Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics

Itch is not a safe place. Do not download things.

A topic by redonihunter created Feb 16, 2024 Views: 2,641 Replies: 13
Viewing posts 1 to 7
(1 edit)

I am serious. The amount of fake projects is scandalous. I am talking about indexed projects that are unchallenged for months. And even reported projects stay unquarantined and sometimes indexed for weeks.

Most of those things are uploaded on obviously hacked accounts. The problem is not something simple as a try my game on discord scam, where you get a password for a rar archive. It is the let's browse shiny new games on itch minefield. The malware will take away your itch credentials (cookie theft) and not even 2fa will protect your account. And who knows what else they do.

Since some of those hacked accounts have had payment options, some of those scams have pay what you want active, sometimes even paid only. They have fake ratings sometimes and sometimes are not reported, so you can encounter a scam that is half a year old or older.

Fortunate for many players, the scammers most often target adult games. But I have also seen regular indie games, that were released on Steam.

So if you are unsure about a game, trust your scepticism. And if you are sure it is a scam, report it. I saw games with comments about it being a scam, but apparantly the users did not bother to click the report button. The scammers are experimenting with all sorts of variations in their publications. And this sometimes includes impersonating the original creator by linking sites of the original creator.

Oh the games might be real, but at the very least they are pirated, and at the worst you get infected with malware and as a bonus your itch account is used to spread more malware.

General tipps:

If it looks too good to be true, it probably isn't. Seeing a finished game here for free that is paid on Steam? Obvious fake.

Use the itch app sandbox mode. Or create your own sandbox mode (use the internet to find out how. It involves creating a new user on windows that has a password and starting the not yet trusted app as this different user. This way at least most of your stuff should be safe-ish.)

One method of detection avoidance is to not have the malware in the downloadabe, but prompt the user to download additional stuff.  So be very suspicous, if you have to download other things

While some legit games do provoke a warning message from antivirus, guess what a scammer would tell you about that message. Right. Never trust an unknown person on the internet that tells you to shut off your protection. Triple check, why the message appears. On hopefully rare occasions even legit devs could have their development computer hacked and they unknowingly uploaded malware.

There are many red flags and some green flags for games. I shall not talk about them in detail, lest the scammers upgrade their schemes. But if you regularly browse new games, you will notice patterns. Be careful. They do also appear in new&popular. And in popular if you select tags with few hundred games.

But the best green flag is a game that is alive. Not old and undeleted, not having a dozen fake ratings, not being posted on an old hacked account that still has followers and even payment possible, not having several games posted in a few days, not having links to patreon and twitter, but alive in the sense of having an active community and surroundings. 


For any admin reading this. I collect them in a private collection. Accounts get hacked right and left. Please do something, anything to protect the users of this site. Whatever you are doing now is not working good enough.

I havent been seeing scammers lately so maybe thats a good thing.

One could read your statement in three ways.  ;-)

1. You do not recognise the scams.

2. Where you look, there are no scams.

3. You look where used to be scams but are not any longer.

My list grew by 7 reports since your posting. Some were obvious malware, but sadly the scanner on my system would not have detected it. virustotal also only had a few that saw through the obfuscation. It is a variant of a known trojan. The sandbox method might have protected at least the data of the user. But I am not sure about that, because the infection method seems to exploit the update mechanism of Chrome to infect your system the next time you start. So you will not be immediatly hacked and may be not sure what infected you, afterwards.

To clarify: there is uploaded malware daily on itch. Malware that is indexed. Developers are not verified. And the scammers work very hard to overcome any obstacles like automated scans. They have a very short feedback cycle. It is trivial if you think about it. Upload malware, see if it is indexed or at least not banned. Yes, continue. No, try a different approach to hide the payload of the malware.

Itch is a honey pot for them. Lots of people trying out executeables from unknown developers. Some of the legit developers even telling the users about false positive warnings of antivirus apps. It is a minefield for users. And the scammers do experiement with AI on occasion. As long as it pays off, they will continue.

Since I doubt that itch will introduce a paywall for developers anytime soon, it might only dry out, if there are too little scam victims to justify the effort.

They kinda did dry out a certain method of scams that involved fake download buttons. Never saw one of those, after itch introduced special markings for external links (but the three reasons above apply here too ;-)

Yeah. I meant as in wherever I look there are no scams.

The sad truth is, all the people that did get infected and hacked did not recognise those scams. Obviously.

I don't blame them. Itch is a legit site. One would not expect malware here.

I do not know what can be done about it. On the cheap, that is. But I would start with better account protection, like detecting the hijack.

On client side, people can be more careful and mistrusting. But for that they have to be aware of certain facts. Really aware. Like people being too lazy to report scams and scammers being able to upload them, because developers are not verified and automated scans can only detect so much.

So my best advice is the title of this thread. Do not download things. If you are aware, you will be more sceptical about any gifted horses, there might be trojans hiding inside.

I must agree. Anyways, I have something you might like.

I'd also add that if you're a developer do not download games with your developer account, that's their jackpot, after all the best way for them to disguise their scams is when they steal a legit account.

That explains the hacked accounts with the followers and payment options cleared.

But for the methods they use for hacking, I doubt that it would make much difference. The downloaded malware is not aware that it was downloaded by any itch account. It just steals what it can get and does whatever else the malware does. It surely targets itch credentials, stealing cookies and making 2fa ineffective.

If there is no root kit and escaping with it, at least sandboxing would protect the credentials.

The collection above grew by like 50 items or so.

It is disheartening to see reported accounts publish yet another indexed game a week or more after being reported.

Or see original games here not on the index and the fake getting indexed or both appearing in search.

About 80 games on my list still exist. Oh, the older ones might be quarantined. But you can still download them, and the malware spreaders could use direct links and tell the gullible player some story as to why that message appears. It is not unusual to have false positives for indie games.

Whatever itch is doing to protect their users, it is not good enough. There are demonstrably several hacked accounts every day. It is as if there is no account protection whatsoever! And who knows what happens on the hacked systems. I have doubts that the payload is stealing credentials for an indie gaming platform.

And I shudder when I think about all the old scams that went undetected. It is a minefield.

And I shudder when I think about all the old scams that went undetected. It is a minefield....

The last weeks I saw a few that were over two years old. Sitting here, unprotested, waiting to infect a new unsuspecting user, trusting that a 2 year old game on a legit platform like itch could not be malware.

A minefield it is.

(1 edit)

This is defiantly disheartening to read ,I downloaded couple of games off here and while they are safe(because I have  semi follow the creator's work),it's definitely putting me on edge to download games anymore especially off here.It doesnt seem worth if every game has high possibility of being a virus.

The best method I have come up with when first coming across a game is to check creator's previous work or see if the game has videos on it.If it does and I like what I see.I will download it and put it through couple of antivirus scans

The scammers try to fake everything. But what is hardest to fake is an alive community. This is especially hard on new developers, since they struggle to garner a community of players.

They know why they publish their scams on hacked accounts. Those look a bit alive and are older, some even with published projects and a dozen or more followers. Payment options are also in the account, so there are paid and pay what you want scams around.

The scams uploaded here often do not get detected even on virustotal, where they use like 70 different scanners... 

Sandboxing seems the way to go for not yet trusted developers.

I am bit hesitated to use sandbox but I will keep that in mind.I also check the comments in the games though its hard for me to tell because for all I know the scammer could make fake account and fake alive community who loves this game....that's what scares me the most about downloading stuff from here

It's especially a bummer for those who like obscure games. I cannot comfortably do dumpster dives into absolute randomness with barely any ratings like I did on Newgrounds, obviously because it's web games only so comparing them is wrong. However, I have never stumbled upon malware on glorioustrainwrecks strangely enough, and I have not visited Gamejolt for a long time so I don't know if they are dealing better with viruses