Verified Steam Game BlockBlasters Steals $150,000 in Cryptocurrency Through Malicious Update
Practical Cybersecurity Lessons From The Steam Gaming Platform Breach – Trusted Software Platforms Can Hide Dangerous Malware – Protect Your Business
TL;DR: BlockBlasters, a verified Steam game, secretly installed malware that stole $150,000 in cryptocurrency from 261 accounts after a malicious patch was released in August 2025. This incident highlights why businesses must restrict unapproved software installations on company devices.
The gaming industry suffered a devastating blow when BlockBlasters, a seemingly innocent 2D platformer on Steam, transformed into a cryptocurrency-draining nightmare. What started as a legitimate game with positive reviews became one of the most sophisticated malware campaigns targeting gamers and, by extension, any business environment where employees might install unauthorized software.
The BlockBlasters incident serves as a stark reminder that cybercriminals are becoming increasingly creative in their attack methods. Rather than relying on obvious phishing emails or suspicious downloads, they’ve learned to exploit trusted platforms and legitimate software distribution channels.
The Severity and Scale of the Attack
The BlockBlasters malware campaign represents a high-severity threat that demonstrates the evolution of modern cyber attacks. What started as a single compromised game quickly escalated into a global cryptocurrency theft operation affecting hundreds of victims.
- Financial Impact: Crypto investigator ZachXBT reported that perpetrators stole an estimated $150,000 from 261 separate Steam accounts
- Victim Count: VXUnderground documented an even higher victim count, identifying 478 affected users across multiple countries
- High-Profile Cases: Video game streamer Raivo Plavnieks lost over $32,000 during a live cancer treatment fundraising broadcast
- Targeted Approach: Attackers used Twitter to identify victims who publicly managed significant cryptocurrency holdings
- Platform Exploitation: The campaign exploited Steam’s trusted verification system to distribute malware through legitimate channels
This sophisticated operation combined social engineering with technical exploitation, proving that even verified software platforms can become vectors for large-scale cybercrime.
How the Exploit Was Executed
The BlockBlasters attack showcased remarkable sophistication through a carefully orchestrated multi-stage malware deployment. The attackers waited over a month after the game’s initial release to implement their malicious payload, allowing the title to build credibility and positive reviews.
- Timeline Strategy: The game was safe from July 30 to August 30, when Build 19799326 introduced the cryptodrainer component
- Multi-Stage Process: The attack began with a batch file (game2.bat) collecting IP addresses, location data, and Steam login credentials
- Evasion Techniques: The malware checked which antivirus products were installed and proceeded only when Windows Defender was the sole product detected
- Hidden Payloads: Used password-protected archives (password “121”) to conceal malicious executables from detection
- System Compromise: Added malware folders to Microsoft Defender exclusion lists and deployed VBS loader scripts
- Data Exfiltration: Uploaded collected information to command and control servers while maintaining game functionality
- Persistence Mechanisms: Established backdoor access through Python-compiled executables and the StealC stealer malware
The technical implementation demonstrated advanced knowledge of Windows security systems and successful exploitation of Steam’s patch distribution mechanism.
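The chain listed above (a batch script launched from the game folder, a Defender exclusion being added, a password-protected archive being unpacked, then a VBS loader) is visible in ordinary endpoint telemetry. The following detector is an added example written for this article, not code from the original write-up or from any vendor; the log lines are constructed to resemble Sysmon process-creation events and Windows Defender configuration-change events (Event ID 5007), and the field layout, file paths and rule names are assumptions for illustration.

```python
"""Added example: flag the BlockBlasters-style behaviour chain in endpoint logs.

Assumptions (not from the article): log lines are one event per line in a
Sysmon-like "Key=Value" layout; Defender exclusion changes surface as
Event ID 5007 entries naming an "Exclusions\\Paths" registry value.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # which behaviour rule matched
    line_no: int    # 1-based line in the scanned log
    detail: str     # truncated copy of the matching line for the analyst


# Constructed sample telemetry: one benign game launch, the four suspicious
# steps described in the article, and one unrelated benign process.
SAMPLE_LOG = r"""
2025-08-30T18:02:11Z Sysmon EventID=1 Image=C:\Program Files (x86)\Steam\steamapps\common\BlockBlasters\BlockBlasters.exe ParentImage=C:\Program Files (x86)\Steam\steam.exe
2025-08-30T18:02:12Z Sysmon EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c C:\Program Files (x86)\Steam\steamapps\common\BlockBlasters\game2.bat" ParentImage=C:\Program Files (x86)\Steam\steamapps\common\BlockBlasters\BlockBlasters.exe
2025-08-30T18:02:13Z Defender EventID=5007 Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Tools = 0x0
2025-08-30T18:02:14Z Sysmon EventID=1 Image=C:\Program Files\7-Zip\7z.exe CommandLine="7z.exe x -p121 payload.zip -oC:\Users\Public\Tools" ParentImage=C:\Windows\System32\cmd.exe
2025-08-30T18:02:15Z Sysmon EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\Public\Tools\loader.vbs" ParentImage=C:\Windows\System32\cmd.exe
2025-08-30T18:05:00Z Sysmon EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" ParentImage=C:\Windows\explorer.exe
""".strip("\n")

# Each rule targets one step of the described chain. Patterns are
# case-insensitive; backslashes are doubled because they are regex escapes.
RULES: list[tuple[str, re.Pattern[str]]] = [
    # Windows Defender configuration change that touches an exclusion list.
    ("defender_exclusion_added",
     re.compile(r'EventID=5007.*Exclusions\\(Paths|Processes|Extensions)', re.I)),
    # cmd.exe running a .bat that lives under a Steam game directory.
    ("batch_from_steam_game_dir",
     re.compile(r'Image=\S*\\cmd\.exe.*CommandLine="[^"]*steamapps\\common\\[^"]*\.bat', re.I)),
    # Archive tool invoked with an inline password switch (-p...).
    ("archive_extracted_with_password",
     re.compile(r'(7z|7za|winrar|rar)\.exe[^"]*CommandLine="[^"]*\s-p\S+', re.I)),
    # Script host executing a .vbs file with cmd.exe as its parent.
    ("script_host_from_cmd",
     re.compile(r'Image=\S*\\(wscript|cscript)\.exe.*\.vbs.*ParentImage=\S*\\cmd\.exe', re.I)),
]


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in log order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_name, line_no, line[:80]))
    return findings


def triage(findings: list[Finding]) -> str:
    """Escalate when several distinct steps of the chain appear together.

    A lone exclusion change is noisy (admins do it); an exclusion change
    plus two or more other chain steps is what the article describes.
    """
    rules_hit = {f.rule for f in findings}
    if "defender_exclusion_added" in rules_hit and len(rules_hit) >= 3:
        return "high"
    if rules_hit:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    print("severity:", triage(hits))
```

Run against the embedded sample, the scanner reports the four suspicious lines and `triage` returns `high`; the benign game launch and the notepad event produce nothing. In practice the same rules would be fed from Sysmon or Defender operational logs, and the correlation window in `triage` would be bounded by time and host rather than by a single file.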
Who Was Behind the Attack
Investigation into the BlockBlasters incident has revealed significant details about the threat actors, though the case demonstrates both sophisticated planning and critical operational security failures. Security researchers have made substantial progress in identifying the cybercriminals responsible for this cryptocurrency theft operation.
- Operational Security Failures: Attackers left Telegram bot code and authentication tokens exposed during their campaign
- Geographic Location: Open-source intelligence experts identified the primary threat actor as an Argentinian immigrant residing in Miami, Florida
- Social Media Exposure: Poor operational security included sharing personal information through social media platforms and communication channels
- Technical Sophistication: Despite security failures, attackers demonstrated advanced knowledge of malware deployment and Steam platform exploitation
- Financial Motivation: Campaign specifically targeted cryptocurrency holders identified through Twitter activity and social media presence
- Campaign Duration: Maintained malicious operations for several weeks while avoiding Steam’s security screening processes
The combination of technical expertise and poor operational security ultimately led to the threat actors’ identification, highlighting that even sophisticated cybercriminals can make critical mistakes.
Who Is at Risk
The BlockBlasters incident exposes vulnerabilities that extend far beyond individual gamers to encompass virtually any organization that allows unrestricted software installations. The attack’s success through a trusted platform demonstrates that traditional security assumptions no longer provide adequate protection.
- Houston Area Businesses: Companies allowing employees to install entertainment software or games on company devices face immediate risk
- Remote Workforce: Organizations with work-from-home policies where employees may use business devices for personal activities
- Financial Services: Businesses in cryptocurrency, banking, or investment sectors face heightened targeting due to valuable digital assets
- Small to Medium Enterprises: Organizations lacking comprehensive endpoint security solutions and strict software installation policies
- Technology Companies: Firms with employees who regularly download development tools, games, or software from various platforms
- Healthcare Organizations: Medical facilities where staff may install unauthorized applications on systems containing sensitive patient data
- Educational Institutions: Schools and universities where students and faculty install software on institution-owned devices
This incident proves that cybercriminals are successfully exploiting trusted software distribution channels, making it impossible for end users to distinguish between legitimate and malicious applications without proper security controls.
How CinchOps Can Help Secure Your Business
CinchOps understands that preventing incidents like the BlockBlasters attack requires a comprehensive approach to cybersecurity that goes beyond traditional antivirus solutions. Our managed services provider approach ensures that your organization has the robust security infrastructure necessary to prevent unauthorized software installations while maintaining productivity. We implement enterprise-grade endpoint protection that can detect and block sophisticated malware campaigns before they compromise your systems.
- Application Control and Whitelisting: We establish comprehensive policies that prevent unauthorized software installations while ensuring legitimate business applications remain accessible
- Network Security Monitoring: Our SD-WAN and network security solutions provide real-time monitoring for suspicious activities and unauthorized connections to command and control servers
- Cybersecurity Awareness Training: We educate your employees about the latest threat vectors and social engineering tactics used by cybercriminals
- Incident Response Planning: Our team develops and implements comprehensive incident response procedures to minimize damage when security events occur
- Managed IT Support: We provide 24/7 monitoring and support to ensure your systems remain secure and compliant with industry best practices
- VOIP Security: We secure your communication systems to prevent them from being compromised as part of broader attack campaigns
CinchOps serves as your dedicated cybersecurity partner, providing the expertise and resources that small and medium-sized businesses in Houston need to defend against sophisticated threats. Our computer security solutions are designed specifically for organizations that require enterprise-level protection without the complexity of managing it internally.
Discover More
Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: The 2025 Midyear Cyber Risk Report: Houston Businesses Face Evolving Ransomware Threats
For Additional Information on this topic: BlockBlasters Steam Game Downloads Malware to Computer Disguised as Patch