We wanted to call attention to reports of a series of social engineering exploits and urge folks to:
- Take extra precaution when interacting off-platform
- Not execute untrusted code while logged into Roblox, whether by:
  - Clicking on a bookmark OR
  - Pasting code into browser dev tools
At present, we see that developers are being sent messages on Roblox expressing interest in purchasing one of their experiences. Then:
- The developer is directed off-platform for additional information
- The developer is asked to verify themselves by:
  - Dragging a bookmark containing JavaScript to their bookmark bar and clicking on the bookmark while logged into Roblox OR
  - Pasting code into browser dev tools while logged into Roblox
- The untrusted code reportedly takes over the account and steals value or other intellectual property
As a reminder, legitimate parties should NEVER require you to:
- Execute untrusted code on the Roblox website, whether by clicking on bookmarks or pasting code into browser dev tools
- Share your screen and perform specific actions on Roblox
- Share security-related codes or links, which Roblox emails you, off-platform
If someone insists that you take any of these actions, even for verification or authentication, do not cooperate. Feel free to report any scams in this thread to promote community awareness.
For more information on how to keep your account safe, please visit our Help Center.
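The bookmark vector described in the announcement above depends on a bookmark whose URL starts with `javascript:`. As an added example (not part of the original post and not Roblox tooling), this Node.js script audits a Chromium-format `Bookmarks` JSON structure for such entries; the function names, marker list and sample data are constructed for illustration.

```javascript
// Added example: find javascript: bookmarks in a Chromium-format Bookmarks JSON.

// URL parsers ignore leading whitespace/control characters, scheme case and
// embedded tab/newline characters, so normalise before testing the scheme.
function isBookmarklet(url) {
  const cleaned = String(url).replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '');
  return /^javascript:/i.test(cleaned);
}

// Assumed heuristic list: calls that read session state, make requests,
// or unpack a hidden payload. Absence of markers does not make code safe.
const RISK_MARKERS = ['document.cookie', 'fetch(', 'XMLHttpRequest', 'eval(', 'atob(', 'import('];

function riskMarkers(url) {
  let body = String(url);
  try { body = decodeURIComponent(body); } catch (_) { /* malformed escapes: scan raw text */ }
  return RISK_MARKERS.filter((marker) => body.includes(marker));
}

// Walk every root (bookmark_bar, other, synced) and collect javascript: entries.
function findBookmarklets(bookmarks) {
  const hits = [];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    const here = path.concat(node.name || '(unnamed)');
    if (node.type === 'url' && isBookmarklet(node.url)) {
      hits.push({ path: here.join(' / '), markers: riskMarkers(node.url) });
    }
    (node.children || []).forEach((child) => walk(child, here));
  };
  Object.values(bookmarks.roots || {}).forEach((root) => walk(root, []));
  return hits;
}

// Constructed sample in the Chromium Bookmarks layout; the payload is inert.
const SAMPLE = { roots: {
  bookmark_bar: { type: 'folder', name: 'Bookmarks bar', children: [
    { type: 'url', name: 'Docs', url: 'https://example.com/docs' },
    { type: 'url', name: 'Verify', url: ' JavaScript:eval(atob(%22Y29uc3RydWN0ZWQ=%22))' },
    { type: 'folder', name: 'Tools', children: [
      { type: 'url', name: 'Dark mode', url: 'javascript:document.body.style.background=%22#111%22' },
    ] },
  ] },
  other: { type: 'folder', name: 'Other bookmarks', children: [] },
} };

for (const hit of findBookmarklets(SAMPLE)) {
  console.log(`${hit.path}: markers=[${hit.markers.join(', ')}]`);
}
```

To audit a real profile, pass the parsed contents of the browser profile's `Bookmarks` file to `findBookmarklets`; any hit you did not create yourself is worth deleting.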
I really appreciate that Roblox is paying attention to this situation. However, any updates towards the AI Moderation towards these scams or either any given attention to work onto improving the moderation for the UGC accessories? I keep hearing a lot from the social media side that many accessories are just simply removed if it’s reported enough. Also why is this posted here and not in messages privately (as in to the Roblox website directly more than the DevForum / Forum)?
I mean, that is true to some of us, though it would still be better to share the problem amongst the players more than the developers amongst the platform.
I get the part of why this is Developer-related, but on the other hand some Developers barely even pay attention to this place other than possibly the open-sources or the FAQ provided by some experiences.
These very recently started popping up in my messages. I thought it was due to a recent update to one of my games, but it appears that it was just recent and Roblox seems to have reacted very quickly!
It’s great to see PSAs like this get posted so often and so rapidly after these situations take place. While I agree that these should be dealt with more effectively, it’s common knowledge to not follow steps such as these. Keeping developers up-to-date with recent scams is always positive.
Okay, if someone asks to purchase your game, and you see Motive Studios.
IGNORE IT. IT’S A SCAM.
They’re using the Roblox message system to promote the bookmark scam.
They also changed the name to Viks Creations something or other, so in general, if they message you saying they want to buy your game IN ANY WAY, do not listen.
Now that you’ve recognised these new scams, when are you going to help the victims of them? The Motive Studios hackers stole this developer’s account and support won’t help them because the hackers changed their email, and the “restore account” button is broken. He’s been asking for help publicly for a week.
The bookmark scam has been around for at least 2 years and has targeted several platforms. While I respect the effort of warning users of it (which is better than radio silence), you guys should probably be quicker on reporting this stuff.
Not running code in a browser’s devconsole that you don’t trust with 110% certainty should be a general rule of thumb.
It’s good that Roblox is helping out and raising awareness of these scams, though why they haven’t recovered stolen accounts is unclear.
Is there any plan for an announcement something or other in Inbox? Because I don’t believe ALL Roblox developers use the DevForum, and might not see social media posts.
I like to see that we’re being informed about new scams, but I think you guys should make this information available on the main website. The people affected by this will probably just be casual players, not developers like us (who quite probably already had this information to begin with). A 10 year old kid probably doesn’t know the devforums exist, and they’ll be the most vulnerable audience for scams like this, whilst if this was on the main website they’d be less likely to fall for these scams.
Roblox should pull out the YouTube card (I’m referencing YouTube’s adblock detection) and detect when suspicious JavaScript gets injected via bookmarks (or dev console) and then immediately close the tab or crash so nothing bad happens to your Roblox account
edit: that’s pretty stupid tbh, there is not a single website that does this, so idk, maybe remind people that they should set up 2FA or even better parental PIN so malicious JavaScript payload can’t edit your account settings
Yeah, I definitely agree that such a feature would be an effective solution. Forcing 2FA + Parent Pin would be even as much effective as well.
I deleted my response about speaking with a Motive Studios incident suspect; their community notified me that it’s not the culprit. Nonetheless, I still hope Roblox cracks down on account ownership and income sources. These sorts of mass victim incidents are caused by people who have way too many accounts and income sources associated with themselves. I hope to see less of these sorts of PSA posts as well; it’s upsetting seeing them pop up every once in a while.