Full Report
The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the gaming platform. [...]
Analysis Summary
# Incident Report: Malicious Steam Game Distribution Campaign
## Executive Summary
Between May 2024 and January 2026, a threat actor group uploaded at least eight malicious games to the Steam platform to distribute information stealers and cryptocurrency drainers. The campaign targeted gamers and streamers and resulted in the theft of more than $150,000 in digital assets and the compromise of sensitive personal accounts. In March 2026 the FBI opened a formal investigation to identify victims and gather evidence against the distributors.
## Incident Details
- **Discovery Date:** Initial public reports emerged July–September 2024 (BlockBlasters incident); FBI formal notice issued March 12, 2026.
- **Incident Date:** May 2024 – January 2026.
- **Affected Organization:** Valve (Steam Platform) and individual end-users.
- **Sector:** Gaming / Cryptocurrency.
- **Geography:** Global (Investigation led by FBI Seattle Division).
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing May 2024.
- **Vector:** Trojanized application delivered through a trusted distribution channel (software supply chain).
- **Details:** Malicious games were uploaded to the Steam store. In some cases (e.g., *BlockBlasters*), the game was first published as a clean build and the malware was introduced through a later update, so the review applied at initial submission never saw the payload.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense. The malware instead pivoted between the victim's accounts ("account jumping"): stolen browser session cookies let the operators hijack social media and financial accounts without needing the passwords.
### Data Exfiltration/Impact
- **Details:** Attackers drained cryptocurrency wallets (notably stealing $32,000 from a single streamer during a live event). Total estimated losses exceed $150,000 from hundreds of compromised accounts.
### Detection & Response
- **Detection:** Discovered through community reports from affected users, blockchain investigators (ZachXBT), and cybersecurity researchers (VX-Underground).
- **Response:** Steam removed identified games (*BlockBlasters, Chemia, PirateFi*, etc.) and issued security warnings to users.
- **Legal Action:** FBI Seattle Division opened a formal investigation in March 2026, requesting victim information via an official portal and email (Steam_Malware[at]fbi[.]gov).
## Attack Methodology
- **Initial Access:** Distribution of malicious installers via a trusted third-party store (Steam).
- **Persistence:** Installation of persistent info-stealers (Vidar, Fickle Stealer) on the victim's local machine.
- **Defense Evasion:** Using verified developer accounts; updating clean apps with malicious payloads post-approval.
- **Credential Access:** Harvesting browser cookies, saved passwords, and login tokens.
- **Collection:** Automated scanning for cryptocurrency wallet files and private keys.
- **Exfiltration:** Data sent to C2 servers managed by threat actors (e.g., EncryptHub).
- **Impact:** Financial theft and account hijacking.
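The credential-access and collection steps above leave a simple telemetry trail: a game process opening browser credential stores or wallet files. The following is an added example, not code from the report or from any of the researchers it names, of hunt logic run over constructed file-access events. The process names, user paths and the allowlists are assumptions for the demo; the store paths are the well-known Chromium, Firefox, Electrum, Exodus and MetaMask locations.

```python
"""Hunt for browser credential-store and wallet-file access by non-browser processes.

Added example: synthetic file-access events in the shape an EDR or Sysmon
file-read record would yield (process image + target file). All user names,
process names and paths below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Chromium-family and Firefox credential/cookie stores (well-known locations).
BROWSER_STORE_PATTERNS = [
    r"\\user data\\[^\\]+\\login data$",            # Chromium saved passwords
    r"\\user data\\[^\\]+\\(network\\)?cookies$",   # Chromium cookie DB (old/new path)
    r"\\user data\\[^\\]+\\web data$",              # Chromium autofill / cards
    r"\\user data\\local state$",                   # Chromium master key material
    r"\\profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",  # Firefox
]
# Wallet artefacts: desktop wallet app data and the MetaMask extension store.
WALLET_PATTERNS = [
    r"\\electrum\\wallets\\",
    r"\\exodus\\exodus\.wallet\\",
    r"\\local extension settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\",  # MetaMask
    r"\\wallet\.dat$",
]
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
# Processes expected to touch each category; anything else is a finding.
# Assumption for the demo: tune this to the software actually present on the host.
EXPECTED_READERS: Dict[str, Set[str]] = {
    "browser_credential_store": BROWSER_IMAGES,
    "crypto_wallet": BROWSER_IMAGES | {"electrum.exe", "exodus.exe"},
}


@dataclass(frozen=True)
class FileEvent:
    image: str   # full path of the process that opened the file
    target: str  # file that was opened / read


def classify_target(target: str) -> Optional[str]:
    """Return the sensitive-store category of a path, or None if uninteresting."""
    t = target.lower()
    if any(re.search(p, t) for p in BROWSER_STORE_PATTERNS):
        return "browser_credential_store"
    if any(re.search(p, t) for p in WALLET_PATTERNS):
        return "crypto_wallet"
    return None


def detect(events: List[FileEvent]) -> List[Tuple[str, str, str]]:
    """Return (process, category, target) for every unexpected sensitive read."""
    findings = []
    for ev in events:
        category = classify_target(ev.target)
        if category is None:
            continue
        proc = ev.image.rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_READERS[category]:
            continue  # the browser or wallet app reading its own data is normal
        findings.append((proc, category, ev.target))
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group findings by process; one game binary touching both categories is the tell."""
    by_proc: Dict[str, Set[str]] = {}
    for proc, category, _ in findings:
        by_proc.setdefault(proc, set()).add(category)
    return by_proc


# Constructed paths for the demo (not taken from any real capture).
GAME = r"C:\Program Files (x86)\Steam\steamapps\common\ExampleGame\game.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
USER = r"C:\Users\player\AppData"

SAMPLE_EVENTS = [
    FileEvent(CHROME, USER + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(GAME, USER + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(GAME, USER + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent(GAME, USER + r"\Local\Google\Chrome\User Data\Local State"),
    FileEvent(GAME, USER + r"\Roaming\Electrum\wallets\default_wallet"),
    FileEvent(GAME, r"C:\Program Files (x86)\Steam\steamapps\common\ExampleGame\assets\level1.pak"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\player\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, cats in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{proc}: {', '.join(sorted(cats))}")
```

The allowlist is per category rather than global on purpose: a browser reading `Login Data` is normal, a game binary under `steamapps\common` doing so is not, and the same binary also touching a wallet directory is the pattern described in the Collection and Credential Access items above.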
## Impact Assessment
- **Financial:** Estimated $150,000+ stolen; individual losses up to $32,000.
- **Data Breach:** Compromise of browser data, cookies, and credentials for at least 478 victims.
- **Operational:** Disruption to streamers and content creators; removal of multiple titles from the Steam store.
- **Reputational:** Decreased trust in Steam’s "Verified" status for indie games.
## Indicators of Compromise
- **Malicious Titles (Steam store listings; game names, not file hashes):**
  - *BlockBlasters*
  - *Chemia*
  - *Dashverse / DashFPS*
  - *Lampy*
  - *Lunara*
  - *PirateFi*
  - *Tokenova*
- **Behavioral Indicators:**
  - Unauthorized cryptocurrency transfers shortly after launching a newly installed or newly updated game.
  - Browser session hijacking and unsolicited password-change notifications.
- **Malware Families:**
  - HijackLoader
  - Vidar Stealer
  - Fickle Stealer
## Response Actions
- **Containment:** Removal of malicious titles from the Steam store.
- **Eradication:** Steam advised victims to run full antivirus scans and, in high-risk cases, reinstall operating systems.
- **Recovery:** FBI collecting evidence for potential restitution and legal prosecution.
## Lessons Learned
- **Trust Maturity:** Even "Verified" titles on reputable platforms can be weaponized post-launch.
- **Update Monitoring:** App stores need to re-scan every update with the same rigor as the initial submission; a clean first build says nothing about the second.
- **Community Alerting:** Fast-acting community investigators (like ZachXBT) are critical in identifying active financial crimes.
## Recommendations
- **Users:** Use hardware wallets for significant cryptocurrency holdings; enable non-SMS 2FA on all accounts; treat free-to-play indie titles with caution, particularly after an update.
- **Platforms:** Re-scan already-published builds on every update rather than only at first submission, and scrutinize changes to developer accounts (ownership transfers, new upload credentials).
- **Victims:** Contact the FBI via the official Steam_Malware[at]fbi[.]gov address and provide relevant communication/transaction logs.
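The "clean at submission, malicious after update" pattern in the Defense Evasion and Update Monitoring points is what a baseline-and-diff check catches: hash the install tree after the first clean install, then, after each update, diff against the stored manifest and review any executable that was added or replaced. Below is an added example of that check, not code from the report, Valve, or any party it names; the directory layout, file names and contents are constructed for the demo, and the list of "executable" suffixes is an assumption to tune per platform.

```python
"""Baseline-and-diff check for a game install directory.

Added example: builds a SHA-256 manifest of an install tree, compares it with
a stored baseline, and flags executable content that an update added or
replaced. Directory names, file names and contents are invented for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Suffixes whose addition or replacement by an update deserves a closer look.
# Assumption for the demo: extend for the platform (e.g. .so / .dylib on Linux, macOS).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large game assets don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict[str, object]]:
    """Map every file under root (relative POSIX path) to its hash and size."""
    manifest: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def diff_manifests(baseline: Dict, current: Dict) -> Dict[str, List[str]]:
    """Classify every path as added, modified (hash changed) or removed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current)
        if baseline[k]["sha256"] != current[k]["sha256"]
    )
    return {"added": added, "modified": modified, "removed": removed}


def flag_executable_changes(diff: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (change_type, path) for new or replaced executable content."""
    flagged = []
    for kind in ("added", "modified"):
        for rel in diff[kind]:
            if Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES:
                flagged.append((kind, rel))
    return flagged


def demo() -> List[Tuple[str, str]]:
    """Simulate a clean v1 install, then an update that also drops an extra binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ExampleGame"          # constructed install tree
        (root / "assets").mkdir(parents=True)
        (root / "game.exe").write_bytes(b"MZ clean build v1")
        (root / "assets" / "level1.pak").write_bytes(b"\x00" * 64)

        # Baseline taken from the known-good first install and stored as JSON.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_manifest(root), indent=2))

        # "Update": a legitimate asset refresh, a rebuilt main binary, and a new
        # executable that was never part of the reviewed build.
        (root / "assets" / "level1.pak").write_bytes(b"\x01" * 64)
        (root / "game.exe").write_bytes(b"MZ build v2")
        (root / "updater.exe").write_bytes(b"MZ not in baseline")

        stored = json.loads(baseline_path.read_text())
        return flag_executable_changes(diff_manifests(stored, build_manifest(root)))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:8} {rel}")
```

Run `build_manifest` on a known-good install and keep the JSON; rerun after an update and treat any flagged entry, above all an `added` `.exe`, as a reason to hold the update until someone has looked at the file. The same per-build hash manifest is what a store-side scanner could keep to notice a published title that changed shape after approval.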