Steam game infects users through camouflaged malware

On July 30, 2025, the game BlockBlasters was released on Steam, the popular digital video game distribution platform. Weeks later, on August 30, a game update introduced malicious code into the game executable to distribute crypto-drainer malware, designed to steal cryptocurrencies, credentials, and other sensitive data from users' devices. The malware was activated when the game was launched and operated in the background, sending the stolen information to external servers controlled by the attackers.

It is estimated that the attack affected more than 260 users, with losses estimated at around $150,000. One of the most notorious cases was that of streamer RastalandTV, who lost about $32,000 that was intended for his cancer treatment. Cybersecurity researchers believe that the game developer or their Steam account was compromised by attackers, allowing them to add malicious code to a supposedly legitimate update.

After the incident became public, Steam removed the game BlockBlasters from its platform and recommended that all those affected format their computers, revoke permissions from their wallets, and change their passwords.

This incident demonstrates that Steam does not perform security checks on the code of games published on its platform. Content, metadata, prices, and copyrights are reviewed, but no in-depth security scan of the binaries is performed.