Counter-Strike 2 is one of the world’s most popular games, with over a million players online at virtually every moment of the day. However, if you go beyond the exciting 5v5 action and bustling esports scene, you may find a dark underworld of scammers, money launderers, and illegal casinos.
In this article, I explore the grey areas surrounding the world’s top first-person shooter, how they can affect you and your family, and why Valve hasn’t solved the issue yet. But to do that, let’s go back where it all began and how we got to this point.
Counter-Strike skins explained: how Valve turned in-game customization into a multi-million dollar business
Counter-Strike is one of the oldest gaming franchises, launching in 1999 as a mod to Valve Software’s hit game, Half-Life, before becoming a full game in 2000. The series went through a few iterations, launching one of the biggest esports scenes in the world, leading up to the 2012 launch of Counter-Strike: Global Offensive.
While Global Offensive had quite a rocky start, 2013 saw the introduction of The Arms Deal update, which is where our particular story starts. The update introduced a relatively novel concept of microtransaction-based decals for in-game weapons called skins to a wide audience. Skins are purely cosmetic and don’t give any sort of gameplay advantage.
Using the fact that the game’s developer, Valve, owned the world’s largest online game platform, Steam, the developers decided to make the skins tradeable in the app. This was revolutionary, as for the first time, digital in-game items from a mainstream game had tangible value, as they could be exchanged not just for other in-game items, but actual games.
These skins could be acquired through normal gameplay or by opening loot boxes, which required purchasing keys on the Steam marketplace. Thus, you could potentially spend $3 opening a case and find a $200 skin waiting inside, which you could easily turn into games, while Valve would keep a 15% “tax” on every transaction.
As Steam, the Counter-Strike skin market and Counter-Strike itself grew, so did the secondary market built around skins. You see – selling skins for Steam currency wasn’t the only way to earn money off in-game items. Since players are able to trade skins with each other, third parties noticed that they can use skins as a form of currency, exchanging them for real money, other services, or currency in online casinos.
Counter-Strike casinos: how Valve accidentally enabled an underage gambling market
Since Valve wanted to make Steam accessible to developers, it developed an API allowing easy trading access. This, in turn, allowed for the automatization of skin trading, which meant that third-party developers could easily create websites based around Counter-Strike skins.
Many of these websites were pretty benign and sensible. Marketplaces that offer better prices for skins, websites that allow instant payouts to services like PayPal, and so on. Others, however, were focused on making the most money possible through creating online casinos, where skins were used as the buy-in and payout.
As you can imagine, these casinos are hardly controllable. They exist outside of regulatory bounds, as many countries still refuse to accept in-game items like skins as items of actual value. This also meant no regulations on user age, anti-addiction safeguards, or fairness guarantees.
The ghost of Counter-Strike gambling past: CSGOLotto
In short, Counter-Strike skins unwittingly enabled the creation of a scattered web of unregulated and often underage gambling. This first came to light in 2016, when it was discovered that two popular YouTubers, Trevor “TMartiN” Martin and Steven “Syndicate” Cassell, were owners of a gambling website they were promoting called CSGOLotto. This led to a wide scandal in the community and led Valve to take steps to reduce third-party skin trading.
Unfortunately, Valve’s restrictions didn’t do much to limit the presence of gambling websites. The market was worth approximately $5 billion in 2016, and while current day estimates are hard to come by, some sources point to the number being closer to $20 billion in 2024.
The ghost of Counter-Strike gambling present: CSGORoll vs CSGO Empire
Recently, Counter-Strike skin gambling once again came to the forefront due to what can be best described as a casino war. Two gambling owners known only by their nicknames – Monarch from CSGOEmpire and Killian from CSGORoll escalated a public campaign against each other. The whole affair included death threats, public stunts, and doxxing. The conflict was eventually covered by investigative journalist Coffeezilla in a widely watched YouTube series.
To give you the abridged version (though I do encourage you to watch the entire investigation), two former business partners have turned their cooperation into an all out war, where no one really comes out a hero.
In essence, Coffezilla shows that, despite Monarch, the owner, grandstanding on his morals, ran what can generously be described as a shady gambling business. Meanwhile, his former business partner turned competitor, Killian, ran a shady gambling business without even caring about the ethical implications of his actions.
While in 2024 CSGORoll has taken steps to verify the identity of their customers and ensure that they’re all over 18, they still only perform KYC (know your customer) procedures after you purchase their internal currency, meaning an underage person that wants to play on the website will lose their money, with nothing to show for it. Many other websites also join in on this practice, which is just inherently unethical.
In short, while some restrictions apply, underage kids may still end up giving hundreds of dollars to a casino owner. The only difference is that they won’t be able to play.
The ghost of Counter-Strike gambling future: Valve’s decisions
The truth, however, is that skin gambling is only possible because Valve indirectly enables it. Despite more and more trading restrictions, as long as peer-to-peer trading exists, it will be used by third-party websites to make money.
Valve outrightly bans gambling and does not see itself responsible. But the truth is, blocking gambling and other dangers described here will only be possible if Valve follows the example set by EA in 2014, when they banned direct item exchange in their FIFA series (now EA FC) after it was abused by third-party websites.
What’s more, Valve also directly profits from gambling-like mechanics with no KYC whatsoever. While the game is rated 18+, Valve allows any user above 13 to use their services. On top of that, except for jurisdictions that require ID verification to buy mature games like Germany, age is verified based on self-declaration, which can be essentially outplayed by any semi-attentive teen armed with a calculator. Of course, similarly to the casinos, Valve has a distinct financial incentive to keep its lootboxes and virtual items widely available, making over $1 billion from cases in 2023 alone.
While this will be frustrating to legitimate users, the truth is that the last 12 years of skin trading show that it’s impossible to terminate the market in any other way. And gambling isn’t the only problem with it, either.
Money laundering with Counter-Strike skins
Money laundering is another topic that has been heavily linked with Counter-Strike skin trading. In 2019, reports showed that cybercriminals have started using the Steam market to launder money, leading Valve to make further changes to their systems. However, many users continue to speculate that high-value collector’s items are being used by criminals to launder money.
Prices of Counter-Strike skins have skyrocketed in recent years, leading many to speculate that top-tier skins are being used to launder money discreetly. Since the most expensive skins are often sold directly, or through trusted intermediaries, it may seem so.
That’s because most leading Counter-Strike markets instituted KYC features to help reduce the risk of being accomplices in major fraud. Unlike casinos, these markets rarely operate in the grey zone, and are mostly legitimate businesses operating within the legal bounds of their jurisdictions. However, with specialists now recording transactions in excess of 1 million dollars for rare knives, it’s pretty easy to see why some users cry foul.
Game imitates art
It’s no surprise, either, given that Counter-Strike skins follow a similar pattern to art, and other collectibles, which are being used to launder money all over the world. Since every Counter-Strike item is wholly unique, owing to how they’re generated in-game, the potential to elevate the rarest patterns as collector items is incredible.
This isn’t a rare occurrence either, Japanese crime syndicates have been found using Pokemon trading cards to launder money, while other collectibles have also been used to legitimize stolen funds. With Counter-Strike items having similar features, and having the advantage of being virtual, thus allowing for even more obfuscation, they’re a perfect target for crime rings.
Despite a multitude of regulations, Valve still isn’t held responsible for the items it generates and profits from. This means that Steam items continue to have the potential to be used for money laundering as long as Valve allows peer-to-peer skin trading. Whether it’s because Valve wants to give users the option to monetize their engagement in its games, or because they simply profit from rising skin prices through the Steam Marketplace tax, Valve refuses to limit peer-to-peer trading on Steam, opening the door to money laundering and gambling.
Unfortunately, money laundering is just another piece in the puzzle of the dangers of the CS2 skins market. Where there’s a lot of money and lax security, there are scammers.
CS2 skins market scams explained
To function well, all these third-party sites require a few technically complex solutions. First off, they require Valve API access to be able to check user inventories and launch trade requests. To manage these trades without involving a load of employees, these third-party websites also use a wide array of bot accounts to perform the trades. These setups can be impressive in their complexity, but their nature inherently endangers users who can get scammed in a variety of ways. Sometimes, without even knowing, they’re exposed to a scam for years.
The phishing epidemic
Phishing is probably the most basic scam on the internet. It’s designed to steal your data by combining website spoofing and social engineering. In the Counter-Strike world, however, avoiding phishing attacks can be much more complicated than in other cases.First, there are two types of phishing in Counter-Strike-related cybercrime. The first attack is the traditional phishing attack. This involves simply swapping a Steam community login page for a fake one. With automation, even 2FA won’t really save you since you will be prompted for your Steam Guard login and promptly accept it, giving cybercriminals access to your account.
Cybercriminals use many different methods to phish, but the simplest one is using people's laziness and inattentiveness. They buy ads targeting certain keywords on Google that redirect the user looking for their favorite market to a spoofed website. For example, while researching this article, I accidentally stumbled upon a series of ads targeting the Chinese skin market, Buff.
As you can see, Google shows you three different scam websites as the top results, while the actual Buff market websites require scrolling to get to. The latter two ads on this screenshot had been flagged as phishing by Cloudflare by the time I clicked them, but the first website did not have a warning when clicked. To check how exactly it scams its victims, I launched a Virtual Machine and created a fake Steam account to play the innocent skin trader.
And let me tell you, this website is a wonder of phishing. Conventional wisdom says, "look at the address bar," but when I verified it, everything checked out. No typos in the address or anything like that. The only suspicious behavior was that I was prompted for another login despite being logged in to my Steam account. However, when I pasted the address in another tab, I logged in as if nothing ever happened.
So what is the trick?You're not opening another window. The window is actually part of the website rather than a separate popup, with the address bar made to look legitimate. When I made my browser window smaller and tried to drag the pop-up out of the website, it wouldn't budge. This method is called the BitB (browser in the browser) attack and has become pretty popular among scammers.
That said, wanting to see the mechanics of the scam with my own eyes, I proceeded to log in, verified my identity using a code sent to my email address, and was redirected to the real Buff website as soon as the process was over.
After logging in, I checked my account's authorized devices and found two phones logged in from Saint Petersburg, Russia, minutes after my very own login.
The example I’ve found wasn’t the only one, either. I found an identically spoofed websites pretending to be a case-opening website Hellcase and skin market SkinsMonkey. After I ended up getting phished, I got redirected to Hellcase’s real website. Interestingly enough this time, the phisher realized what was going on and logged out of my account after I authorized the login via email (the location of the login was, once again, Russia).
Now, luckily, Steam has some safeguards that won't really let cybercriminals do anything overtly costly from your account, as long as you don't have a lot of money in your Steam wallet. Unfortunately, if you do, a scammer might buy a worthless item they listed for your entire balance without any additional confirmation. Luckily, if your account is just games and skins, the worst they can do is play some of your games, which would get them noticed really fast or send some nasty messages to your friends.
Unfortunately, even having Valve’s proprietary 2FA solution Steam Guard installed won’t mean that you're safe. Quite the contrary, they can hide a backdoor in your account and launch it at the worst possible moment.
The API scam – a silent CS2 killer
As I mentioned before, third-party websites use a variety of tools to transfer skins from account to account. These include Steam bot accounts to serve as their skin storage, and the Steam API (application programming interface) that enables their websites to quickly send trade requests via Steam.
Every user who spends at least $5 on Steam can create their own Steam API Key, which lets software developers interact with Steam by using code rather than clicks. This allows cybercriminals to have a constant stream of information from all the accounts they've phished in the past to see whether they're trading any high-value items.
Cybercriminals use this fact to spoof transactions using their very own bots. The process is simple. The API left behind on a victim's account spots a high-value trade happening with either a bot or another account. The perpetrator's script quickly changes one of their bot's name and avatar to that of the account you’re trading with, cancels your trade, and sends an identical offer to get you to accept the transaction in your Steam mobile app.
This is particularly useful when targeting third-party website bots since they often send “empty” transactions to facilitate top-up payouts, or trades with a different bot. A cybercriminal isn’t likely to be able to hijack your swap with a friend, but a bot is quite simple to catch. If you’re trading with bots, remember to triple-check their creation date, and level, as these cannot be spoofed as easily as the account name and avatar.
To Valve's credit, they instituted a lot of safeguards to limit the power of this API, including removing the option to cancel a trade from the API level, and giving a scam warning if a trade is canceled by a scammer from the account level. They also instituted an additional mobile app confirmation when adding a new API key, making it much harder for cybercriminals to insert their own, although if you’ve created one for your own trading, they can still easily access it if they log into your account. These restrictions did reduce the number of API scams in recent times, however, some people are still being caught victim, as the API keys can lie dormant for years before you trade something of high enough value to pique a scammer’s interest.
Easy to spoof
With the way Counter-Strike third-party websites operate, creating a spoof website that will steal your skin is quite easy. Essentially, if you miss the initial redirection from a search engine being a fake one, the cybercriminals don’t even steal your login information to get you to trade your skin.
This is because the user's path to depositing a skin on a gambling site or using a skin for instant sales has only one potential roadblock – the Steam OpenID login page, which shows the website you’re logging into. When it comes to markets, this is usually simply an address in the domain you’re currently on. For example, here’s a login screen from SkinBaron, a legitimate marketplace:
SkinBaron’s login screen uses a company domain, so you should feel pretty safe logging in there. But that’s not the case for every legitimate trading website. For example, if we head to CS.Money, we’ll find that its login screen redirects you to login to a site called auth.dota.trade.
While, in this case, I know the website is legitimate since I entered the address directly in my browser, these discrepancies really make it hard to catch a spoofed website.
This is even more true for gambling websites. Having tested logins to three: hellcase.com, CSGOEmpire.com, and CSGORoll.com, none of them had a login address associated with their website. That’s because Valve technically doesn’t allow these sites access to their resources. That’s purely technically speaking, though. In practice, it doesn’t verify these API addresses, and even if it does, the websites have an intricate web of backups ready to go if one is banned. This is a method that requires some luck from the cybercriminals but is another opening left in Valve’s system.
Cybercriminals can also use these logins to find victims for their “middle man” scam, which is essentially a chat based scam where a stranger offers you a big amount money for an item you own, offering the services of a “trusted middleman” to transfer the money and skins between the two of you. Instead, the middleman is usually an alternate account of the cybercriminal, that keeps the skin.
How to avoid CS2 skin market scams
Being on the internet, we’re almost constantly exposed to scams. These range from simple phishing, through Nigerian princes, all the way to intricate refund scams run by gigantic call centers.
Cybercriminals love to prey on people’s blindsides. These are different for everyone. Unfortunately, the Counter-Strike skins market opens a big backdoor for many hackers, as despite being populated with tech-savvy individuals, the constant grey-market feel of basically every third-party website, makes it much harder to catch a scam.
Luckily, there are steps you can take to remain safe in the Counter-Strike world. Here they are:
- Do not click on Google links for third-party websites. Instead, enter their domains manually in the address bar, or save them to your bookmarks.
- If you’re logged out of Steam, always log-in in your browser before making any third-party authorizations. Note that if your browser has an active Steam session, you will never be asked to log in again. If you are, you can safely assume it’s a scam.
- Regularly check whether you have any active API keys on Steam. If you do, and they weren’t set up by you, revoke them as soon as possible.
- Regularly check your authorized devices in your settings to see whether any cybercriminals have logged into your account. If you see any unauthorized devices, remove all credentials and relog in.
- Research every website you use before depositing moneyor skins into your account.
- Do not hold unused wallet funds on your account. They are at risk of being stolen if you get phished.
- Before confirming a third-party website trade double check that the account you’re trading with has the same information as the ones indicated on the website to avoid your transaction getting hijacked.
- If trading with trusted friends, never make “empty” trades where only one side is offering a skin. Add a $0.03 sticker or different item to the trade for added security.
- Never accept any “middleman” offers for skins from strangers. If you trade skins, trade skin for skin.
As long as you stay vigilant, you should be able to avoid cybercriminals in the Counter-Strike space. However, I would like to note that nothing is safer than sticking to Valve’s intended market mechanics and using the Steam Market system. Any visit to a third-party website can expose your private information. If you need to do so, be sure to use a trusted website with good reviews.
Conclusion
Valve is the first mainstream gaming company to date to create an economy that treats in-game items as objects of real value, which I actually find great. In fact, I’ve gone through a bunch of skins, and used plenty of skintrading sites when playing Counter-Strike, so I really understand the appeal.
Skins make Counter-Strike rewarding not just when it comes to gameplay but also in a monetary sense. Unfortunately, with great power comes great responsibility, and Valve’s open approach to skin trading has resulted in a whole grey and black market being built around it.
Despite many crackdowns and attempts at regulating it, Counter-Strikes skins are still used to lure children into gambling, launder money, and scam victims. That’s why, while I truly appreciate the economy of the Valve market, I think we all have to ask ourselves the question whether the benefits outweigh the risks brought on by it.
Your email address will not be published. Required fields are markedmarked