My PayPal was hacked to buy dodgy Diablo III gold

Recently, I made a startling discovery: my bank account had been cleaned out via unauthorised PayPal transactions. While this, in itself, was distressing, it led to the discovery of criminality I wasn't even aware of — where online scammers scam other scammers, and where virtual currencies are used to launder money in a virtually undetectable way.

Firstly, I want to say that I place no blame here on PayPal, I'm not questioning the company's security and I'm happy with its response so far. I am, like millions of other people, a lazy password keeper, and while I regularly rotate the passwords attached to my bank account, I had overlooked PayPal for quite some time. I use PayPal for mostly small transactions; I sometimes buy movie tickets or toys on eBay. Still, I should have been changing my password regularly.

I had also directed PayPal notifications to an older email address. You know, the one you send Domino pizza vouchers and Daily Deal notifications to. I check this email address every other day, and scan for emails from friends I haven't spoken to in a while, so I wasn't watching when the notifications of these unauthorised transactions started appearing in my inbox. And this gave the scammers more than enough time to do their worst.

The discovery of being robbed is an awful feeling, the knowledge that a stranger has discovered something private about you and taken advantage of this. There's a practical burden too; having to explain the situation and borrow money, delaying automatic payments for rent and bills. I was angry, anxious and disappointed in myself.

And then the angry emails started appearing.

For as soon as I contacted PayPal, players from Diablo III, who were expecting my PayPal money, became aware that they were not going to get it. I received many threats, I was reported to the FBI for fraudulent business conduct and one guy googled me, discovered I work here at CNET and decided to name and shame me — you might have seen his handiwork in the comments section on our site. I also learned through these emails that all of the hard-earned money taken from my account had been spent on Diablo III gold. All of it — thousands of dollars equating to more than 2 billion gold in Diablo currency.

Despite the anger and the threats, I felt sorry for the guys who were emailing me. I played Diablo III for about six weeks after it launched in May and only managed to earn a little over a million gold coins, I could only imagine the dedication to the game that could produce a thousand times more. So I offered to help them recoup their losses. I told them I'd vouch for them to Blizzard and see that their gold was returned. These offers were angrily declined.

"Blizzard will not be able to help, as these types of sales are against Blizz terms of service policy and can't be proven because it doesn't keep track of non (real money auction house) trades", one of these guys told me in an email.

Blizzard wouldn't help? This seems like terrible public relations. Why would Blizzard turn a blind eye to scammers stealing gold from their loyal fan base? It is fake money, after all, so it'd be no skin off Blizzard's teeth to reimburse these players.

And then the proverbial penny dropped. I wasn't talking to lovers of the game who had been fleeced of the gold they had worked so hard to accumulate. These guys were scammers too, part of a network of people exploiting the game to earn money for nothing. A billion gold would take years to accrue at the rate I played the game, and it is only really possible with a farm of computers playing the game automatically, 24-hours a day. They call this botting, and the single purpose of this practice is to turn the game into a money-making tool. Blizzard wouldn't help these guys because it was these guys who were destroying the economy underpinning Diablo III.

Atomic PC recently published an interesting interview with a Diablo III botter, who runs game exploits on a small scale — two or three machines. The interviewee said that he can earn 300-400 thousand Diablo gold per hour, per machine, which he can then sell for about 80-cents. In all the time he has spent botting the game, he has earned a total of about AU$3000. The guy who stole my money obviously decided that botting was too slow and decided to take a shortcut.

But why, after all the effort and risk of stealing my money, would this thief spend it all on worthless virtual currency? Was he so desperate for a new virtual sword and helmet in the game?

I continued to email the Diablo III players who had been expecting my money, and though their anger didn't dissipate, they did help me understand how this works. We had, apparently, spoken several times before on third-party Diablo III forums and in the game. The thief went by the name "TNK" and had agreed to buy their gold for a competitive price. The payment was made privately, using my PayPal, circumventing Blizzard's real-money auction house system, and then they met in the game and traded the gold in a private trade window. Four different gold farmers had been ripped off by the person with my PayPal details, but the money had been subtracted from my PayPal account in over 15 different transactions. Apparently, this is to trick Blizzard into thinking that these smaller transactions are between friends and are not a business transaction. The person who stole my PayPal money now has several billion Diablo gold, which can be sold for real money again.

When you think about it, it is sort of like money laundering; the dirty money is cleaned through the process of buying and then re-selling virtual currency. Except that my money has never really been taken — it hangs in an electronic limbo until I can sort out the mess with PayPal and have it returned. In the meantime, the thief can successfully trade with the gold farmers and make off with the loot. I'm severely inconvenienced, PayPal has to field extra work investigating the claim and the gold farmers lose days worth of exploited game gold. The thief, on the other hand, makes off with several thousand dollars in cash and disappears into the ones-and-zeros.

Blizzard is a victim here, too. Not only is this a PR nightmare, but the game developer stands to lose revenue from a Diablo III economy that has been crushed by these gold farmers, where the huge influx of gold from these players has buried the price of the virtual currency. I've read in Diablo III forums about a golden age, when 1 million gold coins was worth over US$20. Today, it hovers at around US$2.50. Not unlike hyperinflation in real world economies, like Zimbabwe, recently, or Germany in the early 20th century, players in Diablo III are pushing virtual wheelbarrows full of virtually worthless gold thanks to these exploits. Blizzard has been working to introduce gold sales in its auction house, but at US$0.25 per 100,000 gold, it hardly seems worth it.

For my part, I'm still cranky, but mainly at myself. I'm also fascinated by the complexity of the Diablo economy and the involvement of millions of people who are dealing with a currency that can only be spent on intangible objects. The person who robbed me has concocted a scam out of nothing at all, trading in the desire for objects whose value exists in the imaginations of the game's players. This imagination fuels the ebb and flow of this perceived value, and out of it all, a new kind of criminal is born.