Hackers have long targeted Roblox accounts to steal a player’s valuable items, which can sometimes be worth many tens of thousands of very real dollars. But that wasn’t enough for some. Now, hackers are taking over Roblox developer accounts and stealing ownership of entire video games and digital worlds.
Multiple Roblox developers—that is, people who make games for others to play on the Roblox platform, and sometimes make their livelihood doing so—told 404 Media about this happening to them. In multiple cases, the developers said Roblox support did not help them get their games back until 404 Media contacted Roblox for comment.
Ioannis Matziaris said his two 20-year-old sons spent five years building a game called “The Shadow Network” with more than 12,000 members. In April, someone approached Christos, one of the sons, with a job offer and convinced him to run a particular file. It was actually malware.
“Within hours, they had taken ownership of our entire Roblox group, transferred our main game to a new group they created, and stolen our Robux,” Matziaris said. He said the family contacted Roblox support and filed a DMCA takedown request with Roblox and got no response.
“This isn't just beaming,” Matziaris said, referring to when hackers “beam” or hack a victim to steal their items. “This is an organized group that steals games, republishes them, and recruits unsuspecting developers to build on stolen work.”
Roblox is much more than a game to many people; it is a business. While Roblox the company maintains the Roblox platform itself, essentially anyone can make a game built on top of it. Some of these games go massively viral, like Grow a Garden, which isn’t just a massively popular Roblox game but a huge video game in its own right. In turn, developers of these games monetize their creations with in-game transactions. Some Roblox developers make millions of dollars and open dedicated studios.
It’s not entirely clear what the hackers planned to do with the games, be that just steal the Robux or try to monetize their popularity. But you can see why a hacker might want to commandeer a game for themselves. Matziaris said that after the hack, Roblox denied the family’s claim over the game because “there is no indication that group ownership was transferred due to your account being compromised.”
When 404 Media contacted Roblox for comment, the company changed its stance. “We were troubled to hear of this specific incident and have restored the game to its owner,” the company said in a statement. Roblox added it has “several safety mechanisms in place, including Enhanced Protection, the most secure version of 2-step verification, which is designed to eliminate ‘point-of-authentication’ attacks like phishing and credential stuffing. Account Session Protection is also enabled by default for all users and helps secure web sessions by binding them to a specific device. Unfortunately none of these methods can completely eliminate the risk of account theft, particularly when bad actors convince users to run malicious software on their own devices or execute untrusted code. We continue to work on new ways to prevent these occurrences and actively encourage users to follow security best practices, including not clicking on links or downloading anything from unknown senders.”
Matziaris’s family is not the only person impacted. Mohamed Kaparoza, another developer, told 404 Media he was hacked “after I was contacted through Discord by individuals claiming they wanted to hire me as a project manager for their game. During the conversation, they asked me to install a Python package called ‘robase,’ which they described as part of their database/project tools.”
“Shortly after installing it, I was logged out of my Roblox account on both my PC and Phone. I also noticed my Discord account was compromised around the same time. Afterwards, my 2-step verification and passkey were changed without my permission, and my game/group were transferred to another user. I never received any notification about a login from a new location or device before this happened,” he added. Kaparoza said Roblox has not returned his game.
Jovan Rai, another developer, said they were also offered a project manager role and asked to run a file. Ironically, this time the attackers presented themselves as Cheesy Studios and working on the game The Shadow Network, which belongs to the Matziaris brothers. The hackers stole ownership of Rai’s game, called Overcoding Overseers.
“The game was generating ~10,000 Robux daily, had reached 1,100 concurrent users, and was my primary, only source of income. I am a minor, a 15-year-old Canadian who made this game independently,” Rai said.
Rai told 404 Media he had been “fighting” Roblox support for more than 30 days. Roblox only restored his game after 404 Media contacted Roblox for comment.
When 404 Media relayed details of Kaparoza and Rai’s cases, Roblox said in a statement “The Roblox support team investigates all claims and restores ownership if they can validate it.”
