Termination Exploit (2-3 Accounts Deleted) Verified Groups Stolen

Case Summary

Several Verified Roblox developers have been illegitimately terminated due to a coordinated attack that utilizes remote access malware and Zoom vulnerabilities. The attackers plan to gain access, view data, and inject malicious content designed to elicit immediate, irreparable account bans.

The primary actor featured in these attacks is:

  • Username: @svrals (User ID: 4012661469)
  • Observed behavior: Exploiting vulnerabilities and malicious code to get into, without permission, the computers and Roblox accounts of verified developers. Having entered, they knowingly alter personal information and inject reportable content (like CSEM references) for the sole purpose of having the account owner terminated.

Case 1: FiitOnHoldn (User ID: 2786940754)

  • Victim: @FiitOnHoldn
  • Group Affected: Fiit Cutz (Verified UGC group)
  • Date of Incident: August 16th
  • Exploit Method: Attacker hijacked 2FA using malware and remote take-over.
  • Impact:
    • The account was hijacked by the attacker.
    • Assets of the user were maliciously edited, including inappropriate and bannable content.
    • The account was inaccurately terminated for “Child Exploitation.”
    • The group Fiit Cutz was also stolen.
  • Notes: This is a textbook case of the “False Termination Exploit.” The attacker added CSEM references expressly to trigger automatic moderation without review.



Case 2: TreeFitten (User ID: 1651941615)

  • Victim: @TreeFitten (Verified Developer)
  • Affected Group: Draytsn Association (ID: 34441942)
  • Incident Details:
    • Victim’s machine was taken over by a Remote Access Trojan (RAT) exploiting a Zoom vulnerability.
    • Attacker remotely took over the account.
    • While taking control, the attacker injected malicious content (CSEM references) into account fields.
    • This led to permanent account suspension.
    • Group ownership was stolen during this period.
  • Follow-up: Victim attempted to contact Roblox Support, but support messages exhibited refusal to help despite clear evidence that the account got hijacked from outside. The screenshots attached show dismissive or poor replies from Roblox Customer Support.

Wider Implications

  • It’s not an isolated incident. A number of established creators are being targeted, namely those with valuable groups, visibility of UGC, or access.
  • The attack relies on malware and RATs to bypass 2FA protections, making legacy account recovery channels insufficient.
  • By their means of access, attackers deliberately plant high-severity bannable content to exploit Roblox’s automated mod tools against the victim.
  • Roblox’s current support system fails to deal with malicious terminations, where innocent creators are inappropriately banned and their groups taken over.



42 Likes

I mean, what should Roblox do in this case? The moderation system correctly terminated them for the content flagged. (And there are no device/IP ways for this to be checked by Roblox, as the PC itself was hacked.) An argument that could be made is, a UGC group which uploaded legitimate content for years probably wouldn’t randomly upload highly inappropriate content and at the same time transfer the group to someone random. This could be looked at on a case-by-case basis. (Which may be difficult for support to do.)

I think this is more of an awareness problem. Maybe Roblox could put warning popups with common scams on the creator dashboard? Or just enforce authenticator app (and no email backup way) for things like UGC, group transfer, games, etc., as that would require the phone too for 2FA stuff.

3 Likes
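
The behavioural signal suggested in the reply above (a long-standing, clean account that receives a critical content flag around the same time its group changes owner), sketched as an added example; it is not part of the thread and not Roblox's moderation logic. The event schema, account names, thresholds and the `triage` function are hypothetical, and all data is constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window
MIN_CLEAN_DAYS = 365           # assumed threshold for a "long-standing" account

# Constructed sample data; hypothetical schema, not a real log format.
ACCOUNTS = {
    "creator_a": {"created": "2020-03-01", "prior_strikes": 0},
    "creator_b": {"created": "2020-03-01", "prior_strikes": 0},
    "creator_c": {"created": "2029-12-20", "prior_strikes": 0},
}
EVENTS = [
    ("2030-01-05T10:02", "creator_a", "critical_content_flag"),
    ("2030-01-05T10:09", "creator_a", "group_owner_transfer"),
    ("2030-01-05T11:00", "creator_b", "critical_content_flag"),
    ("2030-01-05T12:00", "creator_c", "critical_content_flag"),
    ("2030-01-05T12:30", "creator_c", "group_owner_transfer"),
]

def triage(accounts, events):
    """Return {account: 'manual_review' | 'standard'} for each flagged account."""
    by_account = {}
    for ts, account, kind in events:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), kind))

    decisions = {}
    for account, evs in by_account.items():
        flags = [t for t, k in evs if k == "critical_content_flag"]
        transfers = [t for t, k in evs if k == "group_owner_transfer"]
        if not flags:
            continue  # nothing was flagged, so there is nothing to triage
        meta = accounts[account]
        age = min(flags) - datetime.fromisoformat(meta["created"])
        long_clean = (age >= timedelta(days=MIN_CLEAN_DAYS)
                      and meta["prior_strikes"] == 0)
        # Behavioural signal only: device/IP checks do not help when the
        # owner's own PC is the machine being remote-controlled.
        paired = any(abs(f - t) <= WINDOW for f in flags for t in transfers)
        decisions[account] = "manual_review" if long_clean and paired else "standard"
    return decisions

if __name__ == "__main__":
    for account, decision in triage(ACCOUNTS, EVENTS).items():
        print(account, decision)
```

Only `creator_a` is routed to manual review: `creator_b` has a flag with no ownership change, and `creator_c` is too new to have a clean history worth weighing.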

The real issue isn’t moderation catching bad content, it’s attackers weaponizing moderation via hijacking accounts and planting it. Roblox Support has no recovery path for this, so innocent devs get banned and the attacker walks away with their group.

14 Likes

This is more so an issue that should be forwarded to law enforcement rather than Roblox. All these incidents occurred off the Roblox platform and no vulnerability was abused in Roblox’s systems to terminate these accounts; these accounts were correctly banned by Roblox’s systems.

3 Likes

So sorry you had to go through this. This isn’t the first time this same bad actor does something like this, and certainly won’t be the last. I hope you get your account and group back as soon as possible.

8 Likes

This will not be addressed.

1 Like

I’m very sorry this happened to you. Unfortunately, the DevForum team has nothing to do with this kind of issue, so they can’t help resolve it. The right step is to contact Roblox Support directly: Roblox Support

If you’ve already reached out and only received an automated reply, your best option is to message a Roblox admin here on the DevForum so they can personally look into your case.

2 Likes

Wow, this is horrible. It seems like Tree is the only one who has gotten their account back so far.

2 Likes

How stupid can you be to get your device ratted, completely the user’s fault. ROBLOX has no part in this. If the Device was getting controlled remotely, why couldn’t you shut it down or force shutdown?

:slight_smile:

1 Like

This is a matter outside of the platform, this will be most likely ignored and most likely only end up as a warning to Developers instead.

1 Like

As someone who knows a lot about desktop software development, it’s insanely easy to get a RAT.

All it takes is running 1 (one) vulnerable piece of software before an attacker can install malware. It can be a malicious website abusing a browser CVE, it can be a malicious Zoom call (this specific instance used a Zoom RCE vulnerability), it can be a malicious Word document, it can be a bad MP4 file, it can literally be ANYTHING.

4 Likes