How does it work?
This scam is based on fake websites that use a phony “Sign in through Steam” form. These sites are often promoted through search engine ads and can completely copy the design of well-known, legitimate websites.
When you try to log in on such a site, you’re shown a fake Steam login page. It asks for your username, password, and Steam Guard code. Once you enter this information, scammers gain access to your account and create a Steam Web API key, which allows them to fully control your trades.
When you receive a trade offer, the bot instantly cancels it, then renames its account to imitate the original sender. After that, it sends you a new trade offer for the exact same skins.
If you accidentally confirm this trade in the Steam mobile app, your skins will be sent to the scammer. Once this happens, it is impossible to recover them.
How to protect yourself?
If a trade offer cancels itself automatically, that means your account has already been compromised and a scammer is interfering with your trades.;
If you see any active Steam Web API key listed on your account and you didn’t create it yourself, that means a scammer has access to your account;
In this situation, you should immediately change the password for your Steam account;
Next, go to the Steam Web API page and revoke the existing API key. Only create a new one if you personally use it for legitimate purposes.);
After that, change your trade offer link to invalidate the old one;
Finally, update your new trade link on all websites and services where you previously used it.