Click Adventure: Difference between revisions

In mid-2025, a game named Click Adventure, published by “Folso Dev.” on Steam, was found to have facilitated unauthorized withdrawals from users’ Steam Wallets via the Steam Community Marketplace. Players reported wallet funds disappearing after transactions of worthless items, despite having security features enabled. The game was eventually removed from Steam, but many victims have not received refunds. This case has raised concerns about gaps in Steam’s marketplace and account security. Steam, in response, has responded saying that Community Mark transactions are not possible to reverse despite the developer having already been banned from the platform by the time the refunds were sought.

The Click Adventure wallet drain controversy involves the Steam game Click Adventure compromising users' accounts to execute unauthorized Steam Community Marketplace transactions for in-game inventory items, draining Steam wallets without triggering Steam Guard alerts. Secondly, it covers the suspicious nature of the game's developer and Valve's removal of the game without providing refunds or compensation to affected users.

Click Adventure, a casual clicker game released on August 6, 2025, reportedly led to account compromises where users received emails about unrecognized Marketplace transactions for inventory items tied to the game. Affected users consistently reported that they did not own or interact with Click Adventure prior to the incidents. Losses varied, with some users reporting drains as low as $13 and others up to $205 from their Steam wallet balances. These transactions occurred without Steam Guard login alerts, suggesting a bypass of standard security protocols.

The scam, uncovered by consumer rights group Sentinels of the Store, involved a sophisticated network of hacked "seller" and "buyer" accounts. The developer, "Folso Dev", had reportedly been stockpiling these compromised accounts for up to nine months prior to the game's release.

The scheme operated in a two-step process:

1. Item Listing: The scammer used the compromised "seller" accounts to list in-game "shell items" on the Steam Community Marketplace. The price of these items was strategically set to match the exact amount of money in a victim's Steam wallet.
2. Wallet Drainage: The scammer then used the compromised "buyer" accounts to purchase these overpriced shell items. This transaction effectively transferred the funds from the victims' wallets to the scammer's "seller" accounts.

This process was repeated across numerous compromised accounts, allowing the scammer to quickly and efficiently launder stolen funds. At least 18 users worldwide have publicly reported these issues, with discussions indicating up to 25 cases, though the true number may be higher as not all victims come forward. Users described their accounts as compromised, with wallet funds vanishing through purchases of Click Adventure-specific items, despite no prior engagement with the game.

Steam Guard, Valve's two-factor authentication system, typically sends alerts for unrecognized logins to protect accounts. However, in these incidents, no such alerts were received, allowing unauthorized access and transactions. Reports suggest the compromise occurred via session hijacking or credential theft, possibly facilitated by malicious code within the game itself. The consistent targeting of Click Adventure inventory items implies the exploit was designed to launder funds through Marketplace purchases, evading detection.

The game's low-effort design—a simple clicker uncovering locations and loot—may have served as a vector for malware, extracting session cookies or login data without user awareness. This allowed hackers to maintain persistent access without re-authentication, directly draining wallets for in-game asset buys.

Valve removed Click Adventure from the Steam store following user reports, but affected users have not received refunds or compensation. One forum claim suggests some refunds occurred, but no verified cases have been confirmed, and multiple victims report Valve denying reimbursement requests. Steam's Subscriber Agreement states that users are responsible for securing their accounts, potentially shielding Valve from liability:

You are responsible for maintaining the confidentiality of your account and password and for restricting access to your computer. You agree to accept responsibility for all activities that occur under your account or password.

This clause may justify Valve's refusal, despite the compromise originating from a Valve-vetted game. No broader investigation into similar exploits across other titles has been announced.