
Cryptocurrency theft via Steam game BlockBlasters

2 unique sources, 3 articles

Summary


A verified game on Steam, BlockBlasters, was compromised to steal cryptocurrency from players. The malicious code was added to the game on August 30, 2025, and remained active until September 21, 2025. It targeted users with significant cryptocurrency holdings, leading to the theft of $150,000 from between 261 and 478 Steam accounts. An operational security failure by the attacker exposed their Telegram bot code and tokens. One victim, a gamer raising funds for cancer treatment, lost $32,000; the community has since rallied to cover the loss. Similar incidents involving other Steam games have occurred this year. The FBI is now investigating eight malicious Steam games, including BlockBlasters, and is seeking victims who installed these games between May 2024 and January 2026. The investigation focuses on cryptocurrency theft and account hijacks. The FBI is asking for screenshots of communications with the individuals who promoted the games. It is legally mandated to identify victims of the federal crimes it investigates, and identified victims may be eligible for services, restitution, and rights under federal and/or state law.

Timeline

  1. 13.03.2026 22:52 · 2 articles

    FBI investigation into multiple malicious Steam games

    The FBI is investigating eight malicious Steam games, including BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. It is seeking victims who installed these games between May 2024 and January 2026. The investigation focuses on cryptocurrency theft and account hijacks, and the FBI is asking for screenshots of communications with the individuals who promoted the games. The PirateFi game distributed the Vidar infostealer and may have affected up to 1,500 users. The FBI's Seattle Division issued a notice in mid-March 2026 calling on impacted gamers to fill out a form to assist the investigation. The notice emphasizes the FBI's mandate to identify victims and notes that victims may be eligible for services, restitution, and rights under federal and/or state law. The FBI is also investigating the use of Steam as a popular malware distribution channel, both for infostealers and for social engineering attacks that impersonate the Steam brand.

  2. 22.09.2025 12:28 · 2 articles

    Malicious update to BlockBlasters on Steam steals $150,000 from users

    On August 30, 2025, a cryptodrainer component was added to the BlockBlasters game on Steam. The malware targeted users with significant cryptocurrency holdings, identified via Twitter, and the attack resulted in the theft of $150,000 from between 261 and 478 Steam accounts. The game's dropper batch script collected Steam login information and IP addresses and uploaded them to a command-and-control (C2) server. A Python backdoor and a StealC payload were deployed alongside the batch stealer. An operational security failure by the attacker exposed their Telegram bot code and tokens. The FBI is now investigating eight malicious Steam games, including BlockBlasters, and is seeking victims who installed these games between May 2024 and January 2026. The investigation focuses on cryptocurrency theft and account hijacks.


Similar Happenings

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, that distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering to trick users into installing malicious "prerequisites". The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, adding a layer of protection for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting weaknesses in the open-source skill ecosystem. The campaign coincides with a report from OpenSourceMalware that highlights the same threat. The combination of AI agent capabilities and persistent memory amplifies the risk, enabling stateful, delayed-execution attacks.

Further findings reveal almost 400 fake crypto-trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant that can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target users of ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use social engineering to convince users to execute malicious commands that then steal crypto assets and secrets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.

Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which Bing then recommended in its AI-powered search results. The repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and the Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to turn victims' machines into proxy nodes.

Infostealer Malware Targeting Gamers via Roblox Mods

Infostealer malware is increasingly targeting gamers, particularly those using Roblox mods, to compromise corporate networks. Children and teenagers searching for free mods or performance boosters often download malicious executables that harvest credentials and session tokens, leading to enterprise breaches. This malware exploits user behavior rather than software vulnerabilities, making it a significant threat vector for identity theft and corporate access.

ownCloud urges MFA adoption following credential theft attacks

ownCloud has advised users to enable multi-factor authentication (MFA) after credential theft attacks targeted self-hosted file-sharing platforms. The attacks, involving infostealer malware like RedLine, Lumma, and Vidar, compromised credentials and accessed accounts without MFA. ownCloud confirmed no platform vulnerabilities were exploited, emphasizing the need for MFA to prevent unauthorized access. The incidents affected multiple organizations, including high-profile entities, with threat actors selling stolen corporate data. Hudson Rock reported thousands of infected computers, highlighting the widespread impact.

TikTok Videos Distribute Infostealers via ClickFix Attacks

Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.

Stealit Malware Campaign Abuses Node.js SEA Feature

A malware campaign named Stealit is actively distributing Node.js-based payloads via the Single Executable Application (SEA) feature. The malware is propagated through fake installers for games and VPN applications on file-sharing sites. The campaign offers a remote access trojan (RAT) with various capabilities, including file extraction, webcam control, and ransomware deployment. The malware performs anti-analysis checks, writes an authentication key to a temporary file, and configures Microsoft Defender exclusions to avoid detection. It targets Chromium-based browsers, messengers, cryptocurrency wallets, and game-related apps. The campaign is monetized through subscription plans for the malware's services. The threat actor has also relocated the command-and-control (C2) panel to new domains and reverted to using the Electron framework with encrypted scripts.