Quick answer
The Steam trade hijack scam uses a DM from an already-compromised friend pointing to a lookalike steamcommunity domain (such as steamcommunity[.]link or steamcomnnunity[.]com). The fake page either captures the login and SteamGuard code in real time or, more often, steals the session cookie via a malicious browser extension or "trade confirmation" page that lets the attacker log in as you without ever needing your password. Once inside, the attacker initiates trades, confirms them on a hijacked mobile authenticator, and drains CS2, Dota 2, Rust, and TF2 inventories within minutes. Valve does not restore items in most cases. Verify any Steam link by closing the message, opening the Steam client manually, and checking your inbox there.
How Steam trade scams work in 2026
The scam has three stages: the lure DM from a real friend, the trap page that captures credentials or session tokens, and the inventory drain inside the Steam client itself. Each stage is engineered to look like normal Steam behavior.
Stage 1 - the lure DM from a hijacked friend
The opening message arrives through Steam chat or a connected Discord. The sender is a real friend on your Steam friends list. Their account was already taken over earlier in the same campaign, and the attacker is working through that friend's friends list one DM at a time. The wording rotates through patterns that match normal CS and Dota player behavior:
"yo can you vote for my team in this tournament bracket? closes in 1 hour, free key giveaway after"
"hey wanna trade? I have a stat-trak AK Redline I will swap for your karambit any pattern"
"bro this third-party marketplace is paying 20 percent over Steam price for my skins, check it out"
"got banned by mistake, can you screenshot my profile on this Steam tool so I can submit an appeal?"
The lure works because friends genuinely do trade skins, vote in community tournaments, and ask for profile screenshots. The attacker hides inside a normal weekly pattern. The first instinct of most players is to help.
Stage 2 - the trap page on a lookalike domain
The link lands on a page that mimics Steam's login or trade confirmation. The domain is the tell, and the patterns rotating in 2026 are documented in the Steam Support guides on phishing and in Valve's own warning posts on the Steam Community. The link reads as steamcommunity.com/tradeoffer/new/ in the visible text but resolves to a domain that is not steamcommunity.com. The fake page either asks for a fresh login or shows a "confirm trade" interstitial that pulls a session cookie.
If credentials are captured, the attacker proxies them to the real steamcommunity.com in real time, triggers a real SteamGuard prompt on your phone, and harvests the 5-character code the moment you type it. If session tokens are stolen via a malicious extension or a "trade confirmation viewer" page, neither a password nor a SteamGuard code is needed. The Steam session cookie is a bearer credential: whoever holds it is logged in as you, on any device, until you explicitly invalidate sessions.
Stage 3 - the inventory drain
Inside Steam, the attacker initiates trade offers from your account to attacker-controlled accounts or to third-party CS marketplaces. If your Steam Mobile Authenticator is on the same device as the stolen session, the attacker confirms trades directly. If you confirm a single "test trade" yourself, thinking it is a friend's legitimate exchange, that single confirmation is the only one needed. The trade window opens, and within seconds CS2 knives, AWP skins, gloves, Dota 2 Arcanas, Immortal cosmetics, and TF2 unusuals move out. High-value items typically land on a fence account within minutes and are listed on a third-party marketplace at 60 to 80 percent of Steam Market price for fast liquidation.
Lookalike Steam domains 2026
Read the domain letter by letter. The real domain is what sits immediately before the first single slash after https://. Real Steam lives only on a small handful of domains:
- steamcommunity.com
- store.steampowered.com
- help.steampowered.com
- steamgames.com (corporate)
Anything else is suspect. The patterns in active rotation across Steam Support phishing advisories and third-party trackers in 2026 include:
- Character substitution: steamcomnnunity.com (extra n hidden between m and u), steamcommumity.com (m for n), stearmcommunity.com (extra r), steam-community.com (hyphenated)
- TLD swap: steamcommunity.link, steamcommunity.app, steamcommunity.net, steamcommunity.gift
- Subdomain trick: steamcommunity.com.tradeoffer-view.app, tradeoffer.steamcommunity.help-portal.net (the real domain is whatever sits before the first single slash)
- Brand-plus-keyword: csgo-trade.com, cs-marketplace.app, steam-skins.gg, steamtrade-viewer.net
- Tournament-bracket lures: csgo-tournament-vote.com, fnatic-vote.net, steam-cup-2026.com
- Free hosting: steam-trade.vercel.app, steam-confirm.netlify.app, steamcommunity-view.pages.dev
- Punycode and Cyrillic homographs: Cyrillic а, е, о, and с rendering as Latin-looking characters in the URL bar
The hardest variants to catch by eye are the homographs and the subdomain tricks. In steamcommunity.com.tradeoffer-view.app the eye reads "steamcommunity" first and stops there. Train yourself to read the domain backward starting from the first slash.
CS skin and Dota cosmetic theft economics
The Steam economy is the reason this scam scales. Steam reports more than 132 million monthly active users and the third-party cosmetic market sits on top of that base. Skin-economy industry analysis from outlets including PC Gamer, Polygon, and skin-marketplace research reports has placed the CS and broader Steam cosmetic economy in the tens of billions in cumulative gross merchandise value, and Counter-Strike alone reliably ranks among the top Steam games by concurrent player count. Single items sit at real-money prices well into the thousands. Public Steam Community Market and third-party marketplace listings have shown:
- CS2 knives and gloves: Karambit Doppler, M9 Bayonet Marble Fade, Specialist Gloves Crimson Kimono regularly listed in the $1,500 to $8,000 range on Steam Market, with rare patterns reaching five figures on third-party brokers
- CS2 AWP skins: AWP Dragon Lore, Medusa, and Gungnir in factory-new commonly listed from $5,000 into the tens of thousands depending on float and sticker craft
- StatTrak rares and souvenir items: Souvenir AWP Dragon Lore with major-tournament autograph stickers has sold above $100,000 in private broker deals reported across the CS press
- Dota 2 Arcanas and Immortals: rare retired Arcanas, Couriers from old Compendiums, and signature items run from low hundreds into the thousands
- TF2 unusuals: high-tier effects (Burning Flames, Scorching Flames) on rare hats trade hands at thousands of dollars
- Rust skins: rare AK and bolt-action rifle skins reach the hundreds, occasionally low thousands
A single successful hijack on an experienced player can clear an inventory worth more than a year of average wages in many regions. That return profile, combined with the friend-graph propagation of the lure, is why the Steam trade hijack scam has been continuously active for more than a decade and why FBI IC3 annual reports continue to call out gaming and virtual-asset fraud as a growth category.
Why SteamGuard alone is not enough
Steam Guard is Valve's two-factor system. The mobile authenticator is solid in design, and Valve's documentation correctly states that SteamGuard makes credential-only theft much harder. Players relying on it assume their account is therefore safe. The hijack still works because attackers in 2026 do not target the password and the SteamGuard code in isolation; they target the session token that those credentials produce.
The two bypass paths in active rotation are:
Real-time relay of the SteamGuard code. An adversary-in-the-middle (AiTM) proxy forwards your typed password to real steamcommunity.com, which generates a real SteamGuard prompt on your real phone. You see what looks like a normal login, you approve or type the 5-character code, and the proxy relays that code back to Steam. The attacker now has a fresh authenticated session. The Cybersecurity and Infrastructure Security Agency (CISA) issued a 2023 advisory describing AiTM phishing kits as a primary technique against time-based 2FA across major brands - the same kit class is rented for Steam.
Direct session-token theft. A malicious browser extension installed under the cover of "Steam trade viewer," "CS inventory analyzer," or "case opening simulator" requests permission to read data on steamcommunity.com. Once installed, it reads the Steam login cookie out of the browser and exfiltrates it. The attacker imports the cookie into their own browser and is logged into your account with no password and no SteamGuard prompt. The same outcome arrives via malware in pirated games, "Steam desktop authenticator" forks distributed outside official channels, and clipboard-hijacker stealers from the RedLine and Lumma families that explicitly target Steam session files.
Once the attacker has a live session, the only barrier left is the mobile-authenticator confirmation on individual trades. If the attacker also compromised the phone (via malicious app, SIM-swap, or remote-control bypass) they confirm trades themselves. If not, they wait until you confirm a trade you initiated yourself and slip their drain trades into the same queue.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the steamcommunity.{link,app,gift,net} TLD swaps, the steamcomnnunity / steamcommumity character substitutions, the tournament-bracket vote lure domains, and the steam-trade-viewer / csgo-marketplace brand-plus-keyword family instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious Steam-impersonating domains.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds, including pages that serve Steam UI from any domain other than the canonical four.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
What to do if your Steam account was compromised
Speed matters. Most drains are complete within ten to twenty minutes of the trap page loading. Move through the sequence below even if you are not yet sure the account is hijacked, because the first three steps are reversible and the cost of acting on a false alarm is zero.
- Within 60 seconds, deauthorize all other devices. Open the Steam client on a device that you are still confidently logged into. Go to Steam → Settings → Account → Manage Steam Guard, and choose "Deauthorize all other devices." This invalidates every active session except the one you are using and forces a fresh SteamGuard challenge on every other device. If the attacker is logged in on stolen cookies, this kicks them out.
- Within 2 minutes, change your password. Steam → Settings → Account → Change Password. Use a long unique password not reused anywhere. Steam's password change automatically triggers a 15-day trade hold on any unfamiliar device, which is by design.
- Within 5 minutes, file a Steam Support ticket. Go to help.steampowered.com, choose the affected account, choose "I think my account has been stolen," and follow the recovery flow. Valve's published Steam Support policy is clear: items traded away with the user's own SteamGuard confirmation are generally not restored, but Valve does sometimes intervene where the trades were completed via a stolen session within a very short timeframe and where the recipient account was already flagged. Filing fast and accurately is what gives Valve the option.
- Within 10 minutes, revoke OAuth and third-party logins. Visit steamcommunity.com/my/apipage and revoke your API key (the API key can be used to confirm trades remotely if the attacker captured it). Visit steamcommunity.com/my/preferences and review every "third-party app" or "OpenID login" with access.
- Check the Steam Mobile Authenticator binding. If the attacker re-bound SteamGuard to their own phone, your normal authenticator will stop generating valid codes. Steam Support has a phone-removal flow for this case - it triggers a 15-day account lock during which no trades are possible. The lock protects what is left.
- Remove any browser extensions installed in the last 30 days. Pay special attention to anything named "Steam trade viewer," "CS inventory tool," "case opener," "skin price checker," or generic "shopping helper." Read each extension's permissions in your browser's extensions page and remove anything that has permission to read steamcommunity.com or all sites.
- Run a full malware scan. RedLine, Lumma, and StealC stealers specifically target Steam session files alongside browser cookies. Use Malwarebytes, Bitdefender, or Microsoft Defender Offline. If a stealer is on the machine, every credential the browser holds is already gone, not just Steam.
- Notify your Steam friends. Post in any Steam group you moderate and DM close friends through a separate channel (Discord, phone) to ignore any "vote for my team" or "trade with me" messages from your account in the last hour. The faster the lure DM is reported and ignored, the fewer of your friends get hit.
- File at FBI IC3 if the loss is significant. ic3.gov aggregates gaming and virtual-asset fraud and the totals feed into the FBI Internet Crime Report each year. Including the stealer name, the trade partner Steam IDs, the lookalike domain, and the timestamps gives investigators something to correlate.
- Consider a Steam Family steward. If your account holds high-value inventory, Steam Families allows a trusted parent or co-account to act as a recovery anchor. The family feature was rolled out in 2024 and updated through 2025; check the Steam Support family page for the current policy.
Protection guide
The Steam trade hijack defeats password-only protection, defeats SMS 2FA, and partially defeats SteamGuard. The defenses that actually hold up are layered.
Treat every unsolicited DM with a link as hostile until verified. Tournament votes, trade offers, "screenshot my profile" requests - if it arrived as a link in a message you did not ask for, verify the friend through a separate channel (voice call, Discord ping, in-game chat) before clicking anything.
Read the domain letter by letter, backward from the first slash. The real domain is what sits immediately before the first single slash. steamcommunity.com.gift-view.app is the gift-view.app domain. steamcomnnunity.com has an extra n hidden in the middle. steamcommunity.link is a TLD swap. Only steamcommunity.com, store.steampowered.com, and help.steampowered.com are real.
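The domain-reading rule above, and the lookalike patterns listed in the "Lookalike Steam domains 2026" section, applied by a small checker. This is an added example, not SafeBrowz's own code; the category names, the keyword list, and the two-label shortcut for the registrable domain are assumptions of the example.

```python
"""Classify a URL's host against the canonical Steam domains using the
lookalike patterns the article describes (example code, not SafeBrowz's)."""
from urllib.parse import urlsplit

# Registrable domains behind the canonical hosts the article names:
# steamcommunity.com, store/help.steampowered.com, steamgames.com.
STEAM_APEX = {"steamcommunity.com", "steampowered.com", "steamgames.com"}
# Free hosting suffixes the article lists as abused for throwaway trap pages.
FREE_HOSTING = {"vercel.app", "netlify.app", "pages.dev"}
# Brand keywords seen in the brand-plus-keyword and tournament lures (assumed list).
BRAND_WORDS = ("steam", "csgo", "cs2", "dota", "tradeoffer", "skins")


def host_of(url: str) -> str:
    """Lowercase host: what sits before the first single slash (after any user@)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels, e.g. 'tradeoffer-view.app'. Enough for the simple TLDs
    in the article; multi-part suffixes like co.uk need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-character tweaks to the name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit' or the lookalike category the host falls into."""
    host = host_of(url)
    if not host:
        return "invalid"
    apex = registrable(host)
    if apex in STEAM_APEX:
        return "legit"
    # Punycode (xn--) or raw non-ASCII labels: the Cyrillic а/е/о/с homographs.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "homograph"
    if apex in FREE_HOSTING and any(w in host for w in BRAND_WORDS):
        return "free-hosting-lure"
    sld = apex.split(".")[0]
    # Subdomain trick: 'steamcommunity' appears, but not as the registrable name.
    if "steamcommunity" in host and sld != "steamcommunity":
        return "subdomain-trick"
    # TLD swap: right name, wrong suffix (.link, .app, .net, .gift).
    if sld == "steamcommunity":
        return "tld-swap"
    # Character substitution, insertion or hyphenation within two edits.
    if edit_distance(sld, "steamcommunity") <= 2:
        return "char-substitution"
    if any(w in sld for w in BRAND_WORDS):
        return "brand-keyword"
    return "unrelated"


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when a link's visible text names a different host than its target,
    the 'reads as steamcommunity.com/tradeoffer/new/' trick from Stage 2."""
    return host_of(visible_text) != host_of(href)
```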
Never log in to Steam from a link in a message. If you need to act on something - confirm a trade, vote in a community event, check an offer - close the message, open the Steam client manually, and act from there. The Steam client and the Steam Mobile App show every legitimate event natively.
Use the Steam Mobile Authenticator, not SMS 2FA. The mobile app is the only first-party SteamGuard implementation with full trade-confirmation support. Email-only SteamGuard is the weakest of the supported options.
Disable third-party extensions on Steam pages. Browser extensions with permission to read steamcommunity.com are a session-token theft vector. If you must use a CS inventory tool, use the desktop client version that does not need browser session access, or pin the extension and disable it by default.
Set Steam Guard trade hold to the maximum. Steam → Settings → Family Library → Trade and Market → Hold period. Maximum hold lengthens the window during which a trade can be canceled before completion.
Use a hardware-backed password manager. Keep a long unique Steam password in Bitwarden, 1Password, or KeePassXC and never type it by hand. Most credential phishing fails the moment your password manager refuses to autofill because the domain does not match.
Audit your Steam friend list quarterly. Old inactive accounts are the most likely to be hijacked first and used as launchpads. If you do not recognize a name or have not interacted in a year, remove the friendship.
Install a browser-layer scanner. SafeBrowz is a free Chrome, Firefox, and Edge extension that recognizes Steam lookalike domains by URL pattern and page content before the login form or trade confirmation interstitial renders. 550+ brands, 60+ patterns, full-screen warning on detection. Free forever.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.
Upgrade to Premium for AI deep-scan on novel Steam-impersonating domains the moment they go live.
Frequently asked questions
Will Valve restore my CS2 skins if my account got hijacked?
In most cases, no. Steam Support's published policy on item restoration is that items traded away under the user's own Steam Guard confirmation are generally not returned. Valve has stated this position consistently across years of support documentation. There are narrow exceptions where Steam Support intervenes (for example, when the trade was completed via a stolen session within a very short window and the recipient is already flagged for fraud), but the safest assumption is that drained inventory is gone. File a ticket fast at help.steampowered.com to keep the slim recovery option open.
How did the attacker get into my account if I have SteamGuard turned on?
Two common paths in 2026. Adversary-in-the-middle (AiTM) phishing proxies relay your password and the SteamGuard code in real time, producing an authenticated session before you realize anything is wrong. Or session-token theft via a malicious browser extension or infostealer malware (RedLine, Lumma, StealC) reads the Steam session cookie from your browser, lets the attacker import it into theirs, and logs them in as you with no password or SteamGuard prompt needed. CISA's 2023 advisory on AiTM kits applies directly to the Steam case.
The friend who sent me the link swears they did not send it. Are they lying?
Almost certainly not. Their account is hijacked the same way yours nearly was. The Steam trade hijack scam spreads worm-style by walking the friends list of each compromised account. By the time the DM reaches you, your friend has lost control - the attacker is operating the account with the real avatar, real username, and real chat history. Tell your friend to run the recovery sequence: deauthorize all sessions, change password, file a Steam Support ticket.
I clicked the link but did not enter my password. Am I safe?
Probably yes, but check two things. First, did the page prompt you to install a browser extension or download a "trade viewer" tool? If yes, remove the extension and run a full malware scan - some of those tools install infostealers that quietly read your Steam session cookie days later. Second, did the page load any download dialog automatically? Cancel any downloads and scan for malware. If neither happened and you only saw the page, close the tab and move on, but consider deauthorizing all sessions as a precaution.
What is the difference between SteamGuard mobile and SteamGuard email?
The Steam Mobile Authenticator generates a fresh 5-character code every 30 seconds inside the official Steam Mobile App, and it is also what produces trade confirmations. SteamGuard via email sends a code to your registered email each time you log in from a new device. The mobile app is significantly stronger because email accounts are themselves a common phishing target, and email-only SteamGuard does not support trade confirmations. Valve recommends the mobile authenticator for any account that holds tradeable items. Switch in Steam → Settings → Account → Manage Steam Guard.
I confirmed a trade on my phone but the item that left was different from what I expected. What happened?
You were almost certainly trade-window-swapped. The attacker initiated a trade offer where the displayed item matches a high-value item from your inventory, then changed the offer at the last second on their side. Your mobile confirmation went through on the swapped offer. This is why the Steam Mobile App now shows full item names on the confirmation screen and why you should always read the confirmation text carefully before tapping confirm. Trade-window-swap is documented in Steam Support's phishing guidance.
Does Steam Family help recover stolen accounts?
Steam Families (rolled out in 2024 and updated since) lets a trusted family member share library access and act as a recovery anchor. It does not directly restore stolen items, but a family-steward setup can preserve account access and library entitlements even when the primary account is locked during a Steam Support recovery review. For high-value inventory accounts, a Steam Families setup is a reasonable additional layer alongside the mobile authenticator. See help.steampowered.com for the current Steam Families policy.
How do I report the phishing domain so it gets taken down?
File at Steam Support (help.steampowered.com → Steam Community → Report a Phishing Site) with the full lookalike URL. Valve files takedowns with registrars on confirmed Steam-impersonating domains. Also file at the FBI IC3 (ic3.gov) if you lost items, and at PhishTank (phishtank.com) so the URL feeds into community blocklists used by browsers and security tools worldwide. Each takedown report shortens the lifespan of the campaign by hours or days.
Related reading
- Discord Nitro free scam - same DM-from-a-friend playbook on Discord, often the upstream lure for the Steam wave
- Coinbase account suspended scam email - the AiTM and session-relay pattern in the crypto-exchange variant
- Stable.xyz lookalike wallet drainer - lookalike-domain detection applied to the Web3 wallet world
- Fake Microsoft popup - brand-impersonation phishing in a different brand surface, same defense rules
Bottom line: The Steam trade hijack scam works because the lure looks identical to normal gamer behavior, the bypass quietly steals the session token rather than fighting SteamGuard head-on, and Valve's own policy means most drained inventory is not coming back. The defense is the same as it has been for a decade plus the new layer of session-token discipline. Verify every DM through a separate channel. Read every domain letter by letter. Only log in through the Steam client itself, never through a link. Use the Steam Mobile Authenticator. Audit your browser extensions. And add a browser-layer scanner like SafeBrowz so the lookalike steamcommunity page never gets a chance to load.