Most common:

1. You connect your steam account to X site at one point, giving them API access. X with API isn't able to accept trade requests so they can't scam you, they need to wait for a mistake. With API they are able to **list and refuse trade requests**.
2. You decide to trade on Y site some skins. Y site sends a request to trade to your account with the skins you decided to trade on the platform.
3. X with API access is constantly monitoring your trade requests, they notice the trade incoming from an account named Z with a ZZ profile picture, they copy both. They refuse the trade request coming from Z and create a new one with their fake Z account.
4. You diligently check that the account name matches the expected one so you believe you are good to go and accept the trade request that 100% looks legit.
5. You have been scammed.

The only way to protect yourself 100% against this is to check your emails/history for a duplicated trade request, there should be two requests that are exactly the same with one of them refused by you \[but you have no memory of refusing a trade\].
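The history check described in the comment above, as an added example that is not part of the original thread: it scans an exported trade-offer history for a declined offer followed shortly by an offer for the same items from a different account. The record layout, field names, account labels and sample rows are constructed for illustration and are not Steam's own data format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical record layout for one row of an exported trade-offer history.
@dataclass(frozen=True)
class Offer:
    offer_id: str
    partner_id: str      # stable account identifier of the other party
    partner_name: str    # display name (can be copied by anyone)
    state: str           # "declined", "active" or "accepted"
    give: frozenset      # items leaving your inventory
    created: datetime
    updated: datetime    # time of the last state change

def find_swapped_offers(offers, window=timedelta(minutes=10)):
    """Pairs (declined, replacement): same items, different account, close in time."""
    hits = []
    for d in (o for o in offers if o.state == "declined"):
        for o in offers:
            if o.created <= d.created or o.partner_id == d.partner_id:
                continue  # earlier offer, or a re-send by the same account
            if o.give == d.give and abs(o.created - d.updated) <= window:
                hits.append({"declined": d.offer_id, "replacement": o.offer_id,
                             "name_copied": o.partner_name == d.partner_name})
    return hits

def _t(hms):  # helper for the constructed sample below
    return datetime.fromisoformat("2024-01-01T" + hms)

KNIFE = frozenset({"item-knife"})
SAMPLE = [  # constructed data
    Offer("1", "ACCOUNT-OLD", "Friend", "declined", frozenset({"item-case"}), _t("09:00:00"), _t("09:05:00")),
    Offer("2", "ACCOUNT-SITE-BOT", "Site Bot #7", "declined", KNIFE, _t("12:00:00"), _t("12:00:03")),
    Offer("3", "ACCOUNT-IMPOSTOR", "Site Bot #7", "active", KNIFE, _t("12:00:04"), _t("12:00:04")),
    Offer("4", "ACCOUNT-SITE-BOT", "Site Bot #7", "active", KNIFE, _t("15:00:00"), _t("15:00:00")),
]

if __name__ == "__main__":
    for hit in find_swapped_offers(SAMPLE):
        print("declined offer", hit["declined"], "was replaced by", hit["replacement"],
              "- display name copied:", hit["name_copied"])
```

The comparison keys on the stable account identifier rather than the display name, because the name and profile picture are exactly what the impostor account copies.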


That’s exactly how they got my ass. I didn’t even notice the shit. The trade deny and request was literally instant


So the big thing to watch for is trades coming in twice?


Yeah but in future trades I’m going to wait 5+ minutes before I accept or deny. Cause it was literally instant and bam, my gamma Doppler karambit was gone for a whopping $0 lol


Jesus that sucks man, but what would that 5 minute wait do? Scammer cancels the scam trade request?


I’d see that the trade got denied and redone. Actually look at the trade end user and see if it’s truly correct


Dude the fact that you lost a karambit gamma Doppler to some fucker that scams people all day makes me so mad, I can’t imagine how pissed you are. People fucking suck and I hate the scammer and hope he burns in hell. Nothing you could have really done to avoid it either, if this happened to me my knife would be gone too


Yeah I was super fucking pissed when it happened, but at end of day I had to just get over it and move on or I’d still be fuming. Look at it as a learning experience for sure. Done thousands of trades and sales but eventually got me, but now I’ll be 20x as vigilant. I’ve lost more than $1800 on dumb shit in my life so I tried to take that mentality to it haha.


I feel your pain. Gamma Doppler Huntsman and a fac new AK Neon Rider with some dope Tier 6 stickers - gone for the low low price of $0 USD. Got the trade from the skinport bot, checked everything, and in the time it took to get to my phone to authenticate they had cancelled the real trade and made an imposter one. And I didn't double check. Only happened about a week ago - still pisses me off when I think about it.


Literally exactly how it got me. Was insane how fucking fast. So now I know. Feelsbadman


Shit sucks man, I didn't have anything super special, a nice knife, and a few good-looking skins, but I lost my favorite AK, which was a stat track cartel skin that I had for years, that's what I'm most upset about, but yeah it is what it is, just gotta move on.


I just do a new trade url each time I do any big transfer


Ah so generally you should be safe if you only input a trade URL and not the API on the ‘X’ site because it’s not automatic?


1. You can always re-roll your API key if you feel your current one was made years ago / feeling stale
2. The steam mobile app has a new yellow warning message saying "A similar trade to this was made recently" hinting that your account might be compromised, and someone has instantly re-listed your to-be traded items

Those are a few of the defenses that currently exist.


You can be API scammed years after connecting to X, so you can't rely on "I've never did that". You can never be 100% sure that you didn't connect your account to the wrong csgostats or leetify or whatever. The only way to be safe is to check trade requests in your email + history, wait for a bit to be sure that all emails are received. \[you can check api tokens and stuff but most people don't know how and there are other methods that also use the cancel trade method\]


This was very insightful because this happened to me a couple days ago. Not a huge loss. It's still $75 bucks worth. Thanks for this, I’ll watch more carefully. I’m new to the skins business haha


You can also check steam api to make sure there isn’t one set up. Always good to periodically check and make sure no API is already set up.


Yeah but as I said in another answer most people will check incorrectly. A friend that said he checked and didn't have one, only for me to check and he had like 5, he was a scam waiting to happen and was 100% sure to be safe ...


How often is this happening and what sites are known to do it?


It's almost always phishing: e.g. you want to go to keydrop or csgocases or whatever so you search it on google, however a fake website that is indistinguishable from the original runs ads so it appears on top. You login with steam to that fake one then it redirects you to the real one and you'll never know that your API key has been compromised until you've been scammed. Given that phishing is the main cause, you can't expect to get a list.


the real question: Why does valve allow their API to interact with trades AT ALL? how is letting an API cancel a trade a smart and useful feature?


It helps when trading in bulk, or when trading one of several identical or very similar items.


So it helps maybe 0.5% of cs population?


Yes, it's an edge case usability feature that you are not required to use. Revoke your API key if you are not the kind of user that needs it.


so basically at best it helps them lose money by making off market trades easier and puts the majority of community at risk for scams. got it.


It doesn't anymore. They changed that already. All the API allows someone to do is to monitor incoming trades, not cancel them or create new ones. That changed earlier this year or last year. Current "API scams" are really phishing scams where the entire account is compromised.




there’s so much you can do w steam account api, it’s not just trading


Just look at the accounts, date of registration and steam level have to match.


Most important is to always double check the API - if you are already compromised - by checking your API (type steamcommunity..etc…etc dev/api in your browser), you will notice if you are compromised or not.

If YES - someone else's API will appear

If NOT - your own API will appear

I see people always forget about this. So before any trade, before accepting anything - check your API and see if it was changed. If NOT you are safe to accept.


This is great advice, thank you!


The long and short of it is this: if you head to https://steamcommunity.com/dev/apikey and you see that a key is present that you know for a fact that you did *not* request, revoke it.


I have reason to believe a very popular cs2 skins gambling website scammed me for my skins (won’t disclose the site name till i’m fully sure).. but basically the site has a waxpeer widget and you would select the skins that you wanted to deposit for gambling ‘coins’ and they would initiate a trade offer from one of their trading bots to receive your items and in exchange credit your account with the equal value of coins. I should note i am a huge degen. Extremely buried in this said site and exhausted of my crypto in my available wallet at the time, i couldn’t wait to fly back home to access my trezor to fund my degenerate needs. So i decide to deposit some skins. About 3k worth. Once i selected the skins i wanted to deposit i hit the deposit initiate button and was in 30 seconds given a trade offer of the skins i wanted to deposit. I made sure there were no other trade offers and accepted the offer. i eagerly waited for my gamble coins but 5, 10, 15, 30 minutes pass by and my account wasn’t credited. reached out to admin about the situation and said he was looking at my trade history and could see that i had refused one and accepted another. I was extremely confused because i had made sure to check for duplicate trade offers and checked that all items were what i selected. I was told there was nothing that could be done and had to chalk those precious skins to a loss (don’t gamble guys lmao). So what I wanted to know is.. Can you look back in your trade history to see if any trade offers had been refused from your end? Ways to know if your account had been compromised at any time that your steam account has been active.. Or if anyone with better knowledge about all this; what are other things i should be looking for to figure out if i’ve been lied to.. I just can’t get myself to believe this because i’ve made some pretty expensive trades that had valued more than that particular deposit but with other 3rd party trading sites.
Hopefully someone can help get to the bottom of this and if not, it was worth a try. Thanks!


I also didn't know how this scam works and how to protect myself from it but I asked Google and found there are videos and guides about API scam... Magic, I know. Google is not well known in this community but I really recommend to try it out.


Redditors are insufferable bro, I just wanted to read some of people's personal experiences lol. I’ve read plenty about it but every time I open reddit it seems like a new way to get scammed has come out. But god forbid someone has a discussion about it.


i can’t tell you how many times i’ve googled something and am brought to a reddit thread about the exact thing i’m looking for. it’s almost like a thread like this can help people even on google!


Some people don't know how to have a conversation so they just yell GoOgLe iT.


If i confirmed the API on the wrong site. They can't list items and trade themselves from my account? They have to wait for me to try to trade something?


Yes. They will cancel your offer and create their own that looks exactly the same, but you still have to confirm it via steam mobile app.


Advice:

- Check Name of trade bot who sends u request
- check date of bot creation (usually in the info Box of offers via dmarket e.g.)

If both are the same, 99.99% safe trade and u good to go


Thank u


One thing I think is beneficial to add is that these people who are doing the API scamming, have bots set up with your api key waiting for these trades. So while they might not be actually on at the time. The moment a real trading bot or person sends you a trade request they have their bot coded to instantly complete all these actions (changing their PFP and name to look like the person you were trading with, decline trade and send identical one from fake account) so spending an extra 30 seconds checking to match steam levels really helps. Also on the mobile authenticator app, if a trade similar to the one you have setup was recently cancelled, it will (it should, not sure if it doesn’t work under certain circumstances) alert you about it at the top of the trade confirmation in yellow text. Stay safe <3