black markets in China’s virtual assets economy
Posted on by Lyn Jeffery
Researchers at Peking University’s Institute of Computer Science and Technology, with the University of Mannheim’s Laboratory for Dependable Distributed Systems, just released a fascinating paper laying out the technical aspects of virtual asset theft and modeling the relationships among various actors in the Chinese virtual asset economy. The paper is quite technical, but contains a lot of meat for the nontechnical reader as well. Some points of interest:
- the virtual asset market on Taobao alone is estimated at over $30,000,000. The study was conducted from January to September 2007, but it’s hard to tell whether this estimate refers to that time period or to all virtual assets ever traded on Taobao. And of course, virtual assets are traded on more than Taobao.
- They divide virtual asset economic actors into 6 categories: Virus Writers who market their services on BBS for tens to thousands of RMB per Trojan; Website Masters/Crackers, who redirect unsuspecting users to sites with malware that installs itself on their machines; Envelope Stealers, who collate the “envelopes” of data on accounts and passwords and sell them on a per-envelope basis; Virtual Asset Stealers, who log in to the stolen accounts and sell their virtual assets or their accounts for a fraction to thousands of RMB; Virtual Asset Sellers, who buy stolen virtual assets through BBS ads and then run online virtual asset shops on popular public auction sites like Taobao, Paipai, and eBay; and last but not least, Players, mainly male teens.
- Black market buyers and sellers find one another via BBS on places like Baidu Postbar, but you have to know the right jargon to find them via keyword search.
- Buyers commonly pay via Alipay, and the virtual assets are exchanged via emails or other mechanisms.
I also found in my own visits to Internet cafes that people were buying and selling virtual assets in face to face transactions, which would be hard to track.
For more analysis, especially on the aspect of malware, see Ryan Paul’s great post on Ars Technica, here.