Crime & Safety

Commack Gaming Company Accused of Spying on Users for Bitcoins

New Jersey Attorney General claims gaming company used information it illegally obtained from 14,000 users to turn virtual currency into real money.

A Commack-based competitive gaming company, E-Sports Entertainment, has agreed to settle a $1 million case, in which it was accused of using illegally monitoring users’ computers to gain Bitcoins, according to a press release by the New Jersey’s attorney general.

The complaint accuses E-Sports entertainment of embedding a malicious code in its anti-cheat software, which observed programs subscribers were running by infecting 14,000 computers in New Jersey and elsewhere, to generate approximately $3,500 by mining for bitcoins, a virtual currency that has real monetary value, John J. Hoffman, New Jersey’s Attorney General said in the release.

The Commack-based company was established in 2006 and charges subscribers $6.95 per month to play E-Sports-supported games against other E-Sports subscribers on the company’s hosted, anti-cheat game servers. To play on E-Sports-hosted game servers, subscribers must download and install E-Sports software onto their computers. Once installed, the software enables E-Sports full administrative access to subscribers’ computers.

Find out what's happening in Commackwith free, real-time updates from Patch.

The State’s complaint alleges that, via its software, E-Sports downloaded malicious software code onto subscribers’ computers that enabled E-Sports to observe which programs were run by subscribers, even when those subscribers were not using E-Sports services and the E-Sports software was not turned on. The complaint also alleges that Thunberg and Hunczak developed the malicious bitcoin-mining software code that enabled them to use the graphics processing units of subscribers’ computers to mine for bitcoins undetected.

“This is an important settlement for New Jersey consumers,” Hoffman said. “These defendants illegally hijacked thousands of people’s personal computers without their knowledge or consent, and in doing so gained the ability to monitor their activities, mine for virtual currency that had real dollar value, and otherwise invade and damage their computers.

Find out what's happening in Commackwith free, real-time updates from Patch.

As part of its settlement with the State, E-Sports has agreed to refrain from deploying software code that downloads to consumers’ computers without their knowledge and authorization. The company also must submit itself to a 10-year compliance program and create a dedicated page on its Web site that specifies what type of data it collects, the manner in which the data is collected, and how the information is used.

E-Sports must pay the State $325,000 of its $1 million settlement obligation. The remainder is suspended and will be vacated within 10 years, provided the company adheres to all settlement terms and avoids future violations of the law.

The State’s complaint alleges that software engineer Sean Hunczak created at least four bitcoin “wallet” addresses where he deposited bitcoins mined via the E-Sports botnet. Hunczak allegedly then sold the mined bitcoins, converting them into U.S. dollars and ultimately depositing them into a personal bank account. According to the State’s complaint, Thunberg supervised Hunczak’s activities, provided Hunczak with input, and authorized Hunczak to use company time to develop, create and test the E-Sports bitcoin mining code. E-Sports apparently terminated use of the bitcoin mining code in May 2013 after an E-Sports subscriber discovered it.

The complaint filed Tuesday charges E-Sports co-founder EricThunberg and Hunczak with violating New Jersey’s Consumer Fraud Act and the State’s Computer Related Offenses Act. 

While the company agreed to the settlement, E-Sports Entertainment issued a statement to Polygon, which first reported on the case, that it does not agree with the Attorney General's account of the Bitcoin incident, nor does it admit, to the state’s allegations.

The company has agreed to put in place a privacy and data security program that contains comprehensive privacy controls and procedures, and is designed to ensure the confidentiality of consumer information. As part of the program, E-Sports has agreed to regular testing or monitoring of its security controls. It also has agreed to hire a third-party professional to conduct a Privacy and Security Audit Report covering the first 90 days after the settlement’s effective date and, subsequently, every two years through 2023.


Get more local news delivered straight to your inbox. Sign up for free Patch newsletters and alerts.

We’ve removed the ability to reply as we work to make improvements. Learn more here

To request removal of your name from an arrest report, submit these required items to arrestreports@patch.com.