Hacker Sells Sensitive Data from Gaming Hack for $100,000 XMR

A hacker is selling user data they stole from Singapore gaming company Razer for 135,000 SGD worth of crypto on an online forum.

The gaming company confirmed the hack on Monday but did not deny or confirm a leak of 404,000 email addresses.

Hacker Steals and Sells User Rewards Wallet Data

The addresses were allegedly linked to an in-game economy that earned users rewards in digital wallets. Additionally, the hackers stole a folder zVault containing keys controlling access to these rewards. The attacker is selling the information on an online marketplace for $100,000 worth of Monero, the privacy coin.

Razer has not confirmed whether the hack was related to a 2020 breach that compromised personal shipping details. The Singapore High Court awarded Razer $6.5 million in damages after the gaming company sued its information technology vendor. A former Capgemini employee disabled security measures enabling hackers to gain unauthorized access to data.

Binance recently rescinded the use of privacy coins like Monero from being used in France. Unlike Bitcoin and Ethereum payments that require a client to sign purchases with a single private key to pay another entity, Monero uses a ring-signature scheme dependent on multiple users whose involvement obscures the source of funds.

Europe’s Markets in Crypto-Assets bill, due to come into effect in 2024, forbids exchanges to list privacy coins. MiCA’s money laundering rules require exchanges to report users on both transaction ends.

Recently-gazetted regulations in Hong Kong and new proposals in Singapore prevent crypto exchanges from listing privacy coins.

US Treasury Sanctioned Service Anonymizing Stolen Funds

Last year, the US Treasury Department banned the Ethereum mixer Tornado Cash for its money laundering potential. The services commingle funds from multiple sources, making it impossible to trace the origin of stolen crypto.

Attackers wishing to avoid blacklisting by the operators of centralized cryptocurrencies often convert stolen funds to wrapped ERC-20 tokens. They then passed these tokens through Tornado Cash to scramble their identity.

All centralized exchanges under US jurisdiction may not interact with 44 cryptocurrency addresses linked with TornadoCash.

Attackers that stole $655 million from Axie Infinity’s Ronin Bridge hack in 2022 moved 21,000 ETH through Tornado Cash. The hack was one of the largest single attacks in the decentralized finance space.

North Korean hackers have also used the service.

Got something to say about the Razer data breach or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or Twitter.