Asil, a player on mega-popular gaming platform Roblox that lets creators make their own games, was at home when something odd happened. Roblox, for some reason, logged him out of his account. Asil tried to log back in, but his password didn’t work. Fortunately, he was able to reset his password, create a new one, and log back in.
But as soon as he did that, Roblox kicked him back out. Asil contacted Roblox support, but it didn’t help; someone had removed the email address from the account, meaning he couldn’t prove the account actually belonged to him. Whoever was in control of Asil’s account then started trading with another player, and sent some of Asil’s valuable in-game items to the second account. It was clear: A hacker had broken in, and was emptying Asil’s pockets.
Each Roblox account has an avatar that the player can earn or buy new clothes for, and which they then use inside Roblox’s virtual worlds. The hacker targeting Asil stole a rare face item that makes the avatar look like it is licking its lips, as well as some Robux, Roblox’s currency. Limited items on Roblox come with unique serial numbers, adding to their prestige. Asil’s item was numbered #918. Asil said a friend originally gave it to him, and added that he originally shared the account with a friend before they gave him full control of it.
A day later, a friend of Asil’s found someone selling that same rare face item for Bitcoin in a Discord channel where users peddled Roblox items. The item this person was selling had the exact same serial number as Asil’s: #918. It was his stolen item, now being sold on the Roblox underground.
Asil, it turned out, had been “beamed”—Roblox slang for getting hacked and your items stolen.
“There’s a whole community where people beam, steal limiteds and sell them for USD or cryptocurrency,” Asil told Motherboard in an online chat. So-called beamers are able to profit from stolen Roblox items via massive dedicated marketplaces that handle at least tens of thousands of underground transactions and take a cut of each sale. Some of the items sold on these marketplaces are likely stolen.
Motherboard spoke to 11 people connected to Roblox beaming, including victims, the people who administer the marketplaces where stolen Roblox items are then sold, and hackers themselves. There is a ballooning and highly profitable ecosystem in which hackers can steal tens of thousands of dollars’ worth of items in minutes, and many of the victims are children. This sketchy, and sometimes illicit, economy sits in the shadow of Roblox’s legitimate business, which is valued at $68 billion and which half of all children in the U.S. play on in some form.
One beamer called Max told Motherboard how he targets many of these victims. “I go to servers with rich idiots, then message every single one of them,” he said.
Roblox isn’t a single game but a free application players download onto their PC, phone, or Xbox games console. From there, they can access tens of millions of different games, or as Roblox calls them, “experiences,” made by members of the wider Roblox community and player base. At the time of this writing, popular Roblox games include Murder Mystery 2, where players try to identify the killer; Pet Simulator X, for players who want to take care of and trade pets; and Hide and Seek Extreme.
Roblox’s popularity has generated a vast and complex economy. Developers of Roblox games can monetize their creations by selling in-experience purchases such as special abilities, or by creating and selling items for players’ Roblox avatars. The developers sell these creations for Robux, with earnings split three ways: the creator gets 30 percent, the seller gets 40 percent, and Roblox receives 30 percent. Sometimes the creator and the seller are the same person, in which case they get 70 percent. Once a developer has at least 50,000 Robux in their account, they can exchange the Robux for real currency using Roblox’s Developer Exchange Program. The exchange rate for legitimately sourced Robux is $0.0035 per Robux, or 0.35 cents. That doesn’t sound like a lot, but professional developers can rake in over $1 million a year, and some people have started dedicated gaming studios focused on making games for Roblox. As of June last year, 1.3 million creators were earning Robux, and were on track to earn $500 million that same year, according to Roblox’s website.
Do you know anything else about Roblox beaming? Or Roblox marketplaces? Do you work at Roblox? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
Roblox itself sells rare items known in the community as “limiteds,” which are available in a finite quantity. By playing certain Roblox games, players can also earn game specific rare items, such as “Ancient Weapons” from the Murder Mystery 2 game. Players can then trade limiteds with one another for other items or Robux, with Roblox displaying an item’s Recent Average Price (RAP) in Robux. Depending on how in demand or rare an item is, its value can fluctuate. Crucially, Roblox prohibits people from selling items directly for fiat currency.
Below those Roblox-sanctioned systems sits an off-platform shadow economy of hackers and underground traders, some of whom steal and peddle items for cash and cryptocurrency in violation of Roblox’s terms of service and sometimes the law. This collection of websites, companies, and Discord servers includes online casinos where players can gamble items on a coin flip or on a game of rock, paper, scissors, and digital marketplaces for selling the limiteds.
Asil, who lost his avatar item with the serial number #918, wasn’t exactly sure how the hacker managed to take over his account. But Motherboard found beamers are using a wide selection of creative and varied ways to break in and steal items from unsuspecting victims. Beamers are constantly registering new phishing domains to use against targets. One beamer who goes by the name Stoevsky recently obtained the domain röblox.com for their own phishing attempts.
“It’s god [sic],” he told Motherboard in an online chat when asked whether it was an effective phishing domain. Phishers appear to have used domains such as www—roblox.com, site-roblox.com, and www-roblzx.com, according to chat messages in Discord channels Motherboard accessed.
Beamers use gens, or generators, to quickly and automatically create phishing pages for specific targets, according to the messages. In Motherboard’s own test of one such generator, the resulting pages mimicked Roblox user profiles, which beamers then send to targets in the hope of harvesting their passwords.
“OP DOMAIN,” one beamer wrote in Discord when sharing a generator for the especially convincing domain roblox.com.af. OP refers to overpowered, a common term in gaming for a weapon or ability that gives users a potentially unfair advantage.
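The domains quoted above fall into a few recognizable patterns, and a defender can screen candidate domains for them mechanically. The following checker is an added example, not Roblox’s or Motherboard’s code: it folds internationalized homoglyphs to ASCII (so röblox becomes roblox), flags the real domain appearing as a subdomain of some other registrable domain (roblox.com.af), and catches the brand name embedded in, or one typo away from, a label (site-roblox, www-roblzx). Treating the last two labels as the registrable domain is a simplification; a production checker would consult the Public Suffix List.

```python
"""Heuristic lookalike-domain checker.
Added example, not Roblox's or Motherboard's code; it exercises the
phishing domains quoted in the article against the real domain roblox.com."""
import re
import unicodedata

BRAND = "roblox.com"


def skeleton(text: str) -> str:
    """Fold accented/composed characters to their base letters, so 'röblox' -> 'roblox'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Simplification: production code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def lookalike_reasons(domain: str, brand: str = BRAND) -> list:
    """Return the reasons a domain looks like an imitation of `brand`; an empty list means no match."""
    domain = domain.strip().lower().rstrip(".")
    brand_name = brand.split(".")[0]
    reasons = []
    if domain == brand:
        return reasons

    # 1. Internationalized labels: a non-ASCII letter that renders like an ASCII one.
    if not domain.isascii():
        try:
            domain.encode("idna")
            reasons.append("non-ascii label (IDN homoglyph)")
        except UnicodeError:
            reasons.append("non-ascii label that does not IDNA-encode")
    folded = skeleton(domain)
    if folded == brand:
        reasons.append("folds to the brand domain exactly")

    # 2. The real domain used as a subdomain of something else (roblox.com.af).
    if registrable(folded) != brand and folded.startswith(brand + "."):
        reasons.append("brand domain used as subdomain of another registrable domain")

    # 3. Brand name embedded in, or one typo away from, a label (site-roblox, www-roblzx).
    for label in folded.split(".")[:-1]:
        if label == brand_name:
            continue
        if brand_name in label:
            reasons.append(f"brand name embedded in label '{label}'")
            continue
        for part in re.split(r"[^a-z0-9]+", label):
            if part and edit_distance(part, brand_name) == 1:
                reasons.append(f"'{part}' is one edit away from '{brand_name}'")
    return reasons


if __name__ == "__main__":
    # The lookalikes are the ones quoted in the article, as printed there.
    for candidate in ["www.roblox.com", "röblox.com", "www—roblox.com",
                      "site-roblox.com", "www-roblzx.com", "roblox.com.af"]:
        print(candidate, "->", lookalike_reasons(candidate) or ["looks legitimate"])
```

A legitimate subdomain such as www.roblox.com produces no reasons, because its registrable domain is the brand itself; every quoted phishing domain produces at least one. Feeding the same check the domains in a Discord channel’s link history, or a new-domain feed filtered on the brand name, is the practical use.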
The hackers’ Discord channels often share lists of other servers where unsuspecting users are likely waiting, such as servers dedicated to particular Roblox Twitch streamers, or general servers geared toward people who play Roblox. The hackers then link their phishing page to a Discord server of their choice, which automatically and conveniently informs them when a victim has entered their details.
Hackers can also pick specific targets based on the items they possess. Various websites let users see what items are in players’ inventories. Headr0ws, another victim Motherboard spoke to, said beamers tend to target high-value accounts.
“My roblox account was extremely valuable since it held limited items and a lot of Robux that was earned from developing,” headr0ws said in an online chat.
Headr0ws believes they were compromised through SIM swapping, where a hacker tricks a victim’s carrier into rerouting their text messages or calls to a SIM card the hacker controls. Armed with this, a hacker can receive multi-factor authentication codes sent by SMS or complete a password reset, depending on the site targeted. Headr0ws said their phone displayed a ‘no SIM’ message during the attack, a telltale sign of SIM swapping.
Beamers also use various tricks to get a victim to hand over a .har file. A HAR (HTTP Archive) file is a JSON export of a browser’s network traffic, of the kind browser developer tools save for debugging; it records every request, including the session cookie that keeps a user logged into their Roblox account. Once a hacker has the file, they can load that cookie into their own browser with a Google Chrome extension, use it to log into the target account without needing the password, and start emptying its item inventory. Before the token itself, Roblox includes this text:
Multiple Discord channels Motherboard joined even have rooms where beamers casually copy and paste the login tokens from victims they either don’t want or no longer have use for.
Despite that warning from Roblox, the tricks can be too enticing. The beamers will say they are making a game and are looking for paid help, or they will offer to make in-game art of the target’s avatar but claim they need the target’s “appearance renderer” to do so. The victim then unknowingly hands over their .har file.
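The defensive counterpart to the .har trick is to look at what a HAR export actually contains before it leaves the machine. The script below is an added example, not Roblox’s or Motherboard’s tooling: it parses a HAR 1.2 document, lists every header and cookie that could replay a logged-in session, and writes a redacted copy that keeps the harmless fields. The embedded HAR is constructed for the example; the cookie name SESSION_TOKEN and its value are placeholders, since the page does not name Roblox’s login cookie.

```python
"""Find and redact login material in a HAR export.
Added example; not Roblox's or Motherboard's code.
The HAR below is constructed: the cookie name SESSION_TOKEN and its
value are placeholders, not Roblox's real cookie."""
import copy
import json

# Headers whose raw value alone lets someone replay a logged-in session.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
# Heuristic: session tokens are long opaque strings; a theme setting is not.
MIN_TOKEN_LEN = 32
REDACTED = "<redacted>"
SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef"  # constructed placeholder

SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://www.roblox.com/home",
                "headers": [
                    {"name": "Cookie", "value": f"SESSION_TOKEN={SAMPLE_TOKEN}; theme=dark"},
                    {"name": "Accept", "value": "text/html"},
                ],
                "cookies": [
                    {"name": "SESSION_TOKEN", "value": SAMPLE_TOKEN},
                    {"name": "theme", "value": "dark"},
                ],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": f"SESSION_TOKEN={SAMPLE_TOKEN}; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "text/html"},
                ],
                "cookies": [
                    {"name": "SESSION_TOKEN", "value": SAMPLE_TOKEN},
                ],
            },
        }],
    }
})


def load_sample() -> dict:
    """Parse the constructed HAR so callers need nothing but this module."""
    return json.loads(SAMPLE_HAR)


def find_session_material(har: dict) -> list:
    """Return (entry index, location, name) for every header or cookie that could replay a login."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    hits.append((i, side + ".headers", header["name"]))
            for cookie in message.get("cookies", []):
                if len(cookie.get("value", "")) >= MIN_TOKEN_LEN:
                    hits.append((i, side + ".cookies", cookie["name"]))
    return hits


def redact(har: dict) -> dict:
    """Return a deep copy with every flagged value replaced, leaving harmless fields intact."""
    clean = copy.deepcopy(har)
    for i, location, name in find_session_material(clean):
        side, kind = location.split(".")
        for item in clean["log"]["entries"][i][side][kind]:
            if item.get("name") == name:
                item["value"] = REDACTED
    return clean


def contains_token(har: dict, token: str) -> bool:
    """True if the raw token string still appears anywhere in the serialized file."""
    return token in json.dumps(har)


if __name__ == "__main__":
    har = load_sample()
    for hit in find_session_material(har):
        print("would leak login material:", hit)
    print(json.dumps(redact(har), indent=1))
```

Run against a real export (`json.load` of the saved .har in place of `load_sample()`), the first loop is the list of things a stranger asking for the file would receive; the redacted copy is what, if anything, should be shared. The length heuristic errs toward flagging, which is the right direction for this use.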
Some of these tricks aren’t limited to Discord chats. The beamers also find targets inside the virtual worlds of Roblox games themselves and approach them.
“If it's a girl, say ‘oh my god, your outfit is so pretty :D’ If it's a boy, say ‘your avatar is sick’,” one set of instructions Motherboard found reads, referring to how to start a conversation with potential targets during a Roblox game.
In other cases, beamers will find out what PayPal account belongs to the victim, then contact Roblox support and claim the associated Roblox account actually belongs to them by providing a fake screenshot of the associated PayPal account. Some beamers have automated tools for generating these fake screenshots of PayPal payments they can then send to Roblox support. The tools do quickly and effectively create a convincing PayPal payment confirmation screen, Motherboard found in its own tests.
The beamers try to keep their various methods private, with some only providing them to others in exchange for cash.
“Dont fucking leak it pussy,” one set of instructions on a particular method in a Discord channel reads.
Motherboard previously reported that a scammer bribed a Roblox insider to access a backend, internal Roblox tool and interact with certain player accounts.
Sometimes after beaming a target, hackers will deface the victim’s profile. “beamed by exodus beamed by exodus beamed by exodus,” reads the description on one apparently hacked Roblox user’s profile. Hackers also upload videos to YouTube of their beaming in action, stealing item after item, in some cases harassing the child victim over Discord, uploading audio of them crying, and telling the victim to kill themselves.
“These are satisfying as hell to watch,” one YouTube comment reads on one beaming video.
Rachel Tobac, CEO and co-founder of cybersecurity firm SocialProof Security, told Motherboard in an online chat that “It’s always tough to hear social engineering victims’ stories, but it’s extra sad when that victim is a child.”
Once a hacker has broken in and stolen the victim’s items by starting a trade with another account the hacker controls, they need somewhere to pawn the items. Some of the beamer Discord servers have channels for trading. But they can also turn to unauthorized third-party marketplaces that allow trades with real money and cryptocurrency, something that Roblox itself does not allow.
“From my experience, yes, the main reason hackers target limited items is to sell them on one of those marketplace websites,” high-profile Roblox YouTuber Linkmon99, known as the “richest” Roblox player in the world for trading limiteds, told Motherboard in an email. One reason hackers sell the limiteds is that Roblox will typically terminate the hackers’ accounts or try to recover the items, so the hacker is unable to keep the limiteds, Linkmon99 said. Instead, the hackers try to sell the items as quickly as possible; that is what the hackers who previously targeted him and stole his limiteds did, Linkmon99 added.
Linkmon99 provided screenshots of what he said were two trades made by hackers when they compromised his account. The screenshots show the theft of items with a total value of 24,355,855 Robux, which converts to just over $85,000 using Roblox’s exchange rate. Linkmon99 said that the total value of stolen items beyond these two trades was closer to $500,000. Linkmon99 said Roblox banned accounts that were holding his items.
YR, a co-founder of one of the unauthorized marketplaces called Adurite, told Motherboard in an online chat that “anyone can sell, anyone can buy.” Adurite’s digital product pages look much like any other online marketplace—some items are featured giving them a more prominent spot on the homepage, and each listing includes a price in U.S. dollars and RAP. As part of the legitimate trading system, Roblox itself does calculate and provide the RAP for its users to make a more informed decision on how much to pay for or sell an item for. And Adurite appears to operate at scale: YR claimed that the site has over 25,000 registered sellers.
Plenty of items on Adurite sell for just a few dollars, or $50, or perhaps a few hundred dollars. Others sell for thousands. YR claimed the biggest sale on Adurite was for a Midnight Blue Sparkle Time Fedora item, which sold for $13,605 last year. Fedoras, in general, are some of the highest-valued items on Roblox marketplaces, with other fedoras such as the Green Sparkle Time and White Sparkle Time versions being advertised for $5,063 and $3,000, respectively. Users can also trade Robux for cash.
YR said they, along with second co-founder PD, created Adurite after chargebacks became a problem on another marketplace called Place. At the time of writing, over 2,300 people were online in the Discord server for Place. A chargeback is where the buyer of an item reverses the transaction with their bank or credit card provider, meaning the seller loses both the item and the cash. Chargebacks are less common on Adurite because it handles some transactions in cryptocurrency, where payments are irreversible. The marketplace recently started accepting PayPal, however, which reopens that avenue for abuse.
If some buyers are filing chargebacks, there are clearly marketplace users willing to commit fraud. When Motherboard asked YR if Adurite vendors sold items obtained from beaming, YR said, “As we are a public and easily accessible marketplace to sell on, it's surely possible that these ‘beamers’ attempt to sell items on Adurite as they would try to on any other sort of marketplace.” When asked if Adurite can detect whether an item listed for sale was obtained through hacking, YR told Motherboard, “Although we try our best to filter out these items, it's very difficult to detect/filter these items.”
PD, the second co-founder, also owns part of RBX.Flip, the largest Roblox online casino, which has allegedly handled over $100,000,000 worth of items; and is involved with Bloxxers, an NFT project that plans to sell NFTs similar in style to Roblox’s distinctive blocky aesthetic. PD told Motherboard in an online chat that “While no longer my main focus time or resource wise, the third-party ecosystem projects were definitely main focus throughout university besides my studies in order to kinda put what I was learning to use.”
When asked how much income they made from these various projects, PD told Motherboard, “Nothing crazy but enough to support my family as I was growing up, pretty similar situation as a lot of other people you'll see in this space. A lot of folks started to just make some extra dough to help around the house at a really young age.”
YR declined to tell Motherboard how much they personally make from Adurite sales.
YR was particularly guarded in his responses to Motherboard. But in an August interview with Roblox-focused YouTube channel RoZone, he was much more blunt.
“There’s no way to detect if it’s poisoned or not, and it’s a 95% chance that it will be poisoned,” he said. Poison is another term for hacked items. YR did not respond to Motherboard when asked to clarify this remark.
Roblox for its part has seemingly taken action against the underground marketplaces. Adurite’s Discord server was recently removed. Place temporarily shut down after allegedly receiving a legal threat from the company. The owner of RBX.Flip, the gambling site, previously told RoZone that Roblox sent a legal demand to Amazon Web Services and their subsequent host, which both took the site down. RBX.Flip then moved to another “offshore” host “who doesn’t really care” about the DMCA copyright law, they said.
Roblox does offer users the ability to “rollback” an item trade, which can be used if a hacker stole their items. But Roblox only offers one rollback per account, which isn’t helpful to people who had items stolen across multiple trades. Roblox told Motherboard that it has limitations on its restore policies to prevent abuse, but reviews inquiries on a case-by-case basis.
A Roblox spokesperson told Motherboard in an emailed statement that it “aggressively deters moving activity off Roblox because we cannot control activity on other applications, which rarely have comparable safety policies, account restrictions, parental controls, and other protections.”
“Users cannot exchange in-game virtual currency for real-world currency on Roblox outside of our developer exchange program and we specifically ban the use of third-party trading sites. We constantly monitor our platform to ensure that our users have a safe experience and will take appropriate action to address any issues that could have an impact on safety, and offer one-time recovery of any inventory lost,” the statement added. Roblox also said it offers users two-factor authentication, where players must enter an extra code from a smartphone app or their email to log in, in the hope of keeping some hackers out, and that if the company detects suspicious activity on a Roblox account, it prompts the user to change their password.
“We’ve spent over a decade building a stringent safety and security system and policies that we are proud of and that we are continuously evolving as our community grows. The Roblox InfoSec team, in particular, actively mines various sources for threat intelligence, monitoring for malicious activity and taking appropriate action,” the spokesperson added.
For Asil, the measures in place were not enough. At the time of writing, he is still locked out of his account, and hasn’t had his Roblox items returned. He’s lost motivation with Roblox in general, he said.
“I lost so much,” he said.