
22 Sep, 2025

Hundreds of users reported stolen funds from their crypto wallets after downloading the game Block Blasters from Steam. Despite having passed Steam’s review process, the title contained a malicious component.

Block Blasters is a free 2D platformer developed by Genesis Interactive. The game launched on July 30 and remained available until September 21. According to researchers, a malicious module designed to steal cryptocurrency was added to the game on August 30.

The issue was first spotted by streamer RastalandTV, who lost about $32,000 in crypto during a charity livestream to raise money for sarcoma treatment.

Data theft routine

Blockchain analyst ZachXBT told BleepingComputer that attackers ultimately stole around $150,000 from 261 accounts. However, research group VXUnderground claims the real number of victims is higher — 478 people.

  • Analysts described how the dropper worked: it scanned the environment, collected Steam login credentials along with the victim’s IP address, and sent the data to a remote server.
  • Experts also found evidence of a Python backdoor and the StealC infostealer. They noted the attackers made serious security mistakes, leaving the code of their Telegram bot exposed along with API tokens.
  • OSINT researchers suggest that the attack may be linked to an Argentine immigrant living in Miami, though this is unconfirmed.

Experts criticized Steam for failing to properly vet games on its platform. They advised users to be cautious when installing games with few downloads and reviews, especially those still in beta testing.