Roblox-themed malware campaigns are increasingly targeting gamers with fake mods and cheats designed to steal cryptocurrency credentials, resulting in significant financial losses including a six-figure theft in December 2025. The operations blend social engineering, supply-chain abuse and advanced persistence mechanisms to compromise both custodial and self-custody setups.
Stealka and fake packages at the core of the campaigns
The campaigns distribute malicious files masquerading as unofficial Roblox modifications, cracks and cheats across GitHub, SourceForge, Softpedia, YouTube and community forums. Attackers rely on typosquatting and brandjacking in the npm and PyPI registries, publishing packages that imitate legitimate Roblox API libraries such as noblox.js variants; malicious npm packages were observed as recently as August 2024, and similar activity has been documented since October 2021.
Community channels on Discord and YouTube amplify reach by promoting “Unlimited Robux” cheats and instructing users to disable antivirus tools, dramatically increasing infection rates among less security-aware players. Checkmarx has linked the npm/PyPI vector to infostealers delivered via fake libraries that exploit developer trust in open-source ecosystems.
Stealka, first reported by Kaspersky in November 2025, is described as a broad-spectrum infostealer capable of harvesting data from over 100 Chromium and Gecko-based browsers, 115 crypto-related browser extensions, major password managers, 2FA apps, local wallet applications, messaging clients and gaming services. The malware specifically targets extensions linked to Binance, MetaMask, Crypto.com, Trust Wallet and other crypto wallets to exfiltrate authentication material and session data.
For persistence, Stealka manipulates the Windows registry key HKCU\Software\Classes\ms-settings\Shell\Open\command so its payload executes whenever the Windows Settings app is opened. Its evasion techniques include terminating security tools such as Malwarebytes and adding drives to Windows Defender exclusion lists to degrade endpoint protection coverage.
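The two host-level traits described above, the ms-settings handler hijack and whole-drive Defender exclusions, can be audited from a defender's side. The following PowerShell script is an added example, not code from the article or from any of the vendors it cites; it assumes a Windows host with Defender installed and audits the hive of the user it runs as.

```powershell
# Added example (not from the article): audit a Windows host for an
# ms-settings Shell\Open\command hijack in the current user's hive and for
# Defender exclusions that cover an entire drive.
# Assumptions: Windows with Defender present; HKCU is the profile under review.

function Test-MsSettingsHijack {
    param(
        # Other logged-on users can be audited through
        # Registry::HKEY_USERS\<SID>_Classes\ms-settings\Shell\Open\command
        [string]$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    )
    $result = [ordered]@{
        KeyPath = $KeyPath; Present = $false; Command = $null
        DelegateExecute = $null; Suspicious = $false
    }
    if (Test-Path -LiteralPath $KeyPath) {
        $props = Get-ItemProperty -LiteralPath $KeyPath
        $result.Present         = $true
        $result.Command         = $props.'(default)'      # command run when Settings opens
        $result.DelegateExecute = $props.DelegateExecute  # empty value forces the command path
        # A clean profile has no ms-settings handler under HKCU, so any key here is suspicious.
        $result.Suspicious      = $true
    }
    [pscustomobject]$result
}

function Get-DriveWideDefenderExclusions {
    try {
        $pref = Get-MpPreference -ErrorAction Stop
    } catch {
        Write-Warning "Get-MpPreference unavailable: $($_.Exception.Message)"
        return @()
    }
    # Exclusions such as "C:\" or "D:" blind Defender to everything on that volume.
    @($pref.ExclusionPath) | Where-Object { $_ -match '^[A-Za-z]:\\?$' }
}

$hijack = Test-MsSettingsHijack
$hijack | Format-List
if ($hijack.Suspicious) {
    Write-Warning "ms-settings handler present; command: $($hijack.Command)"
    # After triage, the key is removed with:
    #   Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse
}
$drives = Get-DriveWideDefenderExclusions
if ($drives) {
    Write-Warning ("Whole-drive Defender exclusions: " + ($drives -join ', '))
    # Remove-MpPreference -ExclusionPath <drive> restores coverage once confirmed malicious.
}
```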
Other malware families are woven into the same ecosystem. Skuld Stealer, written in Go, focuses on Discord accounts, browsers and crypto wallets while abusing fodhelper.exe to bypass User Account Control. Blank Grabber, developed in Python and C++, appears as an additional infostealer that can be chained with remote access Trojans like Quasar RAT or even ransomware, expanding the impact from credential theft to full device compromise.
These campaigns disproportionately impact younger Roblox users who are more inclined to download unofficial mods and cheats without scrutinizing provenance or security warnings. A December 2025 incident saw a Singapore-based entrepreneur lose a six-figure cryptocurrency portfolio after installing a file tied to an elaborate game-testing scam, demonstrating how social engineering can bypass standard user safeguards.
Taken together, the convergence of social engineering, repository abuse and advanced persistence mechanisms creates a sustained, high-severity risk for cryptocurrency holders active in gaming communities and third-party package ecosystems. Security teams should monitor package registries and social channels for brandjacked artifacts and harden detection around infostealers and RAT payloads, while end users must recognize that any compromise of wallet or credential data can translate directly into total and irreversible asset loss.