Users of itch.io have reported that fraudulent copies of popular indie games are currently being sold on the online marketplace.
Itch.io, which describes itself as an "open marketplace for independent digital creators with a focus on independent video games", is designed to provide content creators with an easier, more direct way of selling their products to an audience.
Content creators are able to set a minimum price for their goods, with purchasers then given the option to pay more on top of that minimum, as they see fit. Importantly, unlike Steam and other major digital retailers, members on itch.io are not required to go through a vetting or approval process before they can begin selling on the store.
In other words, this story is an example of why we can't have nice things.
It appears that some fraudulent sellers have been taking advantage of this relaxed sign-up system today, using itch.io to sell pirated copies of popular indie games, including Rimworld and Dead Cells.
One itch.io user, Michael, contacted Kotaku UK earlier today, explaining that he'd purchased a copy of Rimworld around lunchtime, following an alert from video game discount tracker isthereanydeal.com. At 12:53pm the tracker reported that Rimworld was currently available on itch.io with 75% off.
"I immediately bought it," said Michael in his email, "thinking it might have been a pricing hiccup." However, when he added it to his library, there was only a .rar file to download, "So I grabbed that and fired up a VM [virtual machine], since I was already feeling a bit odd about this, and extracted to find it was only a copy of the Rimworld Steam folder. After that I tried to contact the game dev, still haven't heard anything."
It seems that Michael isn't the only one to run afoul of fraudulent sellers on itch.io today. Other users have taken to the site's Twitter page to report more fake listings, again presented as discounted popular indie titles, with many more appearing over the last few hours.
For its part, itch.io appears to be responding swiftly to complaints, suspending and removing fraudulent sellers from its site as soon as they are reported. The company's Twitter account told one user that "We're taking them down as fast as we can see them." If any user suspects they have found a fraudulent seller, says itch.io, they should report it using the 'Report' button on each page.
Representatives of IsThereAnyDeal.com, meanwhile, also appear to be taking proactive steps, seeking to confirm the validity of all deals reported as fraudulent, and quickly removing them from the site's database as necessary.
At the time of writing, the majority of fraudulent games listings appear to have been removed from itch.io's search index, although it's still possible to access the sellers' pages through other means. We found the above through a simple Google search although, thankfully, the 'Buy' button no longer appears to function.
Of particular note in this case is that the fraudulent seller had been masquerading as 'Motion Twin', the actual developer of Dead Cells. This is obviously a nightmare for both developers and players, and if itch.io's enabling it then — no matter how fast the company responds to isolated incidents — this kind of fraud will keep on happening. Even more confusingly, the official Dead Cells download is listed under the seller 'Plug In Digital.' This all suggests that itch.io's platform needs a mechanism whereby users can easily check that they're purchasing from an authorised seller.
"There is no easy answer," one itch.io tweet noted, "but we are discussing ways to prevent this. We take this very seriously and intend to put a stop to it."
When last we spoke to Michael, he'd yet to receive a response from itch.io regarding a refund for his 'purchase' of Rimworld. We've contacted itch.io ourselves to find out what affected users should do next, and what steps the site will be taking to prevent this from happening again.
In the meantime, those old words still apply in our new digital world. If something sounds too good to be true, it probably is.
Itch.io has been in touch with a statement, which we reproduce in full.
A scammer created a handful of accounts on our system and uploaded pirated games to it. Due to the nature of being an "open marketplace" we don't have a forced review before allowing people to publish. We were made aware of the scammer by the community and through our own internal review, and we removed the content as soon as we discovered it.
Since we're an open marketplace, there have been attempts at scamming in the past, but we tend to always catch them before anything happens. This time was a bit different.
There are websites that have a bot that constantly scrapes our site, and they noticed these "sales" the instant they went up and sent out notifications to people who had subscribed. This happened in a matter of minutes. This caused a handful of unsuspecting people to go and purchase these pages after getting an email notification of a deal.
As with all scammers we suspend their accounts immediately, ban their payment information from the system, and ban those files from being sold.
This particular scammer is also taking advantage of a "direct payment" mode that we originally offered that allows a seller to skip itch.io and sell directly into their PayPal account. Although this might be nice for some sellers, it means they're essentially getting away with the money without allowing us to intervene. We're going to be heavily restricting this feature of the site for the foreseeable future.
We’re reaching out to the customers affected by this individual’s actions for refunds.
Finally we’d like to thank our community for helping us identify these non-legitimate pages with the speed and understanding that they have.
Fair play to itch.io, and you have to feel a little sorry for them too – the fundamental problem here is the platform's desire to be as open as possible to all creators, and the willingness of bad people to take advantage of that. Nevertheless, customers only focus on things like a digital storefront's prices and reliability. Itch.io took a hit from the scammers today but its response, at least, shows a platform prepared to move quickly and solve problems.