
Gustav Bartholdsson

2023-10-23

What is an API-scam?

To start off, what the CS:GO community calls an "API scam" is really a phishing scam. Phishing means impersonating a party you trust (here, Steam's login page) to trick you into handing over something of value: first your credentials, then your skins. The API key by itself does not let the intruder take anything from you, but we will come back to that later. For simplicity we will keep calling it an API scam, since that is the term used throughout CS communities. For an API scam to be possible, the intruder needs access to your Steam account.

How does the intruder gain access to my account?

The intruder tricks you into entering your Steam credentials into a fake login window, a pixel-perfect imitation of Steam's real login page. This happens when you log in to a third-party site: a legitimate site such as CSMiddler sends you to Steam's real login page, while the intruder's site sends you to the imitation. Whatever you type into the imitation is forwarded to a parallel login session the intruder is running against Steam's real login page, so when you confirm the login in your Steam mobile app, you are confirming the intruder's session. Steam Guard does not stop this, because you completed the second factor on the intruder's behalf.

At this point, the intruder will most likely create an API key. The "Domain Name" row on your Steam Web API key page will no longer be blank but will show a domain name or a string of digits.

Steam Web API key showcase image

The API key lets the intruder track your trade-offer activity: every offer you receive and send. But the absence of an API key does not mean with certainty that you are safe. The intruder can instead run a bot, logged in with your stolen session, that constantly refreshes your trade-offer page looking for incoming offers. That gives the intruder the same information the API key would, but from your perspective the API key row stays empty, as the picture below shows.

Steam Web API key showcase image

* It is not dangerous to have an API key as long as you, or a party you trust, put it there. For example, we at CSMiddler, like every other marketplace, need an API key to know when you have sent or received your skins.

The actual scam

Imagine this scenario: you have sold a knife, the buyer sends you a trade offer for it, and you are about to open the Steam mobile app to accept. The intruder who has access to your account is alerted, through the API key or their bot, that you have received an offer for your knife. Within a few seconds they decline the offer from the real buyer, copy the real buyer's profile name and picture, and send you an exact copy of the original offer from their own account. Declining an offer does not require a second-factor confirmation, so the intruder can do it with nothing more than the logged-in session your password gave them. All of this is automated and happens within seconds, which is why it raises no red flags whatsoever for the average trader.

When you, the seller, log in to see your trade offers, you will see only one offer for the knife the buyer bought. The problem is that this offer is from the intruder; the real one has been declined and is gone. If you accept the imitated offer, your knife is gone for good as well.

The biggest misconception about api scam

The intruder does not need your API key to pull off an API scam. Access to your account is what matters, because the intruder must be able to decline the real offer for the fake one to look legitimate. If the intruder has only your API key and not access to your account, they can still send a look-alike offer at the same moment you receive the real one. But since they cannot decline the real offer, you will see two offers for the same items, which should be enough of a red flag to understand what is going on.

How to prevent being API-scammed

  1. Check your Steam Web API key page for a key that neither you nor a trusted party (for instance CSMiddler) put there.
  2. Log in to your Steam account, go to "Recent login history" and look for anything suspicious: logins from countries, devices or times you do not recognise.
  3. Change your password from time to time, and immediately if you have logged in to an unfamiliar website. Changing your password is the only way to be fully sure an API scam is not possible: all other logged-in devices are logged out, and with them any intruder. It does not even matter if an intruder's API key remains on your account (revoke it anyway), because without access to your account they cannot decline the real trade offer, which is the key to tricking you.
  4. Research the authenticity of a third-party site before logging in. Make a post in a Facebook group to see if others can vouch for the specific site; ask around!
  5. When you do log in to a third-party site, double-check that the URL of the Steam login page starts with https://steamcommunity.com/ and that the host is exactly steamcommunity.com, not a lookalike that differs by a character, adds a subdomain or puts the real name before an @ sign. This, and only this, is Steam's real login URL. A padlock or valid certificate on its own proves nothing, since phishing sites use HTTPS too.
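A concrete form of step 5, as an added example that is not part of this post: a Python function that accepts a login URL only when the scheme is https, the port is the default and the host is exactly steamcommunity.com. The sample URLs are constructed by me; the hostile hosts in them are hypothetical placeholders, not real phishing domains.

```python
"""Accept a Steam login URL only if its host is exactly steamcommunity.com."""
from urllib.parse import urlsplit

STEAM_LOGIN_HOST = "steamcommunity.com"


def is_real_steam_login(url: str) -> bool:
    """True only for an https URL on the default port whose host is steamcommunity.com.

    urlsplit().hostname drops any userinfo ("steamcommunity.com@evil"), drops the
    port and lower-cases the host, so the comparison is strict on the part that
    matters and tolerant of harmless capitalisation.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises ValueError on junk
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if port not in (None, 443):                 # a non-default port is not Steam
        return False
    return host == STEAM_LOGIN_HOST             # exact match: no subdomains, no lookalikes


# Constructed samples with the verdict each should get.  The hostile hosts are
# hypothetical examples of the tricks in step 5, not real phishing sites.
SAMPLE_URLS = {
    "https://steamcommunity.com/openid/login?openid.mode=checkid_setup": True,  # real OpenID login
    "https://STEAMCOMMUNITY.COM/openid/login": True,                 # host names are case-insensitive
    "http://steamcommunity.com/openid/login": False,                 # not https
    "https://steamcomunity.com/openid/login": False,                 # one letter missing
    "https://steamcommunity.com.login.example/openid/login": False,  # real name used as a subdomain
    "https://steamcommunity.com@login.example/openid/login": False,  # real name as userinfo before @
    "https://steamcommunity.com:8443/openid/login": False,           # non-default port
    "https://login.example/steamcommunity.com/openid/login": False,  # real name only in the path
}


def check_samples() -> dict:
    """Map each sample URL to whether the check agrees with its expected verdict."""
    return {url: is_real_steam_login(url) == expected for url, expected in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for url, agrees in check_samples().items():
        print("ok " if agrees else "BAD", url)
```

The exact string comparison is deliberate: it also rejects hosts with a trailing dot, Punycode (xn--) forms and homoglyph names, which a "starts with" or "contains" check would let through.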

There will always be scammers, and they will always find new ways of tricking people, but learning how their methods work improves your odds of avoiding scams enormously!

Think like a scammer to avoid one ;)

About us

The easiest and cheapest place to buy and sell CS:GO skins. Created with ❤️ by Swedish gamers.

support@csmiddler.com CSMiddler AB 559381-1440
Stora Nygatan 31, 411 08, Gothenburg
© 2023-2024 csmiddler.com. All rights reserved

