CS2 scam protection
Nearly every stolen inventory is taken with one of six vectors, and every one of them has a recognition sign that fires before the items leave. This page documents all six, with defense steps and Valve’s own pages as sources. The one hard rule up front: Steam Support does not restore items that have left your account, for any reason, so prevention and the 7-day reversal window are all you get.
1. The API key scam
You sign in on a phishing site with your real Steam credentials, and the kit silently registers a Steam Web API key on your account. From then on a bot watches your trades: when you send a real offer to a real marketplace, the bot cancels it and instantly re-sends an identical-looking offer from a cloned bot account. You confirm it on your phone because it looks exactly like the trade you just created.
Recognition
- A trade you created gets canceled and instantly reappears from a "bot" with the same avatar and name.
- The partner account in the repeated offer is days old.
- A Web API key you never created sits on your account.
Defense
- Open steamcommunity.com/dev/apikey and sign in if asked.
- If the page shows a key with a domain you do not recognize, press "Revoke My Steam Web API Key". You never lose anything by revoking: legitimate keys are for developers, not traders.
- Change your Steam password and deauthorize all other devices.
- Re-check the key page after your first login on any new site.
Sources: Steam Web API key page · Steam Web API terms · Recovering a stolen Steam account
2. Fake sites and cloned domains
Clones of real marketplaces with one changed character in the domain, "you won a giveaway" pages, and fake login popups drawn inside the page itself. Valve’s own hijack definition names the mechanism: a fake Steam or third-party trading site that convinces you to hand over your login.
Recognition
- The domain differs from the real one by one character: rn instead of m, capital I instead of l, an extra hyphen, a different ending.
- A login form asks for your Steam password anywhere other than steamcommunity.com.
- The "browser popup" cannot be dragged outside the parent window: it is drawn inside the page.
- The site reached you first: a comment, a DM, a group invite, a "giveaway you won" without entering.
Defense
- Type marketplace URLs yourself or use bookmarks; never follow login links from chats.
- Before typing a password, read the address bar character by character: real venues authenticate through Steam OpenID, so the password page is always steamcommunity.com.
- Try dragging a login popup outside the browser window; a fake one cannot leave the page.
Sources: Steam Scam FAQ · Recovering a stolen Steam account
3. Impersonation and the fake middleman
A "Valve admin" or "marketplace support" writes first: your items are duplicated or reported and must be traded to a "secure account" for verification. Or a private deal appears with a "trusted middleman" who is the scammer’s second account. Valve’s Scam FAQ lists both by name: verification accounts keep the items and block you; and if a trade fits Steam’s rules, no middleman is needed at all.
Recognition
- Anyone contacting you first about your items, with urgency and a threat of a ban.
- A request to trade items "for verification" of any kind.
- A "buyer" who pays directly by PayPal or card outside any platform: the transfer is reversed by chargeback after the skin is gone.
- Walls of +rep comments as proof of trust; the Scam FAQ notes they are generated easily.
Defense
- Valve staff never ask you to trade items. Anyone who does is a scammer; report via their profile and block.
- For deals with strangers use an escrow marketplace instead of trust: compare venues.
Sources: Steam Scam FAQ · Recommended Trading Practices
4. Trade Protection reversal abuse
Since July 15, 2025 every traded CS2 item stays Trade Protected for 7 days, and the sender can reverse all their protected trades from the last 7 days; the reverser takes a 30-day trade and market cooldown, their partners take nothing. Scammers turned the safety net into a weapon: they "sell" you a skin in a direct trade, take your money through crypto or a gift card, then reverse the trade. The item returns to them; your money does not return to you.
Recognition
- A stranger sells a skin below market for a direct trade with off-platform payment "right now".
- Payment is only accepted in irreversible form: crypto, gift cards, friends-and-family transfers.
- The seller tells you to ignore the yellow Trade Protected shield on the items.
Defense
- Treat the yellow shield as a 7-day undo button in the other party’s hand: never move money outside a venue for a directly traded item.
- Buy and sell through marketplaces that hold funds until the protection window clears; that hold is why legitimate payouts land around day 8.
- If your account is stolen, the same mechanism is your last line: reverse your protected trades within 7 days.
Sources: Trade Protected Items FAQ · CS2 trade updates timeline
5. QR and login hijack
The Steam mobile app signs you in by scanning a QR code from the login page. Phishers open the real Steam login themselves, then show you their QR on a fake voting, giveaway or tournament page. You scan and approve, and they are signed in to your account without ever seeing your password.
Recognition
- Any site or "friend" asking you to scan a QR code to vote, verify or claim something.
- A Steam Guard approval prompt for a sign-in you did not start; the prompt names the device and location.
- "Vote for my team" messages, often from a hijacked friend’s account.
Defense
- Scan sign-in QR codes only on the Steam login page you opened yourself.
- Read the device and location line in the app before approving anything.
- Deny any prompt you did not trigger, then change your password and deauthorize other devices.
Sources: Steam mobile app (QR sign-in) · Steam Guard FAQ · Recovering a stolen Steam account
6. Fake escrow and insolvent venues
Not a clone of a known site but an original "marketplace" or a Discord "escrow service" built to receive deposits. You trade skins to its bot, a balance appears in a database, and the withdrawal never works, or the site simply disappears. The soft version is a real venue that dies with your balance on it: BitSkins shut down in June 2026 with withdrawals disabled, documented in our dossier.
Recognition
- Young domain, no fee page, no company history, a handful of reviews.
- Deposits go by trading to an account that looks personal, not to a labeled venue bot.
- Withdrawal "temporarily unavailable" while deposits stay open; aggressive deposit bonuses.
Defense
- Before any deposit, read the venue’s dossier: status and shutdown flags, fees, KYC, Trustpilot score with review count, verified-at date. All dossiers.
- Deposit small first, withdraw once, and only then scale.
- Treat any on-site balance as an unsecured claim on a private company; the BitSkins case is the standing lesson.
Sources: our market dossiers (facts verified per venue) · BitSkins shutdown announcement
If you got hit: the first hour
- Revoke the rogue Web API key at steamcommunity.com/dev/apikey.
- Change your password and deauthorize all devices; if the account is locked out, start account recovery.
- If items left in protected trades within the last 7 days, reverse them from your Trade History. It costs you a 30-day trade and market cooldown and returns the items. How reversal works.
- Report the scammer through their Steam profile. Reporting steps.
- Know the limit: "Steam Support does not restore items that have left accounts for any reason." The reversal window is the only rollback that exists. Item Restoration Policy.
FAQ
Will Steam Support return my scammed skins?
No. Valve’s Item Restoration Policy states that items which left an account are not restored for any reason, because they change hands quickly and restoring them would mean duplication. The only rollback is the one you trigger yourself: reversing Trade Protected trades within 7 days.
Is logging in "through Steam" on marketplace sites safe?
The OpenID mechanism itself is safe: the site never sees your password, which you type only on steamcommunity.com. The danger is fake login windows that imitate that page. Verify the address bar reads steamcommunity.com and that the window can be dragged outside the parent page before typing anything.
I revoked the API key. Is my account clean now?
Revoking stops trade-watching bots, but the phisher also has your password. Change it, deauthorize all devices, and check your email and phone number on the account. If malware was involved, none of that helps until the machine is scanned or reinstalled.
Why do marketplaces hold my payout for about 8 days?
Because the item a buyer received can be pulled back by trade reversal for 7 days. Venues release money once the reversal window has closed and the sale is final. Some instant-sell venues pay immediately and carry that reversal risk themselves, priced into their quotes.