Twitch streamer raising money for cancer treatment has funds stolen by malware-ridden Steam game — BlockBlasters title stole $150,000 from hundreds of players
Valve has since pulled "BlockBlasters" from its marketplace.
It has been 0 days since the Steam marketplace has been used to deliver malware to unsuspecting gamers who download titles from Valve's long-running platform.
Twitch streamer Raivo "RastalandTV" Plavnieks said on Sept. 30 that over $32,000 worth of cryptocurrency—which had been donated to him to help pay for cancer treatments—was stolen after he installed a Steam game called "BlockBlasters" when someone in his stream chat recommended it to him.
"BlockBlasters" debuted on Steam in July and was malware-free until an August 30 update that, according to the independent SteamDB tracker of all things Steam, added the crypto- and credential-stealing malware. That means the game was actively being used to deliver malware for nearly a month before the RastalandTV hack.
BleepingComputer reports that RastalandTV's live hacking prompted security researchers to investigate the game. "ZachXBT" said that more than $150,000 had been stolen from 261 different Steam accounts; the "vx-underground" malware research group said it found evidence that the actual victim count was 478.
Another group of security researchers have published their breakdown of how the malware worked, how they identified the cybercriminals responsible for the operation, and how they disrupted it. (They also included a note to law enforcement saying they have "mountains of technical evidence surrounding individuals in this case" to share.)
Some of the discussion around this incident has focused on the claim that "BlockBlasters" was marked as "Verified" on Steam. To our knowledge, the only "Verified" label applied to games relates to their compatibility with the Steam Deck, which simply means that Valve has confirmed the title will run on the handheld. That doesn't necessarily imply that Valve has assessed the game's contents.
But that in no way negates the fact that Steam, a platform that millions of gamers have come to trust over several decades of operation, delivered malware used to steal hundreds of thousands of dollars worth of cryptocurrency for nearly a month. It took a high-profile, live-streamed incident for something to be done about this operation.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
"This is appalling levels of vetting," the researchers who investigated this incident said. "How can you let such brazen malware exist on your platform?"
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button!
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
vanadiel007 For Valve it's all about revenue.Reply
There are many games on their platform that use the "early access" method, generate revenue and then stop development but keep the money.
I have a whole bunch of early access games in my library that are non-functioning. Never see your money back... -
RxBrad Call me a skeptical a-hole, but "Twitch streamer raising $32k in cr y pto" was the first red flag I saw.Reply
I feel like we haven't heard the entire story.
(Heck, even Toms moderation thinks it's shifty, because I had to censor my comment to post it) -
DS426 Reply
Yeah, this appears to be a very popular business model at this point. PlayWay for example has put out dozens of these games. Develop the games just long enough to get some reviews, community chatter, etc. to get the title noticeable, and then move on to something else.vanadiel007 said:For Valve it's all about revenue.
There are many games on their platform that use the "early access" method, generate revenue and then stop development but keep the money.
I have a whole bunch of early access games in my library that are non-functioning. Never see your money back...
As for the topic of malware-infused games on Steam, I'm actually surprised this isn't a bigger issue. As I say that, I'm sure there's a handful of games that have injecting info stealers. Those are types of malware that are notoriously hard to detect. Valve doesn't evaluate every line of code; anyone thinking that Valve can completely prevent Steam games for being malware-infused don't have a sufficient grasp of computer security.
As the article mentioned, I don't think there' s a "Steam-verified" badge for games, just verification for things like compatibility with the Steam Deck. -
jlake3 Reply"This is appalling levels of vetting," the researchers who investigated this incident said. "How can you let such brazen malware exist on your platform?"
This is part of the double-edged sword to the opening up of Steam back in 2017 through “Steam Direct” (although problems were already starting to show under the earlier “Steam Greenlight” program). People had been complaining about upstart indie studios and solo devs being shut out from Steam’s growing market for lack of resources and connections, and how unfair they thought it was for indie games to be judged on quality when big studios put out some buggy, derivative games without having to prove their worthiness. As a result Steam lowered the barrier to entry to almost zero and opened the floodgates, and the system has been hammered with asset flips and scams ever since.
If malware is added in a patch rather than the initial submission, isn’t in an existing database, and only triggers if a wallet program or cookies from a crypto site are present on the victim machine (which a test machine likely wouldn’t have), I can see how it would skate through. Support should have probably acted faster, but the number is small compared to the scope of Steam and I imagine not everyone made the connection and had the evidence to back it up. -
Giroro Mostly, I'm just sad for all the people on Twitch who will never make a cent from their work.Reply -
Alvar "Miles" Udell Heh, Steam be like "Yeah, we just sell a license to use a product, not a product, so we're not responsible."Reply -
Amdlova Gaming it's almost dead. Every game take piece of your soul with some kind contract..Reply
It's why I have build a old machine... abandowares games don't need a lawyer to use it. -
atomicWAR If Valve was smart they'd cover the loss and match the donations as an apology. Valve needs to do more to ensure things like this don't happen. They need stricter rules for early access honestly. So many games never make full release and folks just waste their money for nothing. I think they need to freeze funds to a dev until the game hits 1.0 release or a dev has a proven track record for finishing games while not having issues like this malware pop up. If they hold back funds or at least a large portion therein, it would encourage devs to complete their products while decreasing the likelihood they pull schemes like this crypto/credential theft. I truly hope they ban this dev unless the dev can prove they were hacked and this wasn't their fault.Reply -
PixyMisa ReplyatomicWAR said:If Valve was smart they'd cover the loss and match the donations as an apology.
Apparently a cry pto bro jumped in and covered the loss next day, and his fans have raised more. A donation from Steam - or Gabe Newell personally - would still be welcome. -
atomicWAR Reply
Glad to hear it but yes Valve still needs to contribute. Now a simple matching of funds would go far. Regardless though Valve needs to work on their early access. I, for the most part, refuse to buy games on it as I have gotten burned before. If we are going to pay to be alpha/beta testers than Valve should protect that consumer base. If a dev fails to hit a full release on more than one occasion, they should be banned from future early access titles. If they have a malware laden game that isn't the result of the dev being hacked, again they should be banned from early access or access to the store at all for that matter.PixyMisa said:Apparently a cry pto bro jumped in and covered the loss next day, and his fans have raised more. A donation from Steam - or Gabe Newell personally - would still be welcome.