Developer Accuses G2A Of Profiting At Their Expense

One of the largest differences in today's world of gaming is the way digital marketplaces have flourished and made the market more accessible for developers and gamers over the last ten years.

But it's also opened up a whole lot of grey areas, opportunities that third-party vendors have used to flourish. Some of those opportunities, however, can come at the developers' expense.

In a blog post this morning, the developers of Punch Club accused major key reselling website (and other key resellers) of facilitating fraud and subsequently refusing to assist unless they were "willing to work with them". The implication of the latter is that TinyBuild would end up undercutting Steam and their own retail partners, but we'll return to that later.

The post, which was subsequently sent out to all media after TinyBuild's website went offline due to a distributed denial of service (DDoS) attack this morning, starts by explaining how G2A and other key reseller websites function.

The idea's simple: you have a key for a game you don't want. Instead of just letting it sit there in your library or gifting it to a stranger, why not list it on a website and make a couple of dollars?

Here's the issue.

The problem is that this business model is fundamentally flawed and facilitates a black market economy. I've spoken to a merchant on G2A about how he's making $3-4k a month, and he outlined the core business model:
• Get ahold of a database of stolen credit cards on the darkweb • Go to a bundle/3rd party key reseller and buy a ton of game keys • Put them up onto G2A and sell them at half the retail price

Where things get additionally complicated is the fact that TinyBuild established a store on their own website. The developers wanted to offer discounts directly to fans, do giveaways, and undoubtedly have some sort of means where they could collect the maximum amount of revenue on their hard work as opposed to giving a cut of the money to Steam or one of their other partners.

Problem was, people started buying games through their store -- by the thousands. The store would then get hit with chargebacks, because everything was bought using credit cards, and then TinyBuild's payment providers would shut them down.

The shop collapsed when we started to get hit by chargebacks. I'd start seeing thousands of transactions, and our payment provider would shut us down within days. Moments later you'd see G2A being populated by cheap keys of games we had just sold on our shop.
Coincidentally, this is when we were having discussions about partnering up with G2A and how that'd work.

TinyBuild can't prove anything at this point, and they stressed as much in their blog post/press blast. But they're pretty certain about what's going on: people are using stolen credit cards to purchase digital copies of games, which they then resell on websites like G2A to collect a handy profit.

An interesting part of all this was a copy-paste from an alleged email G2A sent to TinyBuild, which insinuates that the developer's distributors were the ones reselling the keys in the first place. Here's the relevant part:

So the issue you have pointed to is related to keys you have already sold. They are your partners that have sold the keys on G2A, which they purchased directly from you. If anything this should give you an idea on the reach that G2A has, instead of your partners selling here you could do that directly.
... Honestly I think you will be surprised in that it is not fraud, but your resale partners doing what they do best, selling keys. They just happen to be selling them on G2A. It is also worth pointing out that we do not take a share of these prices, our part comes from the kickback our payment providers.

It puts TinyBuild in a pretty crappy situation, as Ubisoft found out when they took a stance against unauthorised resellers flogging off copies of Far Cry 4. According to details provided to them from G2A, 26,658 copies of SpeedRunners, Party Hard and Punch Club have been sold via G2A for a retail value of just over $US450,000.

TinyBuild doesn't get a single cent of that. And having their own store complicates matters too. Steam provides developers with a list of "retail activations" -- users playing the game that didn't purchase the game through Steam, basically. But there's no way to tell whether someone activated a key by purchasing it through TinyBuild's website or received it through a legitimate giveaway against whether they purchased one from G2A.

If they deactivated a bunch of keys carte blanche, it just results in a whole lot of pissed off users. And that includes gamers who purchased from G2A. They've spent their money purchasing a legitimate key for a game, probably unaware of the intricacies of the key reselling market and the implications it has. All they know is that they're getting a game for cheap, and that's good for them.

But it's a crappy deal for developers. And it's a terrible situation for TinyBuild.

I've sent off a bunch of queries to G2A about the situation, including TinyBuild's allegations and what their opinion is on the legal status of key reselling in Australia. I didn't receive a reply at the time of writing, but if anything interesting comes out of that I'll let you know.


Comments

    Some third party did something illegal (used illegally obtained credit card information belonging to someone else) and essentially stole a bunch of gaming keys. It's not G2A's fault for providing a user-supplied marketplace, it's whoever stole the credit cards and game keys' fault for stealing credit cards and games. G2A works off the same model that places like cash converters do. There are thieves that rob houses then sell stuff they don't want to pawn shops, does that make pawn shops ethically wrong? No, it makes thieves bad people. TinyBuild got screwed over in this situation cause thieves bought a bunch of game keys from them using other people's credit cards then got chargebacks cause people reported their fraudulent transactions. It doesn't make sense that that would be G2A's fault.

      Cash converters do have to get full details an identification from whoever is selling good to them though. Online this generally doesn't happen as everything can be faked pretty easily.

      But there are reasons why we have rules about how pawn shops are allowed to operate. These rules act as a way of keeping the pawn shops relatively honest and introducing some accountability. Without those rules Cash Converters entire business model is just fencing stolen goods, to the point where their business existing actually encourages crime. Those rules aren't amazingly effective but they do help keep a handle on things.

      It's a tough situation to resolve while being fair to all parties but I don't think it's unreasonable for the developers to say that G2A are making a profit fencing stolen keys even if technically all they're doing is letting people sell keys that may or may not have been obtained via fraud.

    tbf that's what you get for being an indie game developer.

    "TinyBuild doesn’t get a single cent of that."

    ...why should they? The keys sold on G2A, Kinguin and so on would already have been bought from the developer and they'd have received their cut. If Harvey Norman sell me a Sony TV, they don't give a cut of that profit to Sony, as they've already paid Sony for that TV. And if I decide to sell the TV on Gumtree a few years later, I don't give Sony a cut then either.

    Yeah, it sucks that the developer has lost out on money because some assholes bought a ton of games from them with stolen credit cards, but it sounds like the police/media/affected parties should be going after these dodgy merchants and stolen credit card database creators, rather than sites like G2A.

    Last edited 21/06/16 11:59 am

      Exactly like your example, they don't try to shutdown Gumtree for selling that stolen Sony TV. Or shutdown Steam for using their marketplace to sell items stolen from hacked accounts.

      They don't get a single cent because the credit card companies chargebacks took away all the cut that TinyBuild would've got.

      But G2A get THEIR money untouched because, TinyBuild didn't kill the keys.

      Sites like G2A are the problem because to use the analogy above, they're basically the pawn shop who is broadcasting to the criminal element that they aren't checking shit and can basically be trusted to serve as a fence.

        G2A is pretty much the pawn shop that sells spoons, lighters and rubber bands at the register. If Steam keys were made traceable to sales and consistently deactivated upon charge-backs G2A would just happen to introduce anti-fraud measures the following week.

      Yeah, as @transientmind points out, it's not that TinyBuild isn't getting a cent from resales, it's that they're not getting a cent at all. The sequence goes like this, with net results in brackets:

      1. Key is purchased from TinyBuild (TinyBuild +$ -key, buyer -$ +key)
      2. Buyer issues chargeback (TinyBuild -key, buyer +key)
      3. Buyer resells key (TinyBuild -key, buyer +money)

      If that's hard to follow, imagine this instead: You're selling your car. I pay you for your car using a credit card. After you hand over your car, I cancel the payment and sell your car to someone else. You end up with neither money nor your car, and I end up with the money that was supposed to be yours. In this analogy, G2A is the fence that's helping me sell your stolen car to someone else without doing any checks to see if I own the car legit in the first place.

      Last edited 21/06/16 1:18 pm

        In the scheme of things, it seems like a lot of fuss because a CD key isn't a big thing, but we're talking about four hundred and fifty thousand dollars worth of a small thing.

          I edited my post a little after you replied, but I think the gist is the same. And yes, we're not talking small change here, we're talking hundreds of thousands from an indie developer alone. Larger companies must have losses in the millions from this kind of thing.

        I'm well aware of that, yeah, and pointed it out specifically in my post. But unless G2A are deliberately hawking products they know are stolen (are they?), then it's not their fault that TinyBuild got screwed out of their fair share of profit. It's the assholes using stolen credit cards/doing chargebacks that are at fault, and that's who should be taken down.

        If we're talking about thousands and thousands of purchases as mentioned in this article, that sounds like something that's pretty organised and can surely be traced by the authorities in some manner.

        Last edited 21/06/16 5:03 pm

          I'd say there's a good chance they know they're facilitating the sale of stolen goods, they just pretend they're oblivious the same way torrent sites pretend they're totally about legit legal torrents and not that piracy stuff, honest.

    Sounds like they need to find a way to link each key to a purchase, as soon as it is charged back, deactivate the key. I would have thought that they would already be doing this.

      Same, I really don't understand how this is an issue.

      I guess it might depend on the details of how their payment provider shut them down. You hear horror stories about PayPal holding on to the money in a merchant's account in case of a dispute, so perhaps something similar happened here?

      If the payment provider froze the account after receiving too many charge backs, the developer might not be able to tell which transactions in the current month were legitimate and which ones were fraudulent.

    So keys are bought with stolen card info. The purchases are then reversed later, presumably when the fraud is discovered and the rightful owner gets their money back.

    So when the chargebacks come through why don't TinyBuild just cancel the key associated with that purchase? If it hasn't yet been activated it becomes a dud, if it has been activated then Steam will boot them the next time they connect to play.

    The person who bought the key from G2A then has to chase back through there to get their cash. They either succeed or they don't. Either way they'll learn G2A is dodgy and probably stop using it.

    G2A dies, everyone wins.

      In a perfect world, this is the best solution

      Except the problem is that people aren't rational or logical and will assume the game maker did something wrong, not the site they bought the key from - and all G2A need to do is deflect because "hey, we are cheaper than everyone else"

        Yep. The first people to do it will have to die for it. They'll be pissing off a ton of people who regardless of what's happening behind the scenes paid money for the keys. Even if the articles themselves are fair and reasonable websites will run 'Punch Club makers deactivate thousands of users Steam keys' as the headline. That sort of publicity can really kill an indie project.

          So you do it as it happens piecemeal rather than thousands all at once. I don't know how this is even happening to begin with. If you pay for a product on amazon and then cancel the payment then you don't get the product.

          If the payment is fraudulent by using a stolen card then the person's bank will sort it out and the store will not get paid. It's then up to the store to chase up payment, or in the case of digital goods cancel the service.

          This happens everywhere else so why isn't it already occurring with game keys?

            The thing is a few hundred people doing a dozen at a time using stolen credit card numbers adds up really quickly. Most smaller developers are unprepared for this so by the time they figure out what's going on the numbers will have really piled up.
            It's a slow process and in that time the key has been taken, re-sold and the re-seller is long gone. Odds are by the time the credit card holder has noticed the damage the key has been sold.

            I'm not saying that killing the keys is a bad idea, it ruins the credibility of cheap key websites, just that I can understand why smaller developers wouldn't want to be the first to make a stand. It's a lot of bad PR for the sake of cutting off people who probably aren't going to go buy the game at full price after having gone out of their way to get it cheap and then made it halfway though the game.

            Also keep in mind they're usually working with someone else's system. Even big developers don't have much say in how Steam keys work.

            This happens everywhere else so why isn't it already occurring with game keys?

            It has been, but in the past it tended to be more of a problem with major AAA games which people aren't particularly sympathetic towards. Ubisoft actually come across like jerks for pursuing it.

              Yeah, I get how quickly everything gets processed but my point is that it should already be default that they keys get cancelled. There shouldn't be any pressure on small devs to make a stand and start cancelling keys paid for with stolen money, it should already be happening from the start.

              If they can't handle dealing with it then they shouldn't be selling through their own shop front to begin with. They've done it to try and get more of the funds from sales rather than giving a cut to Steam for every unit sold and it's ended up costing them a lot more money.

              To me it feels more like the dev should quit crying and just cancel keys like they should have been doing from the start or don't bother to sell through their own site to begin with. It's business, these things happen and are quite common, if they're unprepared to deal with it then they shouldn't be doing it.

    soon may be the end of the CD key

    face it its old method and now has too much security issues as with many things to do with computer methodology age'ing

    just link steam accounts and no CD key

    wait, let me get this straight: If someone buys something from you, and you send them the goods, but then its found out that the credit card was used fraudulently, it is the *retailer's* responsibility to refund the person scammed??

    I thought it was the credit card company that copped the loss!! what the hell are we all (customers/retailers) paying transaction fees for??

      Your bank/credit card company is not responsible for verifying that the purchase is legitimate and made by the rightful owner of the card. So if the transaction was fraudulent then the retailer has to pay the cash back to the bank/financial institute. It's up to the retailer to then chase up correct payment, write off the loss, claim it on their insurance, initiate legal proceedings etc.

      If you're paying transaction fees in this day and age then you're doing something wrong.

        Everyone pays transaction fees on credit card purchases: Visa and Mastercard don't process the transactions for free. Most businesses don't split out the fee (or only mention a surcharge for credit cards with higher fees), but it will comprise part of what you pay.

          Hence why I said if you're (you, the consumer) paying transaction fees you're doing something wrong. Businesses are charged a small fee, true, however this is rarely passed onto the consumer and if you're going to get a surcharge there's always eftpos instead. I haven't paid transaction fees in years.

            The transaction fees are a cost of doing business, and a retailer is going to take them into account when setting their prices.

            And is it really such a bad thing for a retailer to expose what the transaction fee is if their total price is competitive? In the PC parts business, which generally sells high value merchandise on low margins, I've seen multiple retailers who charge a fee if you choose a more expensive payment option (e.g. credit card over bank transfer).

              I didn't say transaction fees are a bad thing, retailers are perfectly within their rights to pass on all of their costs and add a profit margin to any sale.

              I said I haven't paid a transaction fee in years. Most retailers absorb that into their prices on a general basis as it's such a low percentage anyway. The real cost of transactions isn't that great, it's just when you get charged a "transaction fee surcharge" they tack on more than what it actually costs them (20 cents as opposed to $4 etc). IIRC there's currently an investigation going on about whether they're allowed to charge so much when it doesn't reflect the true cost of the transaction.

                I'm definitely not defending charges that don't reflect the costs of service. I've never paid for a taxi by credit card in Perth, because the 11% fee they charge is ridiculous. I have paid the 2% that PC Case Gear charges though.

                I'm more interested in whether the final price is good value or not. It isn't much different to taking shipping costs into account when comparing online retailers: "free shipping" isn't always going to mean better value.

    That is what I don't understand here. TinyBuild should kill the keys. The problem seems to be that they didn't have proper security measures in place, so don't know which keys exactly to kill. It is hardly fair to blame an open marketplace in those circumstances. At the end of the day it is the consumers fault for buying something that was stolen. That is a risk that comes with buying something at obviously dodgy prices. And whether they get their money back is not the devs concern. Track keys by order. Kill keys when fraud happens, call it a day.

      In my dealings with Credit Cards/Banks there are a few thiings that prevent the easy and quick linking of a purchase with a particular card;
      - for security reasons we cannot keep the enitre number, and communication with the bank provides only the last 4 digits.
      - date of purchase and the date that the bank "processes" payment are not always the same day thus making it impossible to 100% be sure which belongs to who.

Join the discussion!