DDoS, data theft, and malware are storming the gaming industry

When the pandemic kept people at home in 2020, millions turned to games for an escape. The surge turned every console, PC, and phone into part of a vast online network. More players meant more logins, payments, and personal data. That created a target larger than the industry had ever faced.

A growing industry with new responsibilities

The global games market is expected to reach $188.8 billion in 2025, a 3.4% rise from the previous year.

Players invest a lot of time and money into their online profiles, so it’s no surprise they see them as something worth protecting. Even when a game doesn’t involve real money, virtual items often carry real-world value.

Younger users, in particular, rarely think about protection, making them easy targets for phishing and malware. Weak passwords, account sharing, and reusing the same password across platforms only increase the risk.

DDoS attacks intensify across gaming

Gaming was the most targeted industry for HTTP DDoS attacks in 2024, with Layer 7 incidents rising 94 percent year over year.

In October, several major gaming platforms went offline at the same time. Early reports from security researchers point to a large DDoS campaign. The Aisuru botnet, known for previous high-volume attacks, was mentioned as a possible source.

Blizzard Entertainment recently confirmed a DDoS attack on its Battle.net platform that caused login issues, high latency, and disconnections across several games. It wasn’t the first time the company had experienced such an outage.

“DDoS attacks pose a serious threat to the online gambling and gaming industries, since it’s relatively easy for those with financial or competitive interests to disrupt operations long enough to alter or delay outcomes in their favor,” noted Richard Hummel, Senior Threat Intelligence Manager at NETSCOUT.

Targeted breaches reveal new weak spots

Nintendo confirmed that hackers had accessed parts of its systems but said no player or payment data was affected. A group called the Crimson Collective claimed responsibility and shared what looked like proof online, including screenshots showing internal folders and files.

The company said the breach was limited to external web servers used to host public sites and was not linked to its development or business systems. Still, the incident shows how exposed even major publishers are when attackers focus on cloud setups and public infrastructure.

Attackers exploit player trust to spread malware

Illegal cheat programs often hide malware that infects thousands of devices without the user’s knowledge. But that malware often spreads through familiar, trusted channels.

Valve removed a malicious game demo from Steam after researchers found it was spreading info-stealing malware to players.

In a separate campaign, Check Point researchers identified an active malware campaign that exploited expired and released Discord invite links. Attackers re-registered these vanity links to redirect users from trusted communities to malicious servers.

Issues with third-party systems

Many third-party sites don’t explain the risks of using their services. Some lure users with discounted game currency or rare items in exchange for downloading apps, watching ads, or sharing personal details. Such offers can expose players to credit card fraud, malware, and identity theft.

These sites also gather personal data such as email addresses, gaming usernames, IP addresses, and browser details. To handle payments through services like Stripe or PayPal, they may ask for banking or card information. Some of these marketplaces have already been hit by data breaches.

Money laundering moves into the gaming world

Researchers have found that gaming marketplaces can be used to launder money. In a common setup, someone opens several accounts on different platforms, uses illegal funds to buy in-game items or currency, transfers those assets between accounts, and then sells them for cash on third-party markets. With each transfer, the money trail gets harder to follow.

Game development is moving so fast that security teams can’t keep up

Game studios race to meet deadlines while trying to protect game stability and player trust.

Security teams deal with constant code changes, fast release cycles, and a steady flow of new vulnerabilities. Traditional vulnerability management struggles to keep up. Manual reviews, disconnected tools, and limited visibility across teams slow response times and increase exposure. To stay secure, studios need security practices that fit into each stage of development and release.

Regulatory and compliance awareness

Cyberattacks in gaming can lead to legal and regulatory consequences, especially when user data is exposed. Governments around the world have strengthened privacy and security laws, including the GDPR in Europe, the California Consumer Privacy Act in the United States, and PCI DSS 4.0 for payment data.

“The reputational risk of compliance failure isn’t just a legal or financial issue, it’s a fundamental breach of trust,” said Marco Goldberg, Managing Director at EQS Group. “A single data breach or compliance misstep becomes instantly visible to customers, regulators, and partners worldwide. The damage to reputation can be far more costly and longer-lasting than any financial penalty.”