Raivo Plavnieks, a video game streamer fundraising for cancer treatment, lost over $32,000 in cryptocurrency after downloading a compromised, verified game named BlockBlasters from the Steam platform.
Published by Genesis Interactive, BlockBlasters was a free-to-play 2D platformer available on Steam from July 30 to September 21. The game, which had accumulated hundreds of ‘Very Positive’ reviews, was altered on August 30 when a cryptodrainer component was added. The malicious software was discovered after Plavnieks, a streamer known as RastalandTV, downloaded the verified game during a live broadcast to raise funds for his treatment for stage 4 high-grade sarcoma.
“For anybody wondering what is going on with $CANCER live stream… my life was saved for the whole 24 hours until someone tuned in my stream and got me to download a verified game on @Steam,” Plavnieks stated after the theft.
The attack drained more than $32,000 from the Latvian gamer’s cryptocurrency wallet, impacting funds intended for his medical care. In addition to his streaming fundraisers, Plavnieks had established a GoFundMe campaign to receive donations, which was at 58% of its financial goal at the time of the incident. Following the public disclosure of the theft, crypto influencer Alex Becker confirmed that he sent $32,500 to a new, secure wallet for Plavnieks, an amount intended to cover the full sum that was stolen.
The attack’s scope extended beyond this single incident. Crypto investigator ZachXBT reported to BleepingComputer that the perpetrators stole an estimated total of $150,000 from 261 separate Steam accounts. The security group VXUnderground, which also monitored the malicious campaign, documented a higher victim count, identifying 478 affected users. VXUnderground subsequently published a list of the compromised usernames and issued a public warning urging all individuals on the list to immediately reset their account passwords to prevent further unauthorized access.
Research into the attack indicates that the victims were not chosen at random. Reports suggest the attackers specifically targeted individuals after identifying them on Twitter as managers of significant cryptocurrency holdings. These users were then presumably sent direct invitations to try the BlockBlasters game. A technical report from researchers detailed the malware’s function, identifying a dropper batch script that performed environment checks on a victim’s system. This script collected Steam login credentials and the user’s IP address, uploading the data to a command-and-control server.
Further analysis from GDATA researcher Karsten Hahn documented the use of a Python backdoor and a StealC payload, which were deployed in conjunction with the batch stealer. During the investigation, security experts noted a significant operational security failure by the attackers, who left their Telegram bot code and authentication tokens exposed. Unconfirmed reports from open-source intelligence experts claim the primary threat actor has been identified as an Argentinian immigrant residing in Miami, Florida. The BlockBlasters incident is one of several recent cases of malware distributed on Steam, following similar attacks earlier in the year involving the games Chemia, Sniper: Phantom’s Resolution, and PirateFi.