TRENTON – Acting Attorney General John J. Hoffman, the Division of Law and the Division of Consumer Affairs announced today that on-line video gaming company E-Sports Entertainment, LLC, has entered into a $1 million settlement that resolves allegations it infected thousands of personal computers with malicious software code enabling E-Sports to monitor what programs subscribers were running and illegally mine for bitcoins.
In a formal complaint filed today along with two consent judgments outlining the settlement, the State alleges that E-Sports created and deployed malicious software code that infected the computers of thousands of customers who subscribed to its anti-cheat services for popular on-line video games.
According to the complaint, the malicious code enabled E-Sports to monitor users’ computers even when they were not signed onto or using E-Sports services. E-Sports also created a botnet – a network of computers running malicious software – using its customers’ computers. The botnet used the computing resources of users’ computers to mine for bitcoins, a virtual form of currency. It is estimated that, during a single two-week period, E-Sports took control of approximately 14,000 computers in New Jersey and across the nation, and generated approximately $3,500 by mining for bitcoins.
“This is an important settlement for New Jersey consumers,” said Acting Attorney General Hoffman. “These defendants illegally hijacked thousands of people’s personal computers without their knowledge or consent, and in doing so gained the ability to monitor their activities, mine for virtual currency that had real dollar value, and otherwise invade and damage their computers.
“This case should serve as a message that we are committed to protecting New Jersey consumers, and that we will hold accountable anyone who seeks to exploit them through misleading claims, deceptive practices or the invasion of their computer privacy,” Hoffman said.
As part of its settlement with the State, E-Sports has agreed to refrain from deploying software code that downloads to consumers’ computers without their knowledge and authorization. The company also must submit itself to a 10-year compliance program and create a dedicated page on its Web site that specifies what type of data it collects, the manner in which the data is collected, and how the information is used.
E-Sports must pay the State $325,000 of its $1 million settlement obligation. The remainder is suspended and will be vacated within 10 years, provided the company adheres to all settlement terms and avoids future violations of the law.
“Consumers who subscribed to E-Sports’ video game anti-cheat services paid for protection from cheaters – not to be cheated by the very services they’d purchased,” said Division of Law Director Christopher S. Porrino. “Companies that collect consumer information and access users’ computers have a duty to ensure that protocols and procedures are in place to protect the information they collect. Moreover, no company should obtain more access or information than is necessary to engage in the legitimate operation of its business.”
“Following our $1 million settlement with PulsePoint earlier this year, today’s settlement serves as another victory for consumer privacy for New Jersey consumers and consumers across the country,” said Division of Consumer Affairs Director Eric T. Kanefsky. “Whether through the circumvention of browser settings, unlawfully mining for bitcoins or by failing to adequately protect customers’ personal data from breaches, our office will hold accountable those companies and individuals that violate consumers’ expectations of privacy.”
E-Sports co-founder Eric Thunberg and E-Sports software engineer Sean Hunczak are each parties to the settlement being announced today.
E-Sports was established in 2006 and is based in Commack, NY. E-Sports charges subscribers $6.95 per month to play E-Sports-supported games against other E-Sports subscribers on the company’s hosted, anti-cheat game servers. To play on E-Sports-hosted game servers, subscribers must download and install E-Sports software onto their computers. Once installed, the software gives E-Sports full administrative access to subscribers’ computers.
The State’s complaint alleges that, via its software, E-Sports downloaded malicious software code onto subscribers’ computers that enabled E-Sports to monitor what programs were run by subscribers, even when those subscribers were not using E-Sports services and the E-Sports software was not turned on.
The complaint also alleges that Thunberg and Hunczak developed the malicious bitcoin-mining software code that enabled them to use the graphics processing units of subscribers’ computers to mine for bitcoins undetected.
As part of the process, the complaint alleges that Hunczak turned E-Sports’ subscribers’ computers into a botnet for the purpose of mining bitcoins. The bitcoin-mining software code enabled Hunczak to mine for bitcoins only when users were away from their computers.
The State’s complaint alleges that Hunczak created at least four bitcoin “wallet” addresses where he deposited bitcoins mined via the E-Sports botnet. Hunczak allegedly then sold the mined bitcoins, converting them into U.S. dollars and ultimately depositing them into a personal bank account. According to the State’s complaint, Thunberg supervised Hunczak’s activities, provided Hunczak with input, and authorized Hunczak to use company time to develop, create and test the E-Sports bitcoin mining code. E-Sports apparently terminated use of the bitcoin mining code in May 2013 after an E-Sports subscriber discovered it.
The complaint filed today charges E-Sports, Thunberg and Hunczak with violating New Jersey’s Consumer Fraud Act and the State’s Computer Related Offenses Act.
In addition to the $325,000 settlement payout and a general agreement to refrain from any unfair or deceptive acts, E-Sports has agreed under the settlement to a variety of changes in its practices. Among the changes is creation of a new consumer information page that, among other things, will include information on how consumers can restrict, limit, opt-out of, or otherwise control the data or consumer information collected by E-Sports about them or their computers.
The company also has agreed to put in place a privacy and data security program that contains comprehensive privacy controls and procedures, and is designed to ensure the confidentiality of consumer information. As part of the program, E-Sports has agreed to regular testing or monitoring of its security controls. It also has agreed to hire a third-party professional to conduct a Privacy and Security Audit Report covering the first 90 days after the settlement’s effective date and, subsequently, every two years through 2023.
Deputy Attorneys General Jah-Juin Ho, Edward Mullins and Glenn Graham, and Assistant Attorneys General Kevin Jespersen and Brian McDonough, assigned to the Division of Law’s Affirmative Civil Enforcement group, and Investigators Brian Morgenstern and Aziza Salikov of the Division of Consumer Affairs Cyber Fraud Unit, handled the E-Sports matter on behalf of the State.