They Call Me Timmy · @tsobolevsky
14th Aug 2022 from TwitLonger
Update on CS.MONEY hack
Here we go. This story started on Twitter, and it only makes sense for it to continue here.
TLDR - we got hacked. By stealing our MA-files, someone took control over our bots. The hackers already stole around $6M worth of skins.
But first, a small disclaimer – we’d like to thank the CS:GO community for its help and support. It means a lot to us, and it truly supported our team in this difficult situation.
Disclaimer #2 – we decided to be upfront about the details of the hack for a number of reasons. Firstly, we want the skin trading market to stop being treated as a “gray” zone, seen by the community as murky and non-transparent business. Being open about it is the best way to solve this problem. Secondly, we hope that our experience will help other market participants avoid similar problems.
Disclaimer #3 – I am consciously describing only the past events, talking about the hack and the damage estimates that have already happened, without disclosing our future actions. It’s very difficult to make any promises of forward-looking statements in the present situation, while the security exploit has not been fixed.
Disclaimer #4 - At this moment, while I am writing these words, we are seeing the second wave of hackers’ activity as they are starting to transfer skins to accounts named “CSMONEY Recovery”.
Let me start by briefly recapping the last night’s events:
- The hackers gained access to a bunch of our bots which contained CS.MONEY skins, and they started sending outgoing transaction offers in order to steal our inventory;
- At first they only sent the skins to themselves, but later they mixed it up by sending offers to regular users, popular bloggers and traders. We believe it was done to hide their tracks, divert our attention, and drag more innocent people in this skin-stealing scheme of theirs;
- This is when our internal systems alerted us about a sharp depletion of skins stock on CS.MONEY;
This is how it looked on our charts - https://prnt.sc/zUIOzCgUXSKm
- At the same time, we started receiving first messages from unsuspecting users outside the group of hackers about suspicious trade offers. A lot of them were personally in touch with CS.MONEY employees;
- Our initial thought was that CS.MONEY itself had been hacked, and we disabled authorization of all external devices and services, suspecting that the issue could lie in stolen cookie files;
- Meanwhile, we logged into our transaction database and saw that the CS.MONEY service had not recorded any exchanges in its logs. It means the bots sending out the transfer offers were not controlled via CS.MONEY, but rather controlled directly by the perpetrators;
- It’s also worth mentioning how they tried to hide their tracks with bot messages. When you buy something from one of our bots, our system generates an outgoing message automatically, which you receive from the bot alongside the transaction on Steam. The hackers appear to have generated a ton of fake messages mentioning other trading platforms, which they sent with their trade offers. Their goal was probably to get us thinking that the problem had something to do with authorization on 3rd party platforms.
- While this was unfolding, we saw that all our attempts at stopping the transactions were not working, even after resetting all authorizations and turning our service off.
You can see the impact of the hack on the chart. The hackers had been sending our skins out till 5 in the morning, and in total they managed to pull off around 1000 trades with about 100 user accounts in the first day of their attack.
We estimate to have lost around $6 000 000 worth of skins from the first wave of hackers’ activity. Approximately one third of the sum was in skins belonging to our users. We will prioritize returning these and compensating the users once we have restored CS.MONEY to a fully-functioning state. All of the skins that have been transferred are in trade-lock now, so they couldn’t have been moved further, and we hope to be able to get these back. Moreover, the community has been instrumental in identifying everyone who has received these skins.
We have established that the hack happened due to hackers gaining access to our MA (Mobile Authenticator) files, which are used for Steam authorization. This is why our attempts to reset authorization were futile – the thieves had direct access to the files, which allowed them to control our bots.
The CS.MONEY team is now struggling in attempts to reset our password and MA files to invalidate the compromised authorization data. At the same time, we’re doing our best to secure all the data critical to our services.
This hack is a very good, albeit expensive lesson to us. But as they say, what does not kill me makes me stronger.
P.S. The CS.MONEY service was founded by a team of enthusiasts back in 2016, when its founder was just 21 years old. All these 6 years we had been growing, making mistakes, learning from them, and we’ve pushed forward. That’s why neither this, nor any other incident will make us lose our passion for gaming, skins and our community, let alone stop us.