Pirated PC games are delivering password-stealing malware — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated Jun 10, 2026

Severity: High | View Full Scam Details

Beware in 2026: Pirated PC Games Delivering Password-Stealing Malware in India

Pirated PC games are being used as a trap to install password-stealing malware, putting Indian gamers and PC users at high risk of financial theft and data breaches.

What Is the Pirated PC Games Malware Scam?

This scam involves pirated versions of popular PC games available through unofficial websites or downloads. According to complaints reported to Indian cybercrime agencies, these pirated games silently install malicious software that steals users’ passwords, including credentials for internet banking, UPI apps, email, and even Aadhaar-linked services.

The scam targets the vast community of budget-conscious Indian gamers who turn to unauthorized sources to avoid paying for expensive game licenses. While pirated games have been an issue for years, recent trends show a dangerous increase in malware infections disguised as game cracks or key generators.

Indian cybersecurity bodies like CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have issued general warnings against downloading software from untrusted sources. Although no specific advisory names this malware package, the risk is rated high because stolen passwords can lead to massive identity theft and financial fraud in India’s heavily digital economy.

How This Scam Works — Step by Step

1. User Searches for a Popular Game’s Pirated Version: The fraud typically starts when a user looks for a free or cracked version of a trending PC game online.
2. Download from an Unofficial Site: The user downloads a seemingly legitimate installer or a software “crack” tool from a website that mimics real gaming sites but hosts malware.
3. Installation of the Game and Hidden Malware: During or after installation, the game setup silently installs a password-stealing malware called “Firecrawl” or similar variants, running in the background without user knowledge.
4. Malware Harvests Passwords: This malware monitors keystrokes, captures saved passwords from browsers, and extracts credentials from installed apps—targeting internet banking portals, UPI apps, email accounts, and digital wallets linked to Aadhaar.
5. Attackers Access Financial Accounts: Using the stolen passwords, fraudsters may initiate unauthorized UPI transactions, withdraw funds from linked bank accounts, or misuse Aadhaar-based services.
6. Victim Notices Financial Loss: Often, victims realize the fraud only after UPI transactions or withdrawals are detected, or unauthorized loan applications are filed in their name.

Real Warning Signs to Watch For

• Download sites that offer games for free or at suspiciously low prices.
• Requests to disable antivirus or firewall during game installation.
• Installation files with unusual extensions like .exe, .bat, or .scr bundled covertly.
• Unexpected pop-ups asking for admin permissions or password entry right after installation.
• Slow computer performance or unknown network activity soon after installing a game.
• Unusually frequent OTP/SMS alerts from your bank or UPI app hours after downloading new software.
• Notifications of unauthorized transactions or login attempts on banking apps linked to your mobile number.

What Happens to Victims

Victims of this malware often face severe financial losses, as UPI transactions cannot always be reversed easily once authorized, and banks typically require immediate reporting. The stolen credentials may also enable fraudsters to misuse Aadhaar-based KYC services, causing identity theft or fraudulent loan applications under the victim’s name.

Emotionally, victims suffer stress and anxiety from the ordeal of regaining control — dealing with multiple bank visits, changing SIM cards due to SIM swap fraud, or waiting weeks for police investigations. The financial and procedural burden is heavy for many Indian users, especially those unfamiliar with digital security norms.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) regularly advises users to never share OTPs or passwords with anyone and to be cautious about downloading apps and software from unknown sources. CERT-In’s cybersecurity framework also emphasizes installing software only from trusted sources and keeping antivirus tools updated.

For help with cybercrime, users can call the 1930 National Cybercrime Helpline, a government-supported number dedicated to assistance and reporting. The RBI likewise runs a helpline for banking fraud concerns.

Though there is no single official advisory on this malware yet, these existing RBI and CERT-In guidelines apply strongly to such scams involving password theft via malicious software.

How to Protect Yourself

1. Only download games and software from official sources or verified app stores.
2. Avoid pirated or cracked game versions — they often carry malware.
3. Keep your antivirus and anti-malware software up to date.
4. Never disable your security settings or firewall to install software.
5. Do not enter banking or Aadhaar details on unexpected pop-ups or after new game installs.
6. Regularly check your bank and UPI transaction history for unauthorized payments.
7. Use strong, unique passwords and enable two-factor authentication for financial apps.
8. Keep your phone’s SIM secure by registering for mobile number portability blocks or anti-SIM swap protections available from operators.

What to Do If You’ve Been Targeted

1. Immediately change passwords on your banking, UPI, email, and Aadhaar-linked accounts.
2. Contact your bank or UPI app support and request blocking of transactions or temporary account freezes.
3. Lodge a complaint with local police cyber cells and file a report on cybercrime.gov.in.
4. Call the 1930 National Cybercrime Helpline for guidance and support.
5. Inform your mobile operator if you suspect SIM swap or unauthorized SIM activity.
6. Scan your PC with a reputable antivirus to remove malware and avoid using infected devices for financial transactions.

Frequently Asked Questions

Q: Can pirated games really steal my passwords without me knowing?
Yes, many pirated games come bundled with hidden malware that can quietly capture passwords and credentials from your system and browser without obvious symptoms.

Q: Is it safe to use UPI apps after downloading a cracked PC game?
It is risky. Malware on your PC can steal your UPI credentials, leading to unauthorized transactions. Always avoid using financial apps on compromised devices.

Q: How quickly should I report suspected fraud from this scam?
Report immediately to your bank and cybercrime authorities. The sooner you act, the better the chances of minimizing financial loss and tracing the fraud.

If you receive suspicious messages or downloads claiming to offer free games, always verify their authenticity on BharatSecure.app and report fraud incidents to the 1930 cybercrime helpline to protect yourself and others.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.