The trade looked right because it was your trade
You agree on a swap with a trader you have talked to for two days. His offer arrives, you check the name, the avatar, the years on the account. Everything matches. You confirm on your phone, the app shows the familiar green tick, and thirty seconds later your knife is in an inventory you have never seen, owned by an account created last Tuesday.
Nobody guessed your password on the spot and no malware touched your PC that day. The attack happened weeks earlier, in about four seconds, when you logged into what looked like a tournament voting page. That login planted a Steam Web API key on your account, and the key did the rest.
The API key scam has been emptying inventories since the CS:GO days, and it still works in 2026 for one reason: every visible detail of the final trade is genuine. Your trade, your confirmation, your Steam Guard approval. The only fake part is the recipient. This guide walks through the mechanism, the warning signs that a key is planted on your account, and the cleanup that actually removes the attacker.
The key that can watch and cancel your trades
The Steam Web API key is a developer feature. Anyone can generate one for their own account at steamcommunity.com/dev/apikey, and it lets software act on parts of the account without logging in through the website. For trading, the relevant powers are:
- reading your incoming and outgoing trade offers in real time
- canceling and declining trade offers on your behalf
- watching your inventory and your trade partners
Here is the uncomfortable nuance: asking for an API key is not proof of a scam. Some legitimate peer-to-peer marketplaces, Waxpeer among them, genuinely use your key to track when trades complete. Traders have been trained for years to treat the key as a routine signup field, which is exactly the reflex the scam exploits.
What matters is not the key. It is where you were when the key was created. Generated by you, on the real Steam domain, for a site you deliberately chose: normal. Registered quietly after you typed your password into a page some stranger linked you to: that is the scam, already in progress.
Thirty-second check, right now: open that API key page and look. If a key exists and you never made one, or the registered domain is something like "localhost" or a string of gibberish, treat the account as compromised and jump to the cleanup section.
Anatomy: four steps, one confirmed trade
The scam is a pipeline, and the phishing site at the start is the only part you can refuse:
- The bait. A link arrives where traders live: Discord servers, trade site comments, Steam friend requests. Vote for my esports team. Claim a free case. Check this cheap knife. The page opens a pixel-perfect copy of the Steam login window, and the credentials go to the attacker.
- The plant. Using your fresh session, the attacker registers a Web API key on your account. No email, no notification, nothing visibly changes. The key can idle for weeks while you trade normally, which is why victims rarely connect the theft to the phishing moment.
- The swap. The attacker's script watches your outgoing offers through the key. The moment you send a real trade, the script cancels it and instantly sends a replacement from a bot account wearing your partner's exact name and avatar. The offer contains the same items, so at a glance nothing changed.
- The confirmation. Your phone buzzes, you approve what you believe is the trade you just sent, and Steam Guard sees nothing wrong, because the confirmation genuinely came from your account. The items transfer to the impostor.
You log in on a fake site
A lookalike Steam login page on a phishing site captures your credentials. Nothing visibly breaks, so you move on.
A key is planted
The attacker registers a Web API key on your account. It sits there silently, sometimes for weeks, watching your trades.
Your real trade is swapped
The moment you send a genuine offer, a script cancels it and a bot cloned from your partner's name and avatar sends an identical one.
You confirm, items leave
The mobile confirmation is real, so Steam Guard approves it. Your items go to the impostor, not your partner.
Notice what never happened: nobody bypassed two-factor authentication. The scam does not break Steam Guard, it launders the theft through your own approval. That is why no security setting stops it once the key is planted, and why the fix is removing the key, not adding more confirmations.
Four signs a scammer is camped on your account
A planted key produces symptoms. Most victims see at least one of these and explain it away as Steam being buggy:
- Your outgoing trades cancel themselves. You send an offer, and seconds later it shows as canceled by you. This is the single strongest tell. Steam does not cancel offers on its own, and a bug that only affects trades does not exist.
- Your partner never receives the offer. They are staring at an empty trade page while your client says the offer was sent. The real offer was killed mid-flight and replaced.
- Confirmation prompts you did not trigger. A Steam Guard request appears on your phone for a trade or market listing you never started. Someone else is driving.
- A key you never made. The API key page shows a registered key with an unfamiliar domain. Scam scripts rarely bother with plausible names.
One of these is enough. Do not finish the trade you were making, do not send a test offer with anything valuable, and go straight to the cleanup below.
Revoke, rotate, recover: the 15-minute cleanup
The attacker holds two things: your password and the key. The cleanup removes both, in this order:
- Revoke the API key. On the API key page, hit "Revoke My Steam Web API Key". This blinds the script instantly.
- Change your Steam password. The key was planted using credentials that still work. A new key can be registered tomorrow if you skip this step.
- Deauthorize all other devices in Steam Guard settings. This ends every session the attacker may still hold.
- Generate a new trade URL in your inventory's trade offer settings. The old token is in the attacker's database, and a fresh one cuts that thread.
- Recheck the API key page a day later. A key that reappears means a session or credential survived, so repeat the sequence and check the email account attached to Steam too.
- If items already left: since Valve's July 2025 update you can reverse trades of protected items within seven days, at the cost of a 30-day trade ban. How that reversal works, and what it unwinds, is covered in our trade hold guide.
The second wave is also a scam. After a public loss, accounts will message you offering "inventory recovery" for a fee or claiming to be Steam staff. Valve employees do not contact players over chat, and nobody can restore items outside the 7-day reversal window. The recovery offer exists because freshly scammed people are the easiest people to scam.
Habits that make you a hard target
Every defense against this scam happens before the phishing page, because after it, the machinery is invisible. The habits that matter:
- Type or bookmark steamcommunity.com. Never reach a Steam login through a link someone sent you, no matter how good the reason sounds. The real login flow shows the green "Sign in through Steam" flow on the genuine domain; check the address bar character by character.
- Read the confirmation like a contract. The mobile prompt lists the exact items and the recipient. Ten seconds of actually reading it defeats the visual clone, because the impostor account's registration date and level will not match your partner's.
- Treat urgency as a red flag. Vote deadlines, expiring bonuses, and one-hour knife discounts exist to make you skip the address bar check.
- Audit your API key page monthly. It takes ten seconds and catches a planted key before it fires. While you are at it, review which skin marketplaces hold your trade permissions and drop the ones you no longer use.
Scammers target liquid, high-value items because they move fast after the theft. If your inventory holds anything in this class, assume you are already on somebody's list. Current prices for these and every other skin are in our CS2 skins database:
Check any trading site before you log in with Steam
Every service on SkinJudge has a Safety Score, corporate transparency data, and reports from traders who used it. Thirty seconds of checking beats a month of recovery.
See the safest servicesCan skins be stolen with just my API key, without my password?
The key alone can watch and cancel your trades, which enables the switch, but the full scam also needs the counterfeit offer and your confirmation. In practice the question rarely matters, because the same phishing page that planted the key also took your password. Treat a planted key as proof that your credentials are burned, and run the whole cleanup, not just the revocation.
Does revoking the API key make me safe again?
It removes the surveillance, which stops the trade-switching immediately. It does not log the attacker out or change the password they captured, so they can plant a new key whenever they want. Revocation is step one of five: password, device deauthorization, and a new trade URL close the remaining doors.
Will Steam return my stolen skins?
Within seven days, you can do it yourself: Trade Protection lets the sender reverse trades of protected items, at the cost of a 30-day trading restriction. Past that window, the answer has been no for years. Valve's stated policy is that items leave through confirmations you approved, and Support does not restore them. The window is the safety net; there is no second one behind it.