Ukrainian cyber police have arrested three individuals who used cookie-harvesting malware to compromise more than 610,000 Roblox gaming accounts between October 2025 and January 2026, selling high-value accounts on Russian-language platforms and pocketing approximately UAH 10 million (~$225,000 USD) paid in cryptocurrency.
Roblox Account Hijacking: What We Know So Far
The operation was run out of Lviv by a 19-year-old organiser who recruited two accomplices aged 21 and 22. Rather than cracking passwords, the attackers deployed malicious software that harvested browser session cookies, allowing them to authenticate to victim accounts without needing credentials at all — a technique that bypasses passwords, SMS OTPs, and many 2FA implementations tied to the password-reset flow.
Over the four-month campaign, the group checked over 610,000 accounts for valuable in-game items and Robux balances. Investigators found 357 files containing selected high-value accounts at the time of arrest. The accounts were listed for sale on Russian-language marketplace platforms, with buyers paying through cryptocurrency wallets — a pattern investigators say is consistent with a for-profit credential resale operation rather than targeted espionage.
Law enforcement executed 10 search warrants across residences and registered addresses. Seized items included computer equipment, storage devices, mobile phones, bank cards, physical notes documenting the operation, more than €2,500 in cash, and approximately $35,000 USD.
The Lviv region Cyber Police and prosecutors led the investigation. Criminal proceedings are underway; charges have not yet been publicly confirmed, but Ukrainian law covers unauthorised access to computer systems, theft, and money laundering via cryptocurrency.
Secondary reporting from The Record (Recorded Future) confirms Ukrainian authorities classified this as a significant organised cybercrime operation rather than an isolated incident.
Why Roblox Account Hijacking Matters Beyond Gaming
For security practitioners, this arrest is a case study in the ongoing scalability of cookie-based session hijacking — an attack that has become one of the most effective credential theft vectors precisely because it sidesteps the password-centric defenses most organisations have invested in.
Platforms like Roblox are attractive targets not just for their user base, but because in-game economies are liquid and largely pseudonymous. Digital items and currency convert quickly to real money through grey-market trading sites, many of which operate from jurisdictions with limited cooperation on cybercrime extradition. The Russian-platform sales channel in this case adds an additional layer of operational insulation.
The same technique scales to higher-value targets. Infostealer malware families — including Redline, LummaC2, and Vidar — harvest session cookies from browsers as a core function. Enterprise SSO tokens, cloud provider sessions, and SaaS application cookies stored in browser profiles are exfiltrated by the same mechanisms used here against Roblox players. The difference between a stolen Roblox cookie and a stolen AWS console session token is the size of the blast radius.
Roblox Account Hijacking: What You Should Do Now
For individual users and organisations running platforms with in-game economies:
- Enable authenticator-app 2FA on gaming and consumer accounts — not SMS, which is vulnerable to SIM-swap. Roblox supports authenticator apps; enable it at Account Settings → Security → 2-Step Verification.
- Audit active sessions regularly. Roblox and most major platforms expose active session lists. Terminate any sessions you do not recognise immediately.
- Use isolated browser profiles for high-value sessions. A session cookie in a dedicated browser profile cannot be swept by infostealer malware running in your general-use profile.
- Be alert to phishing for malware delivery. The initial vector for cookie-stealing malware is nearly always phishing, malicious download, or trojanised software. Treat unexpected download prompts in gaming contexts with the same suspicion as enterprise phishing.
For security teams and platform operators:
- Implement device fingerprint binding for session tokens. If a session cookie is replayed from a different IP geolocation or device signature, require step-up authentication before granting access.
- Monitor for anomalous login telemetry. High-frequency account access from mismatched geolocations or user agents, or login timing that diverges from historical patterns, is a reliable signal of replayed stolen sessions.
- Apply HttpOnly and SameSite=Strict cookie attributes. While these do not stop malware that reads cookies from browser storage directly, they mitigate XSS-based cookie theft and cross-site request forgery.
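The two platform-side signals above, session-to-device binding and bulk-access telemetry, can be checked with a few lines of logic. The following is an added illustration written for this article, not code from Roblox or from the investigation; the telemetry records are constructed, and the fingerprint, window and threshold values are assumptions to be tuned per platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): session cookie id, account,
# source country, user agent and ISO-8601 timestamp, in arrival order.
EVENTS = [
    ("sess-A1", "player01", "DE", "Chrome/120 Windows", "2026-01-10T09:00:00"),
    ("sess-A1", "player01", "DE", "Chrome/120 Windows", "2026-01-10T09:05:00"),
    ("sess-A1", "player01", "UA", "Firefox/121 Linux", "2026-01-10T09:06:00"),
    ("sess-B2", "player02", "US", "Safari/17 macOS", "2026-01-10T10:00:00"),
    ("sess-C3", "player03", "NL", "curl/8.5", "2026-01-10T11:00:00"),
    ("sess-D4", "player04", "NL", "curl/8.5", "2026-01-10T11:00:03"),
    ("sess-E5", "player05", "NL", "curl/8.5", "2026-01-10T11:00:07"),
]

SWEEP_ACCOUNTS = 3                    # distinct accounts from one fingerprint ...
SWEEP_WINDOW = timedelta(seconds=60)  # ... inside this window looks like bulk checking

def fingerprint(country, user_agent):
    """Coarse device signature (assumed); a real deployment adds more signals."""
    return (country, user_agent)

def analyse(events):
    """Return findings as (signal, key) tuples, in the order they are raised."""
    bound = {}                  # session id -> fingerprint at first sight
    seen = defaultdict(list)    # fingerprint -> [(timestamp, account)]
    sweep_alerted = set()
    findings = []
    for sid, account, country, ua, ts in events:
        fp = fingerprint(country, ua)
        now = datetime.fromisoformat(ts)
        # Signal 1: the same cookie arrives from a different device signature
        # than the one it was bound to when first seen: require step-up auth.
        if sid in bound and bound[sid] != fp:
            findings.append(("step_up", sid))
        bound.setdefault(sid, fp)
        # Signal 2: one fingerprint touches many distinct accounts in a short
        # window, the footprint of stolen cookies being checked in bulk.
        seen[fp].append((now, account))
        recent = {acct for t0, acct in seen[fp] if now - t0 <= SWEEP_WINDOW}
        if len(recent) >= SWEEP_ACCOUNTS and fp not in sweep_alerted:
            sweep_alerted.add(fp)
            findings.append(("account_sweep", fp))
    return findings

if __name__ == "__main__":
    for signal, key in analyse(EVENTS):
        print(signal, key)
```

On the sample data the replayed sess-A1 cookie triggers a step-up and the curl fingerprint sweeping three accounts in seven seconds is flagged as a bulk checker.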
Detection and Verification Checklist
- Check active session logs on any high-value accounts; revoke anything not your current device.
- Review browser extension permissions — malicious or compromised extensions are a common cookie-exfiltration path.
- Scan endpoints with an up-to-date EDR for known infostealer indicators; LummaC2 and Vidar IOCs from CISA advisory AA25-141b are a good baseline.
- For platform operators: verify cookie issuance policies enforce short-lived tokens (< 24h for high-privilege sessions) and server-side invalidation on logout.
- Cross-reference any recent unfamiliar logins against known infostealer C2 ranges if you have DNS/proxy logging.
Sources: BleepingComputer, The Record (Recorded Future), dev.ua, UNN (Ukrainian National News)