Roblox, Minecraft, and the Insidious Internet for Children

Internet Intelligence

There was a child went forth every day,
And the first object he look’d upon, that object he became …
The early lilacs became part of this child,
And grass and white and red morning-glories, and white and red clover, and the song of the phoebe-bird

Walt Whitman, 1855

In 1855, American poet Walt Whitman observed how a child’s identity grows with their world: walks through apple orchards, the tumbling ocean waves, the strata of color’d clouds, and their parents’ love all play a part in their identity.

In the 21st century, the Internet, too, becomes an inevitable part of a child’s world. And what kind of Internet have we made for them? Why have we filled their classrooms with computers and tablets if not for them to visit it?

Children are a uniquely profitable audience for low-grade Internet fraud. They have unfettered time, they are easy to excite with the promise of in-game currency, and they are far less likely than adults to recognize a manipulative funnel for what it is. 

Two games sit at the center of this economy: Roblox, whose in-game currency is Robux (“R$”), and Minecraft. Both have enormous under-13 player bases (see the kid’s clothing section of your nearest department store for evidence), both have currencies or perks kids desperately want, and both have spawned a sprawling ecosystem of websites that promise those rewards “for free” — or, more precisely, for “completing a few simple tasks.”

This research measures that ecosystem using Internet-wide scan data from Censys. Rather than chase individual bad domains, I built best-guess content fingerprints for two specific lure categories and then asked a simple question: how much of this infrastructure is actually out there?

I focus on two categories:

  1. Offerwall / “get-paid-to” reward sites: sites that don’t claim to magically generate currency, but to pay you in Robux or Minecraft perks for completing offerwall tasks (surveys, app installs, watching videos). 
  2. Phishing and generator lures: the more straightforward malicious end of the spectrum. Credential and private data harvesting.

The goal of this research is defensive: to characterize and measure a category of infrastructure that isn’t well covered by conventional threat intelligence.

Some defenders I had in mind:

  • School districts and education ministries that operate DNS filtering and acceptable-use controls.
  • Telecommunications providers offering family-safety products.
  • Gaming platforms whose brands are being systematically impersonated.
  • Regulators with mandates over children’s data and dark-pattern advertising.

If any of those descriptions fit your organization, the data and detection logic below are a starting point for something more sustained.

But First: What Is an “Offerwall” Reward Site?

There is an entire genre of website, much of it visibly built from a handful of templates, that markets itself to children with a single promise: earn real in-game currency by completing simple tasks. You enter your Roblox username (no password required, a point the sites emphasize!), then you’re funneled into an “offerwall”: a third-party marketplace of surveys, quizzes, game installs, and videos. Each completed task pays the operator an affiliate commission. Some fraction of that revenue is (in theory) passed back to the user as Robux.

The model is distinct from the cruder “free Robux generator” scams. There’s no fake “human verification” loop promising instant currency from nothing. Instead, the value proposition is framed as legitimate work-for-pay; as one site bluntly puts it, it “connects users with advertisers who want them to play games, answer surveys, and do quizzes.”

The harms are real but different from credential phishing:

  • Data harvesting and trial traps. The offerwall tasks collect personal information and enroll minors in app installs, paid SMS subscriptions, and “free trials” that may require payment info and future auto-charges.
  • Terms-of-service violation and account risk. Payouts are typically routed through Roblox’s own monetization plumbing (Game Passes, private-server pricing). Any third-party “free Robux” arrangement violates Roblox’s terms and can get a child’s account banned.
  • Monetizing children’s attention at scale. The entire model converts kids’ time and data into affiliate revenue. One site advertises “100,000,000+ [Robux] paid out since 2020”; another claims hundreds of thousands of users.
  • Under-maintained, exposed infrastructure handling kids’ data. As the data below shows, these sites overwhelmingly run on cheap, disposable, and frequently vulnerable hosting.

Crucially, almost nobody has rigorously studied this category. Coverage to date is fragmented between low-authority “scam-or-legit” review mills (which contradict each other), affiliate marketing dressed as reviews, and parent-safety explainers. There is no serious academic or vendor threat-intelligence mapping of the offerwall reward-site ecosystem.

Offerwall — Roblox: A Specific Example

To anchor the category, follow a single thread. I started from one site, Rocash (rocash [.] co), whose page title — “Earn R$ Gift Cards by doing simple tasks!” — became the seed for everything that followed.


Rocash and its hidden origin. Rocash presents to the world through Cloudflare, behind a clean certificate. But pivoting on its page content turned up a second machine serving the identical Rocash application directly on its raw IP — the unproxied origin server sitting behind Cloudflare. That gave up something Cloudflare was hiding: its TLS certificate wasn’t for Rocash at all, but for a gambling-adjacent brand (joinbetme [.] com). 

One backend, two brands. A strong signal of shared operation between a children’s reward site and a betting property.

Rocash → RbxBest: an explicit handoff. The same title pivot surfaced a different brand on a different technology stack — RbxBest (rbx [.] best), a Laravel application whose exposed origin lives on a DigitalOcean box in Amsterdam. 

RbxBest is not a clone of Rocash’s code, but it is unmistakably linked to it: the site ships a modal titled “Welcome ROCash users!” announcing that Rocash has shut down and inviting its users to keep earning here, complete with an old Rocash logo and a built-in handler that auto-displays this pitch when a visitor arrives with a ?ref=rocash link. 

What could this mean? The same operator rebranding? A close successor harvesting the audience? RbxBest claims Rocash “has shut down,” yet Rocash was still live with a freshly issued certificate during our research. 

The shared plumbing. Beneath the branding, RbxBest exposed its operator’s fingerprints — the same Google Analytics tag, AdSense publisher ID, and NitroPay ad-unit across properties, plus a shared avatar/back-end service (rbx[.]how) used to render Roblox profile pictures in a fake “recent payouts” ticker. These monetization identifiers, not the page title, are the high-fidelity way to tie one operator’s brands together.

Poor hygiene. The exposed RbxBest origin also ran an outdated SSH service on an end-of-life operating system, served an expired TLS certificate, and shipped a login page with no content-security policy. 

Rocash, its hidden gambling-linked origin, and the RbxBest migration: this is a microcosm of the whole sordid category. Copied branding, disposable infrastructure, shared monetization backends, brand churn, and a disregard for the safety and privacy of children’s data.

⚠️ These examples have mixed, but ultimately disappointing, results in common threat intelligence sources.

Offerwall — Roblox: Aggregated Values

To measure the category, I generalized the lure into a content fingerprint and ran it across Censys’ web-property dataset. The fingerprint requires two things to co-occur:

  1. A Roblox-currency target (Robux, “ROBLOX Username,” R$ in Roblox context) 
  2. An earn-by-tasks mechanic (offerwall, withdraw, complete offers, earn gift cards, a live feed)

(
  web.endpoints.http.html_tags: "robux"
  or web.endpoints.http.html_title: "robux"
  or web.endpoints.http.body: "ROBLOX Username"
  or web.endpoints.http.body: "robux"
)
and
(
  web.endpoints.http.html_tags: "earn robux"
  or web.endpoints.http.html_tags: "gift cards"
  or web.endpoints.http.body: "offerwall"
  or web.endpoints.http.body: "simple task"
  or web.endpoints.http.body: "withdraw"
  or web.endpoints.http.body: "complete offers"
  or web.endpoints.http.body: "live_feed"
)

Result: 437 web properties matched the Roblox offerwall fingerprint in our June 2026 snapshot. This is a floor, not a ceiling. It’s a snapshot of a category with high domain churn.

A fragmented cottage industry, not a few clones. Grouping the 437 by page title, no single title covered more than 6 properties. Similar results for favicons. The takeaway: this is not one operator running a thousand mirrors. It’s a broad, fragmented industry of mostly-distinct brands, lightly clustered into template families like the Rocash/RbxBest lineage.

Certificate consistencies. Effectively the entire population uses free, domain-validated certificates — about 99% DV, with only two properties showing an unknown validation level. Issuer breakdown:

Issuer                 | Count | Share
Let’s Encrypt          | 179   | 54.6%
Google Trust Services  | 85    | 25.9%
Sectigo Limited        | 57    | 17.4%
ZeroSSL                | 3     | 0.9%
GoDaddy                | 2     | 0.6%
Cloudflare             | 1     | 0.3%
Starfield Technologies | 1     | 0.3%

This is the certificate profile of throwaway infrastructure: no organization-validated or extended-validation certs, no real corporate identity behind any of it.

Behind Cloudflare, exposing a login. About 300 of the 437 carried a Cloudflare fingerprint of some kind, and 153 were labeled as sitting behind a WAF.

This is consistent with operators using Cloudflare both for free TLS and to mask their origin. 136 were labeled by Censys as login pages, presenting the worrisome data-collection front door.

An off-the-shelf template stack. The technology mix points to a dominant, commodity reward-site codebase: 177 properties ran PHP and 165 ran the LiteSpeed web server, a possible signature of cheap shared hosting. A minority were on modern JavaScript stacks like the Next.js Rocash build.

Exploitable stacks handling kids’ data. Among the properties where Censys detected known CVEs, the maximum-present severity distribution skewed high:

Severity | Count | Share
Medium   | 57    | 32.0%
High     | 55    | 30.9%
Critical | 33    | 18.5%
Low      | 33    | 18.5%

Roughly half of the flagged properties carried multiple High- or Critical-severity vulnerabilities. These are sites collecting usernames, emails, and other personal data from children, running on infrastructure with serious known weaknesses.

Half of all resolved IPs (50%) belong to a single network, Cloudflare, with Namecheap (14%) and Amazon (~8%) making up most of the remainder, all of it US-registered anycast space. The map is therefore a picture of which CDNs and US-based budget hosts these sites hide behind, not where their operators sit.

The honest geography only leaks through in the long tail, where sites that aren’t CDN-fronted expose their true origins: European budget VPS providers like Hetzner (Germany/Finland), Contabo, netcup, and DigitalOcean, plus the occasional DDoS-Guard host. 

This is the same Cloudflare-and-Vercel concealment pattern seen firsthand when Rocash’s and RbxBest’s real origins turned out to be European boxes sitting behind a US-looking edge.

A Censys collection tracking websites coming and going

Offerwall — Minecraft: Aggregated Values

The same fingerprint, adapted to Minecraft, returns a far smaller population: 20 web properties, of which 6 also appear in the Roblox set. That overlap is the story in miniature — multi-game operators (GameTame is the clearest example) run Roblox, Minecraft, Steam, and other reward pages off a single platform, so the same infrastructure shows up in both categories.

The query has to be built differently because Minecraft’s currency-delivery model is different. 

Minecoins lack the same rails: they’re Bedrock-only and can’t be traded or transferred between accounts, so these sites can’t “pay” a username directly. Instead they promise a gift-card or Minecoins code emailed after the offerwall tasks are done. The fingerprint therefore drops the Roblox username anchor entirely and keys on the currency and reward unit instead, paired with the same earn-by-tasks mechanic.
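Added example (not code from the original post or from Censys): a local, standard-library re-implementation of the two-part offerwall fingerprint, covering both the Roblox query above and the Minecraft adaptation just described, plus the generator exclusions the full detection queries carry. The Page class, its field names, and the sample pages are assumptions constructed here; Censys text matching is assumed to be case-insensitive, so everything is lowercased before comparison.

```python
from dataclasses import dataclass, field


@dataclass
class Page:
    """One fetched page. meta_tags stands in for Censys' html_tags field (assumption)."""
    title: str
    body: str
    meta_tags: list = field(default_factory=list)


# Rule sets mirror the CenQL queries: a currency/username anchor must co-occur
# with an earn-by-tasks mechanic. Terms are lowercase because matching below is
# case-insensitive ("ROBLOX Username" in the query becomes "roblox username").
OFFERWALL_RULES = {
    "roblox": {
        "anchor": {"title": ["robux"], "tags": ["robux"],
                   "body": ["roblox username", "robux"]},
        "mechanic": {"tags": ["earn robux", "gift cards"],
                     "body": ["offerwall", "simple task", "withdraw",
                              "complete offers", "live_feed"]},
    },
    "minecraft": {
        # No username anchor: Minecoins are delivered as emailed codes, so the
        # fingerprint keys on the currency and reward unit instead.
        "anchor": {"title": ["minecoins"], "tags": ["minecoins"],
                   "body": ["minecoins", "minecraft gift card"]},
        "mechanic": {"tags": ["gift cards"],
                     "body": ["offerwall", "complete offers", "complete tasks",
                              "simple task", "withdraw", "earn points", "live_feed"]},
    },
}

# Generator-style lures are a different category and are excluded, as in the
# full detection queries.
GENERATOR_EXCLUSIONS = {"title": ["generator"],
                        "body": ["generator", "human verification",
                                 "account generator", "alt generator"]}


def _hits(page, spec):
    """Return the terms from spec that occur in the page (case-insensitive)."""
    fields = {"title": page.title, "body": page.body, "tags": " ".join(page.meta_tags)}
    found = []
    for fld, terms in spec.items():
        hay = fields[fld].lower()
        found += [t for t in terms if t in hay]
    return found


def classify_offerwall(page):
    """Return (game, evidence terms) for an offerwall match, else None."""
    if _hits(page, GENERATOR_EXCLUSIONS):
        return None
    for game, rules in OFFERWALL_RULES.items():
        anchor, mechanic = _hits(page, rules["anchor"]), _hits(page, rules["mechanic"])
        if anchor and mechanic:
            return game, sorted(set(anchor + mechanic))
    return None


# Constructed sample pages, not real captures.
SAMPLE_PAGES = {
    "rocash_like": Page(
        title="Earn R$ Gift Cards by doing simple tasks!",
        body="Enter your ROBLOX Username to start. Complete offers on our offerwall "
             "and withdraw your Robux. live_feed: user123 withdrew 400 R$",
        meta_tags=["earn robux", "gift cards"]),
    "minecoins_like": Page(
        title="Free Minecoins for completing tasks",
        body="Complete tasks to earn points and withdraw a Minecraft gift card code by email.",
        meta_tags=["gift cards"]),
    "generator_lure": Page(
        title="Free Robux Generator 2026",
        body="Enter your ROBLOX Username, then pass human verification to withdraw."),
    "fan_wiki": Page(
        title="Robux price history",
        body="Robux is the currency of Roblox. This article lists historical prices."),
}


def scan_samples(pages=SAMPLE_PAGES):
    """Classify every sample page; only the two offerwall pages should match."""
    return {name: classify_offerwall(p) for name, p in pages.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} -> {verdict}")
```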

Phishing — Roblox: a Specific Example

Where the offerwall sites monetize a child’s attention, the phishing end of the spectrum goes after the account itself. The cleanest way to show how this works is to look at a single machine.

One box, many masks

A host at 179.43.150[.]242 tells the whole story. Its hosting is the first tell, and it flips the offerwall pattern on its head. 

It sits on a bare, exposed origin belonging to Private Layer INC (AS51852), a provider registered in Panama and geolocated to Switzerland that Censys has tagged with the host label BULLETPROOF (abuse-tolerant hosting that ignores takedown requests). It has an elevated Reputation Score. There is no CDN in front of it. 


Offerwall operators want to look trustworthy; phishing operators want to be un-takedown-able, and they pay for hosting that delivers it.

On that one IP sits a rotating wardrobe of Roblox disguises. A snapshot of the names resolving to it:

Hostname | Disguise
roblox[.]et, www.roblox[.]et | Brand name registered under Ethiopia’s ccTLD; visually passes for roblox.com to a child skimming a URL
robiox.com[.]ua, robiox.com[.]ps, robiox.com[.]gr | The l→i typosquat, mimicking profile URLs
r.oblox.com[.]et, www.r.oblox.com[.]et | Dot insertion: reads “r.oblox,” registered as oblox.com.et
verify-bloxlink[.]cfd, verify-bloxlink[.]site | Impersonating Bloxlink, a real Roblox verification bot (blox.link)
shortsurl[.]bio, shortsurl[.]space, shortsurl[.]cfd, shorturls[.]fun | Short-link front doors
beamers[.]si, splunk[.]me | Infrastructure cover hosting panel and relay traffic, under names that don’t trigger brand-based detection

The first-seen dates cluster in late April and May 2026 and the last-seen timestamps all land within the same day or two of each other (many are still active). This is a single, actively maintained operation cycling domains as older ones get flagged.

The kit itself is deliberately thin. shortsurl[.]bio is an 869-byte skeleton: an HTML page whose title is simply “Roblox”, which pulls the genuine Roblox favicon, and whose entire body is one full-screen <iframe> pointed at r.oblox.com[.]et (a sibling domain on the same box) — with a sandbox that permits forms, scripts, and popups. The short-link domain is the clean-looking entry point dropped into a Discord server or a direct message; the iframe quietly loads the actual fake Roblox profile page, which does the credential capture.

The verify-bloxlink domains deserve their own note, because they show the operator thinking about where children already are. Bloxlink is a widely used bot that links a player’s Roblox account to their Discord identity, and “verify your account to continue” is a message kids in Roblox Discord servers see constantly and trust. A domain that promises that verification and then asks for a Roblox login is grooming the exact reflex the real tool trained.

⚠️ While many of these do appear with detections in VirusTotal, the verdict appears inconsistent when the brand spoofing is less clear, or when the domains are newer. 


The fingerprint comes in two complementary forms. The first keys on the wrapper kit’s page structure, to find the same shell on other hosts:

web.endpoints.http.html_title: "Roblox"
and web.endpoints.http.body: "rbxcdn.com"
and web.endpoints.http.body: "iframe"
and web.endpoints.http.body: "oblox"
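Added example (not code from the original post): a standard-library parser for the wrapper-kit shape described above, so a filtering team can check a fetched page for the same four properties the CenQL fingerprint keys on (title “Roblox”, a favicon pulled from rbxcdn.com, an iframe, an “oblox” frame target) and see what the iframe sandbox permits. The sample HTML is constructed to resemble the kit; the favicon path and the benign comparison page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class WrapperKitParser(HTMLParser):
    """Collects the title, favicon hosts and iframe targets of one HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.icon_hosts = []
        self.iframes = []  # (src hostname, sandbox tokens)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "link" and "icon" in a.get("rel", "").lower():
            self.icon_hosts.append(urlparse(a.get("href", "")).hostname or "")
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname or ""
            self.iframes.append((host, a.get("sandbox", "").split()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze_wrapper(html):
    """Return findings when the page matches the wrapper-kit fingerprint, else None.

    Mirrors the CenQL query with one refinement: a frame pointing at roblox.com
    itself is not counted, because the real brand name also contains "oblox".
    """
    p = WrapperKitParser()
    p.feed(html)
    title_ok = p.title.strip().lower() == "roblox"
    favicon_ok = any(_under(h, "rbxcdn.com") for h in p.icon_hosts)
    frames = [(h, s) for h, s in p.iframes
              if "oblox" in h and not _under(h, "roblox.com")]
    if not (title_ok and favicon_ok and frames):
        return None
    host, sandbox = frames[0]
    return {
        "frame_host": host,
        "sandbox": sandbox,
        # these three tokens are what let the framed page collect a login
        "risky_permissions": [t for t in sandbox
                              if t in ("allow-forms", "allow-scripts", "allow-popups")],
        "size_bytes": len(html.encode()),
    }


# Constructed to resemble the ~900-byte shell described above; not a real capture.
SAMPLE_WRAPPER = """<!DOCTYPE html><html><head><title>Roblox</title>
<link rel="icon" href="https://images.rbxcdn.com/example-favicon.ico">
<style>body{margin:0}iframe{width:100vw;height:100vh;border:0}</style></head>
<body><iframe src="https://r.oblox.com.et/communities/6628073548/unset"
sandbox="allow-forms allow-scripts allow-popups allow-same-origin"></iframe></body></html>"""

# Constructed benign comparison: same title and favicon, but framing the real site.
SAMPLE_BENIGN = """<html><head><title>Roblox</title>
<link rel="icon" href="https://images.rbxcdn.com/example-favicon.ico"></head>
<body><iframe src="https://www.roblox.com/games" sandbox="allow-scripts"></iframe></body></html>"""


if __name__ == "__main__":
    print("wrapper:", analyze_wrapper(SAMPLE_WRAPPER))
    print("benign :", analyze_wrapper(SAMPLE_BENIGN))
```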

The second keys on the resolved names, to find sibling infrastructure by the typosquat pattern itself:

host.dns.names: "robiox" or host.dns.names: "oblox" or host.dns.names: "bloxlink"

The pattern scales

The name-based pivot above returns roughly 37 hosts, but that number pales in comparison to the catalogue of domains those hosts expose:

On the order of 350 or more distinct hostnames built purely to deceive children with the Roblox brand. Again, these are floors, not ceilings, but the shape is clear. It falls into recognisable families:

  • Free-Robux generators and credential-harvest kits — the largest band, well over 100 hostnames across roughly fifteen brands (freerobux[.]top, robbux[.]com, oblox[.]shop, rblox[.]shop, zblox[.]shop, blxup[.]shop, robuxcity[.]icu/.world, robuxstorm[.]top, rollbux[.]top, robloxgift[.]live, robloxiuty[.]top, robuxlive[.]sbs, and more).
  • Brand typosquats — roughly fifty (robiox.*, ro-blox, ro-blocks, rowblox, roeblocks, robobricks, gooblox, goroblox).
  • Verification-bot impersonation — around twenty-six, splitting across the two big Roblox verification bots: Bloxlink (verify-bloxlink.*, bloxlink[.]net/.site/.xyz/.pro, blox[.]ink) and RoVer (rover-ify[.]com, ro-verify[.]org/.net/.ink, rover-linked.*, roverifly[.]com).
  • Address-bar spoofs — around twenty that attack what a child sees in the URL bar (httpss--roblox[.]co, htps-www-roblox[.]co, www-roblox[.]pw, wvvw-roblox.com[.]ru, roblox-com[.]com).
  • Brand-spoof support, CDN, and “corporation” domains — around forty (robloxsupport[.]com, robloxmail[.]com, robloxcommunity[.]com, robloxcorporation.*, robloxcdn[.]com/.net, rbxcdn-cn[.]com).

Ten that illustrate the range of technique:

  1. freerobux[.]top — a free-Robux generator whose subdomains arkoselabs.freerobux[.]top and twostepverification.freerobux[.]top clone Roblox’s real CAPTCHA and two-step-verification screens to capture the login during the fake “reward.”
  2. robuxstorm[.]top — one of ~15 generator brands carrying the identical subdomain kit, showing this is mass-produced, not bespoke.
  3. verify-bloxlink[.]cfd — impersonates the Bloxlink verification bot; the “verify to continue” hook is tailored to kids in Discord.
  4. rover-ify[.]com — the same play against RoVer, the other major Roblox verification bot.
  5. r.oblox.com[.]et — the dot-insertion trick; the page the bulletproof host frames inside its short-link shell.
  6. robiox.com[.]ps — the l→i misspelling on a throwaway ccTLD, dressed as a Roblox profile.
  7. httpss--roblox[.]co — bakes “https” into the hostname so a glance at the address bar reads “https…roblox.”
  8. wvvw-roblox.com[.]ru — a vv-for-w homoglyph (wvvw ≈ www) spoofing www.roblox.com.
  9. robloxsupport[.]com — fake Roblox support, the “your account is suspended, verify here” angle.
  10. robloxgift[.]live — free gift-card bait carrying the same credential-harvest subdomains.

The most useful artifact here is a structural one. The generator brands repeatedly stand up the same set of subdomains: auth., games., arkoselabs., twostepverification., thumbnails., and metrics., replicated across more than a dozen otherwise-unrelated domains. That repetition is a far stronger operator signal than any single brand name, and it yields a precise kit fingerprint that survives the constant domain rotation:

(host.dns.names: "arkoselabs" or host.dns.names: "twostepverification")
and (host.dns.names: "robux" or host.dns.names: "roblox" or host.dns.names: "blox")
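Added example (not code from the original post): a hostname classifier that implements the families described above, from the kit-subdomain skeleton down to the typosquat, dot-insertion, address-bar and verification-bot patterns, and honours the “exclude from blocklists” allowlist and the roblox.<ccTLD> caveat from the IOC section. The family labels, the generic-label heuristic used in place of a public-suffix list, and the sample hostnames (taken from the post, in de-fanged form) are assumptions of this example.

```python
import re

# Legitimate domains the post says to exclude from blocklists.
LEGIT = ("roblox.com", "rbxcdn.com", "rblx.co", "luau-lang.org",
         "bloxlink.com", "blox.link")
# The repeated generator-kit subdomain skeleton.
KIT_SUBDOMAINS = {"auth", "games", "arkoselabs", "twostepverification",
                  "thumbnails", "metrics"}
# Heuristic stand-in for a public-suffix list (assumption).
GENERIC_LABELS = {"www", "com", "co", "net", "org"}
# "httpss--", "htps-www-", "www-", "wvvw-" prefixes and "roblox-com".
ADDRESS_BAR_RE = re.compile(r"^(ht+ps*-*|w+v+w+-|www-)|roblox-com")


def _lev(a, b):
    """Levenshtein distance, used to catch one- or two-character brand edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_legit(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT)


def classify_hostname(host):
    """Return the abuse family for a hostname, "legitimate", "review-cctld", or None."""
    host = host.lower().replace("[.]", ".").strip(".")
    labels = host.split(".")
    if _is_legit(host):
        return "legitimate"
    brand = [l for l in labels[:-1] if l not in GENERIC_LABELS]
    # roblox.<ccTLD>: Roblox Corporation defensively owns many, so verify first.
    if brand == ["roblox"]:
        return "review-cctld"
    if labels[0] in KIT_SUBDOMAINS and any(k in host for k in ("robux", "roblox", "blox")):
        return "generator-kit"
    if any(ADDRESS_BAR_RE.search(l) for l in labels):
        return "address-bar-spoof"
    # "r.oblox.com.et": the brand only appears once the dots are removed.
    if "roblox" in host.replace(".", "") and not any("roblox" in l for l in labels):
        return "dot-insertion"
    if any(k in host for k in ("bloxlink", "rover", "ro-verify", "roverif")):
        return "verification-bot-impersonation"
    # "robiox", "ro-blox", "gooblox": within two edits of the brand.
    if any(_lev(l.replace("-", ""), "roblox") <= 2 for l in brand):
        return "typosquat"
    # support/CDN/gift/generator brands that merely carry the keyword.
    if any(k in host for k in ("robux", "roblox", "blox", "rbx")):
        return "brand-spoof"
    return None  # e.g. short-link front doors: only the content fingerprint catches these


def classify_many(hosts):
    return {h: classify_hostname(h) for h in hosts}


# Sample names from the post, de-fanged; roblox.com added as the legitimate control.
SAMPLE_HOSTS = [
    "www.roblox.com", "roblox[.]et", "robiox.com[.]ua", "r.oblox.com[.]et",
    "verify-bloxlink[.]cfd", "rover-ify[.]com", "arkoselabs.freerobux[.]top",
    "twostepverification.robuxstorm[.]top", "httpss--roblox[.]co",
    "wvvw-roblox.com[.]ru", "roblox-com[.]com", "robloxsupport[.]com",
    "rbxcdn-cn[.]com", "gooblox[.]com", "shortsurl[.]bio",
]

if __name__ == "__main__":
    for h, fam in classify_many(SAMPLE_HOSTS).items():
        print(f"{h:40s} {fam}")
```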

The lesson mirrors the offerwall findings but inverts the mechanics. The page bodies are nearly empty, which is exactly why content keywords fail here and the hostname, cert names, and the repeated kit skeleton become the detection surface. 

Impersonating the tools children already trust is the shortest path to the children themselves.

Minecraft Phishing: A Different Target

Minecraft phishing exists too, but it aims somewhere else, because the account model is different. Minecraft accounts migrated to Microsoft logins years ago, so stealing one means stealing a Microsoft account.

Minecraft phishing is, in practice, Microsoft-credential phishing wearing a Minecraft skin. The bait is Minecraft-flavored (claim a free cape, get free Minecraft Java or a free alt, “verify your account or lose it,” buy a discounted server rank), but the page it leads to is a clone of the Microsoft sign-in flow, or a Discord “verification” bot that asks for the Microsoft email and the one-time code it triggers — capturing the session rather than a password. 

The end product is the account-stealer logs that circulate on paste sites, listing each compromised account’s email, capes, and Hypixel stats for resale.

Two things shift the detection surface compared with Roblox. First, the trusted-ecosystem lever isn’t Bloxlink or RoVer; it’s Hypixel — by far the largest Minecraft server — whose store, rank, and Discord-verification flows are the most impersonated.

Second, much of the worst account theft happens entirely inside Discord through one-time-code social engineering, with no durable web property to scan, so Internet-wide scanning catches the landing pages, fake sign-ins, and server-store spoofs but not the pure-Discord OTP flow.

“Free cape” sites are rampant, but it’s hard to tell if they’re all legitimately threatening, or something else. Narrow searches get closer to session theft.

This hunting approach surfaces a notably more sophisticated example of what Minecraft account fraud can look like when an operator puts real effort in. 

On 45.11.229[.]230 — a Luxvps VPS in Frankfurt with no CDN fronting and no forward DNS names — a Node.js application answers on port 3001 under the brand autosecure.cy, presenting itself as a “leading protection platform for Minecraft accounts” offering “automated security setup, continuous monitoring, and intelligent verification.” 

Rather than promising free currency, it promises safety, a more sophisticated social-engineering angle. The architecture confirms it isn’t a static lure. 

Conclusion

Typosquats, offerwalls, and bulletproof hosting all predate Roblox and Minecraft by decades. 

What is novel is the targeting precision and the scale. These ecosystems have been purpose-built around the specific mechanics of two games played predominantly by children: their currencies, their payout rails, their verification bots, their Discord communities, their servers. The operators understand their audience and have engineered around it, and they have done so largely below the detection threshold of conventional threat intelligence.

The Censys data makes three things clear. 

First, the offerwall category alone — just Roblox reward sites — amounts to at least 437 web properties in a single snapshot, fragmented across hundreds of distinct operators, nearly all running on cheap disposable infrastructure with serious security vulnerabilities, and all moderately evasive of old-fashioned threat feeds. 

Second, the phishing end of the spectrum is structurally more sophisticated than the offerwall end in one way: it has adapted to the platforms children already trust. The Roblox phishing cluster on Private Layer hosting doesn’t just spoof Roblox. It spoofs Bloxlink and RoVer, the verification tools Roblox players use daily. 

Third, across both categories, the detection gap is consistent: threat feeds are either semi-blind to these, or can’t keep up with infrastructure churn. Defenders who wait for a vendor to flag these domains are waiting for something that isn’t coming quickly enough.

The practical implication is that measuring and disrupting child-targeted fraud requires content fingerprinting and infrastructure analysis, not passive IOC consumption.

If you run DNS filtering for a school network, these fingerprints are operational today. If you work in trust and safety at a gaming platform, this is your brand being harvested at scale and your users being phished through the tools they trust most. If you’re a carrier with a family-safety product, the intelligence you’re buying may not be enough. If you’re a regulator or enforcement body looking at COPPA, GDPR-K, or DSA violations involving minors and dark-pattern advertising, this research documents a measurable, live instance of exactly that. 

Here is the point where most write-ups encourage teaching children preventative measures: the value of a strong password, or why not to give out their personal information.

That’s been done, so instead I’ll say to the adults enabling these operations: do better.

Indicators of Compromise (IOCs)

This category rotates infrastructure aggressively: the disposable domains below were live in the May–June 2026 snapshot and many will be dead or re-registered by the time you read this, so the detection logic (the queries and structural patterns) outlasts the atomic indicators (the specific domains and IPs).

Network

Indicator | Type | Notes
179.43.150[.]242 | IPv4 | Bulletproof Roblox phishing host; AS51852 Private Layer INC; Censys label BULLETPROOF
AS51852 (PLI-AS — Private Layer INC) | ASN | Abuse-tolerant hosting; characterizing, not blocking, signal
141.253.96[.]84 | IPv4 | Exposed Cloudflare origin behind the Rocash offerwall
167.71.73[.]127 | IPv4 | RbxBest offerwall origin; DigitalOcean Amsterdam
45.143.198[.]6 | IPv4 | Lead, not confirmed — leaked via the Plesk resolvableHostname on 179.43.150[.]242; likely sibling box
45.11.229[.]230 | IPv4 | Minecraft phishing host (autosecure[.]cy); Luxvps Frankfurt; game servers co-located

Domains and hostnames; confirmed Roblox phishing cluster (on 179.43.150[.]242)

roblox[.]et                 www.roblox[.]et
robiox.com[.]ua             www.robiox.com[.]ua
robiox.com[.]ps             www.robiox.com[.]ps
robiox.com[.]gr             www.robiox.com[.]gr
r.oblox.com[.]et            www.r.oblox.com[.]et
verify-bloxlink[.]cfd       verify-bloxlink[.]site
shortsurl[.]bio             shortsurl[.]space           shortsurl[.]cfd
shorturls[.]fun             www.shorturls[.]fun
gateway.beamers[.]si        app.beamers[.]si
beta.splunk[.]me            app.splunk[.]me

Domains; broader Roblox-abuse families (representative, not exhaustive)

These are sampled from the wider name pivot and illustrate each technique class. They are representative seeds for the detection queries below, not a complete blocklist.

  • Free-Robux generator / credential-harvest brands: freerobux[.]top, robbux[.]com, oblox[.]shop, rblox[.]shop, rblxo[.]shop, zblox[.]shop, blxup[.]shop, robuxcity[.]icu, robuxcity[.]world, robuxstorm[.]top, rollbux[.]top, robloxgift[.]live, robloxiuty[.]top, robuxlive[.]sbs, robloxfree[.]com
  • Verification-bot impersonation (Bloxlink / RoVer): bloxlink[.]net, bloxlink[.]site, bloxlink[.]xyz, bloxlink[.]pro, blox[.]ink, rover-ify[.]com, ro-verify[.]org, ro-verify[.]net, ro-verify[.]ink, rover-linked[.]com, roverifly[.]com
  • Address-bar / URL spoofs: httpss--roblox[.]co, htps-www-roblox[.]co, www-roblox[.]pw, wvvw-roblox.com[.]ru, roblox-com[.]com
  • Brand-spoof support / CDN / “corporation”: robloxsupport[.]com, robloxmail[.]com, robloxcommunity[.]com, robloxcorporation[.]com, robloxcdn[.]com, rbxcdn-cn[.]com

Exclude from blocklists (legitimate): roblox.com, rbxcdn.com, rblx.co, luau-lang.org, bloxlink.com, blox.link. Note that roblox.<ccTLD> registrations are mixed — Roblox Corporation defensively owns many — so verify content before blocking.

Repeated kit subdomain skeleton (high-confidence operator pattern)

Across more than a dozen generator brands, the same subdomains recur and survive domain rotation:

auth.      games.      arkoselabs.      twostepverification.      thumbnails.      metrics.

TLS / certificate fingerprints (SHA-256)

Fingerprint | Subject | Context
43bafe89f30afeab078d145233ba1555e7383bf0db6c6d00e4ab9915716e4403 | shortsurl[.]bio | Roblox wrapper front-door cert (Let’s Encrypt DV)
19adf0fd2384089371ef2546a98ec0b63046b8d3bd32ff3daaabe6780b61ae89 | app.beamers[.]si | Default cert on bare 179.43.150[.]242:443

Content / service fingerprints

Indicator | Type | Context
r.oblox.com[.]et/communities/6628073548/unset | Iframe target / community ref | Loaded inside the Roblox wrapper shell

Offerwall operator-clustering identifiers

Shared monetization and build artifacts that link offerwall properties to a common operator (pivot on these, don’t block them):

Indicator | Type
797e433ab948586e, caa3a2e1cccd8315 | Shared Next.js font hashes (Rocash ↔ its exposed origin)
0_4.-4ri46ejz.js | Shared Next.js build chunk (Rocash ↔ origin)
joinbetme[.]com | Gambling-brand SAN on the Rocash origin’s Cloudflare-Origin cert

Detection queries (CenQL)

Phishing — Roblox wrapper kit:

web.endpoints.http.html_title: "Roblox"
and web.endpoints.http.body: "rbxcdn.com"
and web.endpoints.http.body: "iframe"
and web.endpoints.http.body: "oblox"

Phishing — typosquat / brand-tool names:

host.dns.names: "robiox" or host.dns.names: "oblox" or host.dns.names: "bloxlink"

Phishing — Minecraft / Microsoft auth spoofing (narrow):

(
  web.endpoints: (
    http.redirect_chain: (
      hostname = "login.live.com"
    )
    and (
      http.uri: "/auth/minecraft"
      or http.body: "XboxLive signin"
      or http.html_title: "XboxLive signin"
      or http.body: "minecraft"
      or http.html_title: "minecraft"
    )
  )
  or
  web.endpoints: (
    (
      http.body: "login.live.com"
      or http.body: "login.microsoftonline.com"
      or http.body: "Xbox Live"
      or http.body: "XboxLive"
    )
    and (
      http.body: "minecraft"
      or http.html_title: "minecraft"
      or http.body: "mojang"
    )
  )
  or web.cert.names: "sessionserver"
  or web.cert.names: "authserver"
  or web.cert.names: "minecraftservices"
  or web.cert.names: "account.mojang"
)
and web.labels.value = "LOGIN_PAGE"
and not (
  web.hostname = "minecraft.net"
  or web.hostname = "mojang.com"
  or web.hostname = "microsoft.com"
  or web.hostname = "live.com"
  or web.hostname = "microsoftonline.com"
  or web.cert.names =~ ".*\\.minecraft\\.net"
  or web.cert.names =~ ".*\\.mojang\\.com"
  or web.cert.names =~ ".*\\.microsoft\\.com"
  or web.cert.names =~ ".*\\.microsoftonline\\.com"
  or web.cert.names =~ ".*\\.live\\.com"
)

Offerwall — Roblox reward-site category:

(web.endpoints.http.html_tags: "robux" or web.endpoints.http.html_title: "robux" or web.endpoints.http.body: "ROBLOX Username" or web.endpoints.http.body: "robux")

and (web.endpoints.http.html_tags: "earn robux" or web.endpoints.http.html_tags: "gift cards" or web.endpoints.http.body: "offerwall" or web.endpoints.http.body: "simple task" or web.endpoints.http.body: "withdraw" or web.endpoints.http.body: "complete offers" or web.endpoints.http.body: "live_feed")

and not (web.endpoints.http.body: "generator" or web.endpoints.http.body: "human verification" or web.endpoints.http.html_title: "generator")

Offerwall — Minecraft reward-site category:

(web.endpoints.http.html_tags: "minecoins" or web.endpoints.http.html_title: "minecoins" or web.endpoints.http.body: "minecoins" or web.endpoints.http.body: "minecraft gift card")

and (web.endpoints.http.html_tags: "gift cards" or web.endpoints.http.body: "offerwall" or web.endpoints.http.body: "complete offers" or web.endpoints.http.body: "complete tasks" or web.endpoints.http.body: "simple task" or web.endpoints.http.body: "withdraw" or web.endpoints.http.body: "earn points" or web.endpoints.http.body: "live_feed")

and not (web.endpoints.http.body: "generator" or web.endpoints.http.body: "human verification" or web.endpoints.http.html_title: "generator" or web.endpoints.http.body: "account generator" or web.endpoints.http.body: "alt generator")

AUTHOR
Alex Gartner

Alex Gartner has led teams to uncover novel threats and build scalable data platforms for SecOps. Previously tackling sensitive missions for the U.S. Air Force, and serving as Sr. Engineering Manager of Security Research, he brings industry-leading data practices into detection engineering. SQL everything.