Last week on Malwarebytes Labs:

• 3 easy-to-miss cybersecurity risks for small businesses
• Actively exploited cPanel bug exposes millions of websites to takeover
• More PayPal emails hijacked to deliver tech support scams
• Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do
• Researchers built a chatbot that only knows the world before 1931
• Microsoft won’t patch PhantomRPC: Feature or bug?
• Scam-checking just got a lot easier: Malwarebytes is now in Claude
• Fake CAPTCHA scam turns a quick click into a costly phone bill
• Chinese engineer stole US military and NASA software for years

Stay safe!

---

---

A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency. Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Governments know about it. Telecoms know about it. Nobody's fixing it. All this and more in episode 465 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball. Plus! Don't miss our featured interview with Rob Edmondson of CoreView, discussing how to lock down Microsoft 365 before it's too late.

Ukrainian police arrested three hackers who hijacked 610,000 Roblox accounts and sold them for $225,000 in profit.

Police in Ukraine arrested three suspects accused of hacking over 610,000 Roblox accounts and selling them for about $225,000. Officers carried out multiple searches in Lviv, seizing cash, phones, computers, laptops, tablets, and USB drives. The operation disrupted a large-scale account theft scheme targeting gamers and online platforms.

A 19-year-old from Drohobych, with two accomplices, used stolen session cookies to access accounts without passwords. They scanned over 610,000 profiles, identifying those with valuable virtual currency or rare items. Using specialized tools, they verified access and compiled 357 files of high-value accounts. The group then sold these on Russian platforms, receiving payments in cryptocurrency.

“From October 2025 to January 2026, over 610,000 user accounts were checked in this manner. They selected those that contained the most valuable digital resources. During investigative actions, law enforcement discovered 357 files with such accounts.” reads the press release published by Prosecutor General’s Office. “Subsequently, these files were sold on Russian resources, with payment made to a cryptocurrency wallet. According to preliminary information, the profit from the sale of accounts during the entire period of the group’s activities could reach nearly 10 million UAH.”

Ukrainian Police carried out 10 searches, seizing computers, phones, storage devices, bank cards, notes, and cash over €2,500 and $35,000. Suspects were charged with theft in conspiracy and unauthorized interference in information systems causing data leaks. A 44-year-old associate was also detained for drug possession with intent to sell after cannabis-like substances were found.

For these crimes, the hackers were charged under Articles 185 (theft) and 361 (unauthorized interference with IT systems) and could face up to 15 years in prison. The investigation is still ongoing to identify other possible accomplices and additional victims linked to the hacking group.

“Under the procedural guidance of the Lviv Regional Prosecutor’s Office and the Frankivsk District Prosecutor’s Office of Lviv, the group members were informed of suspicions of theft by prior conspiracy of a group of individuals, as well as unauthorized interference in the operation of information (automated) systems, which led to the leakage of information by prior conspiracy of a group of individuals (Part 4 of Article 185, Part 5 of Article 361 of the Criminal Code of Ukraine).” concludes the press release.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Roblox)

A list of topics we covered in the week of April 20 to April 26 of 2026

The post A week in security (April 20 – April 26) appeared first on Security Boulevard.

Last week on Malwarebytes Labs:

• Medical data of 500,000 UK volunteers listed for sale on Alibaba
• How cyberattacks on companies affect everyone
• Apple fixes iOS bug that kept deleted notifications, including chat previews
• Roblox clamps down on chats and age checks as legal pressure builds
• Malicious trading website drops malware that hands your browser to attackers
• Researcher claims Claude Desktop installs “spyware” on macOS
• Fake Google Antigravity downloads are stealing accounts in minutes
• Real Apple notifications are being used to drive tech support scams
• Android 17 ends all-or-nothing access to your contacts
• Big Tech can stop scams. They just don’t (Lock and Code S07E08)
• Mythos: An AI tool too powerful for public release

Stay safe!

---

Los Angeles County has sued online gaming company Roblox, adding to a series of suits that accuse the virtual worlds platform of misleading parents into thinking it’s safe while leaving children exposed to predators and sexually explicit content. The February 19 filing makes LA County the first California government body to take the company to court over child safety.

Roblox claims over 151 million daily users, most of which are kids. The company said it disputes the claims and will defend itself vigorously.

What the suit tells us about how predators operate

According to the complaint, Roblox violated California’s Unfair Competition Law and False Advertising Law. County Counsel Dawyn R. Harrison, who filed the lawsuit, said that the gaming platform has repeatedly exposed kids to sexually explicit material, grooming, and exploitation because it has chosen profit over safety.

“This is not about a minor lapse in safety,” Harrison said in a prepared press release. “It is about a company that gives pedophiles powerful tools to prey on innocent and unsuspecting children.”

Until November 2024, anyone could friend and message a child on the platform, the suit said. When Roblox changed those rules it was allegedly still possible for accounts registered with ages over 13 to message each other without having previously been connected, meaning that adults could still message teens who didn’t know them.

The suit also alleged that it’s easy for predators to masquerade as children on the site, because age has historically been self-reported with no enforcement of parental approval when kids sign up.

But Roblox’s approach to age verification changed last September, when the company announced plans to use age estimation on all users who wanted to the platform’s communication features. It then introduced the third-party Persona system, which requires a facial age check to use chat features. But Persona itself has become a problem.

Researchers recently discovered an exposed frontend revealing the tool does far more than check ages, including running facial recognition against watchlists. It can also hold on to personal data including government IDs, device fingerprints, and biometric information for up to three years. Discord has already walked away from Persona, but Roblox hasn’t.

Even setting the vendor aside, the safeguards aren’t working as advertised. When Malwarebytes researchers created an account for a child under 13 on Roblox in December 2025, it found that a child account could find communities linked to cybercrime and fraud-related keywords.

The complaint contains many allegations about the type of behavior that has occurred on Roblox, including:

• The simulated rape of a seven year-old’s avatar in a digital playground environment
• “Diddy” games that recreated some events from the imprisoned rap star’s parties
• The creation of Jeffrey Epstein-themed accounts, and the operation of a game called “Escape to Epstein Island”
• Virtual strip clubs where avatars can disrobe and give lap dances

The LA County complaint also mentioned a report from financial forensic research company Hindenburg Research published in October 2024. The company, targeting short sellers who trade by selling stocks in vulnerable companies, said that it had found multiple groups on the site trading child sexual abuse material and soliciting sexual favors. The report also alleged that Roblox was cutting safety spending even as problems mounted.

A former senior product designer allegedly told Hindenburg the trade-off was deliberate. “If you’re limiting users’ engagement, it’s hurting your metrics…in a lot of cases, the leadership doesn’t want that,” the product designer allegedly said, according to the lawsuit.

A cacophony of cases

This won’t be the only case Roblox has defended. In 2022, the Social Media Victims Law Center filed suit against the company for allegedly touting child safety while allowing the exploitation of a young girl. The following year, multiple families filed suit against the gaming company for allegedly misleading them about content harmful to children. Last year, the mother of a 15 year-old boy from Texas sued Roblox after he committed suicide. The complaint alleged that he was groomed and subsequently blackmailed over nude pictures he’d been persuaded to send a predator on the site.

Another lawsuit filed against the company in San Mateo in February 2025 claimed that a 27-year-old predator reached a 13-year-old boy through the platform’s “whisper” messaging system. That case described the platform as “a digital and real-life nightmare for children.”

The California suit joins an expanding pile of government cases against Roblox. Louisiana sued the company in August 2025, followed by Kentucky (October 2025), Texas (November 2025), and Florida (December 2025). Georgia’s Attorney General is also investigating the company. And a collection of separate private suits against the company have been consolidated into a single multi-district litigation.

What parents can do

So, what can parents do? Interestingly, one potential answer came last year when the company’s CEO Dave Baszucki spoke with the BBC:

“My first message would be, if you’re not comfortable, don’t let your kids be on Roblox.”

If you do want to let your children use Roblox (or any other site), then close monitoring is important. Restrict friend requests and disable open chat to the extent that the platform allows. Anonymize your children’s profiles to potentially avoid what one family claimed happened to them in an earlier lawsuit, , in which they had to move across the country after the predator reportedly tracked down their child’s address via Roblox.

Child education is key. Tell your children not to reveal personal information and not to take conversations off-platform, because that’s where exploitation escalates. And keep the conversation going, not as a one-time lecture, but as a regular part of talking about their day.

For more information about child safety, check out Malwarebytes’ research on the topic, which also offers useful advice.

LA County is seeking civil penalties of up to $2,500 per violation per day, plus injunctive relief that could force structural changes to how the platform operates.

---

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.