Steam might be the most popular digital store for PC gaming, but its popularity is also what makes it an increasingly attractive target for cybercriminals. The latest security scare comes from BlockBlasters, a free-to-play game that was available on the platform earlier this year. While it seemed like a harmless 2D title, researchers discovered that a recent update had hidden malicious code capable of stealing sensitive information and draining cryptocurrency wallets. Before it was pulled from Steam, the malware had already siphoned off an estimated $150,000 from hundreds of victims.
Reports suggest that BlockBlasters was originally vetted and even verified by Steam, which makes the post-launch insertion of malware all the more concerning. Victims included everyday gamers as well as high-profile streamers, one of whom reportedly lost more than $30,000 during a cancer charity stream. According to BleepingComputer, the malicious update contained a “cryptodrainer” program that not only targeted Steam credentials but also searched for linked cryptocurrency accounts. Investigators believe that the attackers also deployed spearphishing tactics against influencers and crypto enthusiasts to maximize their take.
For Valve, this incident highlights a growing problem. BlockBlasters marks the fourth malware-laced title discovered on Steam in 2025, following earlier outbreaks in February, March, and July. Despite its scale and reputation, Steam’s current security measures seem ill-equipped to prevent malicious updates from slipping through the cracks. With no official comment yet from Valve, concerns are mounting over whether users can continue to trust even verified games on the store. Unless stronger protections are put in place, Steam risks becoming not just the biggest PC gaming platform, but also one of the most lucrative hunting grounds for cybercriminals.
