PSA: Bookmarklet & Verification Scam

Hi everyone,

We wanted to call attention to reports of a series of social engineering exploits and urge folks to:

  • Take extra precaution when interacting off-platform
  • Not execute untrusted code while logged into Roblox, whether by:
    • Clicking on a bookmark
      OR
    • Pasting code into browser dev tools

At present, we see that developers are being sent messages on Roblox expressing interest in purchasing one of their experiences. Then:

  1. The developer is directed off-platform for additional information
  2. The developer is asked to verify themselves by:
    • Dragging a bookmark containing JavaScript to their bookmark bar and clicking on the bookmark while logged into Roblox
      OR
    • Pasting code into browser dev tools while logged into Roblox
  3. The untrusted code reportedly takes over the account and steals value or other intellectual property

As a reminder, legitimate parties should NEVER require you to:

  • Execute untrusted code on the Roblox website, whether by clicking on bookmarks or pasting code into browser dev tools
  • Share your screen and perform specific actions on Roblox
  • Share security-related codes or links, which Roblox emails you, off-platform

If someone insists that you take any of these actions, even for verification or authentication, do not cooperate. Feel free to report any scams in this thread to promote community awareness.

For more information on how to keep your account safe, please visit our Help Center.

Thank you!

170 Likes
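A defender-side check for the bookmark vector described in this PSA, added here as an example and not code from Roblox or the original post: it scans a browser bookmark export (Netscape bookmark HTML format) for entries whose URL scheme is `javascript:`, normalizing the whitespace and letter-case variations that browsers ignore when parsing a URL. The sample export, bookmark titles and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample in the Netscape bookmark export format ("Export bookmarks").
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="https://example.com/help">Help Center</A>
  <DT><A HREF="javascript:void(0)">Verify account</A>
  <DT><A HREF=" JavaScript:void(1)">Verification step 2</A>
  <DT><A HREF="java&#9;script:void(2)">Buyer check</A>
  <DT><A HREF="https://example.com/?q=javascript:">Search</A>
</DL><p>
"""

# Leading/trailing C0 control characters and spaces are stripped by URL parsers.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))

def url_scheme(href):
    """Return the scheme the way a browser's URL parser would see it."""
    cleaned = href.strip(_EDGE_CHARS)
    # Tabs and newlines are removed wherever they occur in the URL.
    cleaned = cleaned.replace("\t", "").replace("\n", "").replace("\r", "")
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else ""

class BookmarkAudit(HTMLParser):
    """Collects (title, href length) for every bookmark that runs script."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._current = {"title": "", "href": dict(attrs).get("href") or ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["title"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            if url_scheme(self._current["href"]) == "javascript":
                self.findings.append((self._current["title"].strip(),
                                      len(self._current["href"])))
            self._current = None

def find_bookmarklets(export_html):
    parser = BookmarkAudit()
    parser.feed(export_html)
    parser.close()
    return parser.findings
```

Any bookmark this reports that you did not write yourself should be deleted rather than clicked.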


I really appreciate that Roblox is paying attention to this situation. However, any updates towards the AI Moderation towards these scams or either any given attention to work onto improving the moderation for the UGC accessories? I keep hearing a lot from the social media side that many accessories are just simply removed if it’s reported enough. Also, why is this posted here and not in messages privately (as in to the Roblox website directly more than the DevForum / Forum)?

20 Likes

I thought not putting in code into your bookmarks was common sense, but I guess common sense ain’t too common anymore.

I appreciate you guys bringing attention to this, even if it was very obviously a scam.

Even though I know that it’s a scam, I’ll share this with my friends in case they don’t know of the scam.

I’m also pretty sure NTTS made a video about this more in depth, I’ll post it here if I can find it.


20 Likes

Thank you Roblox for finally talking about this issue, it’s been a standing incident since the start, and has caused damages to developers.

8 Likes

I’ve seen people talk about this issue on #development-discussion. I’m glad Roblox is addressing the issue themselves as well. Good job.

10 Likes

People are less likely to read their messages on Roblox for anything, I guess.

The DevForum is way more “general” and “popularized”, so that may be the reason why.

8 Likes

I mean, that is true to some of us, though it would still be better to share the problem amongst the players more than the developers amongst the platform.
I get the part of why this is Developer-related, but on the other hand some Developers barely even pay attention to this place other than possibly the open-sources or the FAQ provided by some experiences.

5 Likes

I like how their bookmark scam doesn’t work on Firefox (I can’t even put it in my bookmarks).

That most likely happens because of Firefox’s character limit on bookmarks, but I don’t know.

4 Likes

They (Roblox) should then post it in both messages and here, because it then has a higher chance of being seen.

7 Likes

These very recently started popping up in my messages. I thought it was due to a recent update to one of my games, but it appears that it was just recent and Roblox seems to have reacted very quickly!

It’s great to see PSAs like this get posted so often and so rapidly after these situations take place. While I agree that these should be dealt with more effectively, it’s common knowledge to not follow steps such as these. Keeping developers up-to-date with recent scams is always positive.

5 Likes

Okay, if someone asks to purchase your game, and you see Motive Studios,
IGNORE IT. IT’S A SCAM.
They’re using the Roblox message system to promote the bookmark scam.

6 Likes

They also changed the name to Viks Creations something or other, so in general, if they message you saying they want to buy your game IN ANY WAY, do not listen.

5 Likes

Now that you’ve recognised these new scams, when are you going to help the victims of them?
The Motive Studios hackers stole this developer’s account and support won’t help them because the hackers changed their email, and the “restore account” button is broken. He’s been asking for help publicly for a week.

Some other devs have even had their accounts deleted by these hackers, too. Will they get their accounts back now that the Motive Studios group has been closed & recognised as a scam?

7 Likes

How does Roblox intend to recover accounts that were broken into using this bookmarklet system?

It seems like the Roblox support has been very slow with getting to people, if they’ve been getting to anyone about it at all these days.

4 Likes

The bookmark scam has been around for at least 2 years and has targeted several platforms. While I respect the effort of warning users of it (which is better than radio silence), you guys should probably be quicker on reporting this stuff.

Not running code in a browser’s devconsole that you don’t trust with 110% certainty should be a general rule of thumb.

6 Likes

It’s good that Roblox is helping out and raising awareness of these scams, though why they haven’t recovered stolen accounts is unclear.

Is there any plan for an announcement something or other in Inbox? Because I don’t believe ALL Roblox developers use the DevForum, and might not see social media posts.

2 Likes

I like to see that we’re being informed about new scams, but I think you guys should make this information available on the main website. The people affected by this will probably just be casual players, not developers like us (who quite probably already had this information to begin with). A 10 year old kid probably doesn’t know the devforums exist, and they’ll be the most vulnerable audience for scams like this, whilst if this was on the main website they’d be less likely to fall for these scams.

2 Likes

Roblox should pull out the YouTube card (I’m referencing YouTube’s adblock detection) and detect when suspicious JavaScript gets injected via bookmarks (or dev console) and then immediately close the tab or crash so nothing bad happens to your Roblox account.

edit: that’s pretty stupid tbh, there is not a single website that does this, so idk, maybe remind people that they should set up 2FA or even better parental PIN so malicious JavaScript payload can’t edit your account settings

2 Likes

Yeah, I definitely agree that such a feature would be an effective solution. Forcing 2FA + Parent Pin would be even as much effective as well.

I deleted my response about speaking with a Motive Studios incident suspect; their community notified me that it’s not the culprit. Nonetheless, I still hope Roblox cracks down on account ownership and income sources. These sorts of mass victim incidents are caused by people who have way too many accounts and income sources associated with themselves. I hope to see fewer of these sorts of PSA posts as well; it’s upsetting seeing them pop up every once in a while.

1 Like