Three Arrested After Using Stolen Session Cookies to Hijack and Sell 610,000 Roblox Accounts

Nicholas Robert

29 Apr 2026 — 4 min read

Ukrainian police have arrested three individuals who systematically used stolen session cookies to access and sell more than 610,000 Roblox accounts, targeting profiles with accumulated in-game currency and rare items and reselling them through Russian criminal platforms for cryptocurrency.

KYIV, UKRAINE — Ukrainian law enforcement has detained three suspects in connection with a scheme to steal and resell Roblox gaming accounts, according to an announcement from police on April 28, 2026. The operation, allegedly organized by a 19-year-old resident of Drohobych who recruited two accomplices aged 21 and 22, used stolen browser session cookies to access accounts without requiring passwords, extract valuable in-game assets, and resell the compromised accounts through closed online communities and a Russian-registered website. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation continues.

Incident Overview: Roblox Account Theft Operation

Field | Details
Suspects | Three Ukrainian nationals — 19-year-old organizer and two accomplices aged 21 and 22, met on gaming forums
Method | Stolen session cookie files — allowed account access without re-entering passwords; automated checking tool to assess account contents
Accounts Checked | 610,000+ accounts checked between October 2025 and January 2026
Accounts Sold | 357 high-value accounts selected for resale based on in-game currency and rare item holdings
Revenue | $225,000 USD equivalent in cryptocurrency
Sales Channels | Closed online communities; Russian-registered website; cryptocurrency payments
Potential Sentence | Up to 15 years; suspects placed in pretrial detention

What Happened

The scheme operated between October 2025 and January 2026. The suspects acquired stolen session cookie files — technical authentication data that keeps a user logged in to a service and allows account access without re-entering credentials — and fed them through a custom-built automated program designed to check each cookie's validity and assess the contents of the associated Roblox account. The program evaluated accounts for accumulated Robux (Roblox's in-game currency), rare limited-edition items, and other valuable digital assets with real-world monetary value.

From the 610,000+ accounts checked, investigators say 357 files containing the highest-value accounts were selected for resale. These were sold through closed online communities and a website with a domain registered in Russia, with payment processed entirely through cryptocurrency wallets to obscure the money trail. Victims included both Ukrainian and foreign Roblox players.

Ukrainian law enforcement located and seized equipment used in the scheme during investigative searches and placed all three suspects in pretrial detention. The case was developed by the Lviv region cyber division of Ukraine's National Police. The suspects are charged under provisions that carry maximum sentences of up to 15 years imprisonment.

Scope and Impact

The session cookie attack method used in this case does not require the attacker to know or steal a victim's password. Session cookies — the authentication tokens that browsers store to keep users logged in — can be harvested through a range of vectors including infostealer malware, browser extensions, phishing attacks, and public Wi-Fi interception. Once obtained, they allow an attacker to authenticate as the victim for as long as the session remains valid, bypassing even multi-factor authentication in many cases because the session was already authenticated when the cookie was issued.

Roblox's user base skews heavily toward younger players, many of whom have invested significant real-world money in Robux and limited-edition items that carry substantial resale value in secondary markets. The platform reports over 85 million daily active users globally. This arrest follows a broader pattern of Roblox credential theft — a January 2026 infostealer leak exposed nearly 150 million login records across multiple platforms including millions of Roblox accounts, and a separate March 2026 database listing offered 50 million alleged Roblox credentials for sale. Understanding account takeover attacks and how session-based authentication can be exploited is increasingly relevant as virtual economies grow in value.

Response and Attribution

Ukrainian police attributed the operation to the three detained suspects based on equipment seized during searches, including 357 documented account files and cryptocurrency transaction records. The primary organizer allegedly developed the automated checking system himself and recruited the other two participants through gaming forums. The Russian-registered sales domain is under investigation. Roblox had not issued a statement on this case at the time of publication.

For players concerned about account security, the most effective defense against session cookie theft is combining regular session invalidation — logging out of devices that are no longer in use — with strong endpoint security to prevent infostealer malware that harvests cookie files from browsers. For a full guide on protecting your accounts, see our account takeover prevention guide. The broader criminal ecosystem targeting gaming and crypto accounts continues to be a significant and growing threat.

The CyberSignal Analysis

Signal 01 — Session Cookie Theft Is an Underestimated Vector

The method used in this case — stolen session cookies bypassing password requirements — deserves more attention than it typically receives in enterprise security conversations. Session cookie harvesting is a standard capability of virtually every infostealer malware family currently in active circulation, including Redline, Raccoon, and Lumma. The scale of this operation — checking 610,000 accounts over four months — reflects how automated and industrialized this attack type has become. Enterprises that rely on persistent session tokens without session lifetime limits or device binding are exposed to the same class of attack as Roblox players.
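Signal 01 names session lifetime limits and device binding as the missing controls. The following is an added example, not code from the article, Roblox or the investigation, showing server-side session validation that enforces both and supports the "log out everywhere" invalidation recommended earlier. The `SessionStore` class, the two lifetime values and the HMAC-based `device_proof` are assumptions; a production design would bind to a hardware-held asymmetric key with a server challenge instead of a shared secret.

```python
import hashlib
import hmac
import secrets
import time

ABSOLUTE_LIFETIME = 12 * 3600  # assumed policy: hard cap on session age (seconds)
IDLE_TIMEOUT = 30 * 60         # assumed policy: max gap between requests (seconds)

def device_proof(device_secret: bytes, token: str) -> str:
    # Client side: prove possession of a secret that never leaves the device.
    return hmac.new(device_secret, token.encode(), hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> record; no raw cookies stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_secret: bytes) -> str:
        token, now = secrets.token_urlsafe(32), self._clock()
        self._sessions[self._key(token)] = {
            "user": user, "device": device_secret, "issued": now, "seen": now}
        return token

    def validate(self, token: str, proof: str):
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None, "unknown"
        now = self._clock()
        if now - s["issued"] > ABSOLUTE_LIFETIME:
            reason = "expired"
        elif now - s["seen"] > IDLE_TIMEOUT:
            reason = "idle"
        elif not hmac.compare_digest(device_proof(s["device"], token), proof):
            reason = "device_mismatch"  # cookie presented without the device secret
        else:
            s["seen"] = now
            return s["user"], "ok"
        del self._sessions[key]  # any failed check revokes the session
        return None, reason

    def revoke_all(self, user: str) -> int:  # "log out everywhere"
        before = len(self._sessions)
        self._sessions = {k: s for k, s in self._sessions.items() if s["user"] != user}
        return before - len(self._sessions)
```

A copied cookie file on its own fails the `device_mismatch` check, and the rejection reason gives defenders a signal worth alerting on.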

Signal 02 — Virtual Economies Create Real Criminal Economics

The $225,000 USD equivalent extracted from selling 357 Roblox accounts is a meaningful criminal revenue stream from a relatively modest operation. The economics of virtual asset theft are maturing: rare in-game items, digital currencies with fiat exchange rates, and creator revenue accounts all represent liquid, transferable value that is increasingly attractive to organized criminal groups. Law enforcement in multiple jurisdictions is now treating virtual asset theft as a serious financial crime — the 15-year maximum sentence in this Ukrainian case reflects that shift.

Signal 03 — The Arrests Matter Even When They're Downstream

The suspects in this case were not operating the infrastructure that originally harvested the 610,000 session cookies — they were buyers operating downstream from the initial theft. This reflects a key feature of the modern cybercrime economy: specialization and layering. One group harvests credentials; another group buys and monetizes them; another group operates the resale infrastructure. Law enforcement action at any layer of this stack matters. Disrupting the monetization layer removes the economic incentive for the initial harvesting operations.


Sources

Type | Source
Official | The Record (Recorded Future) — Ukrainian Police Detain Hackers Suspected of Stealing Roblox Accounts
Reporting | Mezha — Prosecutors Uncovered Scheme Stealing and Selling Roblox Accounts
Background | The CyberSignal — What Is Account Takeover (ATO): Prevention & Detection Guide
