
Key Highlights

In November 2025, Kaspersky researchers uncovered a Windows-based information stealer named Stealka that targets users by masquerading as game cheats, cracks, and pirated software. The malicious campaign exploits the demand for popular digital assets by luring victims through fake websites and platforms like GitHub and SourceForge.

According to Kaspersky, the attackers hide malicious software inside third-party game modifications and “executors” to gain unauthorized access to digital wallets. The campaign primarily targets younger users who download unofficial software to gain competitive advantages or aesthetic upgrades in Roblox, giving hackers a gateway to drain funds from browser-based crypto extensions.

Mechanism of the Roblox crypto-theft scripts

The malware is designed to look for sensitive cryptocurrency data on infected computers. In the case of the compromised Roblox utility, once a user downloads and installs it, the script runs in the background, looking for private keys and phrases for the MetaMask and Coinbase Wallet browser extensions.

The malware is spread through Discord servers and Telegram. Disguised as a legitimate gaming tool, the software avoids initial suspicion from users until attackers can intercept transaction information and send funds to their own addresses.

The evolution of gaming-based cybercrime

The incident is the latest in a growing trend of gaming platforms serving as an avenue for financial cybercrime. Roblox, home to millions of daily active users, has long been a target for phishing and account takeovers, but the shift toward crypto theft is a more lucrative pivot for scammers.

Scams on the site were previously largely confined to pilfering in-game items or Robux. However, with the maturation of its user base and a growing number of players interacting with web3 technologies, the stakes have increased. Past breaches in similar gaming ecosystems have shown that hackers often leverage the trust in community-driven forums to distribute malicious links.

Security implications for the Metaverse and DeFi

This malware indicates that tighter security integration is required between gaming platforms and digital asset managers. According to security experts, as the “metaverse” encroaches further on the world of decentralized finance, the attack surface for retail investors will only continue to grow.

Parents and adult users are advised to exercise caution with third-party executors and to use hardware wallets that require physical confirmation for transactions. In the near future, developers may be made to implement stricter code-signing requirements for any external software interacting with game clients, which would keep such exploits from becoming commonplace.

Escalating supply chain threats

In an escalation of supply chain threats, the “Shai-Hulud” malware campaign has recently compromised approximately 400 npm packages, including several popular libraries used in cryptocurrency development. This attack exploits the trust within developer ecosystems by injecting malicious scripts, specifically the “setup_bun.js” and “bun_environment.js” files, into legitimate software packages.
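A defender can check an installed dependency tree for the two file names reported above. The following Python sketch is an added example, not code from Kaspersky or from the campaign: it walks a directory, flags any package folder containing `setup_bun.js` or `bun_environment.js`, and notes whether an npm install hook in that package's `package.json` names one of them. The package names in the sample tree are constructed, and treating a hook reference as significant is an assumption.

```python
import json
import os
import tempfile

# File names the article reports for the campaign.
IOC_FILES = {"setup_bun.js", "bun_environment.js"}
# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def load_scripts(package_dir):
    """Return the "scripts" map from package.json, or {} if missing or malformed."""
    try:
        with open(os.path.join(package_dir, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    return scripts if isinstance(scripts, dict) else {}

def scan_tree(root):
    """List directories under root that contain a reported file name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(IOC_FILES.intersection(files))
        if not hits:
            continue
        scripts = load_scripts(dirpath)
        # Assumption: a hook that names one of the files would run it on install.
        hooks = {h: scripts[h] for h in INSTALL_HOOKS
                 if isinstance(scripts.get(h), str)
                 and any(name in scripts[h] for name in IOC_FILES)}
        findings.append({"dir": os.path.relpath(dirpath, root),
                         "files": hits, "install_hooks": hooks})
    return sorted(findings, key=lambda f: f["dir"])

def build_sample_tree(root):
    """Constructed fixture: one clean package and one carrying the file names."""
    layout = {
        "clean-lib": {"package.json": '{"name": "clean-lib"}', "index.js": ""},
        "example-wallet-utils": {
            "package.json": json.dumps({"name": "example-wallet-utils",
                                        "scripts": {"preinstall": "node setup_bun.js"}}),
            "setup_bun.js": "// placeholder", "bun_environment.js": "// placeholder"},
    }
    for pkg, files in layout.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        for name, text in files.items():
            with open(os.path.join(pkg_dir, name), "w", encoding="utf-8") as fh:
                fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

A file-name match is only a lead for review, since unrelated packages can reuse these names and a renamed file would not match.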

The emergence of crypto-stealing malware in the Roblox community demonstrates the risks associated with downloading unverified software. While the platform itself remains secure, the surrounding ecosystem of third-party mods presents a major vulnerability.

Users are advised to stick to official sources for enhancing video games and stay vigilant against offers that seem too good to be true.
