Twitch streamer raising money for cancer treatment has funds stolen by malware-ridden Steam game — BlockBlasters title stole $150,000 from hundreds of players
Valve has since pulled "BlockBlasters" from its marketplace.
It has been 0 days since the Steam marketplace has been used to deliver malware to unsuspecting gamers who download titles from Valve's long-running platform.
Twitch streamer Raivo "RastalandTV" Plavnieks said on Sept. 30 that over $32,000 worth of cryptocurrency—which had been donated to him to help pay for cancer treatments—was stolen after he installed a Steam game called "BlockBlasters" when someone in his stream chat recommended it to him.
"BlockBlasters" debuted on Steam in July and was malware-free until an August 30 update that, according to the independent SteamDB tracker of all things Steam, added the crypto- and credential-stealing malware. That means the game was actively being used to deliver malware for nearly a month before the RastalandTV hack.
BleepingComputer reports that RastalandTV's live hacking prompted security researchers to investigate the game. "ZachXBT" said that more than $150,000 had been stolen from 261 different Steam accounts; the "vx-underground" malware research group said it found evidence that the actual victim count was 478.
Another group of security researchers have published their breakdown of how the malware worked, how they identified the cybercriminals responsible for the operation, and how they disrupted it. (They also included a note to law enforcement saying they have "mountains of technical evidence surrounding individuals in this case" to share.)
Some of the discussion around this incident has focused on the claim that "BlockBlasters" was marked as "Verified" on Steam. To our knowledge, the only "Verified" label applied to games relates to their compatibility with the Steam Deck, which simply means that Valve has confirmed the title will run on the handheld. That doesn't necessarily imply that Valve has assessed the game's contents.
But that in no way negates the fact that Steam, a platform that millions of gamers have come to trust over several decades of operation, delivered malware used to steal hundreds of thousands of dollars worth of cryptocurrency for nearly a month. It took a high-profile, live-streamed incident for something to be done about this operation.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
"This is appalling levels of vetting," the researchers who investigated this incident said. "How can you let such brazen malware exist on your platform?"
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button!
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
vanadiel007 For Valve it's all about revenue.Reply
There are many games on their platform that use the "early access" method, generate revenue and then stop development but keep the money.
I have a whole bunch of early access games in my library that are non-functioning. Never see your money back... -
RxBrad Call me a skeptical a-hole, but "Twitch streamer raising $32k in cr y pto" was the first red flag I saw.Reply
I feel like we haven't heard the entire story.
(Heck, even Toms moderation thinks it's shifty, because I had to censor my comment to post it) -
DS426 Reply
Yeah, this appears to be a very popular business model at this point. PlayWay for example has put out dozens of these games. Develop the games just long enough to get some reviews, community chatter, etc. to get the title noticeable, and then move on to something else.vanadiel007 said:For Valve it's all about revenue.
There are many games on their platform that use the "early access" method, generate revenue and then stop development but keep the money.
I have a whole bunch of early access games in my library that are non-functioning. Never see your money back...
As for the topic of malware-infused games on Steam, I'm actually surprised this isn't a bigger issue. As I say that, I'm sure there's a handful of games that have injecting info stealers. Those are types of malware that are notoriously hard to detect. Valve doesn't evaluate every line of code; anyone thinking that Valve can completely prevent Steam games for being malware-infused don't have a sufficient grasp of computer security.
As the article mentioned, I don't think there' s a "Steam-verified" badge for games, just verification for things like compatibility with the Steam Deck. -
jlake3 Reply"This is appalling levels of vetting," the researchers who investigated this incident said. "How can you let such brazen malware exist on your platform?"
This is part of the double-edged sword to the opening up of Steam back in 2017 through “Steam Direct” (although problems were already starting to show under the earlier “Steam Greenlight” program). People had been complaining about upstart indie studios and solo devs being shut out from Steam’s growing market for lack of resources and connections, and how unfair they thought it was for indie games to be judged on quality when big studios put out some buggy, derivative games without having to prove their worthiness. As a result Steam lowered the barrier to entry to almost zero and opened the floodgates, and the system has been hammered with asset flips and scams ever since.
If malware is added in a patch rather than the initial submission, isn’t in an existing database, and only triggers if a wallet program or cookies from a crypto site are present on the victim machine (which a test machine likely wouldn’t have), I can see how it would skate through. Support should have probably acted faster, but the number is small compared to the scope of Steam and I imagine not everyone made the connection and had the evidence to back it up.