{
	"id": "8ef5783e-938e-40c1-8f7b-26dc2632e088",
	"created_at": "2026-04-06T00:16:21.158845Z",
	"updated_at": "2026-04-10T13:11:39.914779Z",
	"deleted_at": null,
	"sha1_hash": "b97747592711bedc1b1ce18efba5739ad80afc16",
	"title": "Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 788572,
	"plain_text": "Attackers use JavaScript URLs, API forms and more to scam users\r\nin popular online game “Roblox”\r\nBy Tiago Pereira\r\nPublished: 2023-11-02 · Archived: 2026-04-05 21:26:13 UTC\r\nThursday, November 2, 2023 07:58\r\nOnline video games often make use of in-game virtual currency and give players the ability to purchase,\r\ntrade or sell items. While these features are often selling points for players and potential revenue streams\r\nfor the companies that make them, they also inevitably draw bad actors and scams.\r\nOne of these games is “Roblox,” a highly popular gaming platform, especially among children. We curated\r\na short list of scams that have been reported online, such as on user support forums, YouTube videos and\r\nscammer Discord channels, explaining how they work and providing advice on how to detect and avoid\r\nthem.\r\nRoblox is a gaming platform composed of “Experiences,” which is “Roblox’s” name for user-created 3-D worlds\r\nwhere players can interact with each other and their surroundings. The creator, which can be any user, builds the\r\nscenarios, the game logic, items and overall interactivity of the experience.\r\nRoblox is free to play but contains an in-application currency called “Robux” that can be used to purchase clothes,\r\nweapons or other items for a user’s avatar, some of which exist in limited quantities and can be worth tens of\r\nthousands of real-world dollars. Items can also be traded for other items or Robux using a built-in trading system.\r\nThis creates a potentially profitable market and even though trading for real money is prohibited by the terms of\r\nservice, some users negotiate outside the platform and trade using real money.\r\nWhere there is a potential for profit there are also people trying to scam others. 
“Roblox” users can be targeted by\r\nscammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other\r\nplayers. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half\r\nof the game’s 65 million users are under the age of 13, who may not be as adept at spotting scams.\r\nHow to identify scams\r\nHaving knowledge of common scams and how they work is key to spotting them, even if you’ve never heard of a\r\nparticular tactic before. The following are some of the most common scams that have been seen targeting\r\n“Roblox” users.\r\nOffering free Robux/phishing \r\nThe scammer sends a message to the victim, using “Roblox’s” in-game chat or another messaging application,\r\noffering a way to earn free Robux. In the most common variation of this scam, the user receives a link to a web\r\npage containing “Roblox”-related themes or images. The site offers the victim free Robux and asks the victim to\r\nenter their username and password so that they can receive the Robux in their account. After the victim enters their\r\nusername and password, no Robux arrive; instead, the credentials go to the scammer, who logs into the victim’s account and steals all\r\nRobux and valuable items.\r\nIn-experience phishing \r\nIn Roblox, any user can create experiences, including scammers. In this case, the scammer creates a malicious\r\nexperience that promises to deliver free Robux and prompts the victim to fill out a form with their username and\r\npassword. 
The victim’s credentials are sent to an actor-controlled server, allowing the adversary to log in to the\r\nuser’s account and steal all Robux and valuable items.\r\nsource: https://roblox.fandom.com/wiki/Scam/Gallery?file=Reward_scam.jpg\r\nJavaScript method \r\nThe scammer asks the victim to copy and paste a link containing JavaScript code into the browser’s address bar.\r\nThere are many variations that use this method. In one common variation, the scammer pretends to be developing\r\nan experience and asks to use the victim's avatar image in the experience. To receive the details of the avatar\r\nautomatically, the scammer asks the victim to copy and paste the link containing the JavaScript code into the\r\nbrowser’s address bar. That code then steals the victim’s session ID, allowing the scammer to use the platform to\r\nlog in to the victim's account and transfer all items and Robux from the victim's account to the scammer’s\r\naccount. \r\nBookmark method \r\nThe bookmark method is a variant of the JavaScript method. Instead of asking the victim to paste a link into the\r\naddress bar, the scammer asks the victim to drag and drop a bookmark onto the bookmarks bar and then click on it. The\r\nbookmark contains JavaScript code that steals the victim’s session ID. \r\nsource: https://www.reddit.com/r/robloxhackers/comments/11eofbr/possibly_new_roblox_scam/\r\nAPI method \r\nThe scammer proposes to the victim a trade that is usually too good to be true. Then, the attacker says that before\r\ncontinuing with the trade, they would like to check that the victim’s items have not been stolen. To do this, they say,\r\nthe victim must visit a special page in Roblox and insert an ID. 
They then give the victim the URL for a page that\r\nis actually part of the Roblox domain and contains the following form, among other things.\r\nThis page is part of the Roblox API documentation and is used by developers to test the API. While talking with\r\nthe victim, the scammer creates a trade request that, if accepted, would transfer all the victim’s items to the\r\nscammer. The scammer then sends the ID of this trade to the victim and instructs them to insert the ID in the form and click\r\n“Try it out.” Because the form is served from the Roblox domain, the test request goes out with the victim's own logged-in session,\r\nso this will cause the user to accept the trade with the specified ID and transfer all their items and Robux\r\nto the scammer.\r\nHAR file method \r\nThe scammer offers to create a free GFX (a 3-D, realistic version of the victim’s avatar) under the pretext that they\r\nare learning to do this and could use the practice. If the victim accepts, the scammer says they need a file to\r\ncomplete the development and gives the victim a tutorial or video explaining how to obtain the file. The tutorial\r\nrequests that the victim open their browser developer tools and save the network requests as a HAR file.\r\nOnce saved, the victim is instructed to send it to the scammer. This file records every request the browser made, including the session ID of the victim,\r\nwhich allows the scammer to use the platform logged into the victim’s account and steal all items and Robux.\r\nDouble trade \r\nThe scammer approaches the victim proposing two trades. One trade is good for the scammer and one is good for\r\nthe victim. Taken together, the two trades give the victim a clear advantage. The scammer sets the condition that the\r\nvictim either accepts both trades or rejects both trades. 
However, while they chat, the scammer removes some\r\nRobux from their own account, making the trade that favors the victim fail for lack of Robux in the attacker's account.\r\nWhen the victim accepts both trades, only the bad trade goes through, making it a bad deal for the victim.\r\nMalware installation \r\nThis method is as simple as asking the victim to install some software or a browser extension as a way to\r\nreceive free Robux or to help the scammer perform some development that is of interest to the victim. The\r\ninstalled software is malware, designed to steal the victim’s session ID, which allows the scammer to use the\r\nplatform logged in to the victim’s account and steal all items and Robux.\r\n5 ways to avoid being scammed\r\nKnowing the common scams is an important step in using the platform safely. The following recommendations\r\nhelp players avoid falling for scams:\r\nIf it seems too good to be true, it is: This is probably the most important recommendation. If a stranger or\r\na website is claiming to offer free currency or free items, it is almost certainly a scam.\r\nDon't open links or download files sent by unknown sources: These links can be phishing or malware\r\ndelivery lures. If you don't know the other player, it’s generally a good idea to not open the link.\r\nBe suspicious of requests to perform unusual actions: Some scams rely on the user performing more or\r\nless technical actions. Such requests are a good indicator that it may be a scam. 
For example:\r\nCopy-pasting links into the browser address bar.\r\nCreating and clicking on bookmarks.\r\nOpening browser developer tools.\r\nBe suspicious of unusual trades: When trading, pay attention to red flags such as:\r\nTrades that are conducted outside the platform.\r\nTrades where the trader creates unusual rules such as double trades.\r\nRequests to perform actions in the web browser during a trade negotiation, such as using the API\r\nform.\r\nUse the platform’s built-in security features: Roblox takes security seriously and provides security\r\nguides and several features that increase account security. For example:\r\nEnable multi-factor authentication.\r\nConfigure account privacy.\r\nConfigure who, if anyone, can trade with the player.\r\nConfigure the trade quality filter to help avoid suspicious trades.\r\nEnable a mandatory PIN to change settings.\r\nExploring and using these can help better protect minors. The following links contain additional\r\ninformation and guidance:\r\nhttps://corporate.roblox.com/parents/ \r\nhttps://en.help.roblox.com/hc/en-us/articles/203313380-Keep-Your-Account-Safe\r\nSource: https://blog.talosintelligence.com/roblox-scam-overview/",
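The HAR file method above works because a HAR export is plain JSON in which every entry records the request and response headers and cookies exactly as they went over the wire, so it contains the session cookie in full, including cookies that page scripts are not allowed to read (HttpOnly). The following is an added example, not code from the Talos post or from Roblox: a Node.js audit that lists the credentials present in a HAR and produces a redacted copy, the check a practitioner should run before any HAR leaves the machine. The HAR is constructed for the example, and the cookie name `example_session`, the header list and the session-name pattern are assumptions, not Roblox's actual cookie or header names.

```javascript
// Added example (not from the Talos post): audit a HAR export for session
// credentials before it leaves the machine, and produce a redacted copy.
// A HAR is plain JSON: log.entries[] each hold the request and response with
// headers and cookies exactly as they went over the wire, so HttpOnly cookies
// that page scripts cannot read are still present in full.

// Headers that carry credentials (matched case-insensitively) and a name
// pattern for session cookies. Both are assumptions for this example, not a
// list of Roblox's actual cookie or header names.
const SENSITIVE_HEADERS = new Set(['cookie', 'set-cookie', 'authorization']);
const SESSION_COOKIE_PATTERN = /sess|token|auth|security/i;

// Keep a 4-character prefix so findings can still be correlated, drop the rest.
function redactValue(value) {
  const s = String(value);
  return s.length > 8 ? s.slice(0, 4) + '...[redacted]' : '[redacted]';
}

// Returns { findings, redactedHar }: findings describes every credential
// found, redactedHar is the same HAR with those values replaced.
function auditHar(harText) {
  const har = JSON.parse(harText);
  const findings = [];
  const entries = (har.log && har.log.entries) || [];
  entries.forEach((entry, index) => {
    const req = entry.request || {};
    const where = `entry ${index} ${req.method || '?'} ${req.url || '?'}`;
    for (const side of ['request', 'response']) {
      const msg = entry[side];
      if (!msg) continue;
      for (const h of msg.headers || []) {
        if (SENSITIVE_HEADERS.has(String(h.name).toLowerCase())) {
          findings.push({ where, kind: `${side} header`, name: h.name });
          h.value = redactValue(h.value);
        }
      }
      for (const c of msg.cookies || []) {
        if (SESSION_COOKIE_PATTERN.test(String(c.name))) {
          findings.push({ where, kind: `${side} cookie`, name: c.name, httpOnly: Boolean(c.httpOnly) });
          c.value = redactValue(c.value);
        }
      }
    }
    // Request bodies may hold submitted passwords (the phishing variants
    // above); they are opaque, so redact them wholesale.
    if (req.postData && typeof req.postData.text === 'string') {
      findings.push({ where, kind: 'request body', name: 'postData.text' });
      req.postData.text = redactValue(req.postData.text);
    }
  });
  return { findings, redactedHar: JSON.stringify(har, null, 2) };
}

// Constructed sample HAR (not a real capture): one authenticated request whose
// Cookie header and HttpOnly session cookie would go to the scammer verbatim.
const SAMPLE_HAR = JSON.stringify({
  log: {
    version: '1.2',
    creator: { name: 'constructed-sample', version: '0' },
    entries: [
      {
        startedDateTime: '2023-11-02T07:58:00.000Z',
        request: {
          method: 'GET',
          url: 'https://example.com/my/account',
          headers: [
            { name: 'Cookie', value: 'example_session=AAAAAAAA-SECRET-BBBBBBBB; theme=dark' },
            { name: 'Accept', value: 'text/html' },
          ],
          cookies: [
            { name: 'example_session', value: 'AAAAAAAA-SECRET-BBBBBBBB', httpOnly: true },
            { name: 'theme', value: 'dark' },
          ],
        },
        response: { status: 200, headers: [{ name: 'Content-Type', value: 'text/html' }], cookies: [] },
      },
    ],
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, redactedHar } = auditHar(SAMPLE_HAR);
  console.log('credentials found in HAR:', findings);
  console.log(redactedHar);
}
```

Run it against a real export with `auditHar(fs.readFileSync('capture.har', 'utf8'))`; the `httpOnly` flag in each finding makes the point of the scam explicit: the cookie is invisible to a pasted `javascript:` snippet but sits in clear text in the file the victim is asked to send.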
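The JavaScript and bookmark methods above both rely on the victim handing the browser a `javascript:` URL, either typed into the address bar or stored as a bookmark (a bookmarklet). An added example, not from the original post, of why a chat or parental-control filter should not look for the literal `javascript:` prefix: the browser's own URL parser strips leading and trailing spaces, removes tabs and newlines anywhere in the input and lower-cases the scheme before deciding what the link is, so only a check that parses the string the way the browser does catches the variants. The sample links and the `{ name, url, children }` bookmark tree are constructed for the example and are not any browser's real bookmark file format.

```javascript
// Added example (not from the Talos post): classify a pasted link or a
// bookmark URL by the scheme the browser would actually execute, not by its
// literal text.

// Schemes that run or render attacker-supplied content in the current page
// context. Treating data: as script-capable is a conservative choice.
const SCRIPT_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);

// The naive check a filter might use: it only matches the canonical spelling.
function naiveIsScriptUrl(text) {
  return text.startsWith('javascript:');
}

// Parse with the WHATWG URL algorithm (the one browsers use). It strips
// leading/trailing spaces and C0 controls, removes tabs and newlines anywhere
// in the input and lower-cases the scheme. Unparseable text is reported as
// not-a-URL rather than silently treated as safe.
function classifyUrl(text) {
  let url;
  try {
    url = new URL(text);
  } catch {
    return { input: text, scheme: null, script: false, parseable: false };
  }
  return { input: text, scheme: url.protocol, script: SCRIPT_SCHEMES.has(url.protocol), parseable: true };
}

function isScriptUrl(text) {
  return classifyUrl(text).script;
}

// Walk a bookmark tree of { name, url?, children? } nodes (a constructed shape
// for this example, not any browser's real bookmark file format) and return
// the bookmarklets, i.e. bookmarks whose URL resolves to a script scheme.
function findScriptBookmarks(node, path = []) {
  const here = [...path, node.name];
  const hits = [];
  if (typeof node.url === 'string' && isScriptUrl(node.url)) {
    hits.push({ path: here.join('/'), url: node.url });
  }
  for (const child of node.children || []) hits.push(...findScriptBookmarks(child, here));
  return hits;
}

// Constructed inputs: the canonical form, three variants the address bar
// normalizes to the same javascript: URL, one benign link and one non-URL.
const SAMPLE_LINKS = [
  'javascript:void(document.title)',
  '  JaVaScRiPt:void(document.title)',
  'java\tscript:void(document.title)',
  'javascript\n:void(document.title)',
  'https://www.roblox.com/',
  'not a url at all',
];

// Constructed bookmark tree with one bookmarklet and one data: bookmark.
const SAMPLE_BOOKMARKS = {
  name: 'Bookmarks bar',
  children: [
    { name: 'Roblox', url: 'https://www.roblox.com/' },
    { name: 'Free Robux helper', url: ' JAVAscript:void(0)' },
    { name: 'Games', children: [{ name: 'Avatar tool', url: 'data:text/html,hello' }] },
  ],
};

// Side-by-side result of the naive and the parser-based check for each link.
function compareChecks(links = SAMPLE_LINKS) {
  return links.map((link) => ({ input: link, naive: naiveIsScriptUrl(link), parsed: isScriptUrl(link) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
  console.log('bookmarklets found:', findScriptBookmarks(SAMPLE_BOOKMARKS));
}
```

The same `classifyUrl` check applies to the bookmark method: a bookmark is just a stored URL, and a stored `javascript:` URL runs in the context of whatever page is open when it is clicked, which is exactly what makes a bookmarklet equivalent to pasting the code into the address bar.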
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/roblox-scam-overview/"
	],
	"report_names": [
		"roblox-scam-overview"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b97747592711bedc1b1ce18efba5739ad80afc16.pdf",
		"text": "https://archive.orkl.eu/b97747592711bedc1b1ce18efba5739ad80afc16.txt",
		"img": "https://archive.orkl.eu/b97747592711bedc1b1ce18efba5739ad80afc16.jpg"
	}
}