Credit card thieves are allegedly using the mobile games Clash of Clans, Clash Royale and Marvel Contest of Champions (developed by Supercell and Kabam, respectively) to launder hundreds and thousands of dollars.

In the case of Clash of Clans and Clash Royale, players can spend real money for premium in-game currency like gold or gems. Players can take this premium currency and buy advantages, but the currency apparently also serves as an easy way to launder money.

According to a report published by German cybersecurity firm Kromtech, the thieves used 20,000 stolen credit cards to make purchases in Clash of Clans, Clash Royale, and Marvel Contest of Champions by reselling accounts with those same purchases to third-party marketplaces and receiving money in exchange, with zero attachment to the stolen cards.

This laundering is possible because of the accessibility to automatically create accounts on a large scale. For example, Apple only requires a valid e-mail address, password, date of birth, and three security questions to create an Apple ID.

E-mail accounts are easy to create. The thieves were reportedly able to automate the account creation process, allowing them to create accounts on a large scale, resulting in an automated money laundering tool for credit card thieves to use.

Kromtech’s investigation began with database-building software MongoDB. Poor configurations granted hackers access to data from tens of thousands of MongoDB databases. Kromtech became aware of these Clash of Clans thieves after analyzing samples from one database, which stored over a hundred thousand credit cards.

"The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania," writes the report.

"We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves."

Although there seem to be no immediate solutions, Kromtech urges developers and service providers to secure their account creation process from abuse by automated tools and police their policies when it comes to tracking and pursuing thieves.