G2A sold $450k worth of our game keys
For a while now our devs have been getting e-mails from G2A with proposals to work together. We no longer actively jump on additional distribution opportunities (there's a new bundle every day...), but the whole G2A subject needs to be talked about a bit more.
Before I dive deeper, it's important to understand what G2A is and how it works. You may have seen the occasional reddit thread with their G2A Shield Deactivation experience, and probably saw tons of streamers and youtubers endorsing the company due to their affiliate program.
In short, G2A is like Ebay for game keys.
The basic idea is a novel one - with the abundance of game keys spread through bundles, odds are you'd want to sell off keys for games you don't really want, and make a few bucks when doing so. So it's pretty simple for sellers:
Get a game key from a bundle
Sell it on G2A
Make a couple of dollars
Meanwhile the consumers get a really good price on games. The problem is that this business model is fundamentally flawed and facilitates a black market economy. I've spoken to a merchant on G2A about how he's making $3-4k a month, and he outlined the core business model:
Get ahold of a database of stolen credit cards on the darkweb
Go to a bundle/3rd party key reseller and buy a ton of game keys
Put them up onto G2A and sell them at half the retail price
I've reached out to distribution partners inquiring about the amounts of chargebacks happening, and it's killing some of them. [Article on IndieGameStand] There are variations on this business model, as some "merchants" live off bots who actively scavenge keys from Twitter/Twitch/Facebook, and then use Steam's gifting feature to "sell" the key on G2A.
tl;dr websites like G2A are facilitating a fraud-fueled economy where key resellers are being hit with tons of stolen credit card transactions and these websites are now growing rapidly due to low pricing of game keys
The financial impact is actually huge
I've been dismissing the issue for a long time. Sure, a few game keys leak here and there - nothing major. For a few months we supported our own little store on tinyBuild.com - just so we can give some discounts to our fans, and do creative giveaways that'd include scavenging for codes. The shop collapsed when we started to get hit by chargebacks. I'd start seeing thousands of transactions, and our payment provider would shut us down within days. Moments later you'd see G2A being populated by cheap keys of games we had just sold on our shop. Coincidentally, this is when we were having discussions about partnering up with G2A and how that'd work.
I really wanted to find out what kind of financial impact this marketplace can have, and after asking for sales stats in 3 separate discussions, I finally have them. From the e-mail:
SpeedRunners Early Access Global: 24,517 units sold with an average price of $6.26 per unit.
Punch Club Global: 1,251 units sold with an average price of $8.72 per unit.
Party Hard Global: 890 units sold with an average price of $7.95 per unit.
If I do some simple calculations, it comes down to this:
The total value of these transactions on G2A was ~$200k
Meanwhile, if these transactions happened at Retail price, it's closer to $450k.
With this information in hand, my obvious question was where did the keys come from, and can we get compensation for that? Here's the reply I got.
"So the issue you have pointed to is related to keys you have already sold. They are your partners that have sold the keys on G2A, which they purchased directly from you. If anything this should give you an idea on the reach that G2A has, instead of your partners selling here you could do that directly. I can tell you that no compensation will be given. If you suspect that these codes where all chargebacks aka fraud/stolen credit card purchases I would be happy to look into that however I will say this requires TinyBuild to want to work with G2A. Both in that you need to revoke the keys you will be claiming as stolen from the players who now own them and supply myself with the codes you suspect being a part of this. We will check to see if that is the case but I doubt that codes with such large numbers would be that way. Honestly I think you will be surprised in that it is not fraud, but your resale partners doing what they do best, selling keys. They just happen to be selling them on G2A. It is also worth pointing out that we do not take a share of these prices, our part comes from the kickback our payment providers."
In short, G2A claims that our distribution partners are scamming us and simply selling keys on G2A. They won't help us unless we are willing to work with them. We are not going to get compensated, and they expect us to undercut our own retail partners (and Steam!) to compete with the unauthorized resellers. There's no real way to know which keys leaked or not, and deactivating full batches of game keys would make a ton of fans angry, be it keys bought from official sellers or not. Make your own conclusions.
A lot of people have been asking about revoking keys. It seems like an easy no brainer solution - simply disable the keys that leaked or are being sold illegally. The problem with this is a bit more complex than you might think. You have some keys which are legit from bundles, others from a bunch of fraudent credit cards, and random keys scavenged from giveaways. These would be from at least 3 different batches. How do we track which one to disable? Now imagine when we have hundreds of these batches. Large corporations tackle this by having a ton of people working on tracking smaller batches, but we want to stay small & nimble. This means automating as much as possible. And even if we were to spend a ton of time on micromanaging this, it wouldn't solve the overall problem. Awareness of the general issue is what makes an impact.
In the original article I refer to key distribution partners, the ones that G2A claim are sneakily reselling keys. I can confirm without a doubt that these partners do not resell their keys: Humble Store, BundleStars, IndieGameStand, IndieGala. They're our trusted partners and everything you buy from them is legit.
G2A issued an official response to Kanobu (a Russian games publication) in regards to their post about my article. Below is the translated response:
Statement translated from Russian:
At G2A we believe in being innocent until proven guilty, meaning we believe that all of our 200k merchants are legit until proven otherwise. We support merchants and assume they operate within the law. Of course, unfair "players" appear in any business, which unfortunately includes our system. Nonetheless, G2A does not hold any liability for vulnerabilities in someone's billing system. We are sorry that tinyBuild's shop was attacked and that it impacted their negotiations with G2A. We hope to restore a good relationship, because our door is always open for cooperation. G2A has lots of experience working directly with developers and publishers of different sizes. For example, recently we had a promotion where 21 developers and publishers from post-soviet countries participated in. During the promotion G2A did marketing pushes for the partners without taking additional revenue for itself. This promotion was supported by known companies, like Gaijin, Bitbox, Herocraft, Nekki, Nival and many others. G2A is always open to working with developers and publishers. We are working together to make the Marketplace better for gamers. Not only that, but we also invite all developers and publishers experiencing problems with chargebacks to use our G2A.Pay payment solution for their stores. It's free and we guarantee 100% security of payments and cover all expenses associated with chargebacks, preventing any losses from our partners' side.
TL;DR "use our payment solution for your shops"
G2A recently issued an aggressive press release trying to discredit us as a company. They lean on our (completely irrelevant to the subject) Punch Club Piracy Story, and demand we give them a list of keys we believe are fraudulent. In a rather corporate way, they start off with a 3 day ultimatum. We've already told Polygon, GameInformer and other media outlets on why we won't share the list of keys. Below is a list of recent statements from companies and industry people, alongside a a summary of what we actually sent to the media inquiries regarding G2A's aggressive press release.
Some coverage & Investigations regarding G2A
Our official statement & summary for press inquiries
They reached out to us & Jacob from IndieGameStand regarding our article about Punch Club piracy and how G2A is damaging small key resellers (http://blog.indiegamestand.com/featured-articles/steam-key-reselling-killing-little-guys/)
The tone of the statement is different from the tone in that conversation. Now our Punch Club piracy story is questionable? How can they say our story is unreliable? We never even mentioned G2A there. Obviously they're pissed off, but why try to discredit us on a completely unrelated subject? They reached out to us because they LIKED that story and wanted to be part of it (stopping piracy).
We were never told they removed 200 keys/merchants -- we wanted them to do it, they told us they weren't going to unless we decide to work with them _and_ we had to provide the keys. So did they or did they not? Because they just said we didn't give them a list of keys, which is true. So how did they remove these keys/merchants? I'm genuinely curious.In other words, they need to have a list of keys to remove merchants. They don't have that list. How did they remove the merchants?
Pointing to bundles/resllers again. First they said our bundle partners are selling keys directly to them which is absolutely false (verified with Humble, BundleStars, IndieGala, IndieGameStand, etc). Now they're just pointing to bundles as the escape goat.
So _now_ they're willing to help with keys, but instead phrase in the same blackmail way - you have 3 days to send us keys to verify. Previously it was "we're not going to help you unless you sign up working with us".
With the information above, I'm not comfortable sharing lists of keys from multiple batches that may or may not be stolen. The way our business works is we work with a ton of partners, and tracking down individual key batches is an insane amount of work.
Everybody knows their reputation, so why would anyone even consider giving them a list of keys to "verify"? I believe they'd just resell those keys and make more money off of it.
We're not really talking about solutions here, only symptoms. And the cause of everything is really that they're not verifying merchants, not acknowledging the scope of their problem, and blackmailing us into working with them (saying they'll only help us if we work with them).
A possible solution would've been (we talked about the first 2 points with them!)
Allow publishers to set a minimum price for the distributed products
Set a minimum cut for all 3rd party sales of said keys (these would come out of merchants' cut)
Actually verify your merchants. I just made an account and within an hour was able to sell a ton of keys no verification whatsoever. If Ebay allowed you to sell merchandise without verifying sellers' credentials (they ask you for IDs, tie it to your bank account statements confirming addresses, etc) they'd probably under similar fire right now as they'd facilitate stolen goods trade.
Instead they're demanding lists of keys within 3 days or else (what?).
We've got an idea for a solution!
In the same fashion as G2A issued us a 3 day ultimatum to share keys we are issuing a 3 day ultimatum for G2A to provide a solution for developers and publishers to benefit from the marketplace. Our proposed solutions are above. I'm sure there are smart people working at G2A that can come up with how to integrate something like that or even better. Any business revolves around mutually beneficial partnerships. As everyone knows there's currently no way for a company like ours to benefit from the marketplace without undercutting actual retailers. If we have solutions to set minimum pricing and/or flatout not allowing sales of our keys on the marketplace getting revenue shares the tides could turn into a positive direction for the industry as a whole.
Here's a good video summarizing the whole situation. LevelCapGaming did some of their own investigations and share the perspective of someone previously affiliated with G2A.
G2A came out with an initiative that finally addresses some of the issues we've been talking about.
The only tangible part about their program is royalties to developers and database access which undoubtedly is a good step -- we will need to see how it works in practice. It still doesn't solve the issue of stolen keys or the shady business practice of forcing down insurance on consumers you won't get a guaranteed key unless you sign-up for their insurance service. It seems they want it all to be on developers' hands and unless the devs become actively involved in policing G2A (and thus working with them) they'll wash their hands off any responsibility. We as a community want to see more extensive merchant verification to go alongside this.
Unless they actually solve the main issue -- fraud on their platform -- this initiative invites developers to become accomplices. G2A claims that fraud is a very small part of their economy. If so it shouldn't be that difficult to implement ethical business practices of extensive merchant verification?