In December 2021, the YouTube channel People Make Games shared new allegations claiming that the game and game-creation platform large amounts of money and work, a situation that Roblox appeared either unwilling or unable to address.
A new Vice report digs deeper into how it all happens: How "beamers," as they're called in the Roblox community, are able to hack into Roblox s, strip them of valuable items, and then sell them on black markets. Phishing is a big problem, obviously, as beamers use generators to automatically create legitimate-looking pages targeting specific s or items, commonly shared with Roblox s via Discord. But there are more sophisticated schemes in play too.
One common ploy is to offer to create a new avatar for the intended target or claim they're looking for paid help to develop a game, the goal being to gain access to the victim's .HAR file, and more importantly the token it contains. A Google Chrome extension enables those tokens to be manipulated in order to gain access to targeted s; .HAR files contains a warning that explicitly states the risk of sharing it, but it often goes overlooked or ignored.
Beamers have also been able to gain control of targeted s by using fake Paypal screenshots to convince Roblox that they're the proper owners, similar to the takeovers of "high-profile" FIFA s by hackers in January. One player told Vice he believes his was compromised via "SIM swapping," in which the victim's mobile carrier is tricked into sending texts and calls to a SIM card controlled by a hacker, enabling them to by 2FA protection or even change a 's .
Once a victim's Roblox items are taken, they're typically offloaded on one of many unauthorized Roblox marketplaces, for sometimes breathtaking prices: YR, the co-founder of the Adurite marketplace said the biggest sale on the site in 2021 was a Midnight Blue Sparkle Time Fedora, which sold for $13,605.
🥳🥳🥳 pic.twitter.com/cAKmk47EAfDecember 27, 2021
YR acknowledged that the sale of stolen items through unofficial markets is a problem, but said that—much like Roblox itself—there's not much they can do to stop it. "As we are a public and easily accessible marketplace to sell on, it's surely possible that these ‘beamers’ attempt to sell items on Adurite as they would try to on any other sort of marketplace," they said. "Although we try our best to filter out these items, it's very difficult to detect/filter these items."
Roblox does offer a "rollback" option for item trades, but it's limited to one per . It also "aggressively deters moving activity off Roblox because we cannot control activity on other applications," a rep told Vice, and offers 2FA and other features to help protect s.
"“We’ve spent over a decade building a stringent safety and security system and policies that we are proud of and that we are continuously evolving as our community grows," the rep said. "The Roblox InfoSec team, in particular, actively mines various sources for threat intelligence, monitoring for malicious activity and taking appropriate action."
Clearly, it's not enough: The digital frontier is a risky place for everyone, but it's not reasonable to expect children to effectively navigate those risks unaided and unprotected, especially when the amounts of money involved are bound to continue to attract predators.
