Published on

The Malicious Market of ROBLOX

Authors
  • avatar
    Name
    n0sec
    Twitter

Introduction

This investigation is far off from all other previous investigations conducted thus far. This is a far less technical market and is much less criminal, but nonetheless it is a complex greyhat market that is popular, especially amongst kids. The ROBLOX market not only involves some crime, but is an introduction to a wider field of fraud that connects to things like cracking.

V3rmillion

Initially registered in 2013, V3rmillion has been around for a respectable amount of time and has sustained high user activity from my observations. V3rmillion has gone through several phases of development and has stayed consistent with its on-site leadership. The market operates similar to other blackhat markets, allowing users to conduct peer-to-peer deals with administrators taking action among scammers. V3rmillion typically has on-site deals pertaining to ROBLOX assets like "limiteds" and "robux" - where users can obtain ROBLOX items in exchange for real world money, outside of the ROBLOX economy. For instance, I could buy 10,000 Robux, ROBLOX's currency, from a user for 60 USD, while on ROBLOX.com I would get charged closer to 100 USD. To better expand upon this, a formal explanation of the ROBLOX economy must be established.

The ROBLOX Economy

The average ROBLOX player is only able to generate Robux a few select ways, they are able to pay for it via USD through ROBLOX, have it distributed from the owner a group on ROBLOX, sell a piece of ROBLOX clothing, or make a game and charge ROBUX to play it or to get special items in it, similar to how some games charge for DLCs. Robux from these activities go to the creator, at least a majority do, with ROBLOX wiping 30-70% of the Robux from the economy after every purchase.

Buying Robux is rather straightforward, it typically cost a user about 10 USD per 1,000 robux if the user was to buy the Robux from ROBLOX. Having Robux distributed by the owner of a group is a feature within ROBLOX's group system, as groups in ROBLOX can generate revenue. A group can sell clothing and receive a commission of the sales of the clothing to a group bank, where the ROBUX can be distributed to a person within the group. Selling a piece of clothing is simple, ROBLOX has an open marketplace for its upgraded members (who pay a monthly subscription) and these users can sell clothing to anyone, which the users have to graphically design themselves. The seller makes a commission on the sale of the clothing - a rather straightforward peer-to-peer sales mechanism. After this comes to the option to make a game and sell access to the game or sell add-ons to the game, typically to give the player an advantage. The game developer takes a commission of the sale of the access or add-on sold to the user.

Robux isn't the only currency used to measure wealth on ROBLOX's economy though, there are 'limited items'. These limited items are limited because they are only held by a certain amount of users at a time, they are released with a static amount of copies and those who buy the item will be the only owners, that is, until they are traded. After an limited comes out, the owners of this limited item can trade their limited item with other user's limited items, typically with the goal of getting a more valuable item or an item they anticipate will increase in value. A limited's value is normally indicated by the amount of copies available when initially released, the initial cost of the item (the price ROBLOX sold the limited to for the initial purchasers), and just the appearance of the item. Limiteds can range from hundreds of Robux to millions of Robux, meaning some of the most valuable limiteds are sold for thousands of real world dollars on markets like V3rmillion.

How P2P Transactions Work

ROBLOX has avoided making this off-site market too profitable and has controlled their growth via on-site mechanisms. To begin, it is important to mention that all of these off-site transactions are disallowed and if users are caught partaking in these terms of service violating actions like buying and selling Robux off-site that the user can be terminated with all of their assets. ROBLOX is directly competing with these markets to sell Robux to consumers, and additionally has a program where people can sell their robux for similar rates they would receive on forums. ROBLOX offers about 345 USD for 100,000 Robux, which means that 1,000 robux is worth about 3.45 USD when selling Robux. This rate is low relative to rates people will pay on forums or markets for Robux, and thereby developers also frequently sell their Robux that they earn from their games to off-site markets, against the ROBLOX terms of service. ROBLOX clearly has all the reason to compete with these markets, and does so by imposing taxes on the players. ROBLOX takes away 30% of the Robux involved in each peer-to-peer transaction excluding limiteds, meaning that if someone on ROBLOX buys my asset, for instance a ROBLOX t-shirt for someone's in game character, I only make 70% of what I was selling the shirt for, 30% being voided. This eliminates Robux from the economy and damages seller's profit, but that still hardly makes the market between ROBLOX and these off-site markets competitive.

Most Robux transactions can be categorized as "B/T" or "A/T", before tax or after tax respectively. To understand the relevance of these terms, it must be established how deals are done for Robux. The first common way is to put a ROBLOX shirt asset for sale on the market, sell it for the amount that the transaction is for, say 10,000 Robux, and the person selling the Robux will buy the shirt. The buyer will then receive 7,000 Robux from the transaction, 30% removed due to the tax. The seller has given the buyer his Robux via buying the shirt, and the buyer can release the real-world funds to the seller. This is categorized as a "B/T" transaction, and the two consequences are the 30% tax amongst a 5-day waiting period ROBLOX instills for the buyer to receive the Robux to his account (ROBLOX does this as a mechanism to prevent releasing funds in the case of an account being compromised). The alternate way, however, has no waiting period and additionally has no taxes. ROBLOX has a group system, where groups can pool funds from selling assets like shirts, and these funds can be readily distributed. The seller will invite the buyer to the ROBLOX group, distribute the Robux to the buyer, and then the buyer the releases funds to the seller. When doing transactions this way, there is no taxes on the buyer and there is no hold period, creating an ideal situation for both parties. The rates for these two kinds of transactions very, with B/T being cheaper per thousand Robux due to its slow nature along with the taxes.

As for the sales of limiteds, the system is rather simple. A seller typically sends a trade via ROBLOX's trading system, where they give all of the limiteds the buyer is requesting, and the buyer provides the cheapest limited on the market, typically worth about 2 USD, as ROBLOX requires both parties provide at least one thing in the trade.

ROBLOX Items, OG, "namesnipes", etc.

ROBLOX has other valuable assets aside from discrete limiteds and robux. Like all social media platforms, there is a market for OG usernames on ROBLOX, albeit a much cheaper and less sketchy one. Typically OG usernames are a result of cracked accounts or phished accounts for ROBLOX, and they hold far less value. It is much easier to get in contact with ROBLOX support than it is Instagram or Twitter to reverse account compromises, so all ROBLOX accounts sold or bought are at risk of being taken back by the original owner. The act of taking back a ROBLOX account is called, "pulling back", and is sometimes done by the actual account owner of a compromiesd account, but also sometimes done by a seller who is attempting to scam the buyer of an account, who will claim it was the OG owner. Those who do this sometimes get caught when they go to sell the account again. ROBLOX gives special value to "spaced users", usernames with a space, as ROBLOX only allowed spaces in usernames in 2006 and has since removed this feature, meaning any account with a spaced user is one of the first accounts on the platform and is extremely rare.

ROBLOX shows the registration date of users on their profile, so another valuable parameter an account can have is an early join date, typically 2006-2009 are the commonly valuable years amongst buyers and sellers. Namesnipes and having an OG username are synonyms for each other in this market. These older accounts also tend to have items that ROBLOX no longer sells, sometimes ROBLOX releases assets like hats, for people's avatars, that they take off the market forever, meaning only the people who bought the item when it was out will be able to wear the asset. These older accounts tend to have them, but any account with a lot of valued off-sale items tend to hold value in the market.

An important factor when buying a ROBLOX account is whether the account is 'verified' or 'non-verified', referring to the status of the e-mail verification. An e-mail verified account tends to be less secure and is easier to be pulled back, while an unverified account is easier for the buyer to secure permanently as their account. It essentially requires less trust to buy an unverified account.

Rolimons, a ROBLOX limited analytics website.

"Poison" Limiteds

ROBLOX assets are cheaper on the blackmarket for a few reasons, one because the blackmarket pays more than ROBLOX does for assets in real-world currency in most situations, but also because many assets are stolen. Some users come into the ROBLOX blackmarket with intent to purely sell blackhat items (stolen items), and will advertise these items are legitimately obtained, such as obtained via a clothing items's revenue. This can cause problems as these 'poison' limiteds can result in ROBLOX accounts being terminated To clarify, ROBLOX, to counteract thieves in the community, ban accounts who interact with limiteds which are deemed as 'poison', just a marker for a stolen item. This is because nearly all poison items are sold in exchange for USD in the blackmarket, thereby ROBLOX assumes it's safe to say that anyone dealing with the item is playing a game of hot potato essentially, buying and selling the limited until eventually someone's account gets terminated with it. An item sells for a lot more if it is not marked as poison, as poison limiteds come with the risk of potential termination. An item is marked as poison by ROBLOX if the original owner of the asset/account that was stolen reports their account hacked and ROBLOX can verify their claims.

A ROBLOX termination entails more than just merely just losing the value of the asset that was being held, but also every other asset on the account. Big players in the blackmarket tend to hold lots of assets on their account, meaning if they're terminated they can lose a lot of value, and this tends to happen if a poison item was sold but not marked as poison.

How Robux Are Made

While there are natural ways of generating Robux, such as operating a popular game and selling access/add-ons, selling clothing assets, lots of other initiatives are executed to generate Robux for a player. Upon my investigation I've seen some interesting business models across big players in the ROBLOX marketplace, typically involving fooling players.

One popular way to fool players is via fake exploits for the platform. Because ROBLOX is primarily a child's game, the main demographic of people being fooled are young, vulnerable children. On ROBLOX, some people to gain unfair advantages by 'hacking' the games, injecting some sort of cheat to enhance their game play, but frequently these cheats are backdoored with malware that will log the victim's cookies. Within the cookies the ROBLOSECURITY cookie is found that the hacker can use to login to a victim's account, in-which the fraudster will then wipe the victim's account clean of assets. There have been similar tactics utilizing Chrome Extensions maliciously to advertise a browser-tool for ROBLOX that would merely log the user's cookies.

The Marketplaces

One of the first records of ROBLOX marketplaces that operated in an automated fashion, unlike the manual peer-to-peer transactions that happen on V3rmillion, was a website 'rbx.place'. This website was made in 2016 for buying and selling ROBLOX assets automatically, such as Robux and limiteds. It facilitates the sale via connecting the buyer's account to the website and automatically facilitating trade request depending on purchases that the buyer inputs. The buyer sees a catalog of items when they visit a marketplace like rbx.place, with each item being labeled a USD price. Typically the payment methods accepted are PayPal and cryptocurrencies, but some sites restricted PayPal use due to people 'carding' PayPal. This is the act of using a stolen credit card to do an unauthorized transaction that will result in a chargeback on the seller - meaning the seller loses their proceeds from the sale regardless if they delivered the item in some circumstances. These websites tend to cost more than sites that conduct peer-to-peer transactions as they have the advantage of user friendliness, reliability, and speed. The platform is fairly simple to use, sellers are vetted before they can begin selling on the site (to verify they aren't selling poison limiteds), and it doesn't require trust as the buyer and seller have the automatic escrow of the site to rely on.

The popularity of rbx.place skyrocketed and it would eventually result in ROBLOX's attention. ROBLOX would begin terminating merchants on the site, and would eventually threaten legal action against the site owners if they did not cease their operations. The site owners cooperated and took down the site, but nonetheless other sites have popped up to replace rbx.place. The new common websites that I see mentioned are https://adurite.com and https://ro.place. These websites operate identically to rbx.place - just under a new UI and new management. The sellers are guaranteed their money from the sale, the buyers are guaranteed their item, it's a relatively easy experience compared to that of a forum. Even legitimate sellers are incentivized to sell here, opposed to selling their Robux to ROBLOX via their aforementioned DevEx program that offers 350 USD for 100,000 robux. These websites bypass ROBLOX's internal taxes in some situations, pay more, and don't have as high of a waiting time as programs like DevEx.

ro.place's homepage
adurite.com's homepage

ROBLOX Casinos

Just like all other currencies have casinos, there are Robux casinos where users can gamble their Robux earnings. I would argue this to be one of the more sketchy elements of this market, as these websites are tailored towards gambling assets that primarily children hold. Developing a habit of gambling as a child can be detrimental to their development process and is generally a negative trait to have. Casinos like https://bloxflip.com/crash are unregulated yet have common games that are meant to be 'provably fair' like "crash" gambling. Another casino I encountered was https://rbxflip.com/coinflip, which appears less sketchy than Bloxflip, but nonetheless not great for the health of children.

Bloxflip's Homepage
Rbxflip's Homepage

Mining Robux / Advertisement Sites

The most interesting business model I found within the ROBLOX greyhat market was the concept of mining Robux. I encountered https://rbxidle.com in my investigation, a website that allows users to mine cryptocurrency and receive a Robux equivalent. It allows small cashouts as it pools the earnings of all the miners, at the expense of the miner's parents' electricity bill. RbxIdle also allows other payout options such as giftcards, this concept isn't unheard of by any means, but it is a fascinating business model. It does open the potential to malware and other sorts of chaos as it is unregulated widely, but it appears that the miners and the owners both get what they want in the situation.

RBXIdle Homepage

Conclusion

ROBLOX has an intricate, long standing marketplace that I would classify as greyhat. While some people are sellin stolen assets, many are just trying to monetize their legitimate earnings on the platform at a competitive rate. In my investigation I found the market to be somewhat innocent with the worst 'extent' of the platform to be the potential for tax evasion by these unaccounted forum transactions and kids potentially opening unauthorized PayPal accounts to conduct transactions. The primary focus of the market is buying and selling assets on the ROBLOX platform at a cheaper price than ROBLOX offers. ROBLOX's efforts will likely continue to combat these marketplaces by enforcing new policies to prevent off-site transactions from happening.

Discuss on TwitterView on GitHub