This is a relatively new scam method that is very effective and leaves users wondering how it even happened. I first encountered it when someone accused me of scamming them with an empty offer. I shrugged it off as one of my impersonators scamming someone, not realizing what has actually happened. The next one was very similar, we made a deal with a guy on steam and he sent the offer, that is when it happened. Instead of confirming our trade he confirmed something else. An offer with the same items as he put in from his side, but empty on the other side. It looked like he was trading it with me, but instead it was a bot that automatically canceled his offer, change the name and avatar of the bot account to mine and sent himself the offer.

For this to work someone has to have access to your account. In all cases I encountered it happened by logging into a phishing site. Once they have your login info they still have to trick you into giving them your items, this is how they do it

There are a few different ways this can happen, I will talk about three of them here. The first and most common way of getting users to give away their login info via a phishing site. These sites are set up to look legit, usually copying an existing site’s design. By the descriptions of who were scammed and by other attempted scam descriptions it usually start when a user adds you and wants one of your items. They ask you to log in to a site they link and check the pattern index of your item. By logging in however, you hand them your password and steam guard code.
Here is a pretty sophisticated one I found through a guy who got phished. I analyzed and put it on Youtube so you can see how good they can get.


The second one is used to be more common, but can still occur. The developer of a browser extension goes rogue and decides to scam it’s users. Depending on what’s granted they most likely have permission to modify data in the browser, essentially handing them access to the account, they can do anything that a user would on the steam web platform, including accepting and canceling steam trade offers. The third is by infecting the user with a malware that can, for example log their keystrokes when entering passwords and sending it to the scammers.

Once the scammers have access to the account they can wait for the user to try to make a legit trade with another user or a service like csmoney or bitskins. If they don’t want to wait they can also quicken it by offering the user a too-good-to-be-true trade or offering to buy some item on an absurdly high price on bitskins. In any case, once a user sends an offer to anyone they immediately cancel it and resend and accept their own without anything on their side. The user expects the confirmation on mobile so he or she accepts it blindly, essentially giving away their items.

2019 December Update:
I encountered a new method of trying to make a user do a trade. I struck a deal with a guy that we would trade our knives. I sent him the offer, his response was:
"Something went wrong with it. Your knife isn't appearing in the trade.
When i go to confirm your knife doesn't show up...".
I immediately knew what was going on so I told him that he is hacked and sent him this very guide. His response was very unexpected and was not clear at first what he was experiencing:
"Ok so i declined the trade but now my account is saying i violated steam TOS??"
Then I was removed from his friend list. I made a comment in his profile asking if he as the ones removing me or the hackers did. His profile name became his steam id in the meantime.

Later he readded me and explained what had happened:
"I got a random message from "VAC bot" saying i have 24 hrs to put all tradeable items to another steam account then my profile name was a bunch of random numbers and my info block read stuff like this account violated TOS agreement and i cant purchase anything and it's a perma ban and a bunch of random stuff."

He took pictures of his profile that you can see below:

This is a new way of making already hacked folks do a trade. This time it's a scarring tactic.

The best thing you can do is to not log into any shady sites, always check the domain name of where you are logging in. Also don’t install random software or browser extensions from the internet without at least a bit of suspicion or research of it’s legitimacy. What I often recommend to people who like to log in to sites with steam that open Steam in your browser, log in there and if you encounter any site that asks you to log in with entering your password then it's a scam because you are already logged in to Steam and they should not prompt you to do so again.

What you immediately want to do is logging out from every device, you can do it by going to: Steam->Settings>Accounts->Manage Steam Guard Account Security… then clicking “Deauthorize all other devices”. This will log you out of every device that you ever logged into with your account except the one you are currently using.
If you managed to do it then go back to the account settings and change your password.

Revoke your Steam API Key and don't regenerate it unless you know you need it. If you don't know what an API key is then you most likely not needed and was generated by the scammers to control your account.

If you were scammed by a phishing site then you are okay, that is pretty much all need to do to secure your account. If you were not phished then it’s tougher. I recommend reviewing your browser extensions if using Chrome then by opening chrome://extensions/ then remove suspicious ones. Google their names if you are unsure what their purpose is, if you see malware or virus in the first results then you are sniffing in the right direction. If you are still not entirely sure what gave access to your account to the scammers you should reinstall or refresh[www.onmsft.com] your operating system.

Now there is a way to check your Steam login history as well, you can open Steam Login History in your browser or go: Help->Steam Support->My Account->Data Related to Your Steam Account->Recent Login History.

Here is what a healthy login history looks like, mine:


And here is from a guy who got scammed, he lives in Montenegro, but the scammer logged into his account from Canada:

This is not the type of scam like a Paypal scam that you could screenshot and send to SteamRep and have the guy banned. What you can do however is to help take down their site.
SwiftOnSecurity has compiled a great list of companies at Got Phish[gotphish.com], you can go over the list and submit the site that has phished you. This helps to put the site on a blacklist and getting taken down eventually.
Proof that is work people! This is what one of the sites look like after three hours of reporting it: