PC Gaming’s Grey Market

(aka “What, Officer? It fell off a truck!”)

If you’re interested in the arcana of PC gaming sales and fraud in the games industry: I hope all three of you find something interesting in this post.

First, some background…

The PC gaming ecosystem is amazing. It’s where I’ve spent an embarrassing amount of my life, going back to when I was a kid. I’ve been building online games there the whole time and wouldn’t trade it for anything. The unique combination of open platforms and open commerce have allowed people to build a veritable cornucopia of services that create real benefits for gamers.

When smart people are all able to build, with no barriers to entry, magical things result.

As with any open platform, in addition to the good actors who create universal benefits, you also get overtly bad actors seeking to benefit from doing harm, as well as neutral actors who may not do bad things themselves, but they do enable bad behavior.

Taking the bad with the good is part of any open ecosystem. It’s inevitable. However, some of us feel strongly about shining a light on the bad, and those in the neutral who profit from enabling the bad, while still believing that open is the best way to go.

Keys and open markets: Black, White, and Grey

In games, much of the grey market revolves around “keys.” Digital representations of the right to play a game, or virtual items inside of games. Once those became widely used, it didn’t take long for enterprising outsiders to find ways to profit, creating new markets for their sale and resale. In itself, a great concept. As long as it’s done legally, and not harming others in the ecosystem.

In a good use case, the grey market for keys would involve people buying legitimately and reselling, widening the audience for games, and everyone benefiting. Sure, there might be some small number of people getting things for more cheaply than they otherwise could due to regional pricing differences, but in general, a net positive.

In reality, the most common use of “the grey market” is bad actors using stolen credit cards, stolen PayPal accounts, hacked steam accounts, and so on, buying up digital keys for games, then selling them on services who profit from each transaction.

In some cases, including one we helped shut down earlier this year, the “markets” aren’t actually markets at all. They’re the customer-facing site for people committing direct fraud, to sell digital goods that they fraudulently bought themselves. (In the US and most of Western Europe, the authorities act quickly, and companies like this are usually extinguished before they can take root.) There’s no other way to put it: They’re blatantly stealing, then selling what they stole.

In other cases, the markets really are neutral markets — They’re just extremely convenient destinations for those who are doing the theft. This is the area in particular that’s become the hot topic: Where should the lines be drawn? Who’s to blame, the platforms or the actors? What responsibilities do markets have to their own customers? To others in the ecosystem that’s benefiting them?

Why is this suddenly a thing?

This became a topic earlier this year, following an incident where a large grey market seller of game keys was found to have sold off $450,000 of fraudulently obtained digital key inventory.

I’ve spent a lot of time dealing with fraud-related topics in online games, running digital storefronts, and partnering with legitimate resellers, for online games that have made hundreds of millions of dollars. Not at all to brag, but as a way to say: I’ve spent vastly more time on this topic than I ever cared to.

Put bluntly, I’ve seen some shit.

Fraud is a real topic, and one that’s exploded in the last few years as hackers get better (some even operating with state sponsorship), as more sites leak credentials, as more stolen credit cards go up for resale than ever before. Some details of which I discussed in a chat with the same site.

The site approached me for a follow-up Q&A yesterday, in which I added some further thoughts on the state of the world in the six months since.

They did a solid job, and I wanted to share some details from our chat that didn’t make the cut.

On creators protecting themselves

To be clear — My opinions are drawn from my experience in online games in particular, specifically with the games I’ve worked on and the investigations my teams have personally been involved in. The grey market may be perfectly ideal for everyone other than me and the developer who saw that half a million dollars of fraud. But I doubt it.

I think when you look at who you choose to work with, you have to look at both what they’re doing as well as how they’re going about it. Make the decision that’s right for you, just do it with open eyes.

With that, here’s some of what didn’t make the cut.

Q: How do you feel about G2A Direct, the partnership scheme under which G2A give an 89/11 revenue split with developers for direct, approved sales of their games, and the ability for developers to query third-party keys listed on the market if they suspect fraud? (More information: http://www.pcgamesn.com/g2a-direct)
 
A: I think it’s important to them to give what they do a veneer of legitimacy, following being revealed as the leading fraud-driven game site on the internet. That said, the protection racket pitch isn’t compelling to me. “No, we won’t prevent people from listing fraudulent keys for your games even though we easily could. But, sign this agreement with us (and let us include your name in an announcement, because we really want to appear legitimate), and you can do extra regular work to protect yourselves from us!”

I love mafia stories as much as the next guy, but I prefer their business model on TV, not in my email.

Q: As well as developer queries via G2A Direct, G2A told us their anti-fraud measures include algorithms to check key listings against their game’s SRP and sources like SteamSpy, as well as human analysis.
How much progress do you feel has been made since the TinyBuild affair, and do you feel G2A are now doing enough to flag suspicious keys?

 

A: Couldn’t really say. It’s not relevant to us anymore. Because of them and sites like them, we’ve moved away from keys in favor of direct backend platform integration with our partners. That allows us to do digital sales and pricing that’s relevant to a wide range of regional economies, in a way that protects us and our partners from parasites.

I do feel very badly for the developers it continues to impact, and for those whose only recourse is to become party to a blatant protection racket.

Q: For the consumer, is it possible to assess the quantity/percentage of fraudulent or defective keys on G2A so as to calculate the risk of buying there?
 

A: If it were, would they aggressively upsell a nearly impossible-to-cancel service to protect people from their own platform? Grabbing one article from your site — 16 clicks? Reports of users having to cancel credit cards to get out of it? I’m not seeing a lot of “legitimate” here yet.

Q: Roughly how many audits/checks did you do? Could you explain briefly how your auditing process works and was able to determine that not a single key was legitimate?

A: It’s just a normal part of how we operated. Every time we saw a batch go up on one of the fraud sites, we bought one. 
 
Once we had the key in hand we knew exactly which partner we issued it to, when, and what the price should have been. And then we can see what actually happened with it. Invariably, that key was purchased with either a hacked paypal, stolen CC, or region exploit. 
 
That’s how the “grey” market works for online games. (And, to my point in the bigger reply, also how gold sellers work. This has been the case since 2001.)
 
That it’s called “grey” at all is in reality pretty preposterous. A guy selling unrealistically cheap electronics out of the back of his van is not a “grey market for car stereos.” It’s selling stolen goods. Whether he personally stole them or not isn’t really relevant.

Q: Has your impression of G2A changed since the summer? Do you feel they are sincere when they say they want to improve? Why/why not?
 

A: I don’t spend time pontificating on the motives behind someone changing their model to “somewhat less theft than before.” My goal has been to render them irrelevant to us, which we’ve been very successful at doing.

Wow. That’s some strong words

When someone tells you: “I could easily stop hurting you right now, but I won’t unless you let me keep making money off of you,” there’s a word for that, and it’s not “partnership.”

For developers, especially small ones trying to eke out a living, their jobs are hard enough as it is. Help them out. Support them whenever you can.

If you want to play a game, please think about supporting a developer. Buy from them directly, or from their primary source partners like Steam, Amazon, GMG, and others. Every sale they make that way helps them keep making games for you to enjoy, and it means the world to all of them.

Now that that’s all out of the way — Happy holidays! I hope this season brings all the best to you and yours, and we all find ways to go forward, in genuine partnerships, making greater and greater things together.