FBI Asks Steam Players to Report Malware Hidden in Seven Games
One Steam game alone reportedly drained $150,000 in crypto from a single player's computer. The FBI now wants to hear from anyone who installed seven named titles.

Seven games on Steam were secretly harvesting players' cryptocurrency wallets, login credentials, and sensitive personal data for nearly two years, and the FBI's Seattle Division is now asking anyone who installed them to come forward.
The bureau identified the infected titles as BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The malware embedded in these games was designed to steal credentials, drain crypto wallets, and compromise digital accounts. BlockBlasters stands out as the most damaging case on record so far: the game was reportedly responsible for $150,000 in cryptocurrency stolen from a single user's infected computer.
The FBI believes a threat actor primarily targeted Steam users between May 2024 and January 2026. Not all of the games arrived on the platform already compromised. Some were clean at release and only became dangerous after an update quietly introduced the malware, making them harder to flag as suspicious. The infected titles spanned shooters and platformers, and while many attracted relatively small audiences, the damage they caused was not proportional to their popularity.
Mass notifications went out on March 12, 2026, directing affected players to a short online form and a dedicated contact address. "If you and/or your minor dependent(s) were victimized from installing one of these games or have information relevant to this investigation, please fill out this short form," the FBI notice states. Anyone aware of other potential victims is asked to direct them to Steam_Malware@fbi.gov.
The questionnaire asks for a Steam username, which games were downloaded and when, whether anyone made contact promoting the game or reached out unsolicited afterward, and whether losses occurred across bank accounts, cryptocurrency holdings, Steam inventory items, or other digital accounts. The FBI also requests screenshots of any communications with those who promoted the titles. Based on responses, investigators may follow up for additional information, and victim identities will be kept confidential. Victims may be eligible for restitution and other services under federal or state law.
Steam pulled the infected titles from the platform once the malware was discovered and advised affected players to check for malicious files, run antivirus scans, review all installed software, and consider fully reinstalling their operating system. Valve did not respond to press inquiries about the investigation.
This is not an isolated pattern. In 2025, hackers similarly managed to publish malware-laced games on Steam before they were detected and removed, pointing to a recurring vulnerability in how third-party titles get onto the platform and stay there undetected long enough to cause significant financial harm.

