A cancer-stricken streamer’s charity drive turned into a nightmare after a Steam-verified indie game stole more than $32,000 in cryptocurrency. The game, a retro-style 2D platformer called BlockBlasters, looked like a harmless indie hidden gem. But a patch hid a secret malicious update that drained victims’ digital wallets unnoticed.
BlockBlasters was first released on Steam on July 30 and remained available for almost two months before it was taken down. It even gathered 221 Very Positive reviews according to Wayback Machine. But, as noted by malware repository vx-underground and GDATA cybersecurity firm, developer Genesis Interactive pushed a malicious update on August 30. It secretly added a ‘cryptodrainer’ component that’s able to siphon cryptocurrency wallets from any PC with BlockBlasters installed.
The attack only came to light during a live fundraising stream by Latvian streamer Raivo ‘RastalandTV’ Plavnieks. Suffering from Stage-4 Sarcoma cancer, the content creator was collecting donations to pay for his life-saving treatment. However, viewers watched in shock as Plavnieks realized his crypto wallet had been emptied mid-broadcast.
“I am broken now,” Plavnieks sobbed uncontrollably as his friends tried to console him. “[…] My life was saved for the whole 24 hours until someone tuned in my stream and got me to download a verified game on @Steam,” quoting BleepingComputers. ZachXBT, a crypto investigator, told the site that a total of $150,000 might’ve been stolen from 261 different Steam accounts.
According to its report, GDATA had flagged the August patch and reported it to Steam early this month. However, BlockBlasters was still available to be bought and downloaded until after the theft became viral on September 21.
The attackers lured crypto holders by offering paid promotion to play the ‘demo’ live using hijacked X accounts, based on vx-underground’s findings. Interestingly, investigators managed to discover one of the threat actors’ Telegram credentials barely hidden inside the malware update. Within minutes after the discovery was made public, however, the Telegram group and its members were scrubbed from the internet.
“Who are these people and why do they target cancer patients?” the cybersecurity site’s X account asked.
Early this year, a game called PirateFi was pulled after a similar compromise slipped malicious code into an update. Unlike the BlockBlasters case, though, Steam moved faster. It sends warning emails to anyone who installed the game, urging a full antivirus scan and even recommending a complete OS reformat. In 2023, NanoWar: Cells VS Virus suffered a comparable breach when its developer’s Steam account was hijacked and used to push malware.
Despite this massive loss, the crypto community rallied. Influencer Alex Becker sent $32,500 to a safe cryptowallet to cover the stolen treatment funds. Meanwhile, a GoFundMe for Plavnieks has already surpassed 66% of its target.
Valve has yet to issue a detailed statement on how the malicious update slipped through its checks. And seeing that this is no isolated case, this case definitely raised urgent questions about the safety of Steam’s verification system.
