VYPR
Breach · Published Jun 17, 2026 · 1 source

Roblox Developers Lose Entire Games to Session-Token Theft Malware

Attackers are targeting Roblox developers with fake job offers on Discord, tricking them into installing a Python infostealer called 'robase' that steals authenticated browser sessions and hands over control of games, groups, and Robux balances.

A new wave of targeted attacks is devastating Roblox developers, with victims reporting the complete loss of their games, groups, and in-platform currency after falling for a social engineering campaign on Discord. According to a report from Malwarebytes Labs, attackers pose as recruiters from established Roblox studios, offering project-manager roles to lure developers into installing a malicious Python package named 'robase.' Once executed, the malware steals authenticated browser sessions, allowing the attackers to bypass two-factor authentication (2FA) and take full control of the victim's Roblox account within hours.

The shift from opportunistic account theft to targeted game theft marks a significant escalation in the Roblox threat landscape. Previously, so-called 'beamers' focused on stealing rare virtual items and individual player accounts. Now, attackers are going after developer accounts because the prize is the game itself—including its code, in-game purchases, and ongoing revenue streams. Ioannis Matziaris told 404 Media that his two 20-year-old sons spent five years building a game called The Shadow Network. In April, one son was approached with a job offer and convinced to run a file. Within hours, the attackers had stolen control of the game, the group's Roblox account, and their Robux balance.

Another victim, 15-year-old Jovan Rai, was earning roughly 10,000 Robux (around $38) per day from his game when he received the same project-manager pitch. This time, the attackers impersonated Cheesy Studios—the Matziaris brothers' company—to lend the offer credibility. Rai spent more than 30 days trying to recover his account through Roblox support before media attention helped move the case forward. In several cases, Roblox support reportedly failed to restore accounts until a reporter from 404 Media contacted the company for comment.

The technical mechanism behind the attacks is session-token theft rather than credential theft. Developer Mohamed Kaparoza described how attackers contacted him on Discord, dangled a project-manager role, and asked him to install a Python package called 'robase,' which they claimed was a database tool. Shortly after installing it, he was logged out of Roblox on both his PC and his phone. His Discord account went with it, and his two-step verification settings and passkey were changed. Because the attackers stole an already-authenticated browser session, they could bypass 2FA entirely—a technique that has been used in previous campaigns targeting Roblox players with fake beta-test offers.

The campaign highlights a growing trend of attackers using social engineering to deliver infostealers to developers, a group that often has elevated access to valuable digital assets. The use of a Python package named 'robase' suggests the attackers are tailoring their tools to the Roblox developer community, which frequently uses Python for scripting and automation. The malware not only steals Roblox sessions but also targets Discord and potentially other accounts, amplifying the damage.

For Roblox developers, the defensive advice is largely behavioral. Unsolicited Discord job offers should be treated with extreme caution. Developers should never run files or install software from unknown contacts, especially tools described as 'database tools' or custom installers. Testing unfamiliar software in an isolated environment, such as a virtual machine, can prevent session theft. Regularly reviewing active Roblox sessions and signed-in devices, and enabling Roblox's Enhanced Protection features, can help mitigate some risks, though they won't stop session-stealer malware.
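One way to act on the advice above is to read an unsolicited package's source before anything runs it. The sketch below is an added example, not code from the Malwarebytes report or from anyone named in this article. It assumes the package has been unpacked to a directory without running its installer. The patterns are illustrative heuristics, not indicators taken from 'robase', and `build_sample` creates a constructed, inert sample tree.

```python
import re
import tempfile
from pathlib import Path

# Illustrative heuristics (assumptions), NOT indicators extracted from 'robase'.
PATTERNS = {
    "browser-session-store": re.compile(
        r"\.ROBLOSECURITY|Login Data|Local State|cookies\.sqlite|Network[\\/]+Cookies", re.I),
    "discord-token-store": re.compile(r"discord\w*[\\/]+Local Storage|leveldb", re.I),
    "secret-decryption": re.compile(r"CryptUnprotectData|win32crypt", re.I),
    "dynamic-execution": re.compile(r"\b(?:exec|eval)\s*\(|b64decode|marshal\.loads"),
    "outbound-upload": re.compile(r"requests\.(?:post|put)|urlopen\(|http\.client"),
}
READS_SECRETS = {"browser-session-store", "discord-token-store", "secret-decryption"}

def scan_package(root):
    """Return (relative_path, line_no, category) hits. Files are only read as text,
    never imported or executed."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for category, pattern in PATTERNS.items():
                if pattern.search(line):
                    hits.append((path.relative_to(root).as_posix(), line_no, category))
    return hits

def verdict(hits):
    """'do-not-run' when code both touches session stores and can send data out."""
    cats = {category for _, _, category in hits}
    if cats & READS_SECRETS and "outbound-upload" in cats:
        return "do-not-run"
    return "review" if cats else "no-hits"

def build_sample(root):
    """Constructed sample tree: inert text that only mentions what a stealer would touch."""
    root = Path(root)
    (root / "dbtool").mkdir()
    (root / "dbtool" / "__init__.py").write_text("VERSION = '0.1'\n")
    (root / "setup.py").write_text(
        "import os\n"
        "store = 'User Data/Default/Network/Cookies'\n"
        "requests.post(UPLOAD_URL)  # placeholder, never executed\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found = scan_package(build_sample(tmp))
        print(*found, verdict(found), sep="\n")
```

A "no-hits" result is not a clean bill of health, since obfuscated or compiled code will not match plain-text patterns; it only means nothing obvious was found.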

If the worst happens, documenting everything as early as possible—messages, screenshots, account changes, and support requests—can aid recovery. Using security software with real-time protection can detect and block infostealers before they compromise accounts. The incident underscores a broader pattern: as platforms like Roblox grow into economic ecosystems, the attackers follow the money, and developers—often young and less security-aware—become prime targets.

Synthesized by Vypr AI