The FBI is investigating a wave of malicious titles sold through Valve’s Steam store that secretly installed malware, and the bureau is urging potential victims to come forward. Investigators say threat actors smuggled code into seemingly legitimate games and updates, then used the access to steal credentials, drain crypto wallets, and loot Steam inventories. Several offending games have already been removed from the platform.
What The FBI Says And Which Games Were Flagged
The FBI’s Seattle Field Office is seeking reports from Steam users who downloaded suspect titles and later noticed account takeovers, missing inventory items, or unauthorized financial activity. According to the bureau, identified games include BlockBlasters, Chemia, Dashverse (also listed as DashFPS), Lampy, Lunara, PirateFi, and Tokenova.
Agents are asking affected users to share their Steam username, which game versions they installed, and whether they received any unsolicited messages before or after downloading the titles. That last point matters: many malware campaigns pair a Trojanized download with social engineering, such as direct messages offering “exclusive keys,” tournament invites, or influencer collaborations designed to coax victims into running the payload.
Valve has delisted the named games after they were discovered to contain malicious components. While several of the titles drew limited attention, at least one case tied to BlockBlasters allegedly culminated in a crypto theft worth roughly $150,000 from an infected machine.
How The Scheme Worked To Spread Malware Via Steam
Based on victim accounts and common tactics seen in the wild, attackers leveraged two vectors: newly published games built with hidden malware from day one, and previously legitimate releases that shipped a compromised update. In both scenarios, the Steam client became the delivery channel, blending malicious code into the normal patch cadence that players expect.
Once executed, the malware acted like an information-stealer, hunting browser cookies, session tokens, saved passwords, and wallet data. With control of authentication tokens, criminals can often bypass passwords and two-factor prompts long enough to empty crypto apps, hijack email and social accounts, or rifle through Steam inventories to transfer and resell valuable in-game items. Security firms such as ESET, Sophos, and Kaspersky have documented similar “infostealer” families targeting gamers across PC ecosystems.
The financial upside for criminals is obvious. The FBI’s Internet Crime Complaint Center reports multibillion-dollar annual cybercrime losses, and Chainalysis has noted that crypto hacks and wallet-draining scams continue to account for substantial on-chain theft. Trojanized games neatly bridge both worlds: they can seize credentials and liquid assets in one hit.
Why Steam Inventories And Crypto Are Prime Targets
Steam’s economy turns pixels into money. Rare skins and trading cards can be flipped on third-party markets, and compromised accounts give thieves a direct line to tradable goods. The same machine often also holds hot crypto wallets and browser extensions, making it a one-stop shop for asset theft. That mix of liquidity and immediacy is precisely what modern stealers are built to exploit.
Complicating matters, many indie games ship frequent updates, and early access titles evolve quickly. That pace, combined with a low barrier to publish, makes continuous vetting hard. Without stronger guardrails around developer identity, code integrity, and behavior-based scanning, marketplaces face the same “supply chain” risks seen elsewhere in software.
What Players Should Do Now To Protect Accounts And Funds
- Check your Steam library for BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. If present, remove them and scan your system with reputable anti-malware from multiple vendors.
- Review your Steam market and trade history, and reset Steam Guard, email, and password. Revoke any active sessions and reset app passwords tied to the same machine.
- For crypto, move funds to a fresh wallet with new seed phrases generated offline. Assume browser wallets and extensions on the infected device are compromised; reimport only after a clean rebuild.
- Preserve evidence. Keep screenshots of messages, transaction IDs, and system logs. The FBI is requesting victim details via a public intake form through its Seattle office, and affected users can also submit a report to IC3. These details help investigators trace infrastructure, laundering paths, and developer accounts behind the scheme.
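For the first step in the list above: Steam records each installed title in an appmanifest_<appid>.acf file under a library's steamapps folder, so the library check can be scripted. This is an added example, not code from the FBI, Valve, or the article; the prefix-matching rule, the function names, and the sample manifests (with made-up app IDs) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Titles named in the article; DashFPS is the alternate listing for Dashverse.
FLAGGED = ("blockblasters", "chemia", "dashverse", "dashfps",
           "lampy", "lunara", "piratefi", "tokenova")
# appmanifest_<appid>.acf is Valve KeyValues text made of "key"  "value" lines.
PAIR = re.compile(r'^\s*"([^"]+)"\s+"([^"]*)"\s*$', re.MULTILINE)


def normalize(title):
    """Lowercase and drop punctuation/spaces so 'Pirate Fi' matches 'piratefi'."""
    return re.sub(r"[^a-z0-9]", "", title.lower())


def scan_library(steamapps):
    """Return (appid, name, installdir) for every manifest matching a flagged title."""
    hits = []
    for manifest in sorted(Path(steamapps).glob("appmanifest_*.acf")):
        text = manifest.read_text(encoding="utf-8", errors="replace")
        fields = {}
        for key, value in PAIR.findall(text):
            fields.setdefault(key.lower(), value)  # first occurrence = top level
        name, folder = fields.get("name", ""), fields.get("installdir", "")
        # Prefix match also catches "<Title> Demo"; treat hits as leads to verify.
        if any(normalize(s).startswith(FLAGGED) for s in (name, folder)):
            hits.append((fields.get("appid", "?"), name, folder))
    return hits


def demo():
    """Scan a throwaway library of constructed manifests (app IDs are made up)."""
    samples = {"900001": ("PirateFi", "PirateFi"),
               "900002": ("Alchemia Story", "Alchemia"),  # must not match "chemia"
               "900003": ("Block Blasters Demo", "bb_demo")}
    with tempfile.TemporaryDirectory() as tmp:
        for appid, (name, folder) in samples.items():
            body = ('"AppState"\n{\n\t"appid"\t\t"%s"\n\t"name"\t\t"%s"\n'
                    '\t"installdir"\t\t"%s"\n}\n' % (appid, name, folder))
            Path(tmp, "appmanifest_%s.acf" % appid).write_text(body, encoding="utf-8")
        return scan_library(tmp)


if __name__ == "__main__":
    for appid, name, folder in demo():
        print("flagged: appid=%s name=%r installdir=%r" % (appid, name, folder))
```

Point scan_library at the steamapps directory of each Steam library on the machine. Titles that were already uninstalled leave no manifest behind, so an empty result does not clear a system that ran one of these games.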
What It Means For Platforms And Digital Storefront Security
This incident underscores a broader trust challenge for digital storefronts: when distribution is frictionless, verification must be relentless. Stronger developer onboarding, mandatory two-factor for publishers, signed and attestable builds, and behavior-based malware screening can shrink the window for abuse. Faster kill-switches for delisting and forced uninstalls, paired with account protection nudges, would further reduce downstream harm.
For now, the FBI’s investigation is a reminder that even legitimate channels can deliver tainted code. Gamers should treat cold DMs and off-platform key offers as red flags, and platforms need to meet attackers’ creativity with equally adaptive defenses.