If you’ve heard of Steam-key scams, you know that most of them seem too obvious to fall for. But some scammers are running sophisticated, brute force operations that blanket so many developers with so many key requests that they are likely quite profitable. And Helium Rain developer Gwennaël Arbona just broke down how the entire process works in a thread on social media.
Developers on Steam can produce an infinite number of 15-digit alphanumeric codes that anyone can redeem for access to a certain game. Valve gives everyone free rein to do whatever they want with these codes (it does have some limits that are not relevant to this topic). You can give them to friends and family. They can go out to media to help promote the game. Or you can sell them on your own website or a third-party store.
I request a Steam code for a game at least once a week for my job. Sometimes I find myself requesting multiple codes a day. It is a normal and accepted business practice, but it’s one that con artists are exploiting. Anyone can write an email just like mine requesting a Steam code. And anyone can sell a Steam code on stores like Kinguin. And that’s exactly what they do.
“As [with] most scams, they’re short, unprofessional-looking emails in approximate English,” Arbona wrote on Twitter. “Most developers will immediately weed them out.”
I’m sure, like me, you are confident you could spot an email like this from “firstname.lastname@example.org” as a scam. So why does anyone still do this? Because it works.
This scam is popular because people can automate much of it. For example, you can feed developer email addresses into a bot that will then automatically send key requests from countless false accounts. Those accounts can use forms to fill in details like “%game_name%,” and they can impersonate any number of YouTubers from around the world.
Arbona saw that trend with his scammer. He found multiple emails with similar wording that all used the same Gmail tracker from a service called Deskun.
“Obviously, these email addresses are registered and used by the same bot,” said Arbona. “A single scammer is impersonating multiple public figures, requesting review keys of every Steam game, over and over, through each account.”
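The linkage Arbona describes (several senders, near-identical wording, one shared tracker) can be checked mechanically against a developer's own inbox. The following is an added example, not code from the article or from Arbona; the inbox, the addresses, the tracker host `t.mailtool.example` and the 0.8 similarity threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Constructed sample inbox (sender, HTML body); every address and host is a placeholder.
PIXEL = '<img src="https://t.mailtool.example/o/{}.gif" width="1" height="1">'
REQ = "Hello, I am youtuber with {} subscribers. Please send {} keys of {} for review."
INBOX = [
    ("channel.one@mail.example", REQ.format("300k", 2, "Helium Rain") + PIXEL.format("a1")),
    ("channel.two@mail.example", REQ.format("120k", 3, "Helium Rain") + PIXEL.format("b2")),
    ("channel.three@mail.example", REQ.format("80k", 2, "%game_name%") + PIXEL.format("c3")),
    ("editor@press.example", "Hi team, I cover space sims and would like one Helium Rain code."),
    ("news@store.example", 'Your weekly sales digest.<img src="https://px.store.example/w.gif">'),
]

IMG_SRC = re.compile(r'<img[^>]+src="([^"]+)"', re.I)
PLACEHOLDER = re.compile(r"%\w+%")

def tracker_hosts(body):
    """Hosts of remote images in the body; a shared host links mail sent by one tool."""
    return {h for h in (urlparse(u).hostname for u in IMG_SRC.findall(body)) if h}

def normalise(body):
    """Strip markup and collapse numbers so only the wording template remains."""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    return re.sub(r"\d+", "#", " ".join(text.split()))

def find_campaigns(inbox, threshold=0.8, min_senders=2):
    """Group mail by tracker host, then cluster near-identical wording per host."""
    by_host = defaultdict(list)
    for sender, body in inbox:
        for host in tracker_hosts(body):
            by_host[host].append((sender, normalise(body)))
    campaigns = []
    for host, mails in by_host.items():
        clusters = []  # each entry: [representative text, set of senders]
        for sender, text in mails:
            for rep in clusters:
                if SequenceMatcher(None, rep[0], text).ratio() >= threshold:
                    rep[1].add(sender)
                    break
            else:
                clusters.append([text, {sender}])
        campaigns += [(host, sorted(s)) for _, s in clusters if len(s) >= min_senders]
    return campaigns

def unfilled_templates(inbox):
    """Senders whose mail still contains a raw merge field such as %game_name%."""
    return [sender for sender, body in inbox if PLACEHOLDER.search(body)]
```

A shared tracker host alone is weak evidence, since many legitimate senders use the same mail tools; the wording cluster across distinct sender addresses is what ties the requests to one operator.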
And it’s likely that developers ignore most of those emails. But if an automated process making potentially dozens of requests succeeds only a fraction of the time, that could still turn into real money. And if the scammer sets up their bot scripts to automatically register every Steam code developers send them with a selling service, they can generate revenue with very little effort.
Arbona was able to prove his scammer was selling keys. He responded to the request with a key for his game Helium Rain. He then checked popular key-reselling website Kinguin and found that it suddenly had a listing for Helium Rain. Previously, Kinguin didn’t have a listing for any Helium Rain codes. So Arbona bought it, and found that it was the one he just sent to “email@example.com.”
— Gwennaël Arbona (@StrangerGwenn) October 17, 2018
But c’mon — this can’t really work, right?
In the receipt for the Helium Rain key that Arbona purchased on Kinguin, it said “brought to you by Zefir.” That account had dozens of games for sale. But that account is no longer available on Kinguin. I’ve reached out to the website to ask if it deleted it or if the user deactivated it. But Arbona found multiple other accounts that all use the same icon art of a red-bearded sheriff. Those accounts, like GamesLand and KeysCrops, are still live with game keys for sale.
As Arbona notes, every game that Zefir was selling comes from indie developers. If Zefir is a legit merchant, major publishers do not work with them.
But Zefir didn’t just have keys to sell; people were also buying them. Before closing, the account had approximately 850 user reviews. Those all came from sales. But not everyone who makes a purchase has to leave a review. That means that Zefir likely sold way more than 850 keys. If Kinguin is anything like other stores, only about 1-in-10 to 1-in-50 people leave a user review. Arbona did the math on that.
Now you usually get a customer review for about every 50 units sold, according to our research. So I’m estimating Zefir sold some 40,000 review keys since 2014. I don’t have his financials, but selling ~$10 games he didn’t buy can’t be bad business.
— Gwennaël Arbona (@StrangerGwenn) October 17, 2018
Even if Zefir has sold only 10,000 keys at an average of $5, that’s still $50,000. Of course, developers like Arbona don’t get a cut of that money. Kinguin does, however, take an 11 percent slice for itself.
So yeah, this racket works. If you spam out enough key requests, you’re bound to hit a developer who’s not at their sharpest. Maybe they are desperate for media coverage. Or they decided to go through their email after working all night. Maybe they just started doing outreach for their game and are overwhelmed by the number of requests. Or maybe English is their second language.
A swindle like this doesn’t have to work every time. It just needs to work enough to make the effort worth it. And automation and bots can make it almost seem like free money.