Skip to main content

Gaming company fined $1m for infecting customers with bitcoin-mining malware

An online gaming firm has been hit with a $1 million (£621,196) fine for surreptitiously installing malware on customers' computers that mined for bitcoins.

The software, distributed by E-Sports Entertainment, also monitored what programs subscribers were running without their permission.

"These defendants illegally hijacked thousands of people's personal computers without their knowledge or consent, and in doing so gained the ability to monitor their activities, mine for virtual currency that had real dollar value, and otherwise invade and damage their computers," New Jersey's acting attorney general, John J. Hoffman, said in a statement.

According to Hoffman's office, E-Sports created a botnet using its customers' computers, which was used to mine for bitcoins, a virtual currency, when users were away from their PCs. In one two-week period, E-Sports was in control of 14,000 computers in New Jersey, which earned it about $3,500 (£2,174) by mining for bitcoins.

The bitcoin scheme was dreamed up by E-Sports co-founder Eric Thunberg and E-Sports software engineer Sean Hunczak. Hunczak allegedly created at least four bitcoin "wallet" addresses, which collected the mined currency. Hunczak then sold those bitcoins, converting them to US dollars, and depositing the funds into a personal bank account. This went on until May 2013, when an E-Sports subscriber discovered the scam.

New York-based E-Sports was established in 2006 and charges subscribers $6.95 (£4.32) per month for multi-player game access on its network. Gamers had to install E-Sports software onto their computers, but that unknowingly provided E-Sports with full administrative access to subscribers' computers.

E-Sports is required to hand over $325,000 (£201,900) of the $1 million settlement to the state of New Jersey. The remainder will be suspended and vacated within 10 years provided E-Sports adheres to the settlement terms and stays out of trouble.

Those terms include the creation of a new consumer information page that lets customers restrict, limit, opt-out of, or otherwise control the data or consumer information collected by E-Sports about them or their computers. The firm must also hire a third-party to audit E-Sports for the first 90 days after the settlement's effective date and then every two years through 2023.

In April of this year, bitcoin-mining malware was found to be propagating through skype.