MangaGamer, a localiser of adult visual novels, wanted to reward customers who'd bought games through their website with free Steam keys. Two years into the promotion, a hacker allegedly used stolen credit cards to fraudulently buy hundreds of games. The scam cost MangaGamer tens of thousands of dollars. Why'd the hacker do it? To sell keys on the controversial marketplace G2A.
Illustration by Sam Woolley
No one would blame you if you haven't heard of MangaGamer before. Their most recent game announcement was for Funbag Fantasy, a visual novel about "a simple man who likes simple things like bread and boobs". As you might expect, it's full of nudity and sex. But whatever you think of MangaGamer's products, they represent something very common in video games: a small, independent developer trying to get by selling games to a niche audience.
"We're a developer/publisher where every single sale counts," MangaGamer head translator and public relations director John Pickett recently told me.
When a game is sold on a PC storefront like Steam or GOG, the developer or publisher controls the price and gets most of the profit. Marketplaces like G2A, however, are more like eBay or StubHub. Users bring their own goods to the table.
What they're bringing to G2A aren't games they have played, but spare keys that activate games, keys they haven't used for some reason and they're willing to sell for less than the standard price for a video game. Thanks to those key sales, full-price games can be found for a fraction of the cost on G2A. (I recently bought a copy of Shadow of Mordor on G2A for $US7.03 ($9). The game sells on Steam for $US39.99 ($53).) In theory, it's a way for people with extra keys make a few bucks, and it allows other players to get big discounts. But there's an element of risk; you can't guarantee where the key came from or if it's legitimate.
The MangaGamer situation involves the shadier practices of some G2A users that have given the marketplace a bad reputation, a rep some say G2A deserves. The service has been hit with criticism for a perceived lack of security and scrutiny when it comes to weeding out fraudulent keys. Some keys are allegedly ripped off from companies as small as MangaGamer and as large as Ubisoft.
Over the course of my reporting, I reached out to more than a dozen studios and none had a positive thing to say about G2A. They view the company as uncaring about seriously changing the fraud on its service. Several said they'd prefer players who can't afford their games use piracy, rather than support G2A.
The name G2A may ring a bell, because, in late June, independent development studio TinyBuild picked a public fight with the company. TinyBuild CEO Alex Nichiporchik claimed they saw their games getting sold on G2A for a fraction of their retail price just after someone used stolen credit cards to purchase keys from their own, personal online store.
Infuriated, they alleged G2A was "facilitating a fraud-fuelled economy". TinyBuild felt G2A wasn't doing enough to weed out and protect developers from from these kinds of keys. Developers do not get a cut from games that are re-sold on G2A, so they had an understandable interest in this problem.
The two responded to each other through the press over the next few days, before G2A rolled out a series of solutions meant to address the issue, including a program where developers can get a 10 per cent cut from game sale. (That program, called G2A Direct, is now alive.) A few weeks later, G2A also revealed new layers of seller authentication, including phone number verification.
It's unclear how big of an impact they will have.
"We'd like to be clear that the origin of fraud is not theft of the game codes themselves, but rather stolen credit cards used to purchase codes," a G2A spokesperson told Kotaku. "That said, we stand shoulder to shoulder with every financial institution and major e-commerce player in the world in the fight against credit card theft. While we do not disclose specific details regarding fraud occurrences, we do know that it is well below average in the industry. Our systems are amongst the most robust in the world when it comes to identifying stolen credit cards. We have world specialists working [to] provide 100 per cent satisfaction guarantees on the G2A's [sic] Marketplace."
A screen shot from A Kiss For The Petals, one of MangaGamer's tamer games available on Steam.
For two years, MangaGamer's Steam key promotion was going swimmingly. Then, this past February, it got weird.
"All of a sudden, we saw that there was this one IP address that was creating new accounts, buying new games, and trying to refund them," said Pickett. " [...] Why is someone buying 30 copies of the game? That's not normal user purchasing."
MangaGamer would ban one account, only to have another pop up. Different credit cards were being used to make the purchases and the volume kept increasing. It was whack-a-mole. At the same time, MangaGamer alerted their payment processor, the company that handles their online transactions. The payment processor makes their money by taking a cut from each sale.
As MangaGamer was trying to get a hold of what was going on, their payment processor would realise the credit cards in question were stolen and issue a chargeback fee to MangaGamer. (This can also happen with a disputed transaction.) The chargeback fee for MangaGamer was $US30 ($39) per sale.
(A different online company, choosing to remain anonymous, told me this was high but "not unheard of, especially when someone is hit with a spike of chargebacks." Both sets of numbers were backed up by data analytics firm CNP Solutions, which specialises in online payments.)
"When a chargeback occurs on purchase of a $US40 game," said Pickett, "we lose both the $US40 from the cancelled sale, and take a $US30 penalty. So at a hundred fraudulent purchases, that's $US3000 ($3948) lost; $US30,000 ($39,000) if there are 1000 keys stolen."
A spokesperson for Humble Bundle, which only sells keys to customers, told me the company was once forced to stomach $US34,000 ($44,744) in chargebacks fees in 24 hours from a sale of games in 2012.
"We learned our lesson the hard way," said Humble Bundle director of product Nate Muller. (Just this week, the company revealed the detailed steps it takes to avoid those problems in 2016.)
These money headaches are why MangaGamer does everything it can to avoid credit card disputes. The fees are often more than the original sale.
In this case, the chargebacks were happening frequently enough that MangaGamer's payment processor dropped them as a client. MangaGamer could no longer distribute Steam keys, and, even worse, couldn't sell anything online.
"It was quite a nightmare," said Pickett. "I think one of our managers calculated how much we were losing each day by not being in business, and it was not a number to laugh at."
Pre-orders had already been taken for MangaGamer's next release, but without any way to process transactions, those had to be dumped, and everything in their schedule was put on hold.
"It took us one or two months to find [a] new payment processor because of how difficult it is to find people who will handle our content and give us a rate that we can still make a profit at," he said.
(In most cases, payment processors take a 3% cut off each sale. In the adult entertainment business, it's 10 per cent or more because payment processors consider it a "high-risk transaction".)
In February, the company published a blog post explaining the frantic situation. The news was picked up by a few publications and made the rounds on social media. Under a post on Facebook, one person's comment gave MangaGamer pause. It came from someone openly claiming to have been the person who stole the keys from them.
"Muuumuaaaaaywhuwhwuhweuuwhe," they wrote. "I got a lot of keys, grateful hahahahahaha."
There didn't seem to be a way to determine if that was the same same person. Maybe it was a jerk looking for attention? Recently, I sent that person a message on Facebook. To my surprise, they responded and agreed to an interview. I asked the individual to provide receipts from their fraudulent purchases, which they did. I showed them to MangaGamer, which cross-referenced with their database and confirmed they were legitimate. This was the person who stole the keys.
"To be honest, I'm doing it [committing fraud] all that time," said the Facebook user, who claimed his name is Vitor Reis. We spoke in a Skype text window about what he'd done and why. To prove his identity he showed me a censored version of his Brazilian ID. Reis' English was not very good, and at times, he was clearly pasting answers to my questions through a web translator.
He agreed to speak with me because, according to him, there's nothing to hide. Reis claims he's a "famous hacker" in Brazil, breaking into government websites and leading a hacking group called Proto Wave. On Proto Wave's Facebook page, the organisation posts images of the websites it's reportedly compromised. Several appear to be official pages for the Brazilian government.
The reference to "Coolmemes1993" riffs on one of Reis' online aliases, and is the one I used to initially contact him.
"I do not think my hacking helps Brazil directly," he said, "but encourages Brazilians to protest."
That doesn't explain why he slammed MangaGamer with credit card chargebacks that cost the company thousands, but his motivations are simple: it's fun, easy, and without consequences.
"Someone rarely is caught by practising such a crime," he said.
Reis doesn't make money off a chargeback. He makes money by selling the Steam keys. The chargebacks aren't triggered immediately, so he's getting the keys before the payment processor has time to investigate (or be alerted to) stolen credit cards. Chargebacks can occur days, weeks, or months later, which means Reis has plenty of time to sell the Steam key sent to his email address.
"This is easy and very basic," he said. "In minutes you can hide your tracks. [...] You do not need a gun to steal, just your fingers and patience."
This is what complicates the situation for companies like MangaGamer; if the Steam key has been sold on G2A or another marketplace, it may be in the hands of a person who thinks they have legitimately paid for a key. There's no way for that person to know the key they bought is tainted, and it's often too late for MangaGamer to try to deactivate the key.
In 2015, Ubisoft famously deactivated thousands of keys it later discovered were purchased with stolen credit cards, then sold on marketplaces like G2A. After public outrage, it left the keys active. When MangaGamer cancelled its stolen Steam keys, it didn't hear from any disgruntled players.
Reis said he made more than $US500 ($658) by re-selling the keys he stole from MangaGamer on G2A.
"G2A [is one of the] great sites to sell fraudulent keys," he said, referencing another key-selling site, as well. "The keys of commerce [are] quick and easy, and there is [not] much bureaucracy."
Though G2A has not specifically responded to my questions about this incident, the company admitted it was distressed about the growing reputation that it's become untrustworthy.
"We are listening to the feedback, and after that, making improvements," said G2A CEO Skwarczek in an interview with me a few weeks ago. "Sometimes it is harsh. Sometimes when we see these articles, they are not very nice, but we understand that [it's] our [job] to show people how it is from our point of view."
The company told me recent events have not impacted their bottom line. Just today, G2A launched G2A Direct, allowing developers to sell keys to consumers through G2A, run keys through a database in search of fraudulent sales, and receive up to a 10 per cent cut on third-party auctions.
It's unclear if that could or would stop someone like Reis. He claimed he was exploiting a security flaw with MangaGamer's payment processor, but he's not Robin Hood. Reis was stealing the keys and selling them for financial gain.
"To be honest, yes, I feel sorry," he said. "I have saved the mangagamer, [sic] the damage could be much worse."
That's one way to look at it.