When Sean Noonan announced the Steam release date for his game, an infinite runner called Jack B. Nimble, he started getting emails from people who wanted review copies. Normally, this would be great news for any developer. Getting enough attention from media outlets and streamers can pull a game from the dregs of Steam and turn it into a skyrocketing success. But something didn’t seem right.
“My name is Lev,” wrote one emailer, saying he worked for a Russian website called KG-Portal. “Our team of editors took a look at your game Jack B. Nimble, and we would like to make a review and feedback on it. [sic] For that I want to ask for a few Steam keys for a review if you have such an opportunity.”
The email address, firstname.lastname@example.org, was the biggest red flag. Why would someone working for the website KG-Portal be using a gmail account with that website’s name in it rather than an account from the website’s domain? A quick search takes you to the actual KG-Portal, where an author’s bio reads: “All main ways of contacting me are listed here. Any requests in my name from other emails (email@example.com, for example) should be considered scam.”
It turned out “Lev” was a key scammer, one of several who approached Noonan after his game launched last month. One claimed to work for a video game outlet in Japan. Another, using the email address firstname.lastname@example.org, was impersonating a French YouTuber. Their emails were full of red flags, and all it took was a little Googling for Noonan to find corroboration that many of them had sent the same exact emails to other indie game developers before. Noonan suspected, based on the blanket emails and the requests for multiple Steam keys, that the scheme was to re-sell copies of these games on grey market sites like G2A.
“This is super scummy, and I want to shine a light on it,” Noonan told me via private messages. “I’ve mentioned it in various developer circles, only to get a ‘yeah, you get used to it’ style response.”
It’s an epidemic that has been affecting indie game developers for years. When a game launches, strange emails start coming in. Sometimes they claim to be reviewers for websites that don’t exist. Other times, they pretend to work for major outlets, using misleading email addresses to con developers out of their games. The scams have grown increasingly elaborate over the years, and for small-time developers who don’t have a ton of experience dealing with press, it can be tough to sort out which requests are legitimate. (The problem appears to be more common in the indie scene—one PR rep working in big-budget games told me they don’t receive any scam requests like this.)
Emily Morganti, who handles PR for adventure games like Thimbleweed Park and West of Loathing, said in an email that these key scammers have become a regular feature of her job, like yanking weeds out of a garden.
“I have the benefit of working for a lot of different indie devs, so I notice patterns that a developer who’s only putting out their one game wouldn’t see,” she said. “Some of these people email about every game that comes out, using the same copy-and-paste email. Some people do a blanket request for multiple games on the same day—so multiple developers are getting the exact same email about how excited someone is to stream their game. There was one guy a few years ago with a long sob story about how he’d lost his job and had a big tax bill to pay and couldn’t afford games but a free copy of [insert game name here] would make his life complete.”
Last fall, someone who went by the name Dmitry Tseptsov sent several emails to Morganti to ask for codes, explaining that he operated a coffee shop in Ukraine where he’d give out video games as prizes for trivia. “Even 1 key will help me a lot, for which I will be grateful,” he wrote. “The cafe opened quite recently, but has a demand, and many people go to us. I mean, for my part, I promise to advertise your game.”
The coffee shop did exist, but Tseptsov had nothing to do with it, and as one developer discovered, the story was full of holes . Tseptsov’s address was wrong, his Twitter account was clearly fake, and he’d claimed the coffee shop had opened “three weeks ago” when there were photos of it operating over a year earlier. Tseptsov, or whatever his real name was, had emailed Morganti and other game developers with the same template, pretending to be an entrepreneur in hopes of getting free codes.
Even the straightforward scams are hard to differentiate from legitimate review requests. A few years ago, Morganti said, she received simultaneous requests from both an editor for a real video game website and a scammer who was pretending to be that same editor. “I heard from the editor first and added him to my list for a review copy, and then I heard from the scammer on the day we got keys, and I sent it to him thinking it was the same person,” she said. “A few days after that, the real editor emailed me to ask where his key was, and we pieced it together.”
One person, claiming to work for a Spanish game review site, wrote their email from a Russian IP. The review site might have appeared legitimate if not for some investigation, which is also something Morganti says she sees a lot—websites that use free registrations, like Wordpress, and take all of their content from other places. “Sometimes I pick up on it because I see a review for a game I represented on another site,” she said. “Sometimes it’s two reviews mashed together, or they’ve changed the wording slightly to make it harder to detect.” (She’s found a few examples of email addresses claiming to be from other countries that show a “via mail.ru” Russian address in their headers.)
Earlier this month, as Morganti was helping launch the point-and-click adventure game Unavowed, someone sent her a cheeky email. She might have been fooled if she hadn’t been dealing with scammers like this for years.
“My name is Brian,” read the email. “Shortly there will be a massive blast of likes in the area of my youtube channel. The bomb will blow up. The bombing will your game and the review on it. [sic] And there will be an infection of your game by my subscribers.”
“This is a common tactic,” she said. “The YouTube page is real, but the email address is off by one letter. The real email is theterroriser (two Rs followed by one R) and he’s using theterorriser (one R followed by two Rs). Even if you’re paying attention it’s hard to spot.”
The real Terroriser, who has over 2.7 million subscribers on YouTube, has publicly expressed frustration with this scammer, writing on Twitter in June that he’d “love to find where he lives.” His Twitter bio notes that he does not email developers requests for games.
As these scams grow more elaborate, some developers have written guides to help their fellow indies spot the fakes. Others have put the spotlight on specific scammers: A 2017 story on the video game website Destructoid highlighted one who was accused of impersonating representatives from big publishers like Square Enix, requesting codes to send to grey market sites.
For anyone whose job is to facilitate the transfer of review codes from video game publishers to critics, this can be a massive waste of time. By last Thursday, eight days after Unavowed launched, Morganti said she’d received 34 scam requests. She said the numbers have gone up over the years, which hurts not just PR people and developers, but freelance critics who are hoping to get their hands on copies of games in order to do their jobs.
“I’ve been doing PR since 2006 and always had a policy of sending a key to anyone who asked for one, no matter how small the site, but I’m a lot more suspicious now,” she said. “The work involved in vetting people to figure out if they’re legit or not isn’t worth the effort and I think writers from smaller sites and freelancers are paying the price.”