Malware Hidden in Steam Games: The FBI Is Now Involved

Seven games published to Steam between May 2024 and January 2026 were secretly distributing information-stealing malware. The FBI's Seattle Division is now investigating and asking victims to come forward. This is not a phishing email. This is not a cracked copy from a shady site. These were games listed on Steam's official storefront.

On March 13, 2026, the FBI's Seattle Division published a public notice asking gamers who downloaded certain Steam titles to report their experiences as part of an active federal investigation. The notice named seven games — BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova — and provided a dedicated email address, Steam_Malware@fbi.gov, along with a victim intake form. According to the FBI, authorities may have been tracking a single threat actor responsible for all seven titles, which is significant. This was not a collection of unrelated incidents. It appears to have been a coordinated campaign.

The malware in question belonged to a category called infostealers — software engineered not to lock your files or hold them for ransom, but to silently harvest everything useful on your machine and send it elsewhere. Browser-saved passwords. Session cookies that let attackers log into your accounts without needing your password. Cryptocurrency wallet keys. Screenshots. Two-factor authentication tokens from certain apps. The attackers' goal in most of these cases was not to crash your system. It was to leave it running while they quietly took what they wanted.

The Games Identified by the FBI

Each of the seven titles followed a similar playbook: present as a small, free-to-play or early access indie game, attract enough players to be useful, then deploy the payload — or wait until a post-launch update introduced one. Here is what is publicly known about the highest-profile cases.

PirateFi

PirateFi was a free-to-play survival game marketed with references to blockchain and cryptocurrency mechanics, which appears to have been deliberate targeting of cryptocurrency users. It appeared on Steam on February 6, 2025 and was removed on February 12, 2025 — a window of six days. During that period, as many as 1,500 users downloaded the title. Security researchers at SECUINFRA Falcon Team later identified the embedded malware as Vidar, a well-documented infostealer that has been in operation since 2018.

Marius Genheimer of SECUINFRA Falcon Team told TechCrunch: "It is highly likely that it never was a legitimate, running game that was altered after first publication." Genheimer's team found that the threat actor modified the game files multiple times, rotating obfuscation techniques and swapping out command-and-control servers for credential exfiltration. The malware was packed inside a file called Pirate.exe, with the payload carried as Howard.exe in an Inno Setup installer.

PirateFi was built on top of a commercial game template called Easy Survival RPG, which costs between $399 and $1,099 to license. This technique — sometimes called asset flipping — allowed the attackers to publish a functional, presentable game without building one from scratch. The game had a 9/10 rating on Steam at the time of removal. Several of those reviews are believed to have been fabricated to boost credibility. A Telegram account was separately found to be paying users $17 an hour to play and moderate PirateFi's in-game chat, which helps explain the inflated download numbers and gave the game the appearance of an active community. Valve later warned affected users to consider reformatting their operating systems entirely.

BlockBlasters

BlockBlasters was a free-to-play 2D platformer available on Steam from July to September 2024. Unlike PirateFi, it was initially uploaded as a clean program. The malware — a cryptodrainer — was injected later through a file called game2.bat, added to the game's files approximately one month before the incident that made it public. This post-publication injection method is particularly dangerous because it means a game can pass an initial review and then become malicious through an update.

The story became public in September 2025 during a Twitch livestream. Raivo Plavnieks, known online as RastalandTV, was raising money for cancer treatment when BlockBlasters activated the cryptodrainer on his system. He reported losing more than $32,000 in cryptocurrency in real time. Blockchain investigator ZachXBT later estimated the total damage from BlockBlasters at roughly $150,000 across 261 Steam accounts. Cybersecurity researcher VX-Underground later reported a higher victim count of 478.

Chemia

Chemia, a survival crafting game from developer Aether Forge Studios, was available through Steam's Early Access program. On July 22, 2025, threat intelligence company Prodaft discovered that the game's files had been modified to include three distinct malware strains simultaneously: HijackLoader, Vidar Stealer, and Fickle Stealer.

According to Prodaft's analysis, the HijackLoader component (delivered as CVKRUTNP.exe) established persistence on infected devices and downloaded the Vidar infostealer (v9d9d.exe). The malware retrieved its command-and-control address from a Telegram channel. Just three hours after that first injection, a second payload was added: Fickle Stealer, delivered through a DLL file (cclib.dll) using a PowerShell script called worker.ps1 to pull the main payload from an external server.

Prodaft attributed the attack to a threat group called EncryptHub, also tracked as Larva-208. Prodaft noted: "The compromised executable appears legitimate to users downloading from Steam, creating an effective social engineering component that relies on platform trust rather than traditional deception techniques." EncryptHub has a documented history of large-scale attacks. A prior spear-phishing campaign using the same malware combination compromised over 600 organizations globally. How EncryptHub gained access to Chemia's game files was not confirmed; one possible explanation is insider assistance. The developer, Aether Forge Studios, issued no public statement.

[Figure: Steam Malware Campaign — Attack Chain]
Stage 1: Publish game on Steam ($100 fee). Stage 2: Inject malware via update or build. Stage 3: User downloads and launches the game. Stage 4: Infostealer executes silently. Stage 5: Credentials exfiltrated.
The typical attack chain used across the seven FBI-identified Steam titles — game publication provided the initial vector, with malware injected at build time or through post-launch updates.

How the Malware Actually Worked

The primary weapon across many of these titles was Vidar, an infostealer that has operated as a malware-as-a-service (MaaS) product since 2018. It is available for purchase on underground forums for a consistent price of around $300, which means the skill barrier for deploying it is effectively zero. Buyers do not need to write malware. They buy access to it the way a contractor buys power tools.

Vidar uses a two-stage approach to command-and-control communications. The malware's configuration holds links to what researchers call Dead Drop Resolvers — legitimate services like Telegram, Mastodon, or Google Calendar used to store the address of the actual C2 server. According to SECUINFRA's analysis of the PirateFi sample, a Steam user profile was used as a resolver, with a marker key embedded in the profile that pointed to a live C2 IP address. This lets attackers rotate infrastructure frequently without updating the malware itself.
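From a defender's side, the resolver pattern leaves a distinctive footprint on the endpoint: a process fetches a page from a legitimate hosting service and then, seconds later, opens a connection to a bare IP address. The following Python script is an added example, not code from this article or from any of the researchers it cites; it runs a simple version of that correlation over a constructed outbound-connection log. The log format, the process names, the 203.0.113.x and 198.51.100.x addresses (documentation ranges) and the 60-second window are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed outbound-connection log, one event per line:
# timestamp | pid | process image | destination host:port
# In practice a Sysmon network-connection event or an EDR feed supplies this.
CONSTRUCTED_EVENTS = """
2025-02-08T10:00:01Z | 4120 | C:\\Games\\example-game\\game.exe | steamcommunity.com:443
2025-02-08T10:00:03Z | 4120 | C:\\Games\\example-game\\game.exe | 203.0.113.45:80
2025-02-08T10:05:00Z | 2210 | C:\\Program Files\\Steam\\steam.exe | steamcommunity.com:443
2025-02-08T10:05:02Z | 2210 | C:\\Program Files\\Steam\\steam.exe | cdn.steamstatic.com:443
2025-02-08T10:06:00Z | 3300 | C:\\Tools\\curl.exe | 198.51.100.7:443
2025-02-08T11:00:00Z | 5050 | C:\\Apps\\chat.exe | api.telegram.org:443
2025-02-08T11:20:00Z | 5050 | C:\\Apps\\chat.exe | 203.0.113.9:443
"""

# Services the article names as dead-drop resolvers. Legitimate software talks
# to these constantly; it is the follow-up raw-IP connection that matters.
DEAD_DROP_HOSTS = {
    "steamcommunity.com",   # Steam user profiles (the PirateFi sample)
    "api.telegram.org",     # Telegram (the Chemia payloads)
    "t.me",
    "calendar.google.com",
}


def parse_events(text):
    """Parse the constructed log into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, dest = [field.strip() for field in line.split("|")]
        host, port = dest.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "pid": int(pid),
            "image": image,
            "host": host,
            "port": int(port),
        })
    return events


def is_ip_literal(host):
    """True when the destination was addressed by IP rather than by name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_followups(events, window_seconds=60):
    """Flag a process that reads a dead-drop host and then dials a raw IP within the window."""
    window = timedelta(seconds=window_seconds)
    by_pid = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_pid.setdefault(event["pid"], []).append(event)
    alerts = []
    for pid, stream in by_pid.items():
        for i, lookup in enumerate(stream):
            if lookup["host"] not in DEAD_DROP_HOSTS:
                continue
            for follow in stream[i + 1:]:
                if follow["ts"] - lookup["ts"] > window:
                    break  # stream is time-ordered, so nothing later can match
                if is_ip_literal(follow["host"]):
                    alerts.append({
                        "pid": pid,
                        "image": lookup["image"],
                        "resolver": lookup["host"],
                        "c2": follow["host"],
                        "delay_s": (follow["ts"] - lookup["ts"]).total_seconds(),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_followups(parse_events(CONSTRUCTED_EVENTS)):
        print(f"pid {alert['pid']} ({alert['image']}): {alert['resolver']} -> {alert['c2']} after {alert['delay_s']}s")
```

With the default window the constructed log yields one alert, for pid 4120; the Steam client (hostname follow-up) and the direct curl connection (no resolver lookup) stay quiet. Widening the window to an hour also catches pid 5050, which is the usual trade-off: a longer window catches slower beacons and produces more noise from software that legitimately talks to CDNs by address.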

Once active, Vidar collects passwords stored in browsers, session cookies, web browser history, cryptocurrency wallet credentials, two-factor authentication data from certain token generators, and screenshots of the infected machine. Session cookies are particularly dangerous: they allow an attacker to authenticate to a website as you without ever knowing your password, and in many cases they bypass two-factor authentication entirely because the platform sees a valid, active session.

In October 2025, researchers at Trend Micro documented the release of Vidar 2.0, a complete rewrite of the malware in C with a multithreaded architecture for faster exfiltration and enhanced evasion capabilities. The new version introduced direct memory injection to bypass Chrome's App-Bound Encryption — a browser security feature Google had introduced specifically to defend against credential theft. The timing was deliberate. Vidar 2.0 arrived as Lumma Stealer, the previous dominant infostealer in underground markets, was declining in activity.

Fickle Stealer, deployed in the Chemia attack, is a custom tool associated with EncryptHub. It targets the same data categories as Vidar — browser credentials, auto-fill data, cookies, cryptocurrency wallets — but its command-and-control architecture used Telegram as both a resolver and an instruction channel, giving the operator real-time control over infected systems. HijackLoader, also found in Chemia, served a different purpose: it was not designed to steal data directly but to establish persistence and download additional payloads, effectively turning an infected machine into a staging environment for whatever the attacker chose to deploy next.

Note

Session cookies stolen by infostealers can remain valid for hours or days after theft. Changing your password after an infection does not invalidate active sessions on services that do not automatically log out all devices. If you suspect compromise, you need to explicitly log out all active sessions from within each affected service — not just change the password.
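To show why the note above holds, here is an added Python model of the two server-side behaviours, not code from this article or from any real service: a password change that leaves existing cookies alive, and one that revokes every session issued before the change by tying each cookie to a per-user session generation counter. The user names, the in-memory store and the seven-day TTL are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory model of an account service. Real deployments back
# this with a database or cache; the revocation logic is the same.


class User:
    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        # Every session records the generation it was issued under. Bumping
        # this counter invalidates all sessions issued before the bump.
        self.session_generation = 0

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))

    def set_password(self, new_password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(new_password, self.salt)


class SessionStore:
    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # cookie value -> (username, generation, expiry)

    def login(self, user, password, now):
        if not user.check_password(password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user.username, user.session_generation, now + self.ttl)
        return cookie

    def is_valid(self, cookie, user, now):
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        username, generation, expiry = entry
        if username != user.username or now > expiry:
            return False
        # A cookie is only honoured if it was issued under the user's current
        # generation; older cookies are dead even though they still exist.
        return generation == user.session_generation

    def logout_all(self, user):
        user.session_generation += 1


def change_password_weak(user, new_password):
    """Rotates the credential but leaves every existing session alive."""
    user.set_password(new_password)


def change_password_and_logout_all(user, new_password, store):
    """Rotates the credential and revokes all sessions issued before the change."""
    user.set_password(new_password)
    store.logout_all(user)


def demo(now=1_700_000_000):
    """Walk both behaviours with a cookie that an infostealer has copied."""
    store = SessionStore()

    weak_user = User("alice", "old-password")
    stolen = store.login(weak_user, "old-password", now)
    change_password_weak(weak_user, "new-password")
    stolen_still_works = store.is_valid(stolen, weak_user, now + 3600)

    hard_user = User("bob", "old-password")
    stolen2 = store.login(hard_user, "old-password", now)
    change_password_and_logout_all(hard_user, "new-password", store)
    stolen_rejected = not store.is_valid(stolen2, hard_user, now + 3600)
    fresh = store.login(hard_user, "new-password", now + 3600)
    fresh_works = store.is_valid(fresh, hard_user, now + 3600)

    return {
        "weak_cookie_survives": stolen_still_works,
        "hardened_cookie_revoked": stolen_rejected,
        "new_login_works": fresh_works,
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is what a "log out all devices" button changes; it costs one integer per user and needs no scan of the session table. Services that only rotate the password hash behave like `change_password_weak`, which is why the note tells you to log out all sessions explicitly.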

Why Steam's Vetting Process Left the Door Open

Steam reaches over 132 million monthly active users. In 2025, Valve reported that users had downloaded 100 exabytes of games, averaging 274 petabytes of installs and updates every day. The platform's scale is its value proposition and its vulnerability at the same time.

Publishing a game on Steam requires a $100 fee per title, a functioning game build, store assets (screenshots, a trailer, a description), and a valid bank account for payouts. Valve's Steamworks documentation states there is a brief review process — typically one to five days — where they run the game, check the store page for policy compliance, and check that the build is not "doing anything harmful." After a 30-day waiting period following the fee payment, the game can go live.

This process was not designed to catch sophisticated malware. It was designed to catch obvious policy violations and technically broken submissions. SECUINFRA's researchers noted that Valve should theoretically have been able to detect anomalies in the PirateFi files through automated analysis — invalid signatures, inflated file sizes, and erratic changes to the game's repository over a short time span were all present. These are characteristics that malware detection systems are designed to flag. They were not flagged.

The post-publication update problem is harder to solve. Valve has introduced SMS-based verification to protect against unauthorized updates to live games, adding a friction point for attackers who gain access to a developer's account. But as BleepingComputer reported after the Chemia incident, this measure does not protect against a developer — or someone with legitimate access to a developer's build pipeline — deliberately injecting malicious files into a game update. The review process for updates to already-published games is less rigorous than for initial submissions.
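The anomalies SECUINFRA described are checkable without any malware signature, by comparing successive builds of the same title. The Python script below is an added example, not Valve's tooling or the researchers' code; it audits a constructed build history for the three signals named above (a new executable appearing after launch, an executable that was signed and no longer is, and executable size growth) plus a burst of builds in a short window, which is the post-launch update problem in its simplest form. The manifest format, file names, sizes, timestamps and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")
SIZE_GROWTH_LIMIT = 0.05           # flag an executable that grows by more than 5 %
CHURN_WINDOW = timedelta(hours=24)
CHURN_LIMIT = 2                    # more than this many builds per window is suspicious

# Constructed build history for a hypothetical title: one manifest per
# uploaded build. Every name, size and timestamp here is made up.
CONSTRUCTED_BUILDS = [
    {"build_id": 101, "time": "2025-02-06T09:00:00Z", "files": {
        "game.exe": {"size": 58_000_000, "signed": True},
        "data.pak": {"size": 1_200_000_000, "signed": False}}},
    {"build_id": 102, "time": "2025-02-08T14:00:00Z", "files": {
        "game.exe": {"size": 61_500_000, "signed": False},
        "data.pak": {"size": 1_200_000_000, "signed": False},
        "update_helper.exe": {"size": 3_400_000, "signed": False}}},
    {"build_id": 103, "time": "2025-02-08T16:30:00Z", "files": {
        "game.exe": {"size": 61_500_000, "signed": False},
        "data.pak": {"size": 1_200_000_000, "signed": False},
        "update_helper.exe": {"size": 3_600_000, "signed": False},
        "setup_task.ps1": {"size": 4_000, "signed": False}}},
    {"build_id": 104, "time": "2025-02-09T03:00:00Z", "files": {
        "game.exe": {"size": 61_500_000, "signed": False},
        "data.pak": {"size": 1_200_000_000, "signed": False},
        "update_helper.exe": {"size": 3_600_000, "signed": False},
        "setup_task.ps1": {"size": 4_000, "signed": False}}},
]


def _ts(build):
    return datetime.fromisoformat(build["time"].replace("Z", "+00:00"))


def is_executable(name):
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def diff_builds(previous, current):
    """Compare two consecutive manifests and return (build_id, reason) findings."""
    findings = []
    build_id = current["build_id"]
    for name, meta in current["files"].items():
        if not is_executable(name):
            continue
        old = previous["files"].get(name)
        if old is None:
            findings.append((build_id, f"new executable added after launch: {name}"))
            continue
        if old["signed"] and not meta["signed"]:
            findings.append((build_id, f"executable lost its code signature: {name}"))
        if old["size"] > 0:
            growth = (meta["size"] - old["size"]) / old["size"]
            if growth > SIZE_GROWTH_LIMIT:
                findings.append((build_id, f"executable grew by {growth:.0%}: {name}"))
    return findings


def audit_builds(builds):
    """Run the pairwise diff over the whole history, then the churn check."""
    ordered = sorted(builds, key=_ts)
    findings = []
    for previous, current in zip(ordered, ordered[1:]):
        findings.extend(diff_builds(previous, current))
    times = [_ts(b) for b in ordered]
    for i, start in enumerate(times):
        # builds pushed within CHURN_WINDOW of this one, this one included
        burst = [b for b, t in zip(ordered[i:], times[i:]) if t - start <= CHURN_WINDOW]
        if len(burst) > CHURN_LIMIT:
            ids = [b["build_id"] for b in burst]
            findings.append((ids[-1], f"{len(burst)} builds pushed within 24 hours: {ids}"))
            break
    return findings


if __name__ == "__main__":
    for build_id, reason in audit_builds(CONSTRUCTED_BUILDS):
        print(f"build {build_id}: {reason}")
```

None of these checks knows what Vidar looks like; they only ask whether a build changed in ways a normal release should not, which is the kind of automated review the researchers suggested was possible. Each finding is a reason to hold the update for a human look, not proof of compromise: a legitimate engine upgrade will also grow the main binary, and an indie studio can push three hotfixes in a day.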

Early Access titles appear to have been particularly targeted. BleepingComputer noted that PirateFi, Chemia, and another 2025 title called Sniper: Phantom's Resolution were all Early Access games. Early Access exists specifically to allow works-in-progress onto the platform, and the implicit understanding is that the game will change frequently. Frequent updates normalize the presence of new or modified files, making malicious updates harder to detect through behavioral patterns alone.

"The frequency of these thieving games has only gone up in the past few years despite Valve's efforts to regularly combat them. It's likely that the influx of new releases overpowers the vetting system, letting a few bad apples through. In some cases, subsequent updates or patches introduce the malware, letting the base game pass Steam's checks." — Tom's Hardware, March 2026

The Real-World Damage

The FBI's victim intake form asks specifically about cryptocurrency transactions, compromised accounts, and stolen funds — which signals where investigators believe the financial impact is concentrated. Screenshots of any communications from individuals who promoted the games are also requested, suggesting the bureau wants to follow social engineering trails back to the operators.

In the BlockBlasters case, blockchain investigator ZachXBT traced roughly $150,000 in losses across 261 Steam accounts. VX-Underground put the victim count higher, at 478 accounts. The $32,000 loss experienced by streamer RastalandTV during a live cancer fundraiser was a single incident drawn from a much larger pool of victims, most of whom had no idea they had been compromised.

The theft of session cookies creates a secondary wave of damage beyond direct financial loss. When attackers have valid session cookies for a victim's email account, they can access the inbox, intercept password reset emails for other services, and work outward through the victim's entire digital life. In cases linked to PirateFi, some victims had their Microsoft accounts drained of stored funds, and were locked out when attackers disabled recovery options and blocked access to Microsoft support. The infostealer was the entry point. The cascading account takeovers were the consequence.

The use of Telegram as both a recruitment tool (PirateFi's fake job offer channel) and a malware C2 channel (Chemia's HijackLoader) is worth noting. Telegram's API-accessible infrastructure gives attackers an easily replaceable, always-on relay that does not require them to maintain dedicated servers. Law enforcement takedowns of Telegram channels do not eliminate the malware — they only sever a communication path that can be re-established in minutes by updating the resolver address.

What You Should Do Right Now

If you downloaded any of the seven identified games — BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, or Tokenova — between May 2024 and January 2026, the FBI's guidance is to report the incident even if you are unsure whether you suffered a financial loss. The intake form at the FBI's official victim services page asks for your Steam ID, the game you downloaded, the approximate download date, and details of any financial losses. The agency has stated that all victim information will be kept confidential. Victims may be entitled to restitution under federal and state law.

Beyond reporting, the practical steps are as follows.
  1. Uninstall the game if it is still present.
  2. Run a full system scan with updated antivirus software. Valve's own advice to PirateFi victims was to consider reformatting the operating system entirely if they wanted certainty.
  3. Change passwords for all accounts you accessed from the affected device after the download date, prioritizing email, banking, and any platform with stored payment methods.
  4. Explicitly log out all active sessions on each service; changing your password is not sufficient on its own. This is typically done through a security or device management page within the account settings.
  5. Enable two-factor authentication on any account that does not already have it, using an authenticator app rather than SMS where possible.
  6. Monitor bank and cryptocurrency accounts for transactions you did not initiate.

For anyone who plays games on Steam more broadly, a few practical habits significantly reduce exposure. Check the developer's history before downloading any small or unfamiliar title — a developer with no prior releases, no community presence, and a game announced only weeks before release is a pattern that appeared in multiple cases here. PirateFi's developer, Seaworth Interactive, had no verifiable online presence before the game appeared. Check community reviews and discussions, not the aggregate review score, which can be manipulated. Read what players are actually saying in the recent reviews tab. Be skeptical of any game that heavily promotes cryptocurrency or blockchain mechanics in its marketing — several of these titles used that as targeting bait.

If You Were Affected

Contact the FBI at Steam_Malware@fbi.gov or submit information through the FBI's official victim services portal. You can also reach Valve through Steam's support channels to report the incident. Do not pay any third-party service claiming it can recover stolen funds — the FBI explicitly warns against this.

Key Takeaways

  1. Platform trust is a weapon: These games worked because Steam's reputation lowered users' guard. Downloading from an official storefront does not guarantee safety, particularly for small, newly published, or Early Access titles with little community history.
  2. Post-launch updates are an attack vector: BlockBlasters was clean at launch. The malware arrived in a later update. This means even a game you installed months ago and reviewed at the time could have been modified after you last played it.
  3. Infostealers are cheap and widely available: Vidar costs roughly $300 on underground markets. The barrier to deploying sophisticated credential-theft malware is not technical skill — it is a small financial investment and a $100 Steam publishing fee. That math makes gaming platforms an increasingly attractive target.
  4. Session cookies matter as much as passwords: The theft of active session tokens can grant full account access without triggering password-based alerts or two-factor checks. Log out all active sessions on affected services, not just the device you used.
  5. The investigation is ongoing: The FBI's use of a single "threat actor" framing suggests investigators may be working toward identifying specific individuals. If you were affected, your report contributes to that effort and may qualify you for restitution.

The campaign that the FBI is now investigating did not require sophisticated zero-day exploits, nation-state resources, or vulnerabilities in Steam's own infrastructure. It required a $100 fee, a repackaged game template, a well-known infostealer available for purchase, and the reasonable assumption that a game listed on a trusted platform is probably safe to install. That assumption is no longer one you can afford to make automatically.

Sources:
  BleepingComputer — FBI seeks victims of Steam games
  TechCrunch — FBI investigating malware on Steam
  TechCrunch — Hackers planted malware in Steam game
  SECUINFRA Falcon Team — Vidar analysis
  BleepingComputer — PirateFi malware analysis
  BleepingComputer — Chemia / EncryptHub
  Trend Micro — Vidar 2.0 analysis
  Valve — Steam Direct publishing requirements
