Over the past two years, millions of dollars worth of CSGO items were stolen and sold off, both by, and in conspiracy with, Steam Support staff, it has been alleged in a series of videos.
Skins and other items in Counter-Strike: Global Offensive range from a value of $0.03 to millions in real-life currency. As such, it is a space rife with scammers and thieves.
However, a very concerning set of allegations have been released, alerting CS:GO players with high-value inventories that Steam Support itself has been complicit in the theft of expensive items.
It is important to note at the outset that Valve employees are not implicated, but rather support staff working for companies to which Valve has outsourced support. At least over $1 million in items has been stolen, but the value could be much higher.
Steam Support allegedly uses account data to steal items
First brought to light by Russian YouTuber Mzkshow, it is alleged that an initial hacker, given the fake name ‘Alexander’, coordinated with at least one member of Steam Support to gain access to, typically inactive, Steam accounts with at least $100,000 in their inventory. It is alleged:
Using information about the account from an accomplice at Steam Support, ‘Alexander’ would pose as the account owner to Steam, claiming that he had lost the login details and would provide the necessary security information. Once access had been granted, he would move all the high-value skins to another account and proceed to sell them.
The items would be sold on third-party websites or to cash traders (professional CS:GO traders and middlemen), who were unaware that the items were stolen. These traders included popular CS:GO content creators Anomaly and zipeL.
Once the heist was complete, Alexander would delete the original hacked account and the account to which he transferred the items before moving on to the next victim. Note: video is in Russian but has been given a full English translation using YouTube closed captions.
It didn’t take long though until other Steam Support staff apparently caught on to the scam – and exploited it themselves. Alexander said that in some cases, before he was able to gain access to a victim’s account, it was already recovered by someone else, indicating another person pulling the same scam.
What CSGO skins were stolen?
Some of the stolen skins include a famous M4A4 Howl with iBUYPOWER and Titan Holo stickers from Katowice 2014. The skin belonged to a high-tier investor from China, and after it was stolen, it was sold for $35,000. It is currently in the inventory of NAVI player Valerij ‘b1t’ Vakhovsjkyj, who is borrowing it from the new owner – who bought it full price, unaware it was stolen.
Countless Dragon Lore AWPs, Case Hardened AK-47s, gloves, knives and stickers were also stolen. Some of these items are worth over $100,000 individually.
Other famous CS:GO skins worth tens or even hundreds of thousands were also stolen or attempted to be stolen. In some cases, Steam would be alerted to an inventory hack and delete all the items temporarily before restoring them.
Valve itself is said to have been made aware when an account whose owner had connections to Steam was hacked. It was quickly resolved, and Valve asked the outsourcing company to investigate suspicious activities. According to Mzkshow, this company fired every employee who worked in Steam technical support.
Subscribe to our newsletter for the latest updates on Esports, Gaming and more.
One of the hacked accounts was that of HFB – a Saudi national famous in the skins community who has an estimated inventory value of over $3 million and owns some of the most well-known items in existence. In this case, Valve was able to recover the items and reversed the trades, admitting fault on their behalf.
Steam sent a message to users who had bought the skins, many of which had spent thousands and now had nothing to show for it: “The items in question were removed from your account because they were received from an account that was compromised through a support help request, for which the CS:GO team takes responsibility. We have reversed the trades and removed them from any account which received them.”
Other high-tier investors were not as fortunate as HFB, however. One in particular, named Qkss, had their account with over $1 million in rare and expensive items hacked and then community-banned. All of the items were lost and the account was deleted.
This is consistent with Alexander’s method as accounts would typically be deleted after the hack was complete.
How can the hack be prevented?
Mzkshow argues that in order to fully prevent this type of attack from being possible, Valve would need to stop outsourcing support. However, this is would be a nearly impossible task, given it would require thousands of employees working in many regions and languages. There are a total of 1.5 billion registered accounts on Steam – a mammoth task for Valve to provide support in-house.
If you are worried about your own Steam inventory, though, the alleged criminals would typically target only six-figure accounts, and those that were inactive. If an account was not logged into for a hundred days or more, it was much easier to pretend to be the owner who had just forgotten their password.
CS:GO trader and Twitch streamer zipeL recommends that players log in to their accounts regularly but also avoid buying Steam accounts. It is common for high-tier skin investors to buy ‘OG’ Steam accounts, to get a desired username or to have a coveted ‘years of service’ badge with over 10 years.
These accounts are then easy targets for scammers, as it’s unlikely that the new owner of the account will know all of the security details to regain access because they simply bought the account. It is also against the terms of service to buy or sell accounts, making the owners potentially reluctant to contact Steam support.
What action Valve has taken or will take remains unknown, and is likely to remain so, to prevent other loopholes or exploits from being found. But outsourced support is certain to continue, meaning more checks and balances may be required for account recovery.