Between May 2024 and January 2026, threat actors used free-to-play titles like PirateFi and BlockBlasters on the official Steam platform to deploy info-stealers, leading to over $150,000 in crypto theft and a federal investigation to identify victims.

Continue reading
The trusted fortress of PC gaming, Steam, was systematically breached not through a zero-day exploit, but through a far more insidious vulnerability: the trust of its users. For nearly two years, from May 2024 to January 2026, a threat actor exploited the platform’s direct pipeline to gamers, uploading at least eight malicious games designed to do one thing—empty digital wallets and compromise accounts.
The narrative is no longer about isolated incidents but a coordinated campaign so significant that the FBI’s Seattle Division has issued a public appeal to identify victims, marking a critical escalation in the fight against digital theft in gaming communities.
The investigation has pinpointed specific titles that served as the delivery mechanism for malware. If you or any known gamers installed any of the following between mid-2024 and early 2026, their systems may be compromised:
This wasn't merely about adware. The FBI's official questionnaire, seeking information on cryptocurrency transactions, compromised accounts, and stolen funds, confirms the endgame was financial. The malware embedded within these seemingly innocent games was highly sophisticated. In the case of Chemia, the threat actor EncryptHub deployed a multi-stage attack using HijackLoader to ultimately install the Vidar information stealer and its own custom Fickle Stealer.
The impact was immediate and devastating. The most emblematic case involved streamer Raivo Plavnieks (RastalandTV). While live on camera raising money for cancer treatment, he downloaded BlockBlasters—a verified Steam game. The outcome was a swift and brutal lesson in modern cybercrime: he watched over $32,000 vanish from his cryptocurrency wallet in real time. This single incident peeled back the curtain on the scale of the threat.
The statistics gathered by independent researchers paint a clear picture of the campaign's success from the attacker's perspective:
The fact that the FBI is now actively seeking victim impact statements is a powerful indicator of an active, ongoing criminal probe. They are not just counting the losses; they are building a case. The request for "screenshots of communications with individuals who promoted the games" is a classic investigative move, aiming to trace the social engineering behind the code and follow the money.
Valve, the owner of Steam, has remained silent on the matter, not replying to requests for comment. However, their actions in removing the games and, in the case of PirateFi, warning users to "consider reinstalling their operating system," underscore the severity of the compromise. This is the nuclear option in malware remediation, suggesting the infection buries deep hooks into the system.
The Steam malware campaign offers critical, validated lessons for every digital citizen:
This incident dismantles the illusion of safety within walled-garden platforms. The emerging narrative is clear: the gaming ecosystem has become a prime hunting ground for financially motivated cybercriminals, and the response now requires federal intervention to restore trust and security.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.