Recently news of a new way to scam people on G2A has started circulating, and it’s necessary to set the record straight and explain what, exactly, is happening.
What is the story?
The story claims that there is a script which allows users to exploit the way Bitcoin checkout works on the G2A.COM marketplace in order to get game keys for free. You may have even seen the new “G2A hack” and “G2A.COM exploit” videos popping up.
How it allegedly works is that the script, used via an otherwise harmless browser plugin (TamperMonkey on Chrome, or Greasemonkey on Firefox), changes the timezone, which is supposed to glitch the checkout system into thinking the session expired. You are supposed to get your BTC back AND receive your game keys/gifts.
What is really happening?
The true scam is perpetrated by the people distributing the script, not the users hoping to exploit the checkout for free games. The script actually changes the target BTC wallet address. This way the script users’ BTC go to the script’s distributor instead of G2A.COM sellers. Not only do the users not get the refund they expected, but someone else entirely is getting their BTC for free.
What does it mean for everyone else?
People who have never used this script (or other such exploits of questionable origin) designed to glitch out and bypass security systems have nothing to worry about; their BTC are as safe as they could hope. It’s only the people who try to trick the system that are at risk and should be aware that they are being scammed by the script’s distributors.
How to prevent it from happening?
A great start is not installing scripts from questionable sources. In general, using apps, scripts, extensions, etc. which affect any step in the checkout process is not recommended and can lead to any number of issues, including loss of money. The offending script in this case is often distributed via Pastebin.com, but even more reputable sources like GitHub can be prone to the same problem. It’s better to just avoid scripts affecting checkout altogether, no matter the source.
You should also double- and triple-check the payment info of both parties, including the amount of money transferred and the recipient information, and, when applicable, make sure you were redirected to the address you were supposed to be.
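One way to act on the advice above before installing any userscript, as an added example that is not G2A's code or the script discussed here: a static review that reads the script's metadata to see which sites it runs on and flags hardcoded Bitcoin address literals. The function names, the `siteHint` parameter and the sample script with its made-up address are constructed for illustration; the address patterns are heuristics and can also match other long alphanumeric strings.

```javascript
// Added example: static pre-install review of a userscript source string.
// Heuristic patterns for Bitcoin address literals (Base58 legacy/P2SH, bech32).
const BTC_PATTERNS = [
  /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g,
  /\bbc1[ac-hj-np-z02-9]{11,71}\b/g,
];
// @match/@include values that apply to every site.
const ANY_SITE = /^(\*|<all_urls>|[^:]+:\/\/\*\/.*)$/;

// Parse the ==UserScript== metadata block into { key: [values] }.
function parseMetadata(source) {
  const meta = {};
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return meta;
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Report where the script runs and which wallet-like literals it carries.
function reviewUserscript(source, siteHint) {
  const meta = parseMetadata(source);
  const scopes = [...(meta.match || []), ...(meta.include || [])];
  const addresses = new Set();
  for (const re of BTC_PATTERNS) {
    for (const hit of source.matchAll(re)) addresses.add(hit[0]);
  }
  const hint = siteHint.toLowerCase();
  const runsOnSite = scopes.some(
    (s) => ANY_SITE.test(s) || s.toLowerCase().includes(hint)
  );
  // A script that runs on the shop and brings its own wallet address has no
  // legitimate reason to do so: treat it as a payment-redirect risk.
  return { scopes, runsOnSite, addresses: [...addresses],
           suspicious: runsOnSite && addresses.size > 0 };
}

// Constructed sample: metadata plus one made-up address literal, no logic.
const SAMPLE = `// ==UserScript==
// @name   checkout helper (constructed sample)
// @match  https://www.g2a.com/*
// ==/UserScript==
var w = "1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";`;

console.log(reviewUserscript(SAMPLE, "g2a.com"));
```

A clean result does not make a script safe, since an address can be assembled at runtime or fetched remotely, so the advice to avoid checkout-affecting scripts still stands.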