December 19, 2016
Czech Republic 
What you should know about the "Steam web API" scam. How not to lose your skins!
The most used scam method today is the so-called "Steam web API key" scam. Unfortunately, we get several requests daily from our users who lost skins due to this.

In this post, you will learn how not to lose your skins.

This method uses a phishing website with a fake "Login with Steam" button.
Usually, this website is advertised in a search engine and impersonates some popular service.
When you push this button, you get a fake "Steam login" form that asks for your login, password and, later, your 2FA code.
The hacker's script uses this data to log in to your Steam account and set a Steam web API key on this page: Using this API, the script can monitor all your trade offers, and if there is an offer with valued skins, this trade offer will be canceled and you will get an absolutely similar-looking offer, but for the hacker's account.

To protect your skins, always follow the next rules:

1. Try not to use a search engine to find a service you already know, or at least do not use results from the "advertising" section. Use the direct address. For example https://loot .farm

2. NEVER enter your Steam login data during the "Login with Steam" process. You should have an active session in Steam and just push the "Login" button on the Steam website. If you are asked for login data - load website and log in here.

3. When you request a trade offer on LOOT Farm, you will get a direct link to the trade offer created. Always use this link to accept a trade offer. Don't search for a trade offer in Steam or the Steam application.

4. Additionally, make simple checks. In every trade offer, we show the bot's registration data. Check this data for your counterpart in the trade offer. Also, all our bots have level 10 in Steam.

5. We have created a simple Google Chrome extension. This extension will check your trade offers and will notify you if you opened a fake trade offer from our service.
Install our extension from here:

Using these five rules, you will never be scammed by the Steam web API scam.

What should you do if you were already scammed?

Unfortunately, you cannot return your skins. You should write a report on the hacker's Steam account. Most likely this account will be banned, but trades will not be reversed.
To make your account secure you should:

1. Change your Steam password.
2. Go to this page: and "Revoke" the Steam web API key. (Create a new one if you need this key.)
3. Change your TradeURL.
4. Update your new TradeURL on LOOT Farm and other services.

Last edited by $ LOOT.Farm; Dec 27, 2019 @ 5:43am
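
The checks from rules 2 to 4 above, written out as a small JavaScript sketch. This is an added example, not LOOT.Farm's extension code: the field names (`offerId`, `botRegistered`, `botLevel`, `partnerRegistered`, `partnerLevel`) and all sample values are constructed, and it assumes the direct trade offer link has the form `https://steamcommunity.com/tradeoffer/<id>/`.

```javascript
// Added example: not LOOT.Farm's extension code. Field names and values are constructed.
const STEAM_HOST = "steamcommunity.com";

// Reasons a URL must not be treated as a genuine Steam page (empty list = passes).
function steamUrlProblems(raw) {
  let u;
  try { u = new URL(raw); } catch { return ["not a valid URL"]; }
  const problems = [];
  if (u.protocol !== "https:") problems.push("not https");
  // "https://steamcommunity.com@other.example/" puts the real name in userinfo.
  if (u.username || u.password) problems.push("userinfo before host");
  // Exact match only: suffix or substring matching accepts lookalike hosts.
  if (u.hostname !== STEAM_HOST) problems.push("host is " + u.hostname);
  return problems;
}

// Offer id from a direct link of the assumed form /tradeoffer/<digits>/.
function offerIdFromUrl(raw) {
  if (steamUrlProblems(raw).length > 0) return null;
  const m = new URL(raw).pathname.match(/^\/tradeoffer\/(\d+)\/?$/);
  return m ? m[1] : null;
}

// Compare the offer that was opened with what the service issued (rules 3 and 4).
function verifyOffer(opened, issued) {
  const reasons = steamUrlProblems(opened.url);
  if (offerIdFromUrl(opened.url) !== issued.offerId)
    reasons.push("offer id differs from the issued link");
  if (opened.partnerRegistered !== issued.botRegistered)
    reasons.push("counterpart registration data differs");
  if (opened.partnerLevel !== issued.botLevel)
    reasons.push("counterpart Steam level differs");
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample: what the service issued, and a replaced look-alike offer.
const issued = { offerId: "4100000001", botRegistered: "2016-03-14", botLevel: 10 };
const lookalike = {
  url: "https://steamcommunity.com/tradeoffer/4100000002/",
  partnerRegistered: "2020-04-20",
  partnerLevel: 10,
};
console.log(verifyOffer(lookalike, issued));
console.log(steamUrlProblems("https://steamcommunity.com.login.example/openid/login"));
```

The look-alike offer passes the host check because it really is on Steam; it fails only on the offer id and the counterpart's registration data, which is why the post asks you to compare those.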
Sandokan Apr 22, 2020 @ 6:10am 
Hello, yesterday one of your "reliable" trade bots scammed my inventory and I lost all of my skins. I got the screenshots (it was a trade which I never saw and never accepted on Steam Guard or anything). At the time of the "trade" I wasn't online. So it could not be a real trade. The "scambot" is a member of your group and the loot farm bots group.
Unfortunately, this is another scam method. Your phone account (or AppleID) or your phone with Steam mobile authenticator was hacked and all your skins were stolen. We cannot help in this situation because all trades in Steam are final. You should pay attention to your phone security.