The discovery of a trojan hidden inside the Steam game BlockBlasters is the latest reminder that even trusted digital platforms are not immune to abuse. The free-to-play game, which had been live on the store for only a couple of months, reportedly delivered a malicious update that installed a cryptodrainer on players’ PCs. Security researchers estimate that the attack managed to steal around $150,000 in cryptocurrency before the game was removed, with one streamer alone losing over $30,000 during a live fundraising event.
While malware on PC isn’t new, the disturbing trend is that attackers are increasingly exploiting platforms like Steam as distribution hubs. Because BlockBlasters was verified and passed Steam’s checks, its malicious code went undetected until real financial damage had already occurred. According to security analysts, the malware harvested login data, located linked crypto wallets, and drained funds directly — a tactic that appears to have been reinforced by targeted spearphishing campaigns aimed at streamers and social media users known to hold digital assets. A suspect based in the U.S. has reportedly been identified through leaked Telegram chats, though authorities have yet to confirm an arrest.
This incident is the fourth major case of malware infiltrating Steam this year, raising uncomfortable questions about the platform’s security. Valve has not issued a statement, but critics argue that the company’s current verification and monitoring systems are inadequate in the face of increasingly sophisticated threats. With rivals like Epic Games Store touting tighter curation, Steam’s more open-door policy is beginning to look like a liability. For players, the message is clear: even the most trusted digital marketplaces require caution, as cybercriminals are treating them as entry points for financial theft on a massive scale.