Click Adventure Scam Game: Draining Consumer Wallets and Bypassing Steam Security

In mid-2025, a game named Click Adventure, published by “Folso Dev.” on Steam, was found to have facilitated unauthorized withdrawals from users’ Steam Wallets via the Steam Community Marketplace. Players reported wallet funds disappearing after transactions of worthless items, despite having security features enabled. The game was eventually removed from Steam, but many victims have not received refunds. This case has raised concerns about gaps in Steam’s marketplace and account security. Steam, in response, has responded saying that Community Mark transactions are not possible to reverse despite the developer having already been banned from the platform by the time the refunds were sought.

Background[edit | edit source]

The Click Adventure wallet drain controversy involves the Steam game Click Adventure compromising users' accounts to execute unauthorized Steam Community Marketplace transactions for in-game inventory items, draining Steam wallets without triggering Steam Guard alerts. Secondly, it covers the suspicious nature of the game's developer and Valve's removal of the game without providing refunds or compensation to affected users. The incident involves money laundering, bot networks, stolen accounts, and fake marketplace items.

Unauthorized transactions without account ownership[edit | edit source]

Click Adventure, a casual clicker game released on August 6, 2025, reportedly led to account compromises where users received emails about unrecognized Marketplace transactions for inventory items tied to the game. Affected users consistently reported that they did not own or interact with Click Adventure prior to the incidents. Losses varied, with some users reporting drains as low as $13 and others up to $205 from their Steam wallet balances. The total amount across all account comes to a loss of ~$830. These transactions occurred without Steam Guard login alerts, suggesting a bypass of standard security protocols.

The scam, uncovered by consumer rights group Sentinels of the Store, involved a sophisticated network of hacked "seller" and "buyer" accounts. The developer, "Folso Dev", had reportedly been stockpiling these compromised accounts for up to nine months prior to the game's release.

The scheme operated in a two-step process:

1. Item Listing: The scammer used the compromised "seller" accounts to list in-game "shell items" on the Steam Community Marketplace. The price of these items was strategically set to match the exact amount of money in a victim's Steam wallet.
2. Wallet Drainage: The scammer then used the compromised "buyer" accounts to purchase these overpriced shell items. This transaction effectively transferred the funds from the victims' wallets to the scammer's "seller" accounts.

This process was repeated across numerous compromised accounts, allowing the scammer to quickly and efficiently launder stolen funds. At least 18 users worldwide have publicly reported these issues^[1], with discussions indicating up to 25 cases, though the true number may be higher as not all victims come forward. Users described their accounts as compromised, with wallet funds vanishing through purchases of Click Adventure-specific items, despite no prior engagement with the game.

Bypass of Steam Guard security[edit | edit source]

Steam Guard, Valve's two-factor authentication system, typically sends alerts for unrecognized logins to protect accounts. However, in these incidents, no such alerts were received, allowing unauthorized access and transactions. Reports suggest the compromise occurred via session hijacking or credential theft, possibly facilitated by malicious code within the game itself. The consistent targeting of Click Adventure inventory items implies the exploit was designed to launder funds through Marketplace purchases, evading detection.

The game's low-effort design—a simple clicker uncovering locations and loot—may have served as a vector for malware, extracting session cookies or login data without user awareness. This allowed hackers to maintain persistent access without re-authentication, directly draining wallets for in-game asset buys.

Developer and publisher analysis[edit | edit source]

The game was developed and published by "Folso Dev.," an entity with no prior Steam history beyond Click Adventure. The name "Folso Dev." raises suspicions, phonetically resembling "false dev," and no verifiable social media, support contacts, or external presence exists for the developer outside automated Steam crawls. The game's SteamDB page shows it achieved a peak of only 4 concurrent players before removal on or around September 15, 2025, further indicating it was not a legitimate commercial release but potentially a vehicle for scams. The earliest wallet-drain reports appeared after the initial release, but before the build pushed on September 12, 2025, just before the game was banned.^[2]

Steam's Terms of Service require developers to maintain accurate contact information and adhere to security standards. Valve's review process failed to detect the exploit prior to launch, allowing the game to go live for over a month.

Valve's response[edit | edit source]

Valve removed Click Adventure from the Steam store following user reports, but affected users have not received refunds or compensation. One forum claim suggests some refunds occurred, but no verified cases have been confirmed, and multiple victims report Valve denying reimbursement requests. Steam's Subscriber Agreement states that users are responsible for securing their accounts, potentially shielding Valve from liability:

You are responsible for maintaining the confidentiality of your account and password and for restricting access to your computer. You agree to accept responsibility for all activities that occur under your account or password.^[3]

This clause may justify Valve's refusal, despite the compromise originating from a Valve-vetted game. No broader investigation into similar exploits across other titles has been announced.

Security Concerns[edit | edit source]

The most significant consumer rights issue highlighted by this incident is the failure of Steam's security measures. Reports from victims indicate that the unauthorized transactions occurred without triggering the typical Steam Guard alerts, which are designed to notify users of any suspicious activity on their accounts. When victims attempted to seek refunds for the stolen funds, Steam Support reportedly denied their requests, citing a lack of grounds for a refund.

This incident has prompted calls for greater transparency and accountability from Valve regarding the security of its platform and the fairness of its refund policy for users who are victims of fraud and highlights gaps in Steam's game approval process for detecting malicious software. Consumers are left vulnerable to wallet drains from ostensibly legitimate titles.

Reported impacts and recommendations[edit | edit source]

Complete list of reported impacts[edit | edit source]

• Account compromise without login alerts.
• Unauthorized Marketplace purchases of Click Adventure inventory items.
• Wallet drains ranging from $13 to $205.
• At least 18-25 confirmed victims worldwide.
• No automatic refunds; manual requests denied.

Recommendations for users[edit | edit source]

• Monitor purchase history and enable Steam Guard mobile authenticator.
• Avoid adding significant funds to Steam wallets; use direct payment methods.
• Report suspicious games via Steam discussions and contact support immediately upon detecting unauthorized activity.
• Deauthorize all devices and change passwords if compromise is suspected.

Conclusion[edit | edit source]

The Click Adventure case underscores possible vulnerabilities in Steam's systems that enabled malicious actors to drain funds from users without triggering standard security alerts. While Valve has taken steps (removing the game), many affected users have not received recompense. Whether this incident prompts broader policy or security changes remains to be seen.

References[edit | edit source]