{
	"id": "ae1d94db-0e9e-40c9-b02c-b9934040fa1b",
	"created_at": "2026-04-06T00:07:38.613763Z",
	"updated_at": "2026-04-10T03:21:24.571906Z",
	"deleted_at": null,
	"sha1_hash": "84c577f548143bddcfb851b18b811fd4560caa70",
	"title": "Chrome Extensions Steal Roblox Currency, Uses Discord",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64548,
	"plain_text": "Chrome Extensions Steal Roblox Currency, Uses Discord\r\nBy By: Stephen Hilt, Lord Alfred Remorin Aug 24, 2017 Read time: 4 min (1005 words)\r\nPublished: 2017-08-24 · Archived: 2026-04-05 15:26:47 UTC\r\nWe recently discussed how cyber criminals are using the popular voice/chat client Discord to steal cookies from\r\nthe running Roblox process on a Windows PC. Since then, we’ve noticed another attack going after the same\r\ninformation, only this time it is via Chrome extensions (CRX files).\r\nWhile it currently only targets Roblox users, the same technique can be used to steal cookies from any website.\r\nThe stolen information is sent via Discord, but this could also be configured to use other chat platforms. We\r\nlearned this particular Chrome extension was, in fact, for sale on the Dream Market underground marketplace for\r\nonly 99 cents:\r\nintel\r\nFigure 1. Roblox Trade Bot being sold on the \"Dream Market\" underground marketplace (Click to enlarge)\r\nWe obtained samples of this bot using the following file names: ROBLOX BOT.zip, Crm5extension.crx, Roblox\r\nEnhancer.crx, and DankTrades.zip. The first .ZIP file contains a file named bgWork.js.\r\nintel\r\nFigure 2. ZIP file contents\r\nSearching for the terms CRM5 or bgWork.js lead right back to the forum v3rmillion.net. This underground\r\nmarketplace forum is a hotspot for Roblox hacks, where users even trade ROBUX (the in-game currency of\r\nRoblox) for other work or products.\r\nLooking into bgWork.js, there is a configured Discord webhook that sends out the stolen Roblox cookie via the\r\nDiscord API when installed. In this case, the example shows that the extension is called a Trade Bot and claims to\r\nbe a RAP (Recent Average Price) Value assistant that can help you trade your ROBUX for something else. This\r\nextension doesn’t do that; it will only send a stolen cookie to a Discord channel, leaving the user with nothing in\r\nreturn.\r\nintel\r\nFigure 3. 
Title and message of the malicious extension\r\nbgWork.js will send the message via Discord using a predefined webhook, which could also be changed to use any\r\nof the other chat platforms discussed in our paper titled How New Chat Platforms Can Be Abused by\r\nCybercriminals.\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/\r\nPage 1 of 4\n\nFigure 4. Code sending stolen cookie via Discord\r\nThe extension also sets up an alarm that will trigger an event every 15 minutes. This event will send the stolen\r\ncookie (again) through the Discord API. These alarms ensure that the updated cookie is constantly uploaded to the\r\nattacker.\r\nFigure 5. Alarm set for every 15 minutes\r\nAt the beginning of the bgWork.js file (where the variables are configured), the attacker can change their webhook\r\nURL, or the cookie they want to steal. This means that this could be used to steal any cookie that is in the web\r\nbrowser; this capability is new to this version.\r\nFigure 6. Code for configuring cookie to steal and Discord API\r\nBecause CRX files are just ZIP files with a different extension, the malware can be easily reconfigured to steal the\r\ncookies from any website besides Roblox. Changing the extension’s manifest.json file will allow for its properties\r\nto be changed (such as its name and description), making it more likely for an unsuspecting user to fall victim to\r\nthis attack.\r\nFigure 7. manifest.json file of Chrome extension\r\nUnless a user looks into the extension’s code, it looks benign. It may run for a long period of time, allowing an\r\nattacker to steal ROBUX repeatedly if the victim keeps purchasing or acquiring new ROBUX. 
All it takes is one\r\ntime running the extension for the ROBUX cookie to be stolen and sent to the actor.\r\nFigure 8. Roblox Trade Assist extension installed in Google Chrome\r\nThe extension sends the Roblox cookie to a Discord channel like the previous malware, as seen below. We\r\nmodified the code to send it to a Discord channel of our choice:\r\nFigure 9. Cookies sent to Discord\r\nUnlike previous versions of Roblox cookie stealers like TSPY_RAPID.A and TSPY_RAPID.D that were\r\ncompiled using C#, this particular malware will also work on Macintosh computers.\r\nFigure 10. Roblox Trade Assist extension installed in Google Chrome on an OS X system\r\nThe version we found required the user to manually install the extension into his Chrome browser, which required\r\nDeveloper Mode to be turned on. We wondered if any of these trade bots made it into the official Chrome web\r\nstore, and found that they did:\r\nFigure 11. Roblox Trade Bot extensions in the Chrome web store\r\nChecking the reviews for these add-ons, we saw that some users complained that these were stealing ROBUX.\r\nOne reviewer even stated it steals the whole Roblox account.\r\nFigure 12. Reviews of Roblox Trade Bot\r\nWe looked at all the Roblox trade bots that were listed in the web store, and found that all of these were malicious;\r\nthey would send your cookies to a remote Discord webhook. One of them, once installed, even shares the same\r\nicon as the malicious extension that was discussed earlier.\r\nFigure 13. 
Malicious Chrome extension with TRADE icon\r\nThis shows that even extensions inside the Chrome web store can be malicious and steal ROBUX from user\r\naccounts.\r\nFigure 14. Contents of ROBLAX Trade/Snipe BOT extension's bgwork.js file\r\nThis is a good time to remember to always verify the permissions required before installing any Chrome\r\nextension. If you are unsure about these permissions, it’s better to not install the extension in the first place. This\r\nparticular malicious extension requires the “Read and change all your data on the websites you visit” permission,\r\nwhich should be a hint of its malicious behavior.\r\nFigure 15. ROBLOX Trade/Snipe BOT Permissions\r\nAnyone who has downloaded one of these extensions should delete this extension from their browser. This can be\r\ndone via the Extension Manager within Chrome; Google provides step-by-step directions on how to do so\r\nhere.\r\nTrend Micro detects these malicious extensions as BREX_CUKIEGRAB.SM. We have already reported these\r\nextensions to Google; as of this time they have not yet removed them.\r\nThe following SHA-256 hashes are associated with this threat:\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/"
	],
	"report_names": [
		"malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord"
	],
	"threat_actors": [],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84c577f548143bddcfb851b18b811fd4560caa70.pdf",
		"text": "https://archive.orkl.eu/84c577f548143bddcfb851b18b811fd4560caa70.txt",
		"img": "https://archive.orkl.eu/84c577f548143bddcfb851b18b811fd4560caa70.jpg"
	}
}