Quick answer for parents

What is the Roblox hijack scam? A page or message that promises free Robux, free items, or a "trade" tricks your child into typing their Roblox password on a fake login page, or into clicking an authorize button on a fake Roblox app permission screen. The attacker logs in, changes the password and email, and sells the items the same hour.

What should I do today? Turn on Roblox 2-Step Verification (use Authenticator, not email), add a Parental PIN, set Account Restrictions for younger kids, attach a parent email as the recovery address, and teach your child one rule: Roblox never gives free Robux through outside websites, ever.

What if they already clicked? Reset the Roblox password from your own device right now, log out all sessions, contact Roblox Support with proof of ownership, and check that your parent email is still listed as the recovery email on the account.

How a Roblox account hijack actually works

From the outside, the scam looks nothing like what is happening underneath. From your child's screen, it feels like a normal day. They are in a Discord server for a Roblox game they love. Someone messages them. The message is friendly. The link looks helpful. There is no flashing warning. There is no obvious danger.

Underneath, the attacker is running a small playbook with three steps. The lure draws your child to a page. The page either captures their password or asks them to authorize a fake app. The attacker uses that access to log in, lock the real owner out, and convert the account's value into cash within minutes. Then the same account becomes the lure for the next victim.

The reason this works on kids is not that kids are careless. It works because attackers have spent years studying exactly how Roblox players talk, what they want, and where they hang out. A trade offer in a Discord channel for a popular game is a normal Tuesday for a 12-year-old. The scam fits inside that normal Tuesday so well that even adults miss it.

The "free Robux" lure: the front door to every hijack

"Free Robux" is the phrase that opens almost every Roblox scam. It shows up in YouTube comments, TikTok captions, Discord servers, Reddit posts, and Google search ads. The destination is a website that looks bright and game-themed, with a Robux icon, a spinning wheel, or a button labeled "Generate Robux Now."

Common patterns of the lure site itself:

  • roblox-rewards.xyz
  • freerobuxgenerator.com
  • get-robux-now.app
  • roblox-codes-2026.online
  • robux-claim.site
  • roblux-gift.com (note the missing letter)
  • roblox.com.giveaway-claim.net (the real domain is what comes right before the first single slash; here it is giveaway-claim.net)

The site asks for a Roblox username, then for a password, then sometimes for a "verification" step that requires downloading an app or completing a survey. Whatever path your child clicks, the password ends up in the attacker's hands. The "Robux are loading, please wait" spinner is just a delay so they have time to log in as your child before the page closes.

Roblox states this directly on their corporate safety page at corp.roblox.com/safety: Roblox does not run any free-Robux promotions through third-party websites. Every official Robux purchase, gift card, and promo code is redeemed inside roblox.com while logged in. If a site is not roblox.com, it is not Roblox.

The Discord trade DM: the scam aimed at older kids

Kids between 11 and 17 are usually too smart for the free-Robux generator. They have seen it. Their friends have warned them. The scam has evolved to meet them where they actually trade items, which is Discord.

The setup looks like this. Your child is in a Discord server for a Roblox game like Adopt Me, Pet Simulator 99, or Murder Mystery 2. A user with a "rich" looking profile (often a fake high-Robux number in their bio, sometimes a moderator-style colored name) sends a friendly DM:

"yo, I saw your trade post, I have an extra Shadow Dragon, want to trade for any of your legendaries? let's do it on this site, in-game trades are bugged today."

The link goes to a site that looks like Roblox's trading screen or a popular third-party trading platform. The page asks your child to "log in with Roblox to verify ownership." That login button leads to a fake Roblox sign-in page on a lookalike domain such as rolbox.com, roblax.com, or rblx-trades.net.

Once the password is entered, the attacker logs into the real account. They strip Limited items first because those have the highest secondary value. They trade away rare pets and accessories to a holding account. They convert Robux to gift codes. And they often start sending the same DM to your child's friends list from inside the now-hijacked account, because a message from a known friend is the single most effective lure on the platform.

The OAuth permission trick: the version that bypasses 2FA

Roblox supports authorized third-party apps for tools like cosmetic trading sites and Roblox Studio plugin marketplaces. Attackers abuse this by registering apps with names that sound official, such as "Roblox Premium Verifier" or "Trade Confirmation Helper."

Your child clicks a link from a Discord DM. They land on a real Roblox permission screen on the real roblox.com domain. The screen says "This app is requesting permission to manage your inventory and accept trades on your behalf." Because the page is genuinely on roblox.com, your child trusts it, taps Allow, and the attacker now has the ability to move items out of the account without ever knowing the password.

This variant is the most dangerous because 2-Step Verification does not block it. 2FA only protects login. Authorizing an app is a separate action that happens after you are already logged in. The defense is teaching your child to read the permission text and to never tap Allow on a request that arrived from a Discord link.

What the attacker does in the first 10 minutes

Speed matters. Attackers operate on a checklist that takes about 10 minutes from password capture to cash-out:

  1. Minute 0 to 2. Log into the real Roblox account. Change the password. Change the email to one they control. Log out all other sessions, which kicks your child out if they were playing.
  2. Minute 2 to 5. Open the inventory. Move all Limited items to a "burner" account by trading at a deliberately bad ratio so the trade clears automatically.
  3. Minute 5 to 8. Spend all remaining Robux on gift codes or transferable cosmetics, then move those to the burner account.
  4. Minute 8 to 10. Start DMing your child's friends from the hijacked account. "Hey, I have a free Limited to give away, check this trade link." The cycle continues.

This is why fast recovery matters. Every minute the account stays in the attacker's hands is more items lost and more friends targeted. If your child tells you they think they got scammed, the first hour is when you can still save the most.

Common phishing domain patterns to watch for

Scammers cycle through hundreds of lookalike domains every month. The patterns repeat. If you teach your child to spot the pattern, they can catch a new one they have never seen.

  • Subdomain trick. roblox.com.something-else.app. The real domain is the part right before the first single slash. Here that is something-else.app, not Roblox.
  • One-letter swap. roblax.com, roblux.com, rolbox.com, robllox.com (double L).
  • Number for letter. r0blox.com, rob1ox.com (a 1 instead of an L).
  • Extra word. roblox-rewards.com, roblox-claim.com, roblox-codes.net, free-roblox.app.
  • Unusual top-level domain. The real Roblox lives on .com. Anything ending in .xyz, .online, .site, .click, .app, .live, or .gift for a Roblox-themed page is almost always fake.
  • Punycode and Cyrillic. A capital "o" replaced with a Cyrillic letter that looks identical to a Latin "o". Your eye cannot tell the difference. A browser-layer scanner can.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (Roblox included, with Cyrillic and Punycode homograph variants) plus community whitelist and blacklist, all running directly in the extension before the page renders. Catches the roblox-rewards.{tld}, roblux.com, rblx-trades.{tld} typosquats, and the roblox.com.something-else.app subdomain trick instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam top-level domains for known malicious pages already reported by other researchers.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new variants in seconds, including pages that look real but have never been reported anywhere before.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
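The lookalike checks in the domain-pattern list above (subdomain trick, one-letter swap, digit-for-letter, extra word, unusual top-level domain, Punycode) and the Layer 1 local URL matching just described, as an added worked example. This is an illustration written for this page, not SafeBrowz's or Roblox's code. It assumes Node or a browser with the WHATWG URL class (which IDNA-encodes non-ASCII hostnames into "xn--" labels), hard-codes roblox.com as the only official root, and approximates the registrable domain as the last two labels. The sample links are constructed from the patterns on this page.

```javascript
// Added example, not SafeBrowz code: classify a URL against the lookalike-domain
// patterns described on this page. Uses only the WHATWG URL class built into Node/browsers.

const BRAND = "roblox";
const OFFICIAL_ROOT = "roblox.com"; // page: the login page lives only on roblox.com / web.roblox.com
const BRAND_KEYWORDS = ["roblox", "robux", "rblx"]; // "get-robux-now", "rblx-trades" from the page
const SUSPICIOUS_TLDS = new Set(["xyz", "online", "site", "click", "app", "live", "gift"]);

// Last two labels of the host, e.g. "giveaway-claim.net". Simplification (assumption):
// ignores multi-part public suffixes such as co.uk; a real scanner uses the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Map look-alike digits back to letters so "r0blox" and "rob1ox" compare as "roblox".
function normalizeDigits(label) {
  return label.replace(/0/g, "o").replace(/1/g, "l").replace(/3/g, "e");
}

// Edit distance with adjacent transposition, so "rolbox" is one edit away from "roblox".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { verdict: "allow" | "block" | "unknown", reasons: [...] }.
function classifyUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { verdict: "block", reasons: ["unparseable URL"] };
  }
  const host = url.hostname.toLowerCase();
  if (host === OFFICIAL_ROOT || host.endsWith("." + OFFICIAL_ROOT)) {
    return { verdict: "allow", reasons: ["official " + OFFICIAL_ROOT + " host"] };
  }

  const reasons = [];
  const labels = host.split(".");
  const reg = registrableDomain(host);
  const [sld, tld] = reg.split(".");

  // Punycode/Cyrillic: the URL parser IDNA-encodes non-ASCII labels, so a Cyrillic "о"
  // surfaces here as an "xn--" label. The raw-string test is only a coarse fallback.
  if (labels.some((l) => l.startsWith("xn--")) || /[^\x00-\x7f]/.test(rawUrl)) {
    reasons.push("punycode/homograph label in host");
  }
  // Subdomain trick: the brand name sits to the left of the registrable domain.
  if (labels.slice(0, -2).includes(BRAND)) {
    reasons.push("subdomain trick: real domain is " + reg);
  }
  // One-letter swap / digit-for-letter, checked per hyphenated token ("roblux-gift").
  for (const token of sld.split("-")) {
    if (token !== BRAND && editDistance(normalizeDigits(token), BRAND) <= 1) {
      reasons.push("typosquat of " + BRAND + ": " + token);
    }
  }
  // Extra word: a brand keyword inside a domain that is not the official one.
  if (BRAND_KEYWORDS.some((k) => sld.includes(k))) {
    reasons.push("brand keyword in non-official domain: " + reg);
  }
  // An unusual TLD only counts once the host already looks Roblox-themed.
  if (reasons.length > 0 && SUSPICIOUS_TLDS.has(tld)) {
    reasons.push("suspicious TLD for a " + BRAND + "-themed host: ." + tld);
  }
  return { verdict: reasons.length ? "block" : "unknown", reasons };
}

// Constructed sample links built from the patterns on this page.
const SAMPLES = [
  "https://roblox.com/login",
  "https://web.roblox.com/",
  "https://roblox.com.giveaway-claim.net/claim",
  "https://roblux-gift.com/",
  "https://rob1ox.com/verify",
  "https://get-robux-now.app/",
  "https://r\u043eblox.com/", // Cyrillic "о" in place of the Latin "o"
];
for (const s of SAMPLES) {
  const r = classifyUrl(s);
  console.log(r.verdict.padEnd(8), s, r.reasons.join("; "));
}
```

Run it with `node lookalike.js`; the official hosts come back "allow", every constructed lure "block" with the matching reason, and an unrelated host "unknown" (no brand signal, so nothing to say). The two-label registrable-domain shortcut and the hard-coded single brand are the deliberate simplifications; a production scanner swaps in the Public Suffix List and a brand table.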

What to do if your kid's account was hijacked

If your child comes to you and says they were locked out, or you notice their account behaving oddly, work through this checklist. Do it in order. Speed matters more than perfection.

Step 1: Try the password reset from a parent device

On your own phone or laptop, open roblox.com/login/forgot-password-or-username. Enter the email originally attached to the account, which should be your parental email if you set things up correctly. Roblox sends a reset link. If you receive the email, you can take the account back even if the attacker also changed the password, because Roblox honors the original verified parent email as a recovery anchor.

If the attacker changed the email already, this step will fail. Move to Step 2.

Step 2: Contact Roblox Support with proof of ownership

Go to roblox.com/support. Choose "Billing and Account Issues" and then "I can't access my account." Provide:

  • The exact Roblox username.
  • The original email used at signup.
  • The date the account was created (approximately).
  • The last four digits of any credit card used to buy Robux, and the date of the last purchase if you remember it.
  • A screenshot of any past purchase confirmation email from noreply@roblox.com.
  • If your child is under 13, mention this clearly. Roblox prioritizes recovery for accounts of minors under their Trust and Safety program described at corp.roblox.com/safety.

Response time for verified minor recovery is usually 24 to 72 hours. Be patient. Do not open a duplicate ticket every few hours; that pushes you back in the queue.

Step 3: Log out all sessions from any device still signed in

If your child is still signed in on a tablet or console that the attacker has not noticed yet, do not let them touch the account. Instead, from a parent device, sign in there using the same active session if possible and immediately go to Settings, Security, Sign Out All Other Sessions. This kicks the attacker out of the browser they hijacked from.

Step 4: Report the original scam link

Once recovery is started, report the lookalike domain to Roblox at the support address above, to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish, and to PhishTank at phishtank.org. The faster these lookalike domains get reported, the shorter the lifespan of the campaign that targeted your child.

Step 5: File at FBI IC3 if real money was lost

If real-money purchases were made on the account by the attacker after the hijack (using a stored card), or if the stolen Limited items had significant cash value on secondary markets, file a complaint at ic3.gov. The FBI's 2024 Internet Crime Report flagged a sharp rise in fraud targeting minors through online gaming platforms, and the bureau uses IC3 filings to build patterns that drive takedowns of larger scam infrastructure. Include screenshots, the lookalike domain, transaction timestamps, and the attacker's known Roblox username if you have it.

The parental setup that blocks 90 percent of this

Most of the scams above stop working if you do five things once. Sit with your child for 20 minutes, walk through these together, and treat it as part of how the family uses Roblox.

1. Turn on 2-Step Verification with Authenticator

On a device where your child is logged into Roblox, go to Settings, Security, 2-Step Verification. Choose Authenticator App, not Email. Email 2FA can be bypassed if the attacker also takes over the email account. Use Google Authenticator, Authy, or Aegis on a parent phone. Save the backup codes in a place the child cannot lose, such as a note in your password manager.

The reason to put the authenticator on the parent phone, not the child's device, is that it adds a meaningful pause. If your child cannot complete a 2FA step alone, they have to come to you, and that 30-second pause is when you can ask "where did this page come from?"

2. Set a Parental PIN

In Settings, Security, scroll to Account PIN. Set a four-digit PIN that only you know. With a PIN active, any change to settings, payment methods, or account recovery options requires the PIN. An attacker with the password cannot change the recovery email without knowing the PIN, which means even if the password leaks, your child does not lose the account.

3. Attach a parent email as the recovery address

Use a parent email, not the child's. Verify it by clicking the link Roblox sends. This is the single most useful recovery anchor you have. If everything else fails, this verified email is what Roblox Support uses to confirm you own the account.

4. Set Account Restrictions for younger kids (under 13)

In Settings, Privacy, look for Account Restrictions. Toggle it on for kids under 13. This limits chat, restricts who can send friend requests, and removes the ability to play user-created experiences that have not been moderated for younger ages. It does not stop your child from playing the games they love. It does shut down most of the direct messages that carry scam links.

5. Talk through the one rule

The single sentence that protects your child from 90 percent of Roblox scams is this: Roblox never gives free Robux through outside websites, ever. Any page that is not roblox.com and asks for your password is a scam, even if a friend sent it.

Repeat it three times together. Add a sub-rule for older kids: Never click Allow on a Roblox permission screen that arrived from a Discord link, even if the page is on the real roblox.com. Internet Matters, the UK-based parent safety nonprofit, runs an excellent shared-reading guide for Roblox at internetmatters.org that turns this conversation into an activity the whole family can do together.

What real Roblox communications look like

Roblox sends email from noreply@roblox.com. The login page lives only on roblox.com and web.roblox.com. The mobile app shows a green padlock and the bare word "Roblox" in the address area when on the real domain. Roblox will never:

  • Send a private message asking you to "verify your account" on an outside site.
  • Ask for your password through a chat, a DM, or a survey.
  • Offer free Robux for completing offers, watching ads, or installing apps from outside the official Roblox stores.
  • Threaten account deletion if you do not click a link within a set number of hours.

Anything that does these things is a scam. There is no exception, no edge case, no special promotion that breaks this rule. If a friend says "I got free Robux this way, try it," your child should still say no.

Why this matters more in 2026 than it did before

Three things changed in the last 18 months. First, Roblox Limited items have grown into a real secondary market with cash exchange rates, which makes a stolen account immediately convertible. Second, AI-generated scam pages now look exactly like the real Roblox login, with no broken English, no obvious art glitches, no clumsy translation. Third, Discord became the default hangout for Roblox traders, which means most scam DMs now arrive outside Roblox's own moderation system.

Those three shifts together are why account compromises crossed 1 million in 2024 and continue to climb in 2026. The good news is that the defense is still simple. Authenticator 2FA, a parental PIN, an account recovery email on a parent address, restrictions for younger kids, and one clear family rule cover almost every variant.

Bottom line for parents

Your child is not careless. They are being targeted by people who study them for a living. The phrase "free Robux" is the front door. The Discord trade DM is the side door. The OAuth permission screen is the window nobody watches. Close all three by spending 20 minutes on the setup above. If a hijack still happens, work the recovery checklist in order, contact Roblox Support with proof of ownership, and treat the first hour as the one where the most can be saved.

Install SafeBrowz free

Add the browser extension that catches Roblox lookalike pages and "free Robux" scam sites before the login form even loads. Works on the kid's computer in the background. Free forever.



Frequently asked questions

Does Roblox ever give out free Robux through other websites?

No. Roblox states this clearly on its corporate safety page at corp.roblox.com/safety. Every official Robux purchase, gift card, or promo code is redeemed inside roblox.com while logged in. No real Roblox promotion ever sends you to a third-party site that asks for your password. If a site is not roblox.com and asks for your Roblox password, it is a scam without exception.

My child says a friend sent them a free Robux link. Is it really their friend?

Probably not their friend typing. The most common scam pattern is that a friend's account got hijacked earlier in the day, and the attacker is now using that account to message everyone on the friends list. The friend is real, the avatar is real, the username is real, but the person sending the link is the attacker. The fix is to ask the friend in person, by text, or by voice call before clicking anything from a Roblox or Discord message.

Is 2-Step Verification on Roblox really worth the extra step?

Yes, especially the Authenticator app version. Authenticator 2FA blocks every variant of the scam that depends on stealing the password. The one variant it does not block is the fake-app OAuth trick, which is why you also need to teach your child to read permission screens and never tap Allow on a screen that arrived from a Discord link. The combination of Authenticator 2FA plus a parental PIN plus the one-rule conversation blocks the vast majority of hijacks.

What is the Parental PIN, and is it the same as 2FA?

The PIN is different and additional. 2FA protects login. The Parental PIN protects settings changes after login. With a PIN active, an attacker who somehow gets the password and bypasses 2FA still cannot change the recovery email, the password, or the payment method without the four-digit PIN. Set the PIN to something only the parent knows. Do not let the child know the PIN. That way, even a momentary account compromise does not become a permanent one.

My child clicked the link and entered their password. How fast do I need to act?

The first 10 minutes matter most. Attackers run a checklist: change the password, change the email, log out all sessions, then strip the inventory. From your own device, go to roblox.com/login/forgot-password-or-username and trigger a password reset using the email you originally attached to the account. If you set up a parent recovery email, that email beats the attacker. If the attacker already changed the email, contact Roblox Support immediately with proof of ownership; recovery is faster for accounts of minors under 13.

The attacker also drained Robux that I had bought with my credit card. Can I get a refund?

Contact Roblox Support first with the hijack details and the transaction list. Roblox's Trust and Safety team handles minor-account hijack refunds case by case, especially when the original purchase was from a verified parent payment method. If Roblox does not refund within 10 business days, you can file a chargeback through your credit card issuer citing unauthorized use, and file a complaint at ic3.gov so the FBI can include the transactions in larger pattern analysis. Internet Matters' parent guide also lists country-specific consumer protection routes for non-US families.

Should I just delete the Roblox account and start fresh?

Usually no, especially if the account is old and has Limited items, Robux balance, or significant playtime. Roblox Support can recover most accounts within 24 to 72 hours when you provide proof of ownership. Deleting the account makes recovery impossible and gives the attacker time to fully drain everything. Work the recovery checklist first. If after a week Roblox Support has not been able to recover the account and your child wants to move on, then create a new account with all the parental controls turned on from day one.

Is it safe for younger kids to use Discord to coordinate Roblox play?

Discord's minimum age is 13, so younger children should not be on Discord at all. For kids 13 and up who use Discord for Roblox communities, set their Discord privacy settings to allow direct messages only from friends, not from server members. Most Roblox trade scams come through DMs from "server members" that are not actually friends. Cutting off that channel removes the main delivery path. Combine that with the one family rule about never clicking outside-site links for Robux or trades, and Discord becomes much safer.


Bottom line: Roblox scams work on kids because the attackers have spent years learning how kids actually play and talk. Free Robux is the lure, Discord trade DMs are the second door, and fake OAuth permission screens are the door that bypasses 2FA. Turn on Authenticator 2-Step Verification, set a Parental PIN, attach a parent recovery email, restrict accounts for kids under 13, and teach one rule: Roblox never gives free Robux through outside websites, ever. If a hijack still happens, the first hour is when you can save the most.