Robase, the malware that steals entire games on Roblox: three developers impacted, support ignored the victims for weeks
A coordinated campaign of attacks is targeting Roblox developers with a precise goal: the entire ownership of video games, not just individual accounts. The mechanism is documented by an investigation by 404 Media, which names three victims and includes an official communication from the company.
How the attack works
The first contact occurs on Discord, where attackers present themselves as project managers or contractors with fake collaboration offers. Once trust is gained, the victim is invited to install a Python package called robase, presented as a database and project management tool. It is an infostealer.
The relevant technical feature is the type of data stolen: authenticated session tokens from the browser. Because such a token represents a browser session that has already completed login, attackers who hold it can bypass two-factor authentication. One victim reported being logged out of their Roblox account on PC and phone immediately after installation, with two-step verification methods and passkeys modified without authorization.
In at least one case, attackers used the identity of a previous victim to enhance their own credibility: they posed as collaborators of “Cheesy Studios” and the game “The Shadow Network,” two already compromised entities, to approach a new developer.
The victims and Roblox's response
Among the documented cases, that of the Matziaris family is emblematic: their two twenty-something children had built “The Shadow Network” over five years, amassing over 12,000 members. In just a few hours, the attackers gained ownership of the Roblox group, transferred the game to a new group under their control, and stole the accumulated Robux. Roblox initially dismissed the family's complaint, claiming there was no indication that the transfer was due to an account compromise.
A similar situation occurred for Rai, a 15-year-old Canadian developer whose game “Overcoding Overseers” was their only source of income: it generated about 10,000 Robux a day and had reached 1,100 concurrent users. After over 30 days of unproductive contact with Roblox support, the game was recovered only after 404 Media contacted the company. Kaparoza, the third victim, had not yet recovered their game at the time of publication.
In its official response, Roblox stated that it had restored the game to its rightful owner and cited protective mechanisms already in place for all users, including “Enhanced Protection” and “Account Session Protection.” However, it acknowledged that none of these systems can completely eliminate the risk when attackers convince users to execute malicious software on their devices.
The attackers' strategy marks a sharp change in target compared to the past: previous attacks on Roblox targeted ordinary players to steal rare items or individual accounts. Now the target is developer accounts, and the loot is the entire video game. A similar campaign had already been reported in January 2025, aimed at players with fake beta test offers: it distributed infostealers to steal Discord and Steam sessions and cryptocurrency wallet data. A technical analysis of the current campaign and defensive recommendations for developers are available in the Malwarebytes post.