CS:GO (Counter-Strike: Global Offensive) is one of the most popular multiplayer first-person shooters in recent times, published by well-known video game developer Valve Software. Weapon skins in the game have varying rarities, which prompted the creation of a trading site using the Steamworks API to facilitate players trading skins with each other.
CS.MONEY is one of the largest CS:GO skin trading platforms, with 1696 unique skins for 53 weapons and a total asset value of $16.5 million. The platform was recently targeted by hackers. In the first wave of attacks, about $6 million worth of skins was stolen, shrinking the platform's assets by more than 1/3.
Since the attack was detected on August 13, the CS.MONEY website has been closed, and no estimated time for restoring service can be given for now. CS.MONEY is trying various ways to recover its losses via data disaster recovery. According to a tweet from CS.MONEY, other exchanges have agreed to block the trade of 20,000 stolen items to prevent the hackers from getting their hands on them.
Timofey Sobolevsky, head of public relations at CS.MONEY, wrote an article detailing the ins and outs of the attack:
After CS.MONEY received news of suspicious transactions, its initial assumption was that CS.MONEY itself had been hacked. Suspecting that cookie files had been stolen, the team disabled the authorization of all external devices and services. However, after logging in to the transaction database, the staff found that the CS.MONEY service had not recorded any of these transactions in its logs, indicating that the bot sending the suspicious transactions was controlled not by CS.MONEY but directly by the attacker. This also explains why the suspicious transactions could not be stopped even after all authorizations were reset and the service was shut down.
CS.MONEY later confirmed that the source of the incident was that hackers had somehow gained access to the Mobile Authenticator files used for Steam authorization, allowing them to directly control the bot holding the skins.
To confuse the public, the hacker not only sent skins to himself but also distributed them at random to ordinary players, well-known traders, bloggers and others, in order to divert the attention of investigators and hide his tracks. On the first day of the attack, the hackers manipulated about 100 accounts to complete about 1,000 transactions.
The CS.MONEY team is now trying to reset their passwords and MA files, and all skins that were transferred are now transaction locked. It is unclear whether game developer Valve will intervene to recover the stolen items.
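The log check described above, comparing what the bot accounts actually sent with what the platform itself recorded, can be sketched as follows. This is an added example, not CS.MONEY's code; the record fields, bot names and item names are constructed assumptions and do not reflect the Steam API schema.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions, not Steam's API schema.
LEDGER = {  # offer_id -> items the platform itself asked a bot to send
    "1001": {"ak47_redline"},
    "1002": {"awp_asiimov", "m4a4_howl"},
}
STEAM_SIDE = [  # outgoing offers observed on the bot accounts themselves
    {"offer_id": "1001", "bot": "bot_a", "to": "user_1", "items": {"ak47_redline"}},
    {"offer_id": "1002", "bot": "bot_a", "to": "user_2",
     "items": {"awp_asiimov", "m4a4_howl", "karambit_fade"}},
    {"offer_id": "9001", "bot": "bot_b", "to": "user_7", "items": {"butterfly_doppler"}},
    {"offer_id": "9002", "bot": "bot_b", "to": "user_8", "items": {"glock_fade"}},
]

def reconcile(steam_offers, ledger):
    """Compare offers seen on the bot accounts with the platform's own ledger."""
    findings = defaultdict(lambda: {"unrecorded": [], "tampered": [], "recipients": set()})
    for offer in steam_offers:
        expected = ledger.get(offer["offer_id"])
        if expected is None:
            kind = "unrecorded"   # the platform never issued this offer
        elif not offer["items"] <= expected:
            kind = "tampered"     # offer carries items the ledger did not authorise
        else:
            continue              # offer matches the ledger
        entry = findings[offer["bot"]]
        entry[kind].append(offer["offer_id"])
        entry["recipients"].add(offer["to"])
    return dict(findings)

def bots_needing_credential_rotation(findings):
    """Unrecorded offers mean the account is being driven from outside the
    platform, so resetting platform sessions will not stop them; the bot's
    password and authenticator secret have to be replaced."""
    return sorted(bot for bot, f in findings.items() if f["unrecorded"])

if __name__ == "__main__":
    result = reconcile(STEAM_SIDE, LEDGER)
    for bot, f in sorted(result.items()):
        print(bot, f["unrecorded"], f["tampered"], sorted(f["recipients"]))
    print("rotate:", bots_needing_credential_rotation(result))
```
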
Nonetheless, they appear to have failed to learn from their mistakes and have continued to attack important facilities, such as the German oil supply company Oiltanking in February and now Creos Luxembourg. Although certain attacks are unavoidable, businesses may secure their data ahead of time to improve data breach and cyberattack protection. Doing an outstanding job in data disaster recovery and security demonstrates that services keep themselves and their customers accountable.