Spotting Fake Indie Game Key Requests

, updated 12 October 2021 🔖 game-development ⏲️ 2 minutes to read

If you're an indie game developer, you will very likely see key requests from bad actors trying to get game keys to sell. It's par for the course unfortunately, but it's increasingly difficult to distinguish genuine review requests from fake ones (especially when juggling a game release).

I recently released a game on Nintendo Switch after releasing it on Steam a year prior, and I noticed a big increase in how sophisticated the illegitimate requests were for the Switch release.

  1. Fake Review Sites
  2. Mimicked Email Addresses

Fake Review Sites

Fake review sites are websites which look like real news sites at a glance, however on closer inspection include copied and pasted content from other websites. This is especially hard to tell when the website uses a foreign language, such as Persian or Russian.

A fake Belarusian game review site

If you're not expecting these they're harder to spot, because the content looks real. However, there are few tell-tale signs the site is not a real review site:

  • There are no references to it on social media, no official accounts for the site
  • Googling phrases in content on the site yields results from other, similar fake websites

Another fake review site in the Persian language

I received a few of these requests from the below domain names, always via email, all fake sites:,,,,,,

At the time of writing, if you look up the domains on, you'll see that:

  • The hidden contact information for the domains is identical (in this case an address in Malaysia)
  • The DNS information for the domains is also the same (CloudFlare for HTTP, Rackspace for email)
  • The email requests usually look identical, with a small contact card at the footer:

I contacted the abuse departments for CloudFlare and Rackspace with the domains I received fake key requests from, though got no response.

Mimicked Email Addresses

Scammers will register an email address which looks visually identical to an official email address. For an extreme example, compare



The first email address uses the domain The second email address appears to use the same domain, but if you try to search this page (CTRL + F for, the second email address doesn't match.

That's because it uses the Cyrillic version of е, instead of the Latin version of e (which are visually identical in most fonts).

To identify this scam, always copy the email address you receive the key request from, and verify it's the same email address listed on the YouTube channel/Twitch profile using CTRL + F.

🏷️ website email fake domain game key release indie switch language persian official cloudflare rackspace scam

⬅️ Previous post: Jenkins Library for Unreal Engine 4

➡️ Next post: Thread Safe Random in C♯

🎲 Random post: Automating macOS Notarization for UE4


Please click here to load comments.