In December 2021, the YouTube channel People Make Games shared new allegations claiming that the game and game-creation platform Roblox is unsafe for kids—its primary audience. For anyone not tuned into the Roblox scene, it was eye-opening: Literal children being swindled out of sometimes large amounts of money and work, a situation that Roblox appeared either unwilling or unable to address.
A new Vice report digs deeper into how it all happens: How "beamers," as they're called in the Roblox community, are able to hack into Roblox accounts, strip them of valuable items, and then sell them on black markets. Phishing is a big problem, obviously, as beamers use generators to automatically create legitimate-looking pages targeting specific users or items, commonly shared with Roblox users via Discord. But there are more sophisticated schemes in play too.
One common ploy is to offer to create a new avatar for the intended target, or to claim they're looking for paid help to develop a game, the goal being to gain access to the victim's .HAR file and, more importantly, the login token it contains. A Google Chrome extension enables those tokens to be manipulated in order to gain access to targeted accounts; .HAR files contain a warning that explicitly states the risk of sharing them, but it often goes overlooked or ignored.
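To show concretely why that warning matters, here is a small Python sanitiser, added for this article and not part of the Vice report or any Roblox tooling, that flags cookie and authorization values in a HAR (HTTP Archive) export and redacts them before the file is shared. The header list and the sample capture are constructed assumptions, not taken from the article.

```python
import copy

# Header names whose values carry session or login tokens (assumed list, not from the article).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def exposed_tokens(har: dict) -> list[str]:
    """Return one '<side> <url>: <item>' line for every credential-bearing header or
    cookie value still present in a HAR document (empty list means safe to share)."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "?")
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append(f"{side} {url}: header {h['name']}")
            for c in msg.get("cookies", []):
                if c.get("value") not in (None, "", REDACTED):
                    found.append(f"{side} {url}: cookie {c.get('name')}")
    return found


def redact_har(har: dict) -> tuple[dict, int]:
    """Deep-copy a HAR, replacing every cookie value and credential header value;
    returns the sanitised copy and the number of values redacted. The input is untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    count += 1
            for c in msg.get("cookies", []):
                if c.get("value"):
                    c["value"] = REDACTED
                    count += 1
    return out, count


# Constructed sample HAR with one request/response pair; token values are placeholders.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.invalid/home",
                "headers": [{"name": "Cookie", "value": "session=PLACEHOLDER_TOKEN"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "session", "value": "PLACEHOLDER_TOKEN"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "session=PLACEHOLDER_TOKEN; HttpOnly"}],
                 "cookies": [{"name": "session", "value": "PLACEHOLDER_TOKEN"}]}}]}}

if __name__ == "__main__":
    print("exposed before:", exposed_tokens(SAMPLE_HAR))
    clean, n = redact_har(SAMPLE_HAR)
    print(f"redacted {n} values; exposed after: {exposed_tokens(clean)}")
```

Running `exposed_tokens` on a real browser export before handing it to anyone is the check a support worker or parent would want; the redacted copy still carries timings, URLs and status codes, which is all a legitimate debugging request needs.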
Beamers have also been able to gain control of targeted accounts by using fake PayPal screenshots to convince Roblox support that they're the proper owners, similar to the takeovers of "high-profile" FIFA accounts by hackers in January. One player told Vice he believes his account was compromised via "SIM swapping," in which the victim's mobile carrier is tricked into sending texts and calls to a SIM card controlled by a hacker, enabling them to bypass 2FA protection or even change a user's password.
Once a victim's Roblox items are taken, they're typically offloaded on one of many unauthorized Roblox marketplaces, for sometimes breathtaking prices: YR, the co-founder of the Adurite marketplace, said the biggest sale on the site in 2021 was a Midnight Blue Sparkle Time Fedora, which sold for $13,605.
YR acknowledged that the sale of stolen items through unofficial markets is a problem, but said that—much like Roblox itself—there's not much they can do to stop it. "As we are a public and easily accessible marketplace to sell on, it's surely possible that these ‘beamers’ attempt to sell items on Adurite as they would try to on any other sort of marketplace," they said. "Although we try our best to filter out these items, it's very difficult to detect/filter these items."
Roblox does offer a "rollback" option for item trades, but it's limited to one per account. It also "aggressively deters moving activity off Roblox because we cannot control activity on other applications," a rep told Vice, and offers 2FA and other features to help protect accounts.
"We've spent over a decade building a stringent safety and security system and policies that we are proud of and that we are continuously evolving as our community grows," the rep said. "The Roblox InfoSec team, in particular, actively mines various sources for threat intelligence, monitoring for malicious activity and taking appropriate action."
Clearly, it's not enough: The digital frontier is a risky place for everyone, but it's not reasonable to expect children to effectively navigate those risks unaided and unprotected, especially when the amounts of money involved are bound to continue to attract predators.