The FBI is investigating seven Steam games that secretly installed malware. The agency's Seattle Division published a victim identification notice on March 12, 2026, naming BlockBlasters, Chemia, Dashverse (also listed as DashFPS), Lampy, Lunara, PirateFi, and Tokenova. The FBI believes one threat actor published all seven titles between May 2024 and January 2026.
Valve has removed all seven games from the Steam store. The FBI's questionnaire focuses on cryptocurrency theft, compromised accounts, and stolen funds, indicating the investigation centers on financial crimes rather than just data harvesting. Agents are asking victims to share their Steam username, installed game versions, and screenshots of any communications with people who promoted the games.
Each title functioned as a Trojan horse. The games were playable, some built from a commercial template called Easy Survival RPG (licensed for $399 to $1,099), but their real purpose was to deploy infostealer malware once launched. The malicious code harvested browser cookies, saved passwords, cryptocurrency wallet keys, two-factor authentication codes, and session tokens. Stolen session tokens let attackers bypass passwords and 2FA entirely, hijacking email, social media, and financial accounts without triggering login alerts.
The FBI confirmed to BleepingComputer that all victim identities will remain confidential. Victims may be eligible for restitution under federal or state law. The agency verified that the victim portal and the email notification sent on March 12, 2026, are official channels.
BlockBlasters produced the most visible damage. The free-to-play 2D platformer appeared on Steam between July and September 2024. It initially passed Valve's checks as a clean build, but a patch on August 30 introduced cryptodrainer malware.
On September 21, 2025, Twitch streamer Raivo Plavnieks (RastalandTV) downloaded BlockBlasters during a livestream. Plavnieks, who was fundraising for stage-4 cancer treatment through the Solana-based platform Pump.fun, lost $32,000 in creator fees when his wallet was drained live on camera. Tom's Hardware reported that BlockBlasters stole over $150,000 from hundreds of players in total before Valve pulled it.
My life was saved for whole 24 hours until someone tuned in my stream and got me to download verified game on Steam. After this I was drained for over 32,000 USD of my creator fees.
— Raivo Plavnieks, Twitch streamer, posted publicly after the theft
PirateFi was the second most documented case. The survival game was available on Steam from February 6 to February 12, 2025, and approximately 1,500 users downloaded it before removal. SECUINFRA's Falcon Team identified the payload as a variant of Vidar, an infostealer that first appeared in 2018 and operates as malware-as-a-service on underground forums. The malware ran as Howard.exe from the user's AppData/Temp directory, and SECUINFRA concluded PirateFi was never a legitimate game but a purpose-built delivery vehicle for Vidar.
If you are one of the players who downloaded this game, consider the credentials, session cookies, and secrets saved in your browser, email client, cryptocurrency wallets compromised.
— Marius Genheimer, malware researcher at SECUINFRA's Falcon Team, posted after analyzing PirateFi's code
Vidar uses a two-stage command-and-control (C2) approach. The malware connects first to "dead drop resolvers" hosted on legitimate platforms like Telegram and Steam user profiles, which store the IP address of the real C2 server. SECUINFRA found the attackers rotated C2 IPs and changed obfuscation techniques across multiple PirateFi builds, suggesting an operator with ongoing access to Vidar's MaaS infrastructure. The remaining five games on the FBI's list (Chemia, Dashverse/DashFPS, Lampy, Lunara, Tokenova) have received less public analysis, but the FBI's use of "threat actor" in the singular suggests all seven titles trace back to the same suspect.
The pattern of trojanized Steam games has accelerated since 2024. Valve removed Sniper Phantom's Resolution Demo after users reported suspicious installer behavior. G DATA Software documented the BlockBlasters infection chain in September 2025. Kaspersky flagged similar trojans targeting gamers across PC platforms. The frequency has risen despite Valve's vetting process, in part because attackers submit clean builds for review and inject malware through subsequent patches, a technique BlockBlasters demonstrated clearly.
Valve confirmed to affected users by email that the FBI's notice and victim portal are legitimate. The company encouraged players who downloaded DashFPS to visit the FBI's page and fill out the survey. Valve did not respond to questions from BleepingComputer or TechCrunch about the investigation's scope or its own review processes.
Players who installed any of the seven games should treat their system as compromised. Remove the game, run a full antivirus scan, and change passwords for every account accessed from that machine, starting with email, banking, and cryptocurrency wallets. Move crypto funds to a fresh wallet with new seed phrases generated on a clean device. Revoke all active sessions and reset Steam Guard credentials.
The FBI's victim reporting form is at forms.fbi.gov/victims/Steam_Malware. Additional tips can be sent to Steam_Malware@fbi.gov. Anyone who fills out the form may be contacted by an FBI agent for a follow-up interview.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
