
Trojan Horses in Your Game Library: How Malware-Laced Indie Games Slipped Past Steam's Defenses — and Why the FBI Is Now Involved

The FBI's Seattle Division announced this week that it is investigating a coordinated malware campaign that used Valve's Steam platform, the world's dominant PC gaming storefront, as a delivery mechanism for data-stealing software. At least seven games published on the platform between May 2024 and January 2026 have been identified as carriers of infostealers, cryptodrainers, and credential-harvesting trojans. The bureau is now seeking victims, and the case raises urgent questions about the security architecture of a digital distribution platform that serves roughly 147 million monthly active users [19].

The FBI Steps In

On March 13, 2026, the FBI's Seattle field office published a public notice titled "Seeking Victim Information in Steam Malware Investigation," requesting that anyone who downloaded a list of specific games — or whose minor dependents did so — come forward with information [1]. The FBI has set up a dedicated form on its website and an email address (Steam_Malware@fbi.gov) for reports [2].

The bureau identified seven titles it believes were created by the same threat actor: BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova [1][3]. All have since been removed from the Steam store. The FBI believes the campaign primarily targeted users between May 2024 and January 2026, a window spanning nearly two years during which the games appeared as ordinary indie titles in Steam's vast catalog of over 120,000 games [4].

Valve confirmed the legitimacy of the FBI's notice and suggested that affected gamers assist with the investigation, though the company has not issued a detailed public statement about its own review processes or what security measures failed [5].

Anatomy of the Attack: From Free-to-Play to Full Compromise

The campaign's sophistication lay not in the malware itself — much of which relied on well-known infostealer families — but in the social engineering and distribution strategy that exploited one of gaming's most trusted platforms.

PirateFi: The Opening Salvo

The first widely reported incident involved PirateFi, a free-to-play survival game published by a studio calling itself Seaworth Interactive. The game appeared on Steam on February 6, 2025, and remained available until February 12, when Valve pulled it after security researchers identified that its executable contained a payload delivering the Vidar infostealer [6][7].

Vidar is a well-documented malware-as-a-service tool first observed in 2018. It harvests browser credentials, cookies, cryptocurrency wallet seed phrases, Discord tokens, and Steam account data, packaging stolen information into ZIP archives and exfiltrating them to command-and-control servers [8]. The malware was hidden inside the game's main executable (Pirate.exe) as a secondary payload (Howard.exe) packed with the InnoSetup installer framework [7].

Up to 1,500 users downloaded PirateFi before its removal [6]. Valve took the unusual step of advising affected users to "consider fully reformatting your operating system", an acknowledgment of how deep a compromise an infostealer with local code execution represents [9].

The game's developers had no prior presence in the gaming industry, and security researchers found evidence that PirateFi was promoted through Telegram channels targeting U.S. users, including fake job postings offering $17 per hour for "in-game chat moderator" positions [6].

BlockBlasters: Stealing from a Cancer Patient

The campaign's most devastating human toll came through BlockBlasters, a 2D platformer available on Steam from July 30 to September 21, 2025. Unlike PirateFi, BlockBlasters shipped with no malicious code. The game ran clean for a full month before an August 30 update introduced a cryptodrainer component, a tactic that exploited the update path: patches to an already-approved game do not go through the same review as a new submission, a gap critics have since called on Valve to close [10][11][15].
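The update path described above is where a build-inventory diff earns its keep. The following Python is an added example written for this page, not Valve's review tooling or code from any of the cited reports: it hashes every file in a previous build and in the new one, reports additions and modifications, and flags any added or changed file that is executable by extension or that carries a PE "MZ" header regardless of extension. The two builds are constructed byte strings and the file names are illustrative.

```python
"""
Added example: a minimal build-diff gate for game updates.
Not Valve's pipeline and not from the article; builds below are constructed.
"""
import hashlib

# Extensions that warrant review when they appear or change in a patch.
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")


def inventory(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path in a build to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def is_pe(data: bytes) -> bool:
    """PE images begin with the 'MZ' DOS header whatever their extension says."""
    return data[:2] == b"MZ"


def diff_builds(old: dict[str, bytes], new: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare two build inventories and flag new or changed executable content.

    A clean first build says nothing about a later patch; this is the check
    that catches a dropper arriving in an update to an approved title.
    """
    old_inv, new_inv = inventory(old), inventory(new)
    report: dict[str, list[str]] = {"added": [], "modified": [], "removed": [], "flagged": []}
    for path in sorted(set(old_inv) | set(new_inv)):
        if path not in old_inv:
            report["added"].append(path)
        elif path not in new_inv:
            report["removed"].append(path)
        elif old_inv[path] != new_inv[path]:
            report["modified"].append(path)
    # Anything executable that is new or changed needs eyes on it before release.
    for path in report["added"] + report["modified"]:
        if path.lower().endswith(EXEC_SUFFIXES) or is_pe(new[path]):
            report["flagged"].append(path)
    return report


# Constructed builds (placeholder bytes, illustrative file names).
BUILD_V1 = {
    "game.exe": b"MZ" + b"\x90" * 64 + b"v1 game code",
    "data/levels.pak": b"LEVELPAK v1",
    "README.txt": b"2D platformer",
}
BUILD_V2 = {
    "game.exe": b"MZ" + b"\x90" * 64 + b"v2 game code",  # legitimate code change
    "data/levels.pak": b"LEVELPAK v1",
    "README.txt": b"2D platformer",
    "data/textures.dat": b"MZ" + b"\x00" * 32,  # a PE hiding behind a data extension
    "launch.bat": b"@echo off\r\nstart data\\textures.dat\r\n",  # constructed launcher script
}

if __name__ == "__main__":
    for kind, paths in diff_builds(BUILD_V1, BUILD_V2).items():
        print(f"{kind:9s} {paths}")
```

The header check matters more than the extension list: a payload renamed to look like an asset still starts with "MZ", and a hash diff against the previously reviewed build is cheap enough to run on every upload.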

The malware deployed scripts to disable antivirus detection, harvest credentials, extract cryptocurrency wallet keys, and transmit stolen data to external servers [11]. The most publicized victim was Raivo Plavnieks, a Twitch streamer who goes by RastalandTV, who was battling stage 4 high-grade sarcoma. During a live fundraising stream, the malware drained $32,000 in cryptocurrency donations that viewers had contributed toward his cancer treatment [11][12].

ZachXBT estimated total losses from BlockBlasters at approximately $150,000 across 261 confirmed victims, though the malware research collective vx-underground reported a higher count of 478 affected accounts [10][11]. Several victims appear to have been targeted deliberately: after being identified on social media as holding significant cryptocurrency, they were sent invitations to try the game [11].

Crypto influencer Alex Becker publicly sent Plavnieks $32,500 to a secure wallet after the theft gained attention, but the incident underscored the human stakes of what might otherwise seem like an abstract cybersecurity problem [12].

The Technical Underpinnings: Vidar and the Infostealer Economy

The malware deployed across these campaigns belongs to a broader ecosystem of information-stealing tools that have become increasingly commoditized. Vidar, the primary tool identified in the PirateFi case, exemplifies this trend.

Vidar operates on a malware-as-a-service model, meaning its developers sell access to the tool and its infrastructure to other criminals. The latest version, Vidar 2.0, features a complete rewrite in C with a multithreaded architecture that automatically scales its data-harvesting operations based on the victim's hardware — stealing from multiple sources simultaneously on powerful machines [8][13].

The malware employs evasion techniques including control flow flattening, which rewrites program logic into large switch-case dispatchers and makes reverse engineering significantly harder [13]. Its command-and-control infrastructure uses a dead-drop resolver: rather than hardcoding server addresses, the malware fetches a social media profile on a platform such as Telegram or Mastodon and reads the current C2 address out of the profile description, so operators can rotate infrastructure by editing a bio instead of shipping a new build [8].
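Because the C2 lives in a profile description rather than in the binary, an analyst can recover it from a captured copy of the profile page without running the sample. The Python below is an added example written for this page, not Vidar's code and not from the cited analyses: it strips the HTML of a profile page to visible text, looks for an address marker, and discards addresses that cannot be a real C2. The profile HTML is constructed, and the marker format (an IP:port pair wrapped in pipes) is an assumption for illustration, not Vidar's actual encoding.

```python
"""
Added example: emulating a dead-drop resolver to pull a C2 address out of
a saved social-media profile page. Sample HTML and marker format are
constructed for this page; they are not Vidar's real format.
"""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample of a fetched profile page (documentation-range IP).
SAMPLE_PROFILE_HTML = """
<html><head><title>mikehaller - Mastodon</title></head>
<body>
<div class="account__header__content">
  <p>Just here for cat pictures &amp; coffee. |203.0.113.45:80|</p>
</div>
<div class="footer">Updated 2026-03-01</div>
</body></html>
"""

# Assumed marker: |a.b.c.d| or |a.b.c.d:port| somewhere in the visible text.
_MARKER_RE = re.compile(r"\|(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\|")


class _TextExtractor(HTMLParser):
    """Collect only the text a viewer of the page would see."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[str] = []

    def handle_data(self, data: str) -> None:
        self.chunks.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


def resolve_c2(html: str) -> list[tuple[str, int]]:
    """Return (ip, port) pairs a resolver-style stealer would extract.

    The stealer only needs the profile URL; the operator repoints C2 by
    editing the bio. Loopback, link-local, multicast and unspecified
    addresses are dropped because no live C2 can sit there.
    """
    found: list[tuple[str, int]] = []
    for ip_str, port_str in _MARKER_RE.findall(visible_text(html)):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # e.g. an octet above 255
            continue
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            continue
        port = int(port_str) if port_str else 80
        if not 0 < port < 65536:
            continue
        found.append((str(ip), port))
    return found


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PROFILE_HTML))
```

Real samples differ in where and how the address is encoded, so the marker regex is the part to adapt once the resolver logic has been located in the binary; the rest of the flow (fetch profile, extract text, parse, validate) is the same, and the extracted addresses are the indicators to feed into egress blocking.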

Vidar 2.0's credential extraction can also bypass Chrome's App-Bound Encryption, the protection Google added to tie cookie and password decryption to the browser itself, by injecting directly into browser memory, so it can lift passwords, session cookies, and autofill data from virtually any modern browser [13].

[Chart: Timeline of Malware-Laced Games on Steam (2024–2026). Source: FBI / BleepingComputer / Tom's Hardware; data as of Mar 14, 2026.]

Steam's Open Door: How Malware Gets Published

The central question raised by the FBI investigation is how seven malicious games operated on the world's largest PC gaming platform — some for months — without detection.

Steam's developer onboarding process, known as Steam Direct, requires a $100 fee per game, identity verification, and completion of tax and banking paperwork. There is a mandatory 30-day waiting period between paying the fee and releasing a first title [14]. But critics argue these measures are designed primarily to deter spam and ensure tax compliance, not to prevent malware distribution.

Steam's Early Access program has drawn particular scrutiny. The program allows indie developers to publish unfinished games for public testing, creating a pathway where frequent updates are expected and normalized — making it easier for a threat actor to introduce malicious code in a later patch, as happened with BlockBlasters [5][15].

The scale of the problem compounds the challenge. With over 120,000 games on the platform and thousands of new titles and updates arriving regularly, manual review of every executable is impractical. Valve has implemented some automated scanning measures, but security researchers and industry observers have argued these are insufficient [15].

This is not the first time Steam has faced scrutiny over malicious content. In 2023, the accounts of multiple legitimate game developers were compromised and used to push malware-laden updates to existing games, prompting Valve to add SMS-based verification for developer accounts pushing builds [16]. That measure addressed account takeover, not the current campaign, in which the threat actor appears to have registered fresh developer accounts rather than compromising existing ones.

Gaming as a Malware Vector: A Growing Trend

The Steam investigation exists within a larger pattern. According to research by Flare, a cybersecurity firm, gaming-related files account for 41.47% of all infostealer infections — making gaming the single largest lure category for information-stealing malware [17]. This figure encompasses not just Steam but also cracked game installers, cheat tools, and unofficial patches distributed through various channels.

The gaming industry was the most targeted sector for HTTP DDoS attacks in 2024, with Layer 7 incidents rising 94% year over year [18]. Cybercriminals exploit the gaming ecosystem because it combines several attractive properties: large userbases with minimal security awareness, valuable digital assets (in-game items, cryptocurrency wallets, marketplace credentials), and a culture that normalizes downloading and running executable files from relatively unknown developers.

Steam's userbase makes it a particularly high-value target. The platform recorded 147 million monthly active users in 2025, with 69 million daily active users and a record 42 million concurrent users in January 2026 [19]. Steam controls approximately 74% of the global PC digital distribution market, meaning a compromise on the platform has outsized reach [19].

[Chart: Steam Platform Growth: Monthly Active Users (2020–2025). Source: DemandSage / Steam Statistics; data as of Mar 14, 2026.]

What Victims Should Do

The FBI's notice applies to anyone who installed any of the seven identified games — BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, or Tokenova — between May 2024 and January 2026. The bureau is asking affected users to submit information through its official victim form or by contacting Steam_Malware@fbi.gov [1][2].

Security experts recommend the following steps for anyone who may have been affected:

  • Check your Steam library for any of the named titles; a game that was installed and later removed no longer appears in the library, so check the account's purchase and licence history as well
  • Run a full system scan with updated antivirus software
  • Change all passwords stored in your browser, particularly for email, banking, and cryptocurrency accounts
  • Enable two-factor authentication on all critical accounts
  • Monitor financial accounts and cryptocurrency wallets for unauthorized transactions
  • Consider a full OS reinstall if any of the named games were installed, as Valve itself recommended in the PirateFi case [9]
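The first step in that list can be scripted. The Python below is an added example written for this page, not a tool from the FBI or Valve: Steam keeps one appmanifest_<appid>.acf file per installed game under each library's steamapps folder, and the script reads the "name" field from those files and matches it against the seven listed titles on a whole-word basis. The sample manifests are constructed (placeholder appids, not the real ones), and the default library paths are assumed typical Steam install locations. It only finds titles that are still installed; purchase history on the account must be checked separately.

```python
"""
Added example: scan local Steam app manifests for the FBI-listed titles.
Not from the FBI notice or Valve; sample manifests and appids are placeholders.
"""
import re
from pathlib import Path
from typing import Optional

# Titles named in the FBI notice (Dashverse/DashFPS listed under both names).
FBI_LISTED_TITLES = (
    "BlockBlasters", "Chemia", "Dashverse", "DashFPS",
    "Lampy", "Lunara", "PirateFi", "Tokenova",
)

# One   "key"   "value"   pair per line in Valve's KeyValues text format.
_KV_RE = re.compile(r'^\s*"([^"]+)"\s+"([^"]*)"\s*$', re.MULTILINE)


def parse_acf_name(text: str) -> Optional[str]:
    """Return the "name" value from an appmanifest_*.acf file, if present."""
    for key, value in _KV_RE.findall(text):
        if key == "name":
            return value
    return None


def match_listed_title(name: str) -> Optional[str]:
    """Whole-word, case-insensitive match so 'Chemia' does not hit 'Alchemia'."""
    for title in FBI_LISTED_TITLES:
        if re.search(rf"\b{re.escape(title)}\b", name, re.IGNORECASE):
            return title
    return None


def scan_manifests(manifests: dict[str, str]) -> list[tuple[str, str, str]]:
    """manifests maps file name -> contents; returns (file, game name, listed title)."""
    hits = []
    for fname, text in manifests.items():
        name = parse_acf_name(text)
        if name and (title := match_listed_title(name)):
            hits.append((fname, name, title))
    return hits


def scan_steam_libraries(roots=None) -> list[tuple[str, str, str]]:
    """Read real manifests from typical Steam library paths (assumed defaults)."""
    roots = roots or [
        Path(r"C:\Program Files (x86)\Steam\steamapps"),
        Path.home() / ".steam/steam/steamapps",
        Path.home() / ".local/share/Steam/steamapps",
    ]
    manifests = {}
    for root in roots:
        if root.is_dir():
            for f in root.glob("appmanifest_*.acf"):
                manifests[str(f)] = f.read_text(errors="replace")
    return scan_manifests(manifests)


# Constructed manifests; appids are placeholders, not the real games' ids.
SAMPLE_MANIFESTS = {
    "appmanifest_123456.acf": (
        '"AppState"\n{\n'
        '\t"appid"\t\t"123456"\n'
        '\t"name"\t\t"Lunara"\n'
        '\t"installdir"\t\t"Lunara"\n'
        '}\n'
    ),
    "appmanifest_123457.acf": (
        '"AppState"\n{\n'
        '\t"appid"\t\t"123457"\n'
        '\t"name"\t\t"Alchemia Legends"\n'  # constructed benign title
        '}\n'
    ),
}

if __name__ == "__main__":
    print("sample:", scan_manifests(SAMPLE_MANIFESTS))
    print("local: ", scan_steam_libraries())
```

Add any non-default library folders (Steam lists them in steamapps/libraryfolders.vdf) to the roots list if games are installed on a second drive. A hit means the game was installed at some point; it does not by itself say whether the malicious build ran, so the remaining steps above still apply.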

The Bigger Picture

The FBI's involvement marks an escalation from what has historically been treated as a platform moderation problem into federal criminal territory. The investigation suggests law enforcement believes a single, identifiable threat actor is behind the campaign — a conclusion that, if correct, could lead to prosecution.

But the systemic issues extend beyond any individual criminal. The Steam investigation highlights a fundamental tension in digital distribution: platforms like Valve's profit from an open ecosystem that minimizes barriers for developers, but that openness creates attack surface. The $100 fee and 30-day waiting period that constitute Steam Direct's primary barriers are trivial obstacles for a threat actor who stands to steal hundreds of thousands of dollars in cryptocurrency and credentials.

Valve has not announced any changes to its security review processes in response to the FBI investigation. The company's historically hands-off approach to content moderation — rooted in a philosophy that positions Steam as a neutral marketplace rather than a curated storefront — faces its most serious stress test yet. With federal investigators now involved and victims spanning a two-year window, the pressure for meaningful reform is mounting.

The case also serves as a reminder that the most effective malware campaigns don't require zero-day exploits or nation-state resources. They require trust — and few digital environments cultivate trust as effectively as a verified game listing on the world's most popular PC gaming platform.

Sources (19)

  [1] The FBI is looking for victimized Steam users who downloaded games with hidden malware (tomshardware.com)
      Investigation underway into multiple infected titles from 2024 to 2026. The FBI's Seattle Division is seeking to identify potential victims who installed Steam games embedded with malware.

  [2] The FBI is investigating malware hidden inside games hosted on Steam (techcrunch.com)
      The FBI announced it is seeking information from victims who downloaded games embedded with malware on Steam over the past two years.

  [3] FBI Announces Steam Investigation Into Indie Game Malware (kotaku.com)
      The FBI listed BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova as games suspected of being developed by the same cybercriminal.

  [4] FBI Launches Investigation Into Games Removed From Steam Over Malware Concerns (gamespot.com)
      The FBI is investigating a hacker suspected of publishing several malware-laced games on Steam, a platform hosting over 120,000 games.

  [5] FBI investigates Steam games containing malware, with Valve encouraging victims to assist (notebookcheck.net)
      Valve has verified that the FBI message is legitimate and suggests that gamers assist with the investigation.

  [6] PirateFi Game Removed from Steam Library for Pushing Malware (bitdefender.com)
      PirateFi was released February 6, 2025 and removed February 12 after being found to distribute Vidar infostealer malware to up to 1,500 users.

  [7] PirateFi game on Steam caught installing password-stealing malware (bleepingcomputer.com)
      The malware was identified as Vidar based on dynamic analysis and YARA signature matches, hidden as a payload packed with the InnoSetup installer.

  [8] Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware (cyfirma.com)
      Vidar is an infostealer operating as malware-as-a-service, using social media profiles for C2 infrastructure and stealing browser credentials, cookies, and cryptocurrency wallets.

  [9] Valve recommends a full PC reset after malware-infected game discovered on Steam (tomsguide.com)
      Valve took the unusual step of advising affected users to consider fully reformatting their operating system after the PirateFi malware was discovered.

  [10] Verified Steam game steals streamer's cancer treatment donations (bleepingcomputer.com)
      BlockBlasters drained $32,000 in cryptocurrency from a Twitch streamer raising funds for stage 4 cancer treatment. ZachXBT estimated total losses of $150,000 across 261 accounts.

  [11] Twitch streamer raising money for cancer treatment has funds stolen by malware-ridden Steam game (tomshardware.com)
      BlockBlasters stole $150,000 from hundreds of players. The game was safe until August 30, when a cryptodrainer component was added via update.

  [12] Streamer Fighting Cancer Lost $32K, But Crypto Gave Back Hope (finance.yahoo.com)
      Crypto influencer Alex Becker sent $32,500 to streamer RastalandTV after his cancer treatment donations were stolen by BlockBlasters malware.

  [13] How Vidar Stealer 2.0 Upgrades Infostealer Capabilities (trendmicro.com)
      Vidar 2.0 features a full C rewrite, a multithreaded architecture, control flow flattening, and can bypass Chrome's App-Bound Encryption through direct memory injection.

  [14] Steam Direct Fee - Steamworks Documentation (partner.steamgames.com)
      Developers must pay a $100 fee per game, with a mandatory 30-day waiting period between paying the fee and releasing a first title.

  [15] Valve Must Fix Steam's Security Failures (games.gg)
      Critics call for real-time malware scanning, developer upload auditing, and stricter rules for pushing updates to live games on Steam.

  [16] Valve adds new security check after attackers compromise Steam accounts of multiple game devs (pcgamer.com)
      In 2023, Valve added SMS-based verification for developer accounts pushing builds after legitimate developer accounts were compromised and used to distribute malware.

  [17] Gaming is a Rising Target for Infostealing Malware with 41% of Infections from Gaming-Related Files (flare.io)
      Research shows gaming accounts for 41.47% of all infostealer infections, making gaming the single largest lure category for information-stealing malware.

  [18] DDoS, data theft, and malware are storming the gaming industry (helpnetsecurity.com)
      Gaming was the most targeted industry for HTTP DDoS attacks in 2024, with Layer 7 incidents rising 94% year over year.

  [19] Steam Statistics (2026): Market Share, MAU & Revenue (demandsage.com)
      Steam recorded 147 million monthly active users in 2025, 69 million daily active users, and 42 million concurrent users in January 2026.