Cyber Incident Victim: CS.MONEY
Date: Aug 2022
Location: —
Summary
A major CS:GO skin trading platform suffered a cyberattack in which hackers compromised Mobile Authenticator files used for Steam authorization, enabling unauthorized control of 100 bot accounts. The attackers executed approximately a thousand transactions, stealing 20,000 virtual items valued at $6 million before attempting to obscure their activity by distributing some skins to unrelated users and generating fake messages implicating third-party platforms. The breach prompted an extended outage as services were taken offline for restoration, and trading platforms collaborated to block transactions involving the stolen assets. Item recovery and user compensation were to be prioritized once the platform was fully operational again, while Valve’s potential intervention to reverse transfers remained uncertain.
Description
On or around August 13, 2022, CS.MONEY, a prominent Counter-Strike: Global Offensive (CS:GO) virtual item trading platform, suffered a cyberattack resulting in the theft of approximately 20,000 weapon skins valued at $6,000,000. The attackers compromised the platform’s security by gaining unauthorized access to Mobile Authenticator (MA) files critical for Steam authorization. This breach enabled them to assume control of 100 bot accounts managed by CS.MONEY, which stored the skins held in the platform’s inventory. Over the course of the incident, the threat actors executed roughly a thousand transactions to systematically transfer these items to accounts under their control. Initially, the stolen skins were moved directly to the attackers’ own Steam profiles. Subsequently, the hackers attempted to obscure their activities by distributing some items through random transactions to unrelated ordinary users, prominent traders, and bloggers who had no involvement in the breach. They further complicated attribution efforts by generating fake messages referencing various third-party trading platforms, aiming to mislead investigators about the attack’s origin. CS.MONEY detected the intrusion through a combination of automated monitoring that identified an abnormal depletion of inventory and user reports highlighting suspicious exchange offers. The platform’s security team intervened to halt the attack, but not before the majority of the $6,000,000 in assets had been exfiltrated.

Following the breach, CS.MONEY immediately took its website offline, initiating an extended outage that persisted for at least three days as restoration efforts continued. The platform’s total asset value dropped from $16,500,000 to $10,500,000 as a direct consequence of the theft. In collaboration with other CS:GO trading platforms, CS.MONEY implemented a blockade on trading the 20,000 stolen items to prevent their sale or further circulation across the ecosystem. All transferred skins were placed in a trade-lock state, restricting additional movement while recovery options were explored. Timofey Sobolevky, CS.MONEY’s head of public relations, confirmed plans to prioritize returning stolen items and compensating affected users once full platform functionality was restored. The incident highlighted the potential for Valve, Steam’s parent company, to reverse fraudulent item transfers based on historical precedents, though no intervention had been confirmed at the time of reporting. User assets remained unrecovered during the initial recovery phase, with the platform focusing on service restoration and incident analysis while maintaining communication through official channels like Twitter.
