Another Steam game has been found to be carrying a crypto-ransomware scam. BlockBlasters, a 2D action game, received an update containing malware that drained players’ wallets of over $150,000, with at least 261 installations connected to the campaign, according to security researchers.
The fallout played out in public on the internet, as a live streamer saw about $32,000 disappear from a pot meant to pay for cancer treatment after he created the game. Renowned blockchain sleuth ZachXBT and malware archivists at VX Underground flagged the operation, with multiple researchers providing supporting confirmation of its scale and modus operandi.
- How the BlockBlasters Trojan Operated on Steam
- What investigators uncovered about the BlockBlasters hack
- How malware slipped into Steam through obscure game updates
- Why desktop crypto wallets are lucrative targets for theft
- What players should do now to protect crypto and PCs
- What Valve could tighten to stop malicious game updates
How the BlockBlasters Trojan Operated on Steam
Investigators said the developer had pushed an update that surreptitiously included a stealer, effectively turning the game into a Trojan. Upon installation, the payload enumerated browser extensions and searched the usual directories for wallet artifacts such as credentials, seeds, or session tokens associated with popular Chromium-based browsers and browser wallet extensions.
To seed victims, the operator purportedly reached out to cryptocurrency holders with “paid promotion” pitches that encouraged them to test the game, VX Underground told us — using social engineering combined with storefront visibility, not just the latter. The malware also exfiltrated harvested data to remote infrastructure — researchers mention messaging bots and web endpoints as potential exfiltration channels — enabling faster hot wallet takeover.
What investigators uncovered about the BlockBlasters hack
The technical breadcrumbs that security teams participating in the review have started to see suggest a high confidence level of attribution — including build artifacts and direct communications over Telegram — connecting the operation, known as Ghostwriter, to one specific actor. Although the complete indicators of compromise were not publicly listed, those independent data points line up: the same game update, similar victim behavior, and matching theft patterns on-chain.
BlockBlasters has been removed from the store by Valve. One researcher at cybersecurity company G Data, who reported the title to Valve roughly a week before it got taken down, wonders how long it takes before something gets detected once a game goes live. Representatives at Valve did not respond to requests for comment cited by researchers.
How malware slipped into Steam through obscure game updates
The attack is at least the fourth time malware has gotten into Steam through obscure games, researchers said. The pattern isn’t initial submission so much as the post-release patch. If a binary is introduced as malware in a subsequent update, it can sail right past the more lightweight checks that are sometimes applied to incremental builds — especially when a game is small and doesn’t get much attention from large communities.
The economics favor the attackers: a dirt-cheap storefront listing, a bit of outreach to crypto users, and a payload designed to convert assets into cash rapidly. A couple dozen compromises — when wallets are hot and no one checks approvals — can net five to six figures.
Why desktop crypto wallets are lucrative targets for theft
Wallet-stealer malware lives off the convenience features that make it easy to use crypto on the desktop. Browser extensions cache secrets, sign transactions, and store sessions; if an attacker exfiltrates recovery phrases or cookies, they can recreate the environment elsewhere to steal all of a victim’s funds in minutes. Unlike bank transfers, crypto theft is difficult to roll back and can be laundered through mixers or cross-chain bridges.
What players should do now to protect crypto and PCs
If you installed BlockBlasters, disconnect from the network and scan your systems with a reputable endpoint security product. Transfer any remaining funds to fresh addresses generated from a brand-new seed on a device you trust. Check your browser extensions, revoke token approvals via a reputable dashboard or your wallet provider, and rotate exchange-associated API keys. Watch for on-chain activity involving your addresses and configure alerts where available.
In the future, run any new or unvetted game under a separate Windows account — or better yet, in a virtual machine — and keep wallets in a different profile or on a different device. Use hardware-based 2FA wherever supported, and do not store large amounts of value in browser wallets; long-term holdings belong on a hardware wallet that is kept securely offline. Basic hygiene also counts: update your OS and browsers, review startup apps, and only grant file, network, or overlay access if a game actually requires it.
What Valve could tighten to stop malicious game updates
Experts mention a few practical defenses for game platforms: mandatory malware scanning at update time, not just on initial submissions; stronger developer identity vetting; signed and reproducible builds; behavioral telemetry to flag when processes enumerate browser extensions, access wallet directories, or beacon to known exfiltration services.
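The behavioral-telemetry idea above can be sketched as a detection rule. The following is an added example, not code from the original article or from any platform mentioned in it; it assumes endpoint telemetry arrives as simple file-read and network-connect events, and uses illustrative path patterns and a constructed event sample rather than a vetted indicator list.

```python
import re
from collections import defaultdict

# Illustrative path patterns for browser-extension storage and wallet data.
# Assumption: Windows-style paths; this is not a vetted indicator list.
WALLET_PATH_PATTERNS = [
    re.compile(r"Local Extension Settings", re.I),  # Chromium extension storage
    re.compile(r"[\\/]Extensions[\\/]", re.I),       # Chromium extension code
    re.compile(r"wallet", re.I),                     # desktop wallet data dirs
    re.compile(r"[\\/]Network[\\/]Cookies$", re.I),  # Chromium session cookies
]
# Browsers legitimately read their own profile data, so they are excluded.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

def is_wallet_path(path):
    return any(p.search(path) for p in WALLET_PATH_PATTERNS)

def detect_wallet_stealers(events, min_paths=3, allowlist=frozenset()):
    """Flag non-browser processes that read several wallet-related paths
    and then open an outbound connection to a host not on the allowlist.
    Returns {pid: {"image", "paths", "dest"}}."""
    touched = defaultdict(set)
    findings = {}
    for ev in events:
        pid, image = ev["pid"], ev["image"].lower()
        if image in BROWSER_IMAGES:
            continue
        if ev["kind"] == "file_read" and is_wallet_path(ev["path"]):
            touched[pid].add(ev["path"])
        elif (ev["kind"] == "net_connect" and ev["dest"] not in allowlist
              and len(touched[pid]) >= min_paths):
            findings[pid] = {"image": ev["image"],
                             "paths": sorted(touched[pid]), "dest": ev["dest"]}
    return findings

# Constructed telemetry for demonstration, not captured from any real incident.
PROFILE = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"pid": 4100, "image": "chrome.exe", "kind": "file_read",
     "path": PROFILE + r"\Local Extension Settings\abc"},
    {"pid": 4100, "image": "chrome.exe", "kind": "net_connect", "dest": "update.example.net"},
    {"pid": 7321, "image": "game_update.exe", "kind": "file_read",
     "path": PROFILE + r"\Local Extension Settings\abc"},
    {"pid": 7321, "image": "game_update.exe", "kind": "file_read",
     "path": PROFILE + r"\Network\Cookies"},
    {"pid": 7321, "image": "game_update.exe", "kind": "file_read",
     "path": r"C:\Users\u\AppData\Roaming\ExampleWallet\wallet.dat"},
    {"pid": 7321, "image": "game_update.exe", "kind": "file_read",
     "path": r"C:\Games\SomeGame\assets\level1.dat"},
    {"pid": 7321, "image": "game_update.exe", "kind": "net_connect", "dest": "exfil-endpoint.example"},
]
```

Running `detect_wallet_stealers(SAMPLE_EVENTS)` flags only the non-browser process that read three wallet-related paths and then connected out; tuning `min_paths` and `allowlist` controls the false-positive rate on real telemetry.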
Even just a short quarantine window for new patches could provide enough time for automated systems and community reports to identify problems.
The takeaway is grim: one bad patch turned a niche title into a tool for fleecing its own user base.
Unless and until storefronts harden their update pipelines, and players separate gaming from financial activity, criminals will continue to test this vector. The BlockBlasters affair demonstrates how quickly small lapses compound into real financial losses, and how urgently the ecosystem needs defensive measures at both the platform and player levels.