NordVPN exposes GTA 6 pre-order scams, as malware threat rises before release date
Despite a promising Best Buy leak, GTA 6 pre-orders have yet to begin. Regardless, scammers have taken advantage of the hype building ahead of its November 19th release date. NordVPN has issued a warning about beta-test hoaxes, malware-infected downloads, and phishing sites that steal GTA Online credentials.
NordVPN CTO Marijus Briedis highlighted how cybercriminals view the game as an irresistible mark. He explained, “When people are desperate to get early access to something, their guard comes down. That's the window attackers exploit.”
False hopes for early access
Rockstar hasn’t announced a public beta test, and given their aversion to leaks, the opportunity seems unlikely. Even so, scammers have fooled unsuspecting players, hoping for a sneak peek at Leonida. These individuals set up websites promising early access ahead of the GTA 6 release date. Once users complete a form, they are redirected to another page to download beta files.
Not surprisingly, many of these packages include malware or viruses. Once installed on PCs, victims risk losing files or having personal information stolen.
Piracy and GTA 6
Nefarious parties have capitalized on the growing accessibility of piracy. In late April, a Redditor documented how a virus disguised itself as a repack from a popular group. While it’s suspected the post was an attempt at trolling, NordVPN has analyzed legitimate threats. In one case, an installer ran malware in the background, impersonating an Nvidia driver.
The danger isn’t limited to PCs, with Android packages labeled as beta tests. On multiple platforms, hackers are also targeting Rockstar Social Club logins. Phishing sites tease GTA Online items from the unreleased Rockstar project. The often valuable commandeered accounts are sought after on grey markets.
NordVPN offers some common-sense suggestions to avoid fraudulent websites and damaging viruses. GTA 6 pre-orders are most likely to become public on Rockstar’s social media. Until then, gamers should steer clear of any offers to reserve the game from retailers with no reputation. In addition, never enter sensitive information on third-party sites with suspicious URLs.
Source(s)
Press release via NordVPN
NordVPN’s Threat Intelligence team exposes malware surge exploiting GTA VI pre-order hype
Fake beta keys, trojanized repacks, and credential-harvesting phishing sites are flooding the internet ahead of the November release
NordVPN’s Threat Intelligence research unit has identified malware and scam campaigns exploiting anticipation around GTA VI’s release. When rumors circulated about pre-orders opening soon, threat actors moved to capitalize on the hype. They deployed fake installers, Android adware, and phishing pages targeting PC and mobile users, platforms for which GTA VI will not initially be available.
The campaigns span multiple attack types, from DLL sideloading trojans hidden inside fake game repacks to a sophisticated Android adware package impersonating a “GTA 6 Beta”, as well as hundreds of amateur phishing sites targeting Rockstar Social Club credentials.
“GTA VI is one of the most anticipated releases in gaming history, and that level of public excitement is exactly what criminals look for,” says Marijus Briedis, CTO at NordVPN. “When people are desperate to get early access to something, their guard comes down. That's the window attackers exploit.”
Fake beta keys and subscription traps
NordVPN identified multiple scam sites promising exclusive beta keys for PS5 and Xbox Series consoles. The mechanics are straightforward but effective: users fill out a short form, are then funneled through a bot-verification step, and are directed to subscribe to paid services or download potentially unwanted applications (PUAs). By targeting PC and mobile users with promises of console beta access, scammers exploit both curiosity and FOMO.
Trojanized repacks targeting Windows users
Threat actors have deployed clones of well-known piracy and repack sites, including fake versions of FitGirl, DODI, and ElAmigos, to distribute malware disguised as game files for Windows.
One analyzed sample, detected on May 17, 2026, shows how convincing these fakes can be. The malicious package presents itself as a legitimate game installer. Once a user runs it, a hidden malicious file quietly activates in the background, disguised as a standard NVIDIA graphics driver component to avoid raising suspicion.
From there, it can modify the device’s memory, download additional malware, and connect to external servers to receive further instructions. The download was traced to a domain that had been registered just 23 days before the attack was detected, a common sign of infrastructure built specifically for short-lived malicious campaigns.
Android adware masquerading as a “GTA 6 Beta”
A fake Android app circulating under the name “GTA 6 Beta” is another front in the same campaign. The application is an empty shell that shows authentic-looking Rockstar Games branding and an intro video before prompting users to download additional data. There is no actual game inside.
When running, the app silently serves full-screen ads and redirects users to external pages that pressure them into subscribing to paid services or downloading further malware, disguised behind fake human verification steps.
To avoid detection, it uses several evasion techniques and hides its web traffic to conceal where it’s actually sending users. The trail ultimately leads to a domain with a documented history of distributing infostealers, banking trojans, adware, and ransomware on both Android and Windows.
Amateur phishing targeting Rockstar Social Club accounts
Beyond the more engineered campaigns, NordVPN has tracked hundreds of amateur phishing pages targeting Rockstar Social Club credentials through fake login forms. These sites are frequently hosted on legitimate platforms such as GitHub and Vercel, using the reputation of trusted infrastructure to bypass basic security filters at no cost to the attacker.
Compromised accounts could be resold on dark web marketplaces or used for in-game fraud. Many of these pages also function as malware distribution points, using fake download buttons and promises of exclusive GTA VI content to deliver adware, infostealers, and trojans.
How to stay safe
Marijus Briedis advises gamers and GTA VI fans to:
Avoid third-party download sites for any game content. Legitimate game files are distributed exclusively through official storefronts like the PlayStation Store, Xbox Marketplace, or Rockstar’s own platform. Any unofficial site should be treated as a red flag. Treat beta key offers with skepticism. Legitimate betas for major titles are announced through official channels only. Any site asking you to verify your identity or subscribe to a service to claim access is a scam, regardless of how convincing it looks. Check URLs carefully before logging in. Always check the URL before entering your login details anywhere. Official game platforms and storefronts will never ask you to sign in through a third-party site.
Methodology
The investigation used open-source intelligence (OSINT) methodologies, and the findings were corroborated and validated by cross-referencing collected data.
Core data collection strategies included search strings applied to major search engines as well as specialized platforms for indexing domains and internet-exposed devices, including IoT search engines and Shodan-like services such as Fofa.io and Shodan.io. Static and dynamic analysis of malware samples was conducted to map attack mechanisms, infrastructure, and indicators of compromise.
The primary objective of this layered approach was twofold:
To obtain the most exhaustive overview possible of the digital entities involved in these campaigns. To precisely identify compromised or actively malicious domains, going beyond theoretically vulnerable infrastructure.
Conclusions are based on verified data, with the perimeter of the compromised systems delimited with the maximum possible accuracy.
Add as a preferred source on Google
