Steam accounts don't get hacked. If they did, we'd here a lot more about it. Your brother got phished; he gave his username, password, and Steam Guard code out to someone, likely a fake site with a fake Steam login page.

What? he told me was he never went to any external websites at all or anything before the hacking, he just went on a trade request and was instantly hacked.

The first things i asked him when he told me when he was hacked is if hes been sent any links and or gone to any websites or clicked on any shady things like emails, but the insists the only thing he did was click on a trade request from a bot

Hijacked, not hacked. You leaked your account credentials somehow.

Do not trade until your account is secured.

Take the following steps to secure your account:

1. Scan for malware. https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices. https://store.steampowered.com/twofactor/manage
4. Change passwords from a clean computer.
5. Generate new backup codes for your Mobile App. https://store.steampowered.com/twofactor/manage
6. Revoke the API key (there should be no key). https://steamcommunity.com/dev/apikey

Steam does not return inventory items or wallet funds: https://help.steampowered.com/faqs/view/3B6E-B322-2400-8D24

If you no longer have access to your account, read this:
https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560

Messaggio originale di qwertyuiopasdfghjklzxcvbnm:

The first things i asked him when he told me when he was hacked is if hes been sent any links and or gone to any websites or clicked on any shady things like emails, but the insists the only thing he did was click on a trade request from a bot

That's the thing with phishing sites. They make an effort to look like a legitimate Steam login page, so people don't realize that it's fake if they don't take a deeper look at it before logging in.

Messaggio originale di qwertyuiopasdfghjklzxcvbnm:

My brothers account was hacked and all that happened before was a trade request from a bot. Is that even possible thats what caused it? We checked have i been pwned and his pass was never breached, his email was on random websites years ago, but just after that trade request he was quickly hacked. Does anyone know what could have happened?

If he uses Discord and allowed a Steam API key (connected Discord to Steam) that's all the hacker needed. A bot can be created, programmed, to use Discords API piping to hijack an account and have full control of that account, or just steal things from it including Steam Wallet funds or use a stored credit card/bank account.

Get off of and stay off of Discord. Delete your Discord account permanently. It is not even remotely a safe and secure place to be.
Before anyone argues this Google discord exploits. The results of that search makes any argument against what I said here completely null and void. After you do this search if you decide to continue using a site like that at least you know the risks you're taking by using it.

The best form of prevention is avoidance.

Messaggio originale di Jack Schitt:

Messaggio originale di qwertyuiopasdfghjklzxcvbnm:

My brothers account was hacked and all that happened before was a trade request from a bot. Is that even possible thats what caused it? We checked have i been pwned and his pass was never breached, his email was on random websites years ago, but just after that trade request he was quickly hacked. Does anyone know what could have happened?

If he uses Discord and allowed a Steam API key (connected Discord to Steam) that's all the hacker needed. A bot can be created, programmed, to use Discords API piping to hijack an account and have full control of that account, or just steal things from it including Steam Wallet funds or use a stored credit card/bank account.

That is not true, and would be a serious security breach in steam.

Messaggio originale di qwertyuiopasdfghjklzxcvbnm:

What? he told me was he never went to any external websites at all or anything before the hacking, he just went on a trade request and was instantly hacked.

If he got a trade request from a bot he obviously logged in a webiste that utilizes such bots. You never actually insert your details in any links or buttons.
Only on the original homepage of the account.

Messaggio originale di Muppet among Puppets:

Messaggio originale di Jack Schitt:

If he uses Discord and allowed a Steam API key (connected Discord to Steam) that's all the hacker needed. A bot can be created, programmed, to use Discords API piping to hijack an account and have full control of that account, or just steal things from it including Steam Wallet funds or use a stored credit card/bank account.

That is not true, and would be a serious security breach in steam.

Messaggio originale di Jack Schitt:

Before anyone argues this Google discord exploits. The results of that search makes any argument against what I said here completely null and void.

Messaggio originale di Jack Schitt:

Messaggio originale di Muppet among Puppets:

That is not true, and would be a serious security breach in steam.

Messaggio originale di Jack Schitt:

Before anyone argues this Google discord exploits. The results of that search makes any argument against what I said here completely null and void.

Can you show a result?
If connecting your steam account with discord leaves your steam account vulnerable to hacking, that would be a steam exploit.

Discord only get a OpenID token, nothing more. No way to "hack" a Steam account through that.

Messaggio originale di Cathulhu:

Discord only get a OpenID token, nothing more. No way to "hack" a Steam account through that.

Wrong.

Messaggio originale di Jack Schitt:

Messaggio originale di Cathulhu:

Discord only get a OpenID token, nothing more. No way to "hack" a Steam account through that.

Wrong.

Great proof. Just for ♥♥♥♥♥ and giggles, I "google'd discord exploits". The only things I found were an old Malwarebytes article about an Electron exploit that was patched that could have been used for RCE, a number of github repos with mostly patched out "exploits" that only gleaned Discord-specific information or allowed you to control Discord remotely if someone on the other end manually activated Discord's dev console and input a provided link code, and a slew of SEO/AI-generated content mill sites.

Linking Discord with Steam does not utilize a user-actionable API key. As already said, Discord gets an OpenID token which cannot be utilized to attack, modify, or steal an account. All it can be used for is reading API-available data.

If you're going to spread lies, at least come up with believable "proof".

Messaggio originale di Jack Schitt:

Messaggio originale di Cathulhu:

Discord only get a OpenID token, nothing more. No way to "hack" a Steam account through that.

Wrong.

Not wrong:
https://partner.steamgames.com/doc/features/auth#website

Hmm, I will look in further to see if he ever had to log back into steam for some reason and it was a phishing website, but luckily is account is back now with the only thing being a bunch of items being sold which sucks, but at least the account is back.

Messaggio originale di qwertyuiopasdfghjklzxcvbnm:

Hmm, I will look in further to see if he ever had to log back into steam for some reason and it was a phishing website, but luckily is account is back now with the only thing being a bunch of items being sold which sucks, but at least the account is back.

Please make sure all of the steps detailed by Cat were completed. If not, the account could remain compromised and could be stolen again in the future without needing to give out info again.