The 1st “Smart” Steam Key Giveaway Bot

Sure, you see BOTs that randomly select a winner, but who are publishers giving away keys to? The answer is usually bots.

If you ever wonder why all your giveaways end within minutes, it may be disappointing to discover that this may not necessarily mean your game is going to burst with popularity.

Prelude: “Why make a smart giveaway bot”?

My name is Dylan Hunt, founder/developer of Throne of Lies: Medieval Politics on Steam. As an online social deduction game, we need players to survive when queueing to find 16 players per match.

Claiming bots are smart. Giveaway bots are dumb.

Over time, bots have become smart: I mean really smart, while key giveaways remain the same (well, not smart). If you ever wonder why all your giveaways end within minutes (despite, sometimes, offering 1000’s of keys), it may be disappointing to discover that this may not necessarily mean your game is going to burst with popularity.

Heck, even worse: You may see Steam charts exploding with 1000’s of CCU — only to be back down to normal the next day. Most people don’t realize there are two kinds of claiming bots (that are likely against Steam’s terms of service):

1 — Reseller Bots

The average bot will sniff for giveaways and keys on various websites by scanning for the normal formatting you’d see in a Steam key, then instantly either claim it to an account for resale on “gray market” websites (you know the ones I’m talking about). Heck, even the key listing and delivery is automated!

2 — Trading Card Bots

Instead of reselling the key, they’ll automatically apply obtained keys to a dedicated Steam account to “play” the game for 5 hours to claim trading cards, then auto-list cards/booster packs for sale. While pennies may not sound worthwhile, imagine thousands of trading bots automating this 24/7: Suddenly, this ends up painting quite the picture of moneybags.

Notice our public stats from 176 CCU -> jump to 1,381 (trading card bots) -> Jump back down to 156 (Normalized):

The “Smart” Steam Key Giveaway Bot

Back to the main topic, thus came the smart giveaway bot. Imagine a bot that, in 3 clicks, can:

1. Pass initial moderation setup by Discord and other mod bots such as Dyno (my favorite).
2. Verify the user is within your Discord guild and not banned.
3. Verify a linked Steam account with Discord.
4. V̶e̶r̶i̶f̶y̶ ̶t̶h̶a̶t̶ ̶S̶t̶e̶a̶m̶ ̶t̶r̶u̶s̶t̶s̶ ̶t̶h̶i̶s̶ ̶a̶c̶c̶o̶u̶n̶t̶ ̶(̶h̶a̶s̶ ̶s̶p̶e̶n̶t̶ ̶m̶o̶n̶e̶y̶ ̶w̶i̶t̶h̶ ̶a̶ ̶c̶a̶r̶d̶ ̶a̶n̶d̶ ̶i̶s̶ ̶a̶l̶l̶o̶w̶e̶d̶ ̶t̶o̶ ̶c̶o̶n̶t̶i̶n̶u̶e̶ ̶m̶a̶k̶i̶n̶g̶ ̶p̶u̶r̶c̶h̶a̶s̶e̶s̶)̶.̶ EDIT: It seems that "trust" checks, according to public Steamworks documentation, fails when the user is not logged in. Hopefully they, one day, add a check for "isTrusted" to perfect this bot.
5. Verify with our own game servers that there are no duplicate alts detected based on the information provided in a similar way ooes.

…all while not even requiring an email address to protect user privacy and hassle! We wanted to make the process incredibly easy for the end-user without being tedious or asking for too much data like most other sites do.

Other Bots

We are not the first to make a general giveaway bot. The most famous, currently, is probably GiveawayBOT.party — these folks inspired me to go with the “emoji click” start approach. However, they are limited to selecting winners and that is all. Thronebot first allows automated setup by loading keys via a text file, saves to DB, vets users upon giveaway request, and delivers the actual keys from the database en bulke. The bot has survived a 1k key giveaway ending within minutes.

End-User (Claimer) Perspective

After clicking the enter emoji, the user is then DM’d by the bot with a uniquely-generated URL to verify themselves via Discord’s oAuth2:

Thronebot DMs the user after clicking on the “enter” emoji to verify linked connection (Steam)

Upon clicking the link, they would simply verify the “Connections” scope to allow the bot to see the SteamID:

^ Discord’s oAuth2 “Authorize” page. After that, Thronebot simply replies with the key:

For the end-user, it’s that simple: 3 clicks.

The Backend

For the developer creating this, the backend does quite a lot. We use the Steamworks API to make calls back-and-forth to further verify the user’s identity, ensure they do not own the game, and pass them to our own server to cross-reference known “alt” accounts to ensure someone is not hoarding keys for whatever purpose. This also prevents banned alts from simply claiming a new key and hopping back into the game when there’s normally a paywall.

<- Example blacklisted throwaway acct. Ignore the WIP "whitespace ".

To accomplish this, we use Node.js and MongoDB for long-term and Redis for temporary “quick” read/writes, such as saving unique codes to assist with anti-spoof checks that are immediately discarded once verified.

Admin Commands

What about setting up the BOT? We use three admin commands:

1 — Setup

2 — Display

3 — End

While giveaways can be ended by other means, such as running out of keys, they can be manually ended cleanly via the ".endGiveaway" command to update the database, stop listening for reactions, and updates the embed:

Summary

With the simplicity of its use to end-users, I would be able to funnel potential players to our Discord server — real players, rather than bots and key hoarders (as Discord, itself, is a nice tool to ensure humanity is present) with only a few clicks to self-claim giveaway keys.

Since we vet the player to have a valid Steam account (+hopefully a future addition to see if they are trusted or not by Steam, itself), verified by Discord, and present within our Discord guild, this should hopefully reduce the chance of bot claims significantly.

Dylan Hunt, "Xblade" (Developer)

https://discord.gg/tol

https://www.linkedin.com/in/dylanhuntdeva

2023 Update: This later turned into Dragonclaim

‍