Steam has delisted the game BlockBlasters, published by a developer using the name Genesis Interactive, after researchers uncovered a malicious update that deployed an info‑stealer and backdoor. The campaign led to losses of at least $150,000 and impacted hundreds of users, with one high‑profile victim—streamer RastalandTV—losing $32,000 in donations raised for cancer treatment after installing the game on stream.
Timeline: malicious update and removal from Steam
According to SteamDB, BlockBlasters was available from 30 July to 21 September 2025. Until 30 August, the title appeared benign; a subsequent update introduced a payload aimed at stealing cryptocurrency and account credentials. Steam has since removed the game, though archival references remain in monitoring databases.
Attack chain: dropper, StealC infostealer, and Python backdoor
Security analysis of the game package revealed a batch dropper that first performed anti‑virtualization and anti‑analysis checks to evade sandboxes. It then harvested the victim’s Steam login data alongside their IP address and exfiltrated this information to a remote command‑and‑control server.
Researchers at G DATA additionally observed a Python backdoor and the StealC info‑stealer. StealC is known for extracting stored secrets from web browsers (such as passwords, cookies, and autofill data) and from selected desktop cryptocurrency wallets, enabling attackers to hijack sessions and drain funds. In plain terms, a dropper is the initial script that plants malware, while an info‑stealer like StealC quietly copies saved credentials and wallet data; both then send the loot to the attacker’s server.
Impact and targeting: streamers and crypto holders in focus
Blockchain analyst ZachXBT estimates losses of at least $150,000 across 261 Steam users. The VXUnderground community reported up to 478 potentially compromised accounts and shared affected nicknames, urging immediate password resets and stronger account protection.
The adversaries reportedly used targeted social engineering. They searched the social network X (formerly Twitter) for users publicly associated with crypto assets, contacted them via direct messages, and suggested installing the game—often asking for on‑stream promotion to maximize reach and pressure. During a live session, RastalandTV installed the title and subsequently lost $32,000 in donations. Following the incident, crypto influencer Alex Becker transferred $32,500 to the streamer’s secure wallet, while the associated GoFundMe campaign, previously at 58% of its goal, accelerated.
Operator mistakes and ongoing investigation
The campaign’s operators committed several operational security errors. Parts of a Telegram bot’s code and access tokens were exposed publicly. Open‑source intelligence enthusiasts suggest the evidence may point to an Argentinian immigrant residing in Miami, and claim to have relayed findings to U.S. authorities. These assertions require official confirmation by law enforcement and should be treated as preliminary.
Steam malware in 2025: growing platform risk
BlockBlasters marks the fourth notable malware incident linked to the Steam ecosystem in 2025. Earlier in the year, Steam removed Sniper: Phantom’s Resolution and PirateFi, and an info‑stealer was found in Chemia in July. The trend underscores structural risks in content moderation, especially around post‑release updates that can introduce malicious changes after initial review. For marketplaces, this elevates the need for continuous monitoring, rapid takedowns, and tight telemetry sharing with the security community.
Practical defense: securing Steam and crypto environments
The primary risk arises when unknown executables run on systems where Steam, exchanges, or crypto wallets are already authenticated. To reduce exposure: 1) enable Steam Guard and mandatory 2FA everywhere possible; 2) separate gaming from finance—store wallet seed phrases offline and transact on an isolated device or OS profile; 3) avoid installing games from unsolicited DMs or just before a livestream; 4) rotate strong, unique passwords and use a reputable password manager; 5) on compromise suspicion, log out of all sessions, reset passwords, revoke application tokens, and scan with an updated antivirus or EDR.
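As an added example for step 5 (not code from the article or from the researchers it cites), the helper below parses Steam's config/loginusers.vdf, whose key layout is assumed here from its publicly known form and filled with constructed sample content, and lists the accounts whose login Steam remembered on disk: those are the accounts a stealer that copies Steam login data could take over, so they get reset and revoked first. On a real host, read the file from the Steam install's config folder and pass its text to remembered_accounts().

```python
import re

# Constructed sample of Steam's config/loginusers.vdf. Key names follow the
# file's publicly known layout (assumed here); the IDs and names are made up.
SAMPLE_LOGINUSERS_VDF = r'''
"users"
{
    "76561190000000001"
    {
        "AccountName"        "streamer_main"
        "RememberPassword"   "1"
        "AllowAutoLogin"     "1"
    }
    "76561190000000002"
    {
        "AccountName"        "alt_account"
        "RememberPassword"   "0"
        "AllowAutoLogin"     "0"
    }
}
'''

# A VDF token is either a quoted string (with backslash escapes) or a brace.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])')

def parse_vdf(text: str) -> dict:
    """Minimal parser for Valve's KeyValues (VDF) text: "k" { ... } and "k" "v"."""
    tokens = iter(m.group(1) if m.group(1) is not None else m.group(2)
                  for m in _TOKEN.finditer(text))

    def parse_block() -> dict:
        block = {}
        for key in tokens:
            if key == "}":            # closes the current block
                break
            value = next(tokens, None)
            if value is None:         # truncated input: key without a value
                break
            block[key] = parse_block() if value == "{" else value
        return block

    return parse_block()

def remembered_accounts(vdf_text: str) -> list:
    """Accounts whose login Steam kept on disk (RememberPassword or AllowAutoLogin
    set); these need a password reset and session revocation first after a stealer."""
    users = parse_vdf(vdf_text).get("users", {})
    return sorted(u["AccountName"] for u in users.values()
                  if u.get("RememberPassword") == "1" or u.get("AllowAutoLogin") == "1")
```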
The BlockBlasters case is a reminder that game distribution platforms are attractive delivery channels for malware, particularly in targeted operations against visible crypto holders and creators. Users should strengthen operational hygiene and treat unsolicited “promo” opportunities with caution. Platforms, in turn, should harden update pipelines and prioritize rapid response to researcher reports to shrink attackers’ dwell time.