According to the formal complaint, the malicious code enabled E-Sports to monitor users’ computers even when they were not signed onto or using E-Sports services. E-Sports also created a botnet (a network of computers running malicious software) using its customers’ computers.
The botnet used the computing resources of users’ computers to mine for bitcoins, a virtual form of currency. It is estimated that, during a single two-week period, E-Sports took control of approximately 14,000 computers in New Jersey and across the nation, and generated approximately $3,500 by mining for bitcoins.
As part of its settlement with the State, E-Sports has agreed to refrain from deploying software code that downloads to consumers’ computers without their knowledge and authorization. The company also must submit itself to a 10-year compliance program and create a dedicated page on its Web site that specifies what type of data it collects, the manner in which the data is collected, and how the information is used.
E-Sports must pay the State $325,000 of its $1 million settlement obligation. The remainder is suspended and will be vacated within 10 years, provided the company adheres to all settlement terms and avoids future violations of the law.
E-Sports co-founder Eric Thunberg and E-Sports software engineer Sean Hunczak are each parties to the settlement being announced today.
E-Sports was established in 2006 and is based in Commack, NY. E-Sports charges subscribers $6.95 per month to play E-Sports-supported games against other E-Sports subscribers on the company’s hosted, anti-cheat game servers. To play on E-Sports-hosted game servers, subscribers must download and install E-Sports software onto their computers. Once installed, the software gives E-Sports full administrative access to subscribers’ computers.
The State’s complaint alleges that, via its software, E-Sports downloaded malicious software code onto subscribers’ computers that enabled E-Sports to monitor what programs were run by subscribers, even when those subscribers were not using E-Sports services and the E-Sports software was not turned on.
The complaint also alleges that Thunberg and Hunczak developed the malicious bitcoin-mining software code that enabled them to use the graphics processing units of subscribers’ computers to mine for bitcoins undetected.
The complaint alleges that, as part of the process, Hunczak turned E-Sports subscribers’ computers into a botnet for the purpose of mining bitcoins. The bitcoin-mining software code enabled Hunczak to mine for bitcoins only when users were away from their computers.
The State’s complaint alleges that Hunczak created at least four bitcoin “wallet” addresses where he deposited bitcoins mined via the E-Sports botnet. Hunczak allegedly then sold the mined bitcoins, converting them into U.S. dollars and ultimately depositing them into a personal bank account. According to the State’s complaint, Thunberg supervised Hunczak’s activities, provided Hunczak with input, and authorized Hunczak to use company time to develop, create and test the E-Sports bitcoin mining code. E-Sports apparently terminated use of the bitcoin mining code in May 2013 after an E-Sports subscriber discovered it.
The complaint filed today charges E-Sports, Thunberg and Hunczak with violating New Jersey’s Consumer Fraud Act and the State’s Computer Related Offenses Act.
In addition to the $325,000 settlement payout and a general agreement to refrain from any unfair or deceptive acts, E-Sports has agreed under the settlement to a variety of changes in its practices. Among the changes is creation of a new consumer information page that, among other things, will include information on how consumers can restrict, limit, opt-out of, or otherwise control the data or consumer information collected by E-Sports about them or their computers.
The company also has agreed to put in place a privacy and data security program that contains comprehensive privacy controls and procedures, and is designed to ensure the confidentiality of consumer information. As part of the program, E-Sports has agreed to regular testing or monitoring of its security controls. It also has agreed to hire a third-party professional to conduct a Privacy and Security Audit Report covering the first 90 days after the settlement’s effective date and, subsequently, every two years through 2023.
“This is an important settlement for New Jersey consumers,” said Acting Attorney General Hoffman. “These defendants illegally hijacked thousands of people’s personal computers without their knowledge or consent, and in doing so gained the ability to monitor their activities, mine for virtual currency that had real dollar value, and otherwise invade and damage their computers.