The FBI’s Seattle Division is actively seeking victims of eight malicious Steam games distributed between May 2024 and January 2026, with a focus on cryptocurrency theft and account compromise. The campaign involved multiple malware families, including the Vidar infostealer, the HijackLoader first-stage loader, and EncryptHub’s custom Fickle Stealer, with estimated losses of approximately $150,000 from the BlockBlasters case alone and hundreds of victims across the named titles. The investigation highlights how threat actors exploited consumer trust in an established gaming platform to deploy credential-harvesting and crypto-drainer tooling at scale.
The FBI’s public victim outreach confirms what threat intelligence researchers flagged across 2024 and 2025: Steam was systematically abused as a malware distribution channel, not through a single opportunistic campaign but through at least eight malicious game listings spanning nearly two years. The FBI’s questionnaire focuses specifically on cryptocurrency theft and account hijacks, indicating investigators have already established a financial crime nexus and are now building victim counts to support prosecution. The named games, BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova, span different genres and release windows, suggesting either multiple threat actors using Steam opportunistically or a single coordinated campaign testing different social engineering lures across game categories.
The technical tradecraft across these cases shows deliberate layering. The Chemia game, attributed to the threat actor EncryptHub, deployed HijackLoader as a first-stage loader to retrieve Vidar, and also installed EncryptHub’s proprietary Fickle Stealer. This two-stealer approach, a commodity tool plus a custom payload, is consistent with threat actors who want both broad credential harvesting (Vidar’s established C2 infrastructure) and a bespoke capability that is harder to detect and attribute. Fickle Stealer targets credentials, browser data, cookies, and cryptocurrency wallets, meaning a single infection could yield session tokens for enterprise SaaS platforms, not just personal accounts. The BlockBlasters case introduced crypto-drainer malware after upload: the game passed Steam’s initial review as clean software and was later modified to carry the malicious payload, indicating the threat actor understood when Steam’s verification happens and timed the change to land after it.
The victim count discrepancy in the BlockBlasters case is worth noting. Blockchain investigator ZachXBT estimated 261 victims with approximately $150,000 stolen; researcher VX-Underground later reported 478 victims. This gap likely reflects different counting methodologies (on-chain transactions versus endpoint or account telemetry) and suggests the true victim population across all eight games could be significantly higher than current public estimates. The FBI’s outreach to individuals with minor dependents who installed these games also suggests the agency has evidence of shared household device compromise, broadening the potential scope beyond the individual gamer who ran the installer.
For enterprise security teams, the direct threat vector is personal device risk that crosses into corporate exposure. Employees who installed these games on home machines running browser profiles synced to work accounts, or on machines used for VPN access, may have unknowingly handed attackers valid session cookies or credentials for enterprise environments. Vidar and Fickle Stealer both target browser-stored credentials and cookies; a stolen session cookie lets an attacker replay an already-authenticated session, so MFA is never prompted for as long as that token remains valid. The FBI’s focus on cryptocurrency theft should not obscure the broader credential exposure risk that infostealers of this class represent. Security teams should treat this as a credential hygiene event and consider whether recent unexplained account access anomalies warrant re-investigation.
A significant gap in the available reporting is the absence of specific IOC hashes, C2 infrastructure, or network indicators for the Fickle Stealer or the HijackLoader variants used in the Chemia campaign. The FBI notice does not publish technical indicators, and Valve has not responded publicly. Until EncryptHub’s infrastructure is more fully documented in public threat intelligence feeds, hunting for Fickle Stealer activity requires behavioral detection rather than signature-based approaches, specifically watching for browser data exfiltration patterns, credential store access, and anomalous outbound connections from gaming-adjacent processes.
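The behavioral hunt described above can be expressed as a small set of lineage-aware rules. The following is an added example written for this page, not code from the FBI notice, from any vendor, or from EncryptHub research; it runs over a constructed, EDR-agnostic event stream (process start, file access, network connect events as dicts) that you would map your own Sysmon or EDR telemetry onto. The game name `ExampleGame`, the `steamapps\common` path marker, the credential-store and wallet path globs, the Steam host allowlist, and the availability of file-read telemetry are all assumptions; none of these names appear in the source reporting.

```python
"""
Hunt for infostealer behaviour launched from a Steam game install directory.

Added example for this article, not original or vendor code. Event schema is a
constructed, EDR-agnostic shape; map real telemetry (Sysmon, EDR) onto it.
"""
import fnmatch
from collections import namedtuple

Alert = namedtuple("Alert", "rule pid image detail")

# Browser credential/cookie stores and wallet locations that Vidar-class stealers
# read. Matched case-insensitively. Assumed list; extend for your fleet.
SENSITIVE_FILE_GLOBS = [
    r"*\google\chrome\user data\*\login data",
    r"*\google\chrome\user data\*\network\cookies",
    r"*\microsoft\edge\user data\*\login data",
    r"*\mozilla\firefox\profiles\*\logins.json",
    r"*\mozilla\firefox\profiles\*\cookies.sqlite",
    r"*\mozilla\firefox\profiles\*\key4.db",
    r"*\exodus\*",
    r"*\electrum\wallets\*",
]

# Hosts a game process is expected to reach. Assumed allowlist; add the game's
# own backend before treating unexpected-egress hits as alerts rather than leads.
EXPECTED_HOST_SUFFIXES = (".steampowered.com", ".steamcontent.com", ".steamcommunity.com")

STEAM_GAME_DIR_MARKER = "\\steamapps\\common\\"  # assumed default install layout


def is_steam_game_path(image):
    return STEAM_GAME_DIR_MARKER in image.lower()


def matches_sensitive(path):
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, g) for g in SENSITIVE_FILE_GLOBS)


def host_expected(host):
    h = host.lower()
    return any(h == s[1:] or h.endswith(s) for s in EXPECTED_HOST_SUFFIXES)


def hunt(events):
    """Return Alerts for processes whose parent chain starts under steamapps\\common."""
    parent_of, image_of, alerts = {}, {}, []

    def steam_rooted(pid):
        # Walk the parent chain; stop when the chain leaves captured telemetry.
        seen = set()
        while pid in image_of and pid not in seen:
            seen.add(pid)
            if is_steam_game_path(image_of[pid]):
                return True
            pid = parent_of.get(pid)
        return False

    for ev in events:  # events assumed time-ordered so lineage is known first
        kind = ev["type"]
        if kind == "process_start":
            parent_of[ev["pid"]], image_of[ev["pid"]] = ev["ppid"], ev["image"]
            # Rule 1: a game process spawns a binary that lives outside its install dir.
            if ev["ppid"] in image_of and is_steam_game_path(image_of[ev["ppid"]]) \
                    and not is_steam_game_path(ev["image"]):
                alerts.append(Alert("steam_game_spawns_external_binary", ev["pid"], ev["image"], ev["image"]))
        elif kind == "file_access":
            # Rule 2: anything in the game's lineage touches a credential store or wallet.
            if steam_rooted(ev["pid"]) and matches_sensitive(ev["path"]):
                alerts.append(Alert("steam_lineage_reads_credential_store", ev["pid"], image_of.get(ev["pid"], "?"), ev["path"]))
        elif kind == "net_connect":
            # Rule 3: the lineage talks to a host that is not Steam infrastructure.
            if steam_rooted(ev["pid"]) and not host_expected(ev["host"]):
                alerts.append(Alert("steam_lineage_unexpected_egress", ev["pid"], image_of.get(ev["pid"], "?"), ev["host"]))
    return alerts


# Constructed sample telemetry: a game that drops and runs a stealer, plus a benign
# Chrome read of its own Login Data that must not fire. 203.0.113.7 is TEST-NET-3.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": r"C:\Program Files (x86)\Steam\steam.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": r"C:\Program Files (x86)\Steam\steamapps\common\ExampleGame\ExampleGame.exe"},
    {"type": "net_connect", "pid": 200, "host": "api.steampowered.com"},
    {"type": "process_start", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"type": "file_access", "pid": 300, "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "net_connect", "pid": 300, "host": "203.0.113.7"},
    {"type": "process_start", "pid": 400, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_access", "pid": 400, "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.rule}: pid={a.pid} image={a.image} detail={a.detail}")
```

Rules 1 and 2 are the high-signal pair: a game that spawns a binary from a temp directory which then opens a browser credential store has very few benign explanations. Rule 3 will fire on any game with its own backend, so treat it as a lead to enrich with the destination's reputation rather than a blocking rule, and note that all three depend on process-start events being retained long enough to rebuild lineage.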
- Takeaway 1: Review authentication logs for accounts that may have been accessed from personal devices between May 2024 and January 2026; Vidar and Fickle Stealer both harvest browser-stored credentials and session cookies, and a replayed session cookie never triggers an MFA prompt.
- Takeaway 2: The BlockBlasters case proves clean-at-upload software can be weaponized after review; treat gaming platform binaries as untrusted code and enforce application allowlisting on any device with access to corporate resources.
- Takeaway 3: EncryptHub’s use of HijackLoader plus a custom stealer (Fickle Stealer) signals a threat actor investing in proprietary tooling; generic AV signatures for Vidar alone will not catch the full infection chain.
- Takeaway 4: Employees who installed any of the named games (BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, Tokenova) should be treated as potentially compromised; rotate credentials and invalidate sessions promptly across all accounts accessible from those devices.
- Takeaway 5: Report confirmed victims or relevant information to Steam_Malware@fbi.gov; FBI victim identification supports prosecution and may yield additional IOCs or infrastructure details as the investigation progresses.