The Federal Bureau of Investigation (“FBI”) has charged a 25-year-old hacker with illegally accessing the computer servers of FIFA 2018, a popular sports video game, and stealing $324,000 worth of game licences and in-game virtual currency.  The FBI alleges that Martin Marsich, a Serbian and Italian national, hacked into computer networks operated by the game’s publisher, Electronic Arts (“EA”), and hijacked the accounts of some 25,000 users.  Marsich is said to have stolen virtual currency and copies of the game, which were re-sold on the black market.  If convicted, Marsich faces up to five years imprisonment and a $250,000 fine.

Since its launch in 1993, soccer video games in the “FIFA” franchise – a reference to soccer’s governing body, the Fédération Internationale de Football Association – have sold over 150 million units worldwide, making FIFA the best-selling sports game franchise of all time.  In recent years, EA has developed a range of new gameplay modes – such as the card collecting “Ultimate Team” mode – which are driven by in-game micro-transactions.  The popularity of such modes has created a significant black market for the game’s virtual currency, which is purchased using real money.  These factors have driven up the real-world value of the game’s virtual currency, making it a target for hackers.

Court documents show how Marsich allegedly used a sophisticated intrusion strategy to gain access to the FIFA servers.  According to an affidavit sworn by FBI Agent Justin J. Griggs, the accused was able to exploit a security flaw to access the backend servers of NBA Live 15, another sports video game published by EA.  Marsich then used his NBA Live 15 access token as a “bridge” to the FIFA servers.  As Agent Griggs explains:  “The secret access token allowed the hacker to forge a connection between NBA Live 15 and FIFA 18.  Since NBA Live 15 was a trusted server, the hacker was able to exploit the trust between NBA Live 15 and FIFA 18 to gain access to FIFA 18.”

Once he had gained high-level privileges, Marsich gave copies of FIFA 2018 to 17,000 compromised EA accounts, and distributed in-game currency packs to 8,000 compromised accounts.  Marsich then was able to re-sell $324,000 worth of game licences and currency packs to gamers on the black market.  When EA discovered the hack, the company turned over logs of user activity – including IP addresses – to the FBI.  Agent Griggs noticed that the same IP address was used to log into both a consumer FIFA 2018 account and the backend server.  Investigators made a breakthrough when they discovered that the FIFA account associated with this IP address listed a recovery email address matching one used by Marsich in a United States visa application.

On August 8, Marsich was arrested at San Francisco International Airport while attempting to board a flight to Serbia.  He was charged with accessing a protected computer without authorization and accessing a protected computer to defraud, in violation of the Computer Fraud and Abuse Act.  Judge Jacqueline Scott Corley, Magistrate Judge of the U.S. District Court, Northern District of California, ordered Marsich to post bail of $750,000, the equivalent of what he paid in cryptocurrency before being released to a halfway house.

Marsich’s case is not the first instance of hackers targeting FIFA’s virtual currency.  In 2016, Texas resident Anthony Clark was charged with stealing $3 million worth of virtual currency from EA.  Clarke was found dead in his home before the case could go to trial.