The FTC distributed $72 million in Fortnite refunds from a record $245 million settlement with Epic Games, after the agency found the company used dark patterns to trick players into unwanted purchases. HN49 also covers the Lazarus Group’s latest cryptocurrency campaign: a professionally built fake NFT tank game, two Chrome zero-days including an unpatched V8 sandbox escape, AI-generated marketing content, and coordinated social engineering across X and LinkedIn targeting crypto investors worldwide.
Stories Covered
FTC Distributes $72 Million in Fortnite Refunds Over Dark Pattern Allegations
The Federal Trade Commission began distributing $72 million to 629,344 Fortnite players as the first tranche of a $245 million settlement reached with Epic Games in December 2022. The FTC alleged that Epic used dark patterns — deliberate interface designs that exploit user behavior to produce outcomes favorable to the business — to generate unwanted charges. Specifically, players were charged while attempting to wake the game from sleep mode or during loading screens, and adjacent button presses intended only to preview items triggered purchases. The agency also alleged that Epic allowed unauthorized charges by minors and locked accounts of users who disputed those charges.
Dark patterns are social engineering at the UI layer. Instead of exploiting a technical vulnerability, the designer exploits how humans process visual information and make quick decisions under ambiguity. Fortnite is a free-to-play game that monetizes through cosmetic skins and season passes — meaning the revenue model depends entirely on getting users to spend money they didn’t necessarily intend to spend. The FTC’s complaint documents a pattern of making it harder to say no: confusing button placement, inconsistent interface behavior, and charging flows that activate on incidental inputs. Players receiving refunds averaged $114 each — real money spent on cosmetic upgrades in a free game.
One practical note: the FTC explicitly warned that scammers will use this refund program as a pretext to phish for personal information or payment of fake “clearance fees.” This is a standard pattern — whenever a government program distributes money on a deadline, threat actors impersonate that authority to create urgency. There are no fees to claim a Fortnite refund. If you may be eligible (charges between January 2017 and September 2022, unauthorized minor charges through November 2018, or a locked account over disputed charges), go directly to the FTC source — not a link from an unsolicited email.
Lazarus Group Exploits Chrome Zero-Day with AI-Crafted Fake Crypto Game
Kaspersky researchers found North Korea’s Lazarus Group running an elaborate campaign since February 2024 against cryptocurrency investors, centered on a fake NFT-based multiplayer tank game hosted at tankzone.com. Lazarus built the site using stolen source code from a legitimate game, giving it a functional and professional appearance. Embedded in the site was an exploit chain targeting two Chrome vulnerabilities: CVE-2024-4947, a zero-day in Chrome’s V8 JavaScript engine that allowed arbitrary code execution, and a second vulnerability with no public identifier that escaped the Chrome V8 sandbox entirely — giving the attackers full system access. The chain deployed shellcode to profile the compromised system before deciding whether to install a backdoor called Manuscript.
The exploit chain is the technical core, but the social engineering infrastructure around it is what makes this campaign notable. Lazarus created multiple fake accounts on X and LinkedIn, used AI-generated images and content to make the game appear legitimate, and directly approached cryptocurrency influencers to promote the site — both to expand distribution and to target the influencers’ own accounts and crypto holdings. AI generation lowers the quality bar needed to fool most users: an AI-rendered tank game screenshot doesn’t need to be indistinguishable from human art, it just needs to be good enough that someone glancing at a Twitter post doesn’t pause. Kaspersky noted Lazarus is actively iterating on generative AI capabilities and predicted more sophisticated use going forward.
The cryptocurrency angle is strategic. Blockchain transactions are irreversible — once funds move, there is no chargeback, no dispute mechanism, no central authority to appeal to. For a state actor like North Korea that is funding weapons programs through cybercrime, crypto theft offers a high-ROI channel: spend relatively modest resources building a convincing campaign, harvest from thousands of targets, and extract funds with no recovery path. Lazarus has been one of the most prolific actors in this space, responsible for the 2016 Bangladesh Bank $81 million SWIFT heist and the WannaCry ransomware outbreak. The ChromeV8 zero-day campaign is a continuation of that track record — technically sophisticated, lavishly socially engineered, and aimed squarely at a target pool with liquid assets and high risk tolerance.
Leave a Reply