The FBI's Seattle Division announced this week that it's investigating seven malware-infected games that were published on Steam between May 2024 and January 2026. The games, BlockBlasters, Chemia, Dashverse, Lampy, Lunara, PirateFi, and Tokenova, were laced with Vidar, an infostealer that harvests browser passwords, cryptocurrency wallets, Discord tokens, and system data from every device that runs it.
The FBI believes a single individual published all seven titles. The investigation is active. Victims can report to Steam_Malware@fbi.gov.
That's the story everyone is covering. Here's the story they're not: how did one person run a 20-month malware campaign on the world's largest PC gaming platform, and why is the FBI the one cleaning it up instead of Valve?
The $400 Attack
The economics of this attack are almost comically accessible.
A Steam developer account costs $100. Vidar, the infostealer used in these games, is available as a malware-as-a-service product for a one-time payment of $300. That's the full investment: $400 gets you a distribution channel with over 130 million monthly active users and a ready-made credential harvester that's been actively developed since 2018.
For context, Vidar 2.0 became the most widely used infostealer among threat actors after law enforcement dismantled the Lumma stealer infrastructure in May 2025. The attacker didn't need to build custom malware. They didn't need technical sophistication. They needed a credit card and a few hours.
I wrote about this dynamic when researchers discovered VoidLink's 88,000-line AI-generated malware framework: the barrier to creating malicious tooling has collapsed. But VoidLink at least required someone to architect a complex system. The Steam attack required nothing more than purchasing off-the-shelf malware and uploading it inside a game binary. The platform did the rest.
The Update Loophole
The most concerning detail in this investigation is how BlockBlasters operated.
The game launched clean on July 30, 2025. It passed whatever vetting Steam performs at submission. Players downloaded it, left positive reviews, and recommended it to friends. Then, on August 30, the developer pushed an update that injected a cryptodrainer into the game files.
The malware-laden version stayed live on Steam for nearly two months before Valve removed it on September 21. During that window, security researchers estimate it drained over $150,000 from hundreds of accounts.
This is the update-as-attack-vector pattern, and it has no systemic fix on Steam today. Valve implemented SMS-based two-factor authentication for developer updates in October 2023, but that addressed a different problem: attackers hijacking legitimate developer accounts to push malware into existing, trusted games. It does nothing when the developer themselves is the attacker. The attacker simply authenticates with their own credentials and pushes the malicious update through the front door.
The parallel to marketplace trust failures in development tools is striking. When malicious VS Code extensions compromised 1.5 million developers earlier this year, the pattern was identical: a trusted distribution platform, minimal binary analysis, and attackers exploiting the gap between submission review and ongoing monitoring.
The Human Cost Behind the Statistics
Among those statistics is Raivo "RastalandTV" Plavnieks, a Latvian Twitch streamer battling Stage IV sarcoma. During a fundraising stream for his cancer treatment, a viewer offered a donation in exchange for playing BlockBlasters live. The game's cryptodrainer activated on his machine and drained $32,000, funds earmarked for keeping him alive.
That $32,000 was later replaced through community donations, including $32,500 from crypto influencer Alex Becker. But the incident exposes something that raw statistics obscure: infostealer campaigns don't just steal credentials. They intersect with real human vulnerability in ways that can be devastating.
How many other victims across these seven games had similarly consequential losses? The FBI is asking them to come forward, which suggests the bureau doesn't know yet.
The Platform Accountability Question
Here's where the conversation needs to shift.
Valve takes up to 30% of every transaction on Steam. In return, it provides a distribution platform, community features, DRM, and discovery. What it apparently does not provide is meaningful automated security scanning of game binaries at submission or update time.
Compare this to how mobile platforms operate. Apple's App Store runs automated static analysis, behavioral testing, and manual review on every submission and update. Google Play scans APKs for malware signatures and runs them through behavioral analysis. Neither system is perfect; malware still slips through both stores. But the baseline expectation is that the platform operator, the entity profiting from every download, invests in scanning the software it distributes.
Steam publishes over 15,000 new games per year. Valve's position has consistently been that the volume makes comprehensive review impractical. But impractical and impossible are different things, and the mobile platforms process orders of magnitude more submissions at comparable scale. Apple reviewed over 6.9 million app submissions in 2023 alone.
The question isn't whether Valve can catch every piece of malware. It's whether Valve is trying at all. When your recommended remediation for affected users is full operating system reinstallation, you're admitting the threat is severe. When seven malware-infected games survive on your platform for 20 months before the FBI steps in, you're admitting your detection capabilities are insufficient.
The Downstream Damage No One Is Discussing
The direct theft (drained crypto wallets, stolen Steam accounts) is only the beginning.
Vidar harvests browser passwords, authentication cookies, and session tokens. Every credential stolen from those seven games is now a potential entry point for downstream attacks: account takeovers on banking platforms, unauthorized access to corporate systems through reused passwords, identity theft built on harvested personal data.
This connects directly to what I covered in my analysis of the infostealer epidemic and its 149 million stolen credentials: infostealers don't just create a single breach. They feed an industrial supply chain where stolen credentials are packaged, sold, and exploited across dozens of downstream attacks. The 2025 Verizon DBIR found that 86% of breaches now involve credential theft. Every one of those seven Steam games contributed new credentials to that ecosystem.
The FBI is investigating who published the games. No one is investigating how many downstream breaches those stolen credentials have already enabled.
What Needs to Change
The fix isn't complicated in concept, even if it's expensive in execution.
Binary scanning at submission and update. Static analysis for known malware signatures and behavioral patterns should be table stakes for any platform distributing executable software to millions of users. This is solved infrastructure; the tooling exists and is actively used by Apple, Google, and enterprise software distribution platforms.
Continuous monitoring, not just submission review. The BlockBlasters pattern, clean submission followed by malicious update, means submission-time scanning alone is insufficient. Game binaries should be re-scanned with updated signatures on a rolling basis.
Transparency about detection capabilities. Valve has never publicly described what security scanning, if any, it performs on submitted games. For a platform with 130 million monthly active users, this opacity is indefensible.
Developer identity verification. A $100 fee and a Steam account are insufficient vetting for someone who will distribute executable software to millions of people. Stronger identity verification wouldn't stop all malicious actors, but it would raise the cost and create accountability.
None of this is novel. These are baseline expectations for any software distribution platform in 2026. The fact that we're discussing them as aspirational for the world's largest PC gaming platform tells you everything about where Valve's priorities have been.
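The first two items above (scan at every update, then re-scan on a rolling basis) sketched as an added example; this is not code from Valve or from the original article. The `ScanLedger` class, the build dictionaries and the app name `demo_game` are hypothetical, and the malware scanner itself is assumed to run elsewhere: this only decides which files must be scanned and when.

```python
import hashlib
from dataclasses import dataclass, field

EXEC_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF headers; other formats are out of scope here

def is_executable(blob: bytes) -> bool:
    return blob.startswith(EXEC_MAGIC)

@dataclass
class ScanLedger:
    """Tracks which signature-set version last scanned each file hash."""
    scanned: dict = field(default_factory=dict)  # sha256 hex digest -> signature version

    def gate_update(self, prev_build: dict, new_build: dict) -> list:
        """Paths in an update that must be scanned before it goes live:
        executables that are new or whose bytes differ from the live build."""
        hold = []
        for path, blob in new_build.items():
            if not is_executable(blob):
                continue
            if path not in prev_build or prev_build[path] != blob:
                hold.append(path)
        return sorted(hold)

    def record_scan(self, blob: bytes, sig_version: int) -> None:
        self.scanned[hashlib.sha256(blob).hexdigest()] = sig_version

    def rescan_queue(self, live_builds: dict, current_sig: int) -> list:
        """(app, path) pairs for live executables never scanned, or last
        scanned with an older signature set: the rolling re-scan."""
        queue = []
        for app, build in live_builds.items():
            for path, blob in build.items():
                digest = hashlib.sha256(blob).hexdigest()
                if is_executable(blob) and self.scanned.get(digest, -1) < current_sig:
                    queue.append((app, path))
        return sorted(queue)

# Constructed sample data: a clean first build and a later update of one app.
V1 = {"game.exe": b"MZ" + b"\x00" * 16 + b"v1", "assets/level1.dat": b"LVL1"}
V2 = {"game.exe": b"MZ" + b"\x00" * 16 + b"v1", "assets/level1.dat": b"LVL2",
      "tools/helper.exe": b"MZ" + b"\x90" * 16, "launch.bin": b"\x7fELF" + b"\x01" * 8}

if __name__ == "__main__":
    ledger = ScanLedger()
    for blob in V1.values():
        ledger.record_scan(blob, sig_version=1)
    print("hold for scan:", ledger.gate_update(V1, V2))
    print("rescan at sig v2:", ledger.rescan_queue({"demo_game": V2}, current_sig=2))
```

Files are classified by header bytes rather than by extension, so an executable shipped under a data-file name is still held for scanning.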
The Real Investigation
The FBI will likely identify and prosecute the person behind these seven games. That's important, and victims should absolutely report to Steam_Malware@fbi.gov.
But catching one attacker doesn't fix the structural problem. For $400, the next person can do exactly the same thing tomorrow. And the day after that. And the platform that profits from every download will continue to treat security scanning as someone else's problem.
The FBI is investigating the hacker. Someone should be investigating why the platform made it so easy.