If you were scammed by malware hiding in your Steam games, the FBI wants to hear all about it
If you are one of many who happen to have downloaded malware through Steam games in the last few years, the FBI wants to hear from you. Reported by The Times of India, the FBI has issued a public call for victims of malware on Steam to come forward. The specific games identified in this case are BlockBlasters, Chemia, Dashverse / DashFPS, Lampy, Lunara, PirateFI, and Tokenova.
As noted by the FBI, these games primarily operated between May 2024 and January 2026. If you have been affected, you can contact the FBI at "Steam_Malware@fbi.gov" to report your experience.
You can also fill out a form on the FBI site to provide your information, including your Steam ID, which game you downloaded, and when you downloaded it. It also asks if you were contacted to play the game, and how much money you lost as a result. It seems like the goal is to gather as much information as possible and link timelines, wallets, and any other related information together.
The FBI recommends never giving financial or personal information to accounts you don't know, to "treat any investment advice from people you meet online with extreme caution", do not pay any additional fees if you have been scammed, and don't pay for services that claim to recover lost funds. Basically, be very cautious online. In this case, the ability to download malware from the official Steam marketplace lent undeserved credence to the games, which could help users ignore those red flags.
In February last year, PirateFi managed to pick up over 7,000 players whilst masquerading as a free-to-play survival web3 game. In response, it was taken down, and Valve encouraged users to reformat their operating system. A Telegram account was reportedly paying users to play and moderate the game, explaining those download figures. This malware was reportedly active for six days.
Months later, in September, BlockBlasters was shared with a streamer raising money for cancer treatment, and it then took over $32,000 from their crypto wallet. That game had a malicious 'game2.bat' file injected into it a month prior, and estimates suggest hundreds of users had the game installed.
In the case of BlockBlasters, one of the perpetrators was reportedly caught sharing pictures of cars on social media, whilst linking to their YouTube and X channels. X user VX Underground reportedly identified this scammer by simply following where hacked data was sent, identifying Telegram accounts, then collecting data willingly shared on those accounts.
Though the streamer in the BlockBlasters case was reimbursed, the fact that a bad actor could inject files into a Steam update to steal users' money was certainly a worrying precedent for Valve to grapple with. The fact that the FBI is looking for information up to January this year is a sign we haven't seen active scams in a while, but these cases will no doubt be on the minds of Valve engineers going forward, and me when I open the free-to-play tab.