from an online spat between two players over the Ukraine conflict. One of the users, a 21-year-old US National Guard airman Jack Teixeira, seemingly posted the classified documents to win the debate. Reportedly, the leaks began in February 2022 in a Discord group called “Thug Shakers Central” created by Teixeira, and later spread to other Discord servers and social media platforms.

This has come about in part due to the US military’s recent attempts to identify and engage Gen Z recruits using online gaming platforms like Discord, which already runs a 17,000-member server for service members to talk about first-person shooter games and participate in the so-called “Army of Tomorrow.” It is part of the Army Recruiting Command’s army e-sports programme, which is designed to unite the army and general population through a shared passion for gaming.

In-game currency, gambling laws, and money laundering 

With the rapid increase in the popularity of video games, developers have found new ways to monetise them as well. This has led to the creation of virtual or in-game currencies, which can be purchased using real money, usually via the use of credit cards. These can further be used to conduct “micro-transactions” or purchase “loot boxes”. Micro-transactions refer to small in-game transactions that unlock specific content or features, which can be purely cosmetic like outfits and shaders, or items affecting gameplay like experience boosts and weapons. A loot box is a variant of a microtransaction in which a player can purchase a virtual item or a “loot box,” which further contains a randomised selection of virtual items such as cosmetics. The catch is that the player does not know what they are going to get in advance.

In-game currency and loot boxes have become the source of a lot of controversy lately since they have evolved into a form of predatory monetisation by greedy developers, especially when it comes to minor players. They have been declared outright illegal in several countries, which now consider them to be a form of online gambling. For instance, in 2018, the Belgian government banned the purchase of “FIFA points” (an in-game currency) in the famous football franchise “FIFA” made by one of the biggest video game developers in the world, “Electronic Arts.” In February 2023, Austria followed suit and declared FIFA packs as “illegal gambling”.

Another outcome of micro-transactions and the increasing value of in-game items has been the rise in the cases of money laundering via the medium of video games. The virtual economy of video games has become a flourishing market online, with examples of items costing millions of dollars. This has made them a prime target for money launderers. Gaming marketplaces provided by games like “Call of Duty” are often overcrowded and hard to monitor. Launderers can purchase in-game currency or items using a pre-paid, single-use credit card and subsequently put these up for sale on third-party websites, where it is purchased by enthusiastic gamers, usually via cryptocurrency like Bitcoin, and the seller receives his payment immediately. This transaction leaves behind no trace of the identity of the seller or their source of income. For instance, in May 2023, India’s Enforcement Directorate conducted a nationwide crackdown on foreign registered online gaming companies suspected of laundering INR 4,000 crores. These companies were registered in tax havens like Curaçao, Malta, and Cyprus, and all of them were linked to Indian bank accounts opened in the name of proxy persons with no links to online gaming activity. 

Current policy framework around online gaming 

In April 2023, the Ministry of Electronics and Information Technology (MeitY) notified the new rules for online gaming that divided online games into two categories: Online real money games, which are registered with Self-Regulatory Organisations (SROs), and those that do not involve real money. The new rules banned all online games involving betting and wagering. They further defined online gaming intermediaries and their obligations with a focus on Know Your Customer norms, parental consent, and grievance-redressal mechanisms. Finally, the rules declared the appointment of three SROs comprising industry representatives, educationists, and other experts, who will be responsible for deciding which online games are permissible.

These rules are a good beginning but inadequate to contend with the issues threatening this sector. They only focus on games that involve real money and wagering, and thus are drastically limited in their scope. Most online games nowadays are riddled with micro-transactions and, thus, can easily circumvent these rules. Games can just offer prizes in virtual currency and completely bypass these laws. Moreover, there is no mention of loot boxes in these rules and, therefore, they remain completely legitimate. Purchase of FIFA points, for example, remains legal within India. There needs to be a discussion on whether allowing loot boxes in video games amount to gambling and what kind of impact it has on players, particularly children and minor users. The plethora of cases on this issue reported from around the world can provide ample guidance to lawmakers.

The issue of money laundering using video games also needs to be addressed. The MeitY must consult the Ministry of Law and Justice, the Ministry of Finance, and industry experts to frame laws to deal with this issue. There is also an urgent need to figure out a way to trace these virtual currency transactions and differentiate them from regular transactions. India can perhaps work with other like-minded partners to tackle this novel and potentially dangerous avenue for laundering money.


The online gaming world has provided cybercriminals with a new avenue to conduct nefarious activities. What started with cheating in competitive online games and stealing credit card information, has now evolved into money laundering schemes and military leaks threatening national security. There is an urgent need for governments and policymakers around the world to start paying more attention to the online gaming industry and the escalation in cybersecurity threats surrounding it. Online gaming is one of the fastest-growing sectors in the global entertainment and media industry and provides a powerful new platform to unite people from all around the world. Consequently, we need to ensure that the industry continues to grow in a safe and responsible manner, and the bad actors looking to tarnish the experience for others are dealt with accordingly.

About the author: Prateek Tripathi is a probationary Research Assistant with the Centre for Security, Strategy and Technology at the Observer Research Foundation.

Source: This article was published by the Observer Research Foundation

Observer Research Foundation

ORF was established on 5 September 1990 as a private, not for profit, ’think tank’ to influence public policy formulation. The Foundation brought together, for the first time, leading Indian economists and policymakers to present An Agenda for Economic Reforms in India. The idea was to help develop a consensus in favour of economic reforms.

Leave a Reply

Your email address will not be published. Required fields are marked *