Following a report last week of a ransomware attack on Epic Games that allegedly made off with nearly 200GB of data, Epic now says the whole thing was in fact “a scam“—and so does the group that claimed credit for it in the first place.
The attack, reported on February 28 by Cyber Daily, was supposedly carried out by a hacking group calling itself Mogilevich, presumably adopting the name of notorious Russian crime boss Semion Mogilevich. The group said it had obtained 189GB of data in the attack, including “email, passwords, full name, payment information, source code and many other data,” and was offering it for sale, with a pay-up deadline of March 4.
The whole thing seemed a bit suspicious from the outset: No specific ransom amount was set, nor was any proof provided that the hack had actually taken place, which is fairly standard practice for this sort of thing. For its part, Epic said there was “zero evidence” the claim was legitimate, and that its efforts to contact Mogilevich had gone unanswered.
Sure enough, when the ransom deadline arrived Mogilevich admitted that the whole thing was a scam: A new Cyber Daily report says a link that purportedly contained the stolen Epic data instead led to a message advertising the group's services as “professional fraudsters.”
“None of the databases listed in our blog were as true as you might have discovered recently,” a representative of the group calling themselves Pongo wrote. “We took advantage of big names to gain visibility as quickly as possible, but not to [gain] fame and receive approval, but to build meticulously our new trafficking of victims to scam.”
The message explains how Mogilevich used fake claims of hacks and “social engineering” to extract ever-increasing sums from victims, beginning with sales of its hacking services (which didn't actually exist) to eight people for $1,000 each—an amount that was boosted to $2,000 each once they agreed to pay—and eventually leading to what Mogilevich claimed was an $85,000 payment for materials taken in a hack of drone maker DJI, although the group has again provided no proof that the payoff actually occurred.
But now the jig is up: Migolevich has confessed to the real nature of its crimes, and Epic has confirmed that it was not hacked.
“Our investigation has concluded,” Epic tweeted. “The group’s claims were never legitimate – this was a scam.”
As for why the hacker-fraudsters spilled the beans at all, it appears to be a case of the classic villain flaw: Mogilevich wants to gloat.
“This was done to illustrate the process of our scam,” Pongo wrote. “We don't think of ourselves as hackers but rather as criminal geniuses, if you can call us that.
Pongo added that they believe they've “taught a lot of people, especially Epic Games, a lesson” that reports of hacks and ransom claims actually had the opposite of the intended effect: They ultimately did “nothing [more] than advertise us by enlarging our fraudulent network.”
Of course, as Cyber Daily noted, none of that rationale is verifiable, and it's also possible that Mogilevich knew Epic wasn't going to play ball and decided to stake a little claim to fame while it still could. Whatever the reason, and however many people were actually taken for a ride by this scam, it's yet another reminder to be careful out there: As the Russians like to say, trust, but verify.