Malware Hidden in Steam Games, Valve Struggles to Halt It

Steam malware campaigns hit four games across 2024-2025, compromising hundreds of accounts. Breakdown of how the attacks worked and how to protect yourself.

Key Takeaways

  • In September 2025, streamer RastalandTV lost $32,000 in crypto after downloading BlockBlasters on Steam — a game that had been patched to include a crypto-stealing payload.
  • At least 261 Steam accounts were compromised in the BlockBlasters incident; total confirmed losses across all victims exceeded $150,000.
  • Four games confirmed to carry malware: BlockBlasters (Sept 2025), PirateFi (Feb 2025), Sniper: Phantom's Resolution (March 2025), and Chemia (July 2025).
  • Steam lets developers push post-launch updates with minimal oversight — a legitimate feature that malicious actors have exploited to inject payloads after initial review.
  • The FBI's Seattle Division opened a formal investigation in March 2026, covering Steam malware campaigns dating to May 2024.
  • Valve removed all four games after the malware was discovered, but the damage to affected users was already done before removal.

The following sections detail how these campaigns worked, which games were involved, and what structural gaps in Steam's architecture made them possible.

Steam's Malware Problem

A streamer known as RastalandTV was fundraising for cancer treatment when they downloaded a game from Steam called BlockBlasters. A malicious patch, pushed to the game after its initial release, contained an info-stealer that drained $32,000 from their crypto wallet. RastalandTV was one of at least 261 Steam accounts compromised in that single campaign, with total losses across all victims estimated at over $150,000 by on-chain investigator ZachXBT.

This incident, which came to light in September 2025, is one in a string of confirmed malware campaigns on Steam. A formal FBI investigation opened in March 2026 covers seven named games across a campaign stretching from May 2024 to January 2026. The scale and duration of the campaign raise direct questions about how Steam's update policies enable this kind of attack.

How This Affects Steam and Its Users

Steam has been the dominant PC gaming platform for two decades, giving developers direct access to hundreds of millions of players. That reach and its developer-friendly update model are core to what makes Steam valuable. Those same advantages become liabilities when a bad actor exploits the post-launch update window to push malware after their game clears the initial store review.

The consequence is not just financial. Users who lose trust in the platform's safety change their behaviour — avoiding new releases, disabling auto-updates, or abandoning the platform entirely. If enough players respond that way, Steam's foundation as an open publishing platform comes under pressure.

The Four Confirmed Malware Campaigns

The FBI's named list covers seven games. Four have been widely reported with verified details:

  1. BlockBlasters: Developed by Genesis Interactive, released July 31, 2025. A malicious patch (Build 19799326) was deployed on August 30, 2025. The info-stealer hit at least 261 accounts and stole over $150,000 in total. RastalandTV's $32,000 loss was the highest-profile single incident. Security firm G DATA published a full technical breakdown of the payload.
  2. PirateFi: Added to Steam on February 6, 2025 and removed around February 10. Marketed as a low-poly survival game, it carried the Vidar info-stealer, identified by SECUINFRA Falcon Team. Valve notified affected users directly. Approximately 51 reviews were visible before removal.
  3. Sniper: Phantom's Resolution: Flagged in March 2025. The malware was not bundled in the Steam build itself — instead, the game's demo directed players to a GitHub repository where an executable named Windows Defender SmartScreen.exe delivered the payload off-platform. Valve removed the demo after users reported the suspicious activity.
  4. Chemia: A survival game pulled from Steam around July 2025. Security researchers attributed it to the EncryptHub threat group (also known as Larva-208). The payload included three simultaneous malware strains: Hijack Loader, Fickle Stealer, and Vidar Stealer.

All four games were removed from Steam after their malware was publicly reported. In none of the four cases did Valve's systems catch the threat before users were affected.
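
The Sniper: Phantom's Resolution lure relied on a file name that imitates a built-in Windows protection feature. As an added example (not code from the article or from any vendor), the Python sketch below flags process-creation records where a security-sounding executable runs from outside the directories where the genuine binaries live. The allowlist, the name pattern and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Directories where genuine Windows security binaries live (assumed allowlist;
# extend it for your own fleet).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Name fragments that imitate built-in protection features (assumed pattern).
LURE_NAME = re.compile(r"(defender|smartscreen|security\s*health)", re.I)


def is_masquerade(image_path: str) -> bool:
    """True when a security-sounding executable runs outside trusted dirs."""
    path = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(path)
    if not name.endswith(".exe") or not LURE_NAME.search(name):
        return False
    return not any(
        directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS
    )


def flag_events(events):
    """Return the process-creation events whose image path looks like a lure."""
    return [e for e in events if is_masquerade(e["image"])]


# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "pc-01", "image": r"C:\Windows\System32\smartscreen.exe"},
    {"host": "pc-02", "image": r"C:\Users\sam\Downloads\Windows Defender SmartScreen.exe"},
    {"host": "pc-03", "image": r"C:\Program Files (x86)\Steam\steamapps\common\Demo\game.exe"},
    {"host": "pc-04", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe"},
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(f"{event['host']}: suspicious image {event['image']}")
```

Only the record on pc-02 is flagged; the genuine System32 binary and the ordinary game executable pass.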

Vulnerabilities in Steam's System

Steam's review process is focused on the initial store page submission. Once a game is live, developers can push game updates with significantly less scrutiny than the launch review — and in some cases, with no re-review at all. This architecture is what the malware campaigns exploited.

  • Steam's initial review checks the store page at launch, not the ongoing game builds pushed after release.
  • Console platforms like Nintendo require certification for updates, adding a verification layer that PC storefronts generally do not have.
  • The Sniper: Phantom's Resolution case went further — the malicious payload was hosted entirely off-platform on GitHub, sidestepping even Steam's limited post-launch monitoring.

None of this means Steam is uniquely dangerous. The overwhelming majority of its 50,000+ games are clean. But the structural gap between launch review and post-launch updates is a documented attack surface, and threat groups are aware of it.

How Steam's Update Policy Compares to Console Platforms

| Platform | Update Process | Security Protocols |
| --- | --- | --- |
| Steam | Developer-controlled post-launch updates; minimal re-review | Initial store-page review only; relies on algorithm flags and community reports |
| Nintendo Switch | Certification required for all updates | Detailed Nintendo review for each patch submission |
| PlayStation / Xbox | Certification required for major updates | Platform holder review; similar to Nintendo in rigor |

Steam's developer-first flexibility is a genuine competitive advantage for indie publishing. The question is whether that flexibility can coexist with a more robust post-launch monitoring layer — and what form that monitoring needs to take to be effective against info-stealers.

Valve's Review System: A Double-Edged Sword

Valve's hands-off philosophy has been foundational to Steam's growth. The model works as follows: an initial review of the store page before launch; once live, developers have significant latitude to update their game's content without further platform intervention. Reactiveness replaces prevention — Valve acts when games are flagged, not before.

  1. Initial review: Valve reviews the store page before the game goes live.
  2. Post-launch freedom: Developers can change game content with limited oversight.
  3. Algorithm reliance: Steam's systems and community reports are the primary detection mechanism for problematic games.
  4. Reactive removal: Once flagged, Valve acts to remove malicious games from the platform. In the four cases above, removal was confirmed within days of public reporting.

Valve has imposed more targeted restrictions in specific contexts — adult games now release new content as DLC, triggering a review each time. Whether similar measures make sense for the broader catalogue is a policy decision Valve has not yet made publicly.

The advantages of this hands-off model come with tradeoffs that make a clean solution harder to design than it appears.

Challenges with Universal Content Updates

A mandatory re-review for every post-launch update would add friction for the thousands of legitimate developers who ship patches regularly. The tradeoff is real:

  • Adult game restrictions model: New content must ship as DLC, triggering a review. This works for a defined category but does not scale universally.
  • Malware prevalence: Affected games represent a small fraction of Steam's catalogue — but a fraction capable of causing significant financial harm to individual users.
  • Potential solutions: A certification system for post-launch builds, an approved-developer whitelist, or automated binary scanning for known malware signatures could reduce the attack surface without blocking legitimate updates.

Valve's challenge is designing a system that catches campaigns like BlockBlasters without creating a 72-hour bottleneck for every indie developer shipping a patch.

Looking Ahead: What Needs to Change

The FBI investigation — covering seven named games and at least 20 months of activity — signals that this is no longer a series of isolated incidents. It is a documented campaign against Steam's update architecture. Valve's response will likely include some combination of the following:

  • Automated binary-level scanning for post-launch game builds, flagging known malware signatures before they reach users.
  • A verified-publisher programme giving faster update paths to established studios, with more scrutiny applied to new or low-history accounts.
  • Proactive user notification when a game in their library is flagged — going beyond the current model of removing the game and expecting players to notice.

The Steam malware problem is solvable without dismantling open publishing. The four confirmed campaigns share a common thread: all involved small, low-review-count games with minimal prior history. A risk-scoring model applied to post-launch updates from accounts matching that profile would catch most of them before deployment.
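
A minimal sketch of such a risk-scoring gate, added here as an illustration and not a description of any system Valve runs. The field names, weights and threshold are hypothetical, and the "new executable" signal is an assumption standing in for the binary-level scanning mentioned above; the sample submissions are constructed.

```python
from dataclasses import dataclass


@dataclass
class BuildUpdate:
    """One post-launch build submission (all fields are hypothetical)."""
    title: str
    review_count: int            # store reviews when the build is pushed
    publisher_prior_titles: int  # earlier releases from the same account
    days_since_release: int
    adds_new_executable: bool    # build ships a binary absent from the last one
    verified_publisher: bool     # member of a verified-publisher programme


HOLD_THRESHOLD = 80  # illustrative cut-off, not a tuned value


def risk_score(u: BuildUpdate) -> int:
    """Sum illustrative weights for the low-history profile the article describes."""
    score = 0
    score += 30 if u.review_count < 100 else 0
    score += 25 if u.publisher_prior_titles == 0 else 0
    score += 15 if u.days_since_release < 90 else 0
    score += 30 if u.adds_new_executable else 0
    score -= 40 if u.verified_publisher else 0
    return max(score, 0)


def triage(updates):
    """Map each title to 'hold' (scan or review first) or 'release'."""
    return {
        u.title: "hold" if risk_score(u) >= HOLD_THRESHOLD else "release"
        for u in updates
    }


# Constructed submissions; titles and numbers are made up for the example.
SAMPLE_UPDATES = [
    BuildUpdate("new-dev-game-with-new-exe", 51, 0, 30, True, False),
    BuildUpdate("new-dev-game-asset-patch", 40, 0, 20, False, False),
    BuildUpdate("established-studio-patch", 25000, 6, 400, True, True),
]

if __name__ == "__main__":
    for title, decision in triage(SAMPLE_UPDATES).items():
        print(f"{decision:8} {title}")
```

With these weights only the low-history build that introduces a new executable is held, while an asset-only patch from the same kind of account still ships immediately, which is the bottleneck tradeoff discussed earlier.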

Frequently Asked Questions

Which Steam games had malware in them?

The FBI named seven games in their March 2026 investigation. The four most widely reported are BlockBlasters, PirateFi, Sniper: Phantom's Resolution, and Chemia. All were removed from Steam after their malware was discovered.

Is Steam safe to use?

Steam's library of 50,000+ games is overwhelmingly clean. The confirmed malware cases represent a tiny fraction of the catalogue. That said, the risk is not zero — particularly for newly released games from unknown developers with few reviews. Disabling auto-updates for games you are not actively playing is a reasonable precaution.

What type of malware was found in Steam games?

The most common payload was info-stealers — malware designed to extract credentials, browser cookies, crypto wallet data, and saved passwords. Chemia deployed three simultaneous strains: Hijack Loader, Fickle Stealer, and Vidar Stealer. PirateFi carried the Vidar info-stealer specifically.

How did the Steam malware steal crypto?

Info-stealers scan the infected machine for crypto wallet files, browser-stored private keys, and clipboard contents. Cryptocurrency transactions can be intercepted by swapping wallet addresses copied to the clipboard. In RastalandTV's case, the stealer accessed the wallet directly from stored data on the machine.

Did Valve catch the malware before users were affected?

In none of the four confirmed cases did Valve's systems catch the malware before users were exposed. All four games were removed only after community members or security researchers reported the issue publicly.

What is Valve doing to improve Steam security?

Valve has not announced specific new measures in response to the FBI investigation. Historically, Valve operates reactively — removing flagged games quickly once reported. The platform has expanded its review requirements for adult content as a precedent for category-specific update controls.

How can I protect myself from malware in Steam games?

Keep a reputable anti-malware tool active. Review newly released games with few ratings before downloading. Disable automatic updates on games you are not actively monitoring. If you hold crypto, use a hardware wallet for large amounts rather than storing keys in software wallets on a gaming PC.

What happened to the streamer who lost $32,000?

RastalandTV — who was fundraising for cancer treatment at the time — had the $32,000 loss covered by crypto influencer Alex Becker, who sent $32,500 after the incident gained public attention. The original stolen funds were not recovered.