Recently a clanmate has shared an unsuccessful scam attempt executed against them. Scams on Steam are pretty common, and normally quite boring: most of them follow the same exact formula where a scout account adds you, tells you about an "accidental report" or invites you to a "game tournament" and then passes you along to the scammer's primary account that instructs you to open a fake website and log in with your Steam credentials leading to the loss of your account.

This one caught my eye however since it was a bit different. As per the scam report, my clanmate was added by a scout account, but instead of impersonating a Valve employee or a competitive player, the main account masquerades as a leader of a big Steam group and the hook of the scam revolves around the threat of being mass reported by the scammer's group members.

Investigating further I stumbled across a large group indeed, 1579 members at the time of writing. That set off some alarm bells, because its rare to see that many alts being used in a single scam attempt at once. The group itself was nothing of note, all the comments were locked, and the discussion posts and group picture were generated with ChatGPT. Looking at the members list reveals there are 202 members in-game, and 203 members online (the one extra being the owner not having a game running).

Looking further, all 202 accounts are running the same few games at once -> all idle clickers. The games in question being Bongo Cat, Amarillo's Butt Slapper and Banana. So what does this mean and why does it matter?

Steam has always had issues with botnets farming items. This isn't a secret, and is also not an issue exclusive to Steam, but one that runs absolutely rampant and unchecked there. Games that have economies will be botted -> this has been the case for games with many different genres, my beloved Team Fortress 2 included. Recently though, idle clicker games have become more popular and mainstream thanks to just how easy it is to make such a game and integrate with Steam economy.

Banana specifically was at the center of this controversy a little while ago. It's really easy to notice massive botnets going online and offline, padding player numbers and crashing the item economy with the oversupply of farmed items. Copycats have sprouted, copying Banana's success (and problems), giving these botnets more grounds to stomp. This wasn't really a big problem for players, since unless you've invested large sums of money before the botnets arrived, you could enjoy cheaper prices and larger availability of in-game items. Additionally, unlike Team Fortress 2, idle-clicker games typically make their items untradable, so you can't snipe gifts.

Now, however, we're starting to see the larger issue at hand as these botnets get weaponized by their owners to scam people. Whether or not the scammer in question was the owner of the botnet or intentionally bought an "infected" group is hard to say, what's clear is that its easy for said scammer to take advantage of the situation. Valve's impotent reaction towards swathes of botnets infesting their service has been very disappointing to see. The vast, vast majority (if not all) of the accounts that are part of the botnet are stolen. Scammers don't just automate farming game items, they automate stealing accounts too, and there are thousands of accounts, and hundreds of groups.

So what's my point anyway? What I'm trying to say is: Valve needs to moderate their store and their community better. For a company that rakes in cash by the billions each year, their handling of Steam in that regard has been very disappointing. Steam economy and Community Market have been and are subject to rampant abuse. Steam's own report system is archaic and ineffective. When malicious actors run their botnets out in the open and risk their whole operation to steal a blank account from some newbie, you know they have gotten way too comfortable with Valve's laziness.

This entire post can easily be the length of a thesis paper if I were to mention the other issues with Steam that tie into this incident or are otherwise closely related, but those are best left for later. What you can do as a user is nothing actually. Avoiding those games and items will not make a dent in Valve's massively padded pockets and it will not affect scammers because scammers diversify as we've learned throughout this post and reports do not work either. Do better, Valve.

Deuces.