
Protect your Steam Keys

This is the story of how shortly after releasing a tiny, $5 indie game, I was inundated by every scam imaginable to steal my delicious Steam keys. You could call it a tongue-in-cheek commentary on protecting your brand as an indie.


I reached an important milestone lately. I published a Kickstarter-supported indie game to Steam. The game, now selling for $4.99 USD, was developed entirely by my best friend, my wife, and me, entirely in our free time. As you might imagine, it's small, silly, and full of bugs.

Unfortunately, in nearly the same breath, I became aware of the existence of Steam-key 'reselling' websites, like Kinguin, G2A, and GameFlip.  I have a particular problem with the existence of these sites, and a few of the symptoms they seem to cause.  While I acknowledge that they're not breaking any laws, I think they do a few things that are harmful to indie devs, and honestly to devs in general.  

Please bear in mind that this post is entirely opinion, and I am not offering these insights in any kind of 'official' capacity.  What follows is, I hope, a series of tips and encouragements that can help some indies keep control of their brand and retain value in their product. 

Obligatory Self Promotion

The game in question is Beans: The Coffee Shop Simulator.  It's a goofy simulator game where you run coffee shops.  It's jammed full of dad jokes, bad puns, and hamfisted social commentary set to chiptune and 'pixel art'.  We did it mostly as a hobby, partially as a way of doing 'gamedev therapy'.  By that I mean since both my day job and my hobbies include games, this gave me a creative outlet.  That's a story for another article, though. 

In any case, here's a promo video: 

The game is on Steam if you want to check it out.  It's also on Itch and Humble if you'd like to support those stores, or want a DRM-free version.  

The Story

I'm not here to talk about the very, very shady world of selling Steam keys on the gray market. There are already dozens of other tweets and articles from large publishers that detail that.  What I am here to talk about is the secondary effect on indies, especially very small indies that lack a PR rep, legal team, or any other kind of secondary support staff. 

You're probably already aware, but one of the largest issues indie developers face is promotion and visibility.  There are a lot of great games out there, and it's hard to get potential customer eyeballs on yours.  We've been fortunate to have a wonderful streaming community, and the help of awesome indie PR firm Bearded Astronaut to help us get some eyes, but sometimes it can still feel like nobody is seeing that thing you spent years on.  Take a look at the below chart of total views by day for the 10 days after launch, gathered from Google Analytics: 

This chart should make sense to anyone.  Value is total revenue / users, conversion is total visits / total units, and so on.  What you should see here is that as visitors decrease, conversion increases, on average.  That's sensible, because as time goes on, the only people who are seeing your game are the people who are already looking for it.  So, with time, visitors approach zero, while conversion approaches one. 

Anyway, another key takeaway from that chart is that our game has a visibility problem. This isn't uncommon for indie devs, based on my discussions with friends in the business. As a result, it's very easy to get into the mentality of "any eyes on my product are of value". You also tend to get into a mindset of "I'm an indie, so I should support other small businesses".

Given those two predicate belief sets, that you need to promote visibility, and that you should be open to the idea of small businesses, behold, what I believe to be the greatest issue posed to indies by sites like G2A, Kinguin, and the like:

Preying on Hope

The issue isn't reselling keys; the issue is that since the keys can be resold without validation, people will come up with every scheme imaginable to get your keys, sell them, and profit. Usually, they will take the guise of promotion, e.g., a scheme set up where you provide a number of keys to the scammer, and they will, in exchange and through poorly worded and evasive means, 'promote' your game.

For this reason, it's very important to keep track of every single Steam key you distribute.  Here's SplatterCat Gaming, who did an awesome video of our game near launch:

"Wait, Matt.", you say - "...doesn't that mean you have to query literally hundreds of Steam keys on a daily basis to make sure they're being redeemed?" 

Yes, yes it does.  If someone has a better solution to that, I'm willing to hear it.  Additionally this doesn't mean I immediately suspect people who don't download the game.  People are busy.  But I do flag ones that I think are suspect and then closely monitor sites like Kinguin etc. to make sure additional copies of the game haven't cropped up.  It's not a perfect system, but I'm trying to preserve the game's already low price point for as long as possible. 
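One way to keep that daily check manageable, as an added example that is not the author's own tooling: a small ledger that lists which keys still need querying and which deserve a closer look. The ledger rows, the 14-day grace period, and the two flagging rules are assumptions made for illustration; the `redeemed` field is whatever the key query showed, entered by hand.

```python
from datetime import date

GRACE_DAYS = 14  # assumption: time a recipient gets before a key is flagged

# Constructed ledger: one row per key handed out. key_id is an internal label,
# never the key itself, so the ledger can be shared without leaking keys.
LEDGER = [
    {"key_id": "K-001", "recipient": "streamer-a", "issued": date(2019, 3, 1), "redeemed": True},
    {"key_id": "K-002", "recipient": "outlet-b", "issued": date(2019, 3, 2), "redeemed": False},
    {"key_id": "K-003", "recipient": "promo-c", "issued": date(2019, 3, 15), "redeemed": False},
    {"key_id": "K-004", "recipient": "promo-c", "issued": date(2019, 3, 15), "redeemed": False},
    {"key_id": "K-005", "recipient": "streamer-d", "issued": date(2019, 3, 18), "redeemed": False},
]


def to_query(ledger):
    """Keys still worth querying: a key recorded as redeemed needs no re-check."""
    return [row["key_id"] for row in ledger if not row["redeemed"]]


def triage(ledger, today, grace_days=GRACE_DAYS):
    """Return [(key_id, recipient, reasons)] for suspect keys, oldest first."""
    held = {}
    for row in ledger:
        held.setdefault(row["recipient"], []).append(row)
    flagged = []
    for row in sorted(ledger, key=lambda r: r["issued"]):
        if row["redeemed"]:
            continue
        reasons = []
        age = (today - row["issued"]).days
        if age > grace_days:
            reasons.append(f"unredeemed after {age} days")
        if len(held[row["recipient"]]) > 1:
            reasons.append("recipient holds several keys")
        if reasons:
            flagged.append((row["key_id"], row["recipient"], reasons))
    return flagged


if __name__ == "__main__":
    for key_id, recipient, reasons in triage(LEDGER, date(2019, 3, 20)):
        print(key_id, recipient, "; ".join(reasons))
```

A flag here is only a prompt to watch the reseller sites for that recipient, matching the point above that an unredeemed key is not proof of resale.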

Without further ado, here are the primary methods by which people seem to try to get my Steam Keys to invariably end up on sale on G2A:

Phishing Emails

Well, first of all, I have to confess.  I got a serious kick out of "Mr. Bean", as this is often what I look like working bugs out of indie games at 3AM: 

Regardless, you are going to receive literally hundreds of emails like this. Sometimes with identical copy, sometimes with creative-sounding pitches, other times with really sincere pitches to get copies of your game.

"But maybe they mean well" you say.  That's entirely possible.  The fact that I received literally two dozen of these within hours of pressing the launch button on Steam notwithstanding.  As a gag, I gave one of these guys a single Steam key (which I banned a bit later).  

Within hours...

Takeaway #1: 

Vet every email you receive with an offer to promote your game very, very harshly.  Legitimate streamers, YouTubers, LetsPlayers, Press, etc. don't mind the vetting, and will happily provide you with validation that they are who they say they are.  Alternatively, use a key request service like Keymailer, or create a webform that has the person validate themselves by providing, for example, an email address matching a domain. 
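A sketch of the webform check described in this takeaway, as an added example that is not code from the original post: it accepts a request only when the email domain is the claimed outlet's own domain or a subdomain of it. The function names, the free-mail list, and the `.test` domains are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of free-mail providers: anyone can register there, so such
# an address proves nothing about the outlet the sender claims to represent.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


def site_host(url):
    """Return the lowercase host of the outlet URL, without a leading 'www.'."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def vet_request(email, outlet_url):
    """Return (ok, reason) for one key request submitted through the form."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    host = site_host(outlet_url)
    if not sep or not local or "." not in domain:
        return False, "malformed email address"
    if not host or "." not in host:
        return False, "malformed outlet URL"
    if domain.startswith("xn--") or ".xn--" in domain or not domain.isascii():
        return False, "internationalised domain, review by hand for lookalikes"
    if domain in FREE_MAIL:
        return False, "free-mail address, ask for contact from the outlet's domain"
    # Exact match or a true subdomain only. A suffix test without the leading
    # dot would accept notexample-outlet.test, and a substring test would
    # accept example-outlet.test.evil.test.
    if domain == host or domain.endswith("." + host):
        return True, "email domain matches the outlet"
    return False, "email domain does not match the outlet"
```

The check only means something if the key is then sent to that address and nowhere else, since a typed-in address shows nothing until the requester proves they can read its inbox.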

Bulk Resale Offers

You're going to get a lot of these as well.  They'll take various forms, but one way or another the entity will ask you for a large number of keys at a preposterously low price (pennies or less) and offer to use those to 'promote' or 'resell' your game.  Realistically, they are going to sell the keys at a reduced rate, usually in a gray market store, and make off with sales at your expense. 

Inevitably, when pressed, the resellers will reveal that they intend to buy them from you (for $0.03 USD, no less), usually in a huge amount (5000 here, more than our total sales to date), and then sell them at a discount, making money at your expense.  You are literally supplying people to undercut you by participating in such an activity. 

Takeaway #2: 

Don't give your keys to resellers.  Ever. 


This one irks me.  You're an indie, and scammers know that.  They probably also know, especially if you make this public, that you have a small team, and this might well be the first game you've ever worked on.  The especially scummy ones will use this to try to intimidate you.  

In order to eschew key scamming, I try my hardest to provide review copies or DRM-Free copies to reviewers where possible.  Legitimate reviewers don't care where you get your keys, and won't mind a DRM free or press version.  In fact, they've probably been in this boat before, and will understand.  

In my case, a few different versions have occurred, but the bottom line is always the same: in some way, the scammer will contribute something to your campaign, whether money, a retweet, or a website feature. Afterward, they will assert that you promised them keys in return. When you say that's not the case, they'll threaten you with vague legal action, hoping you'll decide it's not worth the trouble and just give in to whatever they desire.

I'll share with you my most egregious case: 

During my Kickstarter campaign, I had one backer who selected the $6 tier (which got him a copy of the game), but contributed $100.  Way more than he needed to.  I then got a contact from him on Kickstarter offering various things, which I made clear was probably not going to happen.  He pressed on, assuring - without me having asked - that he was going to do 'press and promotion' for my game: 

I made it pretty clear that he could pledge whatever he wanted, but I wasn't comfortable forging any kind of relationship in informal Kickstarter messages.  When he eventually came looking for keys... 

After this, I told him that using Itch keys for press and promotion protects us both, as it keeps the items off of gray market stores. 

His response - trying to vaguely intimidate me: 

Of course, googling his name reveals that he's utterly prolific in the Steam key reselling scope, with over 8000 transactions on G2A. Thankfully, with help from our lawyer over at Thorn Law LLC, we're pretty sure we don't owe Brad anything, and he can try to intimidate all he wants.

This was unfortunately not the only case of indie intimidation we faced, but certainly it stung the most, since the person backed our Kickstarter. 

Takeaway #3: 

Don't be bullied into giving away your Steam Keys. 

Moral of the Story

I realize many of you are too busy to read a rambling diatribe, so here is the condensed version in key takeaway format: 

  • Your Steam keys should be treated like actual cash money. 
  • Every Steam key you give away is a sale you didn't make. 
  • Keep track of every single Steam key, and use the query function to make sure they're being redeemed and not resold. 
  • Swiftly ban Steam keys you suspect of being resold, and reissue a DRM free key to the person in question. 
  • Offer DRM free or Itch keys in place of Steam keys. 
  • Don't be bullied into giving away your merchandise - that's one step away from robbery. 
  • Legitimate businesses, streamers, etc. will understand you protecting your brand.
  • Vet every single email you receive with a request for a key. 
  • Use services like Keymailer that validate requests for keys. 

Happy trails, and keep making games!
