G2A's dispute with indie devs doesn't look like it's ending any time soon
This April, at the Reboot Develop games conference in Croatia, G2A employee Mariusz Mirek took the stage to defend his employer before a group of skeptical developers. With Mirek’s appearance likely motivated by Gearbox Software terminating its then-recently announced partnership with G2A over the site’s oft-criticized business practices, many believed this marked the beginning of a public relations tour.
For the uninitiated, G2A is a download key reselling site that essentially works like a peer-to-peer digital GameStop. Let’s say you pick up the latest Humble Bundle and it’s got a lot of stuff you don’t care about. You could sell those download keys on G2A and make a bit of your money back. Or – as many developers & pundits allege – you could steal a credit card, buy hundreds of keys directly from a developer’s storefront, sell those keys on G2A for 100% profit, and leave the developer in the lurch when the cardholder hits them with a chargeback.
G2A claims it has an exceptionally low percentage of fraudulent transactions, which very well might be true. It could also be completely bogus, since those numbers have never been made available to the public or the press. G2A PR rep Maciej Kuc once told me in a previous interview that “below one percent” of transactions conducted on the site were fraudulent.
Regardless, G2A’s reputation among the general public (and especially among developers) is shaky at best. Although the Gearbox incident may have been the catalyst, it was far from the only negative press the site has earned over the years – some of which I am directly responsible for. The earliest I can remember hearing about G2A was back in January 2015, when Ubisoft batch-deactivated keys for Far Cry 4 purchased through the service. Later that year, League of Legends developer Riot Games banned G2A as an esports sponsor. 2016 brought us a public spat between G2A and indie label tinyBuild, a feud that continued well into the next year at GDC 2017.
G2A claims it has an exceptionally low percentage of fraudulent transactions.
TinyBuild alleges that G2A has cost them over $450,000 between stolen credit card chargebacks and lost revenue, but G2A vehemently disagrees, rightly pointing out that TinyBuild games are regularly discounted on platforms like Steam. During a GDC panel about how fraud affects indie developers, tinyBuild CEO Alex Nichiporchik mentioned G2A as one of the places where stolen keys could be easily fenced. However, during the question & answer session, Mirek took the microphone to confront Nichiporchik.
Although the panel was not recorded, Polygon’s first-hand report from the event paints exactly the picture you would expect. Mirek’s time with a hot mic was short and terse. “Let’s address [Nichiporchik’s] codes, because I was handling your emails,” Mirek said. “You have not provided a single [game] code [for us to validate the alleged fraud].”
“You’re really going to do this at GDC?” Nichiporchik responded.
One month later, several time zones and a continent away at Reboot Develop, the roles were reversed. Mirek took the stage for a panel titled “G2A Unplugged,” which sounds like Mirek is about to sit down in a backwards chair and talk to you about how drugs aren’t cool. The video on demand for the panel has been lost in the intervening months, but one particular highlight remains intact: Thomas Was Alone and Volume developer Mike Bithell’s now-infamous roast.
“So obviously you charge the customers who want to avoid fraudulent stuff with the [G2A Shield] system, you ask us to contribute our time and energy to detect fraud on your system in exchange for 10%, I’m interested what the 750 people [at G2A] are doing to earn the 90% of the transaction?” Bithell asked.
Mirek started to respond. “You know, there are people working in marketing, there are people working in risk, in finance–”
Bithell cut him off with a curt laugh. “Marketing,” he repeated, incredulously. At this point, Mirek was clearly fed up. He looked to the panel’s moderator, GamesIndustry.biz editor Dan Pearson, for help, but Pearson was openly laughing along with Bithell and the rest of the audience. Mirek was alone in hostile territory. “Is it mainly marketing?” Bithell asked.
“No, actually,” Mirek responded. “IT and security.”
“Good job,” Bithell quipped.
The clip is only 54 seconds, but it’s a perfect encapsulation of G2A’s contentious relationship with the development community. It’s a game of Telephone with only two participants, where G2A has been actively trying to mend fences but without properly communicating how they plan to do so.
Listen to Bithell’s question, for example. He’s right in that G2A Direct – a program where developers can sell games directly through G2A in exchange for having access to G2A’s key backend – isn’t perfect. Asking developers to track down alleged fraudulently obtained keys on their own feels like passing the buck, but it is free access to G2A’s key backend, which was one of the demands put forth by Gearbox.
Asking developers to track down alleged fraudulently obtained keys on their own feels like passing the buck, but it is free access to G2A’s key backend.
Bithell is also correct in that G2A Direct gives developers 10% from all sales conducted on G2A. But he seems to be operating under the impression that G2A will take 90% from sales conducted by the developers themselves. (Bithell did not respond to requests for comment on this article.) G2A Direct gives developers a storefront on G2A where they can make 89.2% commission on sales. The “10%” statistic Bithell mentions actually comes from G2A offering developers 10% of all third-party sales conducted elsewhere on the site.
“Developers and publishers can make up to 10% on every item sold by a third-party seller,” G2A PR specialist Gabriela Lefanowicz said in an email interview. “Imagine if you buy a Samsung TV and then go sell it on eBay. Samsung already made money the first time you bought the TV, and now they would get another 10% of the money made when you re-sold the TV on eBay. Neither eBay, nor any other marketplace in the world offers this, but we do.”
“GameStop and eBay sell used physical games which isn't a good comparison. If we had seen thousands of our digital games pop up there, we would take the same action -- try to verify legitimacy of the keys,” Nichiporchik told me in an email interview. “If we had a shop (which we did, only to find it be hit with fraud and those keys appear on G2A), and saw an influx of purchases, chargebacks, and then keys being sold at GameStop, we would definitely inquire about the origins of said keys.”
Lefanowicz said the company is more than happy to work with developers or publishers who come to them with a list of stolen keys. “If any developer or publisher has information and proof from an external/neutral institution that specific keys were stolen from them, we do everything we can to help,” Lefanowicz said. “We will always cooperate with developers and publishers to get rid of fraudulently obtained goods.”
In the intervening years since Ubisoft deactivated all those Far Cry 4 keys, G2A has reportedly beefed up its fraud protection, which Lefanowicz laid out for me step-by-step. “Imagine there is a scammer, let’s call him John. John has a couple of illegally obtained keys he wants to get rid of and because of false claims in the media, he decides on G2A,” Lefanowicz said.
“To become a seller, he has to provide a valid phone number and a social media account with history. So, let’s say John manages to get his hands on a valid phone number that cannot be traced to him and has a fake social media account which he has had for a while, with lots of friends and posts. Now let’s say that somehow John has managed to sell nine keys (the maximum number until the next verification step automatically kicks in). Let’s say John wasn’t flagged, and now he has made a small sum of money and goes to withdraw his money from G2A. At this point, John cannot use his fake identity any longer – he needs to provide us with a real bank account or PayPal account which is tied to his personal information.”
“If John wants to withdraw money through a different method than the two just mentioned, he will need to fill out a basic verification form which includes his full name, DOB, place of birth, nationality, address and his ID. So there are two options here - either John gives up, or he provides us with information that leads us right to him.”
I decided to test this for myself by creating a brand new G2A seller’s account. I used my personal email for the account to make sure I wouldn’t lose access while reporting this story, but since one user-created Gmail is indistinguishable from the next I doubt that would’ve affected anything. For the rest of the checkpoints, I would need a couple different things to fool G2A’s automated system: a prepaid cellphone, a fake social media account, and a fake PayPal account.
The cellphone was easy to get. I walked half a mile to my local CVS and picked up a burner Tracfone & refill card for about $30 total. Within an hour, I had an untraceable phone number, which I would attach to a separate burner Gmail account.
I used the Gmail account, the phone number, and a recent picture of wrestling legend Arn Anderson to create a fake Facebook account. From there, I successfully attached the Facebook profile to a G2A account. If I had performed all those steps in a free VPN-enabled browser, I’d be all set.
However, getting any money out of the G2A account was a different story. Lefanowicz was right – for a scammer to actually make money through G2A, they would indeed need a PayPal or bank account. Initial research led me to believe prepaid debit cards could be used not only to activate a PayPal account, but to set up a go-between anonymous bank account that would allow the users to withdraw money from the account.
According to Lefanowicz, PayPal will flag accounts with prepaid cards attached, but I’ve read plenty of first-hand testimonials from people who have made that exact system work. Perhaps you can get around that by using the account & routing numbers from the direct deposit account generated by the prepaid card. Either way, PayPal didn’t seem to be a problem.
The problem came from the prepaid card. I bought a generic GreenDot Visa that advertised cash access, but when it came time to activate the card online, I was surprised: the form asked for my Social Security number before the card could be activated and used. I mashed the proper amount of numbers into the field, hoping that I could just attach an SSN rather than running the number against an existing database, but no such luck. You need to input your legal name and the corresponding number.
Now, that’s just the wall I personally hit. I can’t anonymously sign up for a PayPal account, but that’s because I’m a law-abiding citizen with limited funds. If somebody’s using a stolen credit card to allegedly commit fraud, there’s probably a way around PayPal security.
But everything else – that’s possible. Hell, it’s easy. It’s easy to get an anonymous phone number, make an anonymous Gmail account, fake a social media profile, and start selling on G2A with little to no oversight. G2A does have an additional series of checkpoints for “sellers that are treated as businesses by law,” according to Lefanowicz, but it’s not clear what the line is between casual and professional seller. Those sellers will be required to provide documents including “bank statements, a VAT or TAX number, and a certificate of incorporation.”
It’s no wonder alleged scammers prefer G2A as a place to fence goods. Last year, Kotaku published an investigative piece where they spoke with a key scammer who allegedly sold a batch of stolen keys on G2A. “G2A [is one of the] great sites to sell fraudulent keys,” said Brazilian hacker Vitor Reis. “The keys of commerce [are] quick and easy, and there is [not] much bureaucracy.” G2A has added the aforementioned safeguards since then, but if I was able to make it through I’m certain a credit card scammer wouldn’t be too stymied.
Look at any G2A-centric news feature, and you’ll find quotes from independent developers who are furious at G2A for all the alleged fraud committed on their platform. I’ve even had indies heavily imply on the record they’d rather you pirate their games than buy them at G2A. Polygon went looking to speak with developers who have signed up for G2A Direct, and the most prolific studio they could find was the Superhot team.
A look at the current list of Direct participants includes the publishers of games like Killing Floor 2, Prison Architect, and A Normal Lost Phone. But it also has a lot of shovelware and subscription codes for Napster Europe. G2A Direct looks good on paper, but they’re not attracting the same voices who have been criticizing them all along.
All the developer-friendly programs in the world won’t fix the site’s reputation.
Nichiporchik says the only way tinyBuild will only do business with G2A if “we get to see all keys available for sale for our games, and are able to set minimum prices.” He’s aware of G2A Direct, but still doesn’t feel comfortable “getting a kickback for keys that fell off a truck.” That is the core of G2A’s problem, right there. In the absence of any fraud allegations, G2A Direct would be a great program. Even if you discount the 10% on all third-party transactions, raking in almost 90% of all transactions conducted through your storefront is a respectable take.
But all the developer-friendly programs in the world won’t fix the site’s reputation – only an increased focus on security will do that. Developers are right in that G2A could be doing more to combat alleged fraud. But G2A is providing a unique, even necessary service for consumers. I personally really like the idea of selling the extra keys I’ve acquired through bundles, if only because I’m never going to turn down some extra scratch. Consumers need to define their rights before digital distribution completely swallows physical media.
The problem is that when you’re buying a game on G2A, precedent says it could be stolen code. It may get deactivated by publishers like Ubisoft or MangaGamer. Or it could be somebody’s hacked PSN account, which is a real thing that happened to me last year. The site’s reputation is still in the toilet, something that won’t change until G2A finds a way to stomp out fraud once and for all.
Top image: G2A CEO Bartosz Skwarczek promoting the G2A Shield service. Photo via Polygon.
Disclosure: ZAM Network and Riot Games share a corporate parent. Riot had no involvement in the writing or publication of this article.