The global electronic sports (also known as esports) market is valued as a billion-dollar industry and is projected to grow to a USD 5bn market by 2029. It has benefited from a growing viewership, advertisement revenue, media rights and sponsorships, resulting in esports tournaments held in stadiums that can hold thousands of spectators and with large cash prizes for winning teams, however, such growth has also made it a lucrative target for cybercriminals. 

According to the distributed denial of service (DDoS) protection service Akamai, “the gaming industry is targeted for 37 percent of all DDoS attacks.” DDoS attacks can cause esports competitions to lag and go offline, leading to an entire day of competition being cancelled in one case.

A DDoS attack can be used for match-fixing, to influence a betting outcome and for extortion purposes – in other words, demanding a payment in exchange for stopping disruption to a live competition. Esports teams and game server hosts have also previously carried out DDoS attacks against their competitors to gain an unfair advantage. The growing number DDoS attacks on such competitions can potentially lead to tournaments being moved offline, which can result in a lack of regulation and illegal gambling.

Ransomware extortion attacks similarly leverage the esports sector’s high uptime requirements and the reputational, regulatory and financial risks of such attacks. Combined ransomware and data leak extortion attacks enable criminals to put additional pressure on victims by threatening to leak or sell information stolen from video game production environments at all stages of the development process – design, artistic, programming and testing – on the deep and dark web. 

The tools used by threat actors – including exploits that target vulnerable game servers and custom hardware to facilitate cheating at competitions – also remain available on dark web forums and marketplaces, continuing to lower the entry barrier to cybercrime (see Figure 1).


Figure 1: Dark web forum post advertising a DDoS service that can be used against online gaming

Finding this article useful?

As well as stealing sensitive intellectual property, research and development (R&D) data and middleware (software integrated into a game to handle specific elements such as graphics or networking) to compel victims to pay ransoms or monetise their data on underground criminal forums, attackers are also targeting such companies’ customers. This includes, for example, compromising accounts belonging to highly successful gamers and stealing any in-game currencies. We have also observed cybercriminals using in-game marketplaces for ‘loot boxes’ – virtual bundles of random items exchanged for real-world money – to help facilitate money laundering schemes.

Case studies

In January 2022, threat actors disrupted the Le Mans Virtual esports competition in which real-world F1 drivers compete alongside gamers for a prize money of USD 250,000. Current F1 world champion Max Verstappen was disconnected from the server while leading the virtual race, shortly after the organisers confirmed that they had suffered a suspected security breach.

Riot Games this month also suffered a social engineering incident in which the attackers stole the source code – and demanded a $10m ransom in exchange for not leaking it – for its League of Legends title, one of the most popular esports games globally, with over a dozen international competitions centred around it.

This follows several other high-profile incidents targeting video game developers since 2020. Stealing sensitive data related to games that are played as part of esports competitions can enable threat actors to more effectively target esports events.

  • September 2022: confidential internal data, including source code files, is stolen from Rockstar Games
  • September 2022: a breach at 2K Games leads to customers being infected with malware
  • July 2022: a combined ransomware and data leak extortion attack hits Bandai Namco (see Figure 2)
  • March 2022: an extortion group steals 70 gigabytes of Ubisoft’s source code
  • June 2021: threat actors steal 780 gigabytes of data from Electronic Arts
  • February 2021: CD Projekt Red’s employee and game data is stolen in a ransomware attack
  • November 2020: Capcom suffers a ransomware attack
  • October 2020: a ransomware group steals sensitive data from Ubisoft’s and Crytek’s internal networks.

Figure 2: Ransomware group leaks Bandai Namco’s data on its dedicated leak site

Mitigation against DDoS attacks

Organisations in the esports sector need to ensure they are protected against DDoS attacks that use UDF floods, which are highly effective and require a few sources to carry out. It is a preferred type of attack against online gaming as it is a connectionless protocol – meaning that to establish a connection before data is sent is not required – and attackers can take advantage of unprotected connections by spoofing a gaming server and overloading the target with a large number of packets.

Scaling up network bandwidth can help mitigate against such volumetric attacks, implementing deep packet inspection (DPI) can help effectively handle packets, and upgrading hardware can protect against network and application layer attacks. A DDoS filter can identify and block unwanted traffic by recognising anomalies to typical behavioural patterns associated with a gaming server.

Six strategies to consider mitigating ransomware threats

  • Implement a comprehensive data backup and retention plan
  • Maintain regular and secure audit logs, which forensic teams can use to investigate incidents
  • Perform regular external and internal vulnerability scans to detect technical weaknesses in controls that threat actors could exploit to deploy ransomware to IT systems
  • Establish a patch deployment process, including for emergency patches that may need to be applied outside business hours
  • Build logical and physical segregation between networks to reduce the risk of ransomware spreading and infecting other parts of the network
  • Have in place a response plan, which should include managing ransomware attacks. This should also include associated decision-making processes and procedures, with first-responder contact details and any response required under data protection regulations such as the EU’s GDPR.

These incidents also highlight the importance of a defence-in-depth approach that implements multiple layers of security to reduce vulnerabilities, contain threats and mitigate risks. For more information on our services, visit our Cyber Threat Intelligence, Cyber Protect and Cyber Response pages