On July 30, 2025, BlackBlasters, a retro-style 2D platformer, was uploaded to Steam by Genesis Interactive. Initially a safe option, on August 30, an update to the game added a crypto-draining malware, and people lost their money.
It took Steam a whole 22 days to remove BlockBlasters after the malicious update was released on August 30. The game was pulled from the platform on September 21, marking a 22-day window during which users were exposed to the crypto-draining malware.
The game stole cryptocurrency from players’ wallets, and some of the victims included streamers and crypto holders. One of the worst-hit was Raivo Plavnieks (RastalandTV), a Latvian streamer raising money for stage 4 cancer treatment. He lost $32,000 during a live fundraiser.
Here’s the streamer’s video, but it’s not for the fainthearted:
The attack was exposed live on stream when Raivo’s funds vanished. Based on the investigation that happened, a batch script collecting Steam credentials and IP addresses was found along with a Python backdoor and StealC payload. The Telegram bot code was left exposed by the attackers.
OSINT researchers linked the malware to a Telegram ID tied to fraud chatrooms and social media accounts. One suspect is reportedly an Argentinian immigrant in Miami, though this remains unconfirmed.
But that wasn’t the first time malware slipped through Steam’s defenses. There have been several alarming incidents over the years where malicious code was embedded in games distributed directly through Steam.
An example is Chemia: In July 2025, a Trojan downloader was embedded in the game files. Basically, it added Fickle Stealer, HijackLoader, and Vidar, which, in short, are stealers that target crypto wallets, browser data, and system files. It seems that the developer, EncryptHub, added the malware during Early Access.
And we have many similar instances, such as with PirateFi in June 2025, Sniper: Phantom’s Resolution in March 2025, and Team Fortress 2 in March 2023.
Now, Valve typically (and as expected) removes the games quietly when they get lots of reports or third-party investigations, and they don’t really issue public alerts. Unfortunately, they also rely heavily on the community and external researchers to detect threads, which isn’t really a method that can save players from getting hacked.
To be fair, though, the malicious update in BlockBlasters remained undetected for weeks, and it wasn’t until Plavnieks lost the $32,000 live on Steam that made the malware gain widespread attention. Steam quickly removed it.
But how can a game developer upload malware without getting detected by Valve? Well, that’s actually an interesting question.
You see, once you submit your game to Steam for the first time, you’ll have to pay Valve a total of $100, which is a direct fee for the company to manually review and ensure your game meets their basic standards (such as malware, offensive content, or obvious scams). That money is refundable, though, but that’s only if your game earns $1,000 in revenue.
What’s the problem with that process? There isn’t; the actual issue starts after your game gets verified and published to Steam’s catalogues. As a developer, you have to use SteamPipe, which is Valve’s content delivery system for new builds (updates).
You can switch your test build to the default branch and make it live without further approval, and while Valve likely uses some automated scanning, there’s no public evidence of robust malware detection or code auditing after launch.
Many solo devs and security researchers have flagged this as a major vulnerability. The recent BlockBlasters and Chemia incidents show how malicious updates can bypass Steam’s defenses, even weeks after release. Suggestions like a $20 update fee or mandatory re-verification for major updates have been floated by developers, but Valve hasn’t implemented such measures.
With tens of thousands of available games with so many frequent updates, reviewing manually every patch will either require massive staffing or much slower releases. Steam needs to build an automated system that can easily detect malware, trojans, and other types of viruses or scamming techniques.
So, how do you stay protected from a malicious game found on Steam or any other similar platform?
- First and foremost, do not keep your crypto wallets active on your gaming PC. If you have to, then just create another account on Windows and use that one for playing games, keeping your admin privileges locked.
- Download and install Malwarebytes, which will add an extra layer of protection against known malware.
- Use VirusTotal or Hybrid Analysis to inspect .exe or .dll files before downloading them.
- Before downloading a game, always check the developer’s reputation and read the most recent reviews (sort them if needed).
If you want to stay completely safe, you can always use a sandbox or a virtual machine for new games. You can use Sandboxie or VirtualBox, both of which will isolate the software from your main system. Of course, don’t expect huge performance, but it’s a nice way to test new games.
Want to go to another level? Try cloud gaming, which seems to be the future of gaming. Or, install (here’s how) a gaming Linux distro on another hard drive and use it only for gaming, without connecting any of your online accounts.
If you suspect that you already have malware, disconnect from the internet, run a full scan with your antivirus, check for startup persistence using the Task Manager (Startup), in AppData, and in the Registry. Then change your Steam password, enable 2FA, and move your crypto assets to a secure wallet.
Steam may be the most popular gaming platform to buy and play games, but that doesn’t mean it’s the safest, too. With so many people using it, it has become one of the main targets for hundreds of hackers.
Until Valve finds a way to protect users even more, you need to be careful what you install from the marketplace, and more importantly, to take all the steps needed to avoid such a situation in the future.
