A new report from cybersecurity firm Data Viper values the black market for stolen and hacked video games at over $1 billion. The free report describes the supply chain hackers use to acquire and sell Fortnite accounts for as much as $10,000 each.

According to the report, the average hacker rakes in nearly half a million dollars per year, with top sellers bringing in more than $1.2 million per year.

Hackers typically make bulk purchases of tens of thousands of compromised email addresses and passwords. Because many people use similar or identical passwords across different websites, hackers use these passwords to attempt to access Fortnite accounts. Hackers use bots in these “brute-force” attacks that can attempt 500 username/password combinations per second.

Epic Games attempts to limit these brute force attempts by limiting the number of logins per IP address, but hackers can get around this by using software that changes their IP addresses as soon as they are locked out.

Once hackers gain access to an account they take inventory of its contents. If a compromised account has a rare or valuable character skin, which is the case in 10 to 15 percent of the accounts, hackers place it on an online marketplace where it is sold. The accounts are more valuable if they can be tied to an individual’s email credentials because the buyer can retain control of the account even if the original, legitimate owner tries to change the password.

The entire system is surprisingly sophisticated. For example, one seller community employs a 5-judge panel to settle disputes. Sellers who do not comply with a ruling may be labeled a “scammer” online.

In a statement to Business Insider, an Epic Games spokesperson confirmed that selling accounts is against the company’s Terms of Service, and the company works hard to return stolen accounts to their original owners.

“Epic Games takes a sophisticated layered approach to protect our players,” the company representative said. “We use technology like captcha, IP reputation, machine learning, and proprietary technology to detect threats in seconds, proactively block login attempts, and automatically take action to secure any compromised accounts we identify.”

Gamma Law is a San Francisco-based firm supporting select clients in cutting-edge business sectors. We provide our clients with the support required to succeed in complex and dynamic business environments, to push the boundaries of innovation, and to achieve their business objectives, both in the U.S. and internationally. Contact us today to discuss your business needs.