It’s Not Phishing, It’s UX: How Platform Design Pushes Users Toward Malware

Roblox accounts appear in Zynap's compromised credentials database at five times the rate of Google or Facebook. This article examines why, and what it reveals about the credential harvesting pipeline, free Robux scams, and the infostealer supply chain hiding inside a gaming platform.

Author

Elena Flores

When security teams think about credential theft, the mental model is almost always the same: a user gets tricked. A convincing email, a spoofed login page, a moment of inattention, and the attacker wins.

But what if the infection isn’t the result of deception?

What if platform design choices are systematically contributing to high-risk user behavior?

That’s the question we started asking when we noticed something unusual in Zynap’s leaked credentials database.

An Unexpected Finding

At Zynap, we monitor compromised credentials across a wide range of platforms. At the time we looked, our top three platforms by volume were Google (99M), Facebook (83M), and, unexpectedly, Roblox (48M).

Roblox is a gaming platform. Seeing it alongside Google and Facebook already raises eyebrows, but the real signal emerges when you normalize the numbers. Monthly Active Users for Google sit at around 4 billion; for Facebook, around 3 billion. Roblox has roughly 380 million MAUs. Proportionally, the picture shifts dramatically:

Platform    Compromised Credentials vs. MAUs
Roblox      12.63%
Facebook     2.70%
Google       2.50%

More than one in eight Roblox users has compromised credentials in our dataset: five times the rate of Google or Facebook. That raised an immediate question: was this statistical noise, or was something structural driving it?

Building the Hypothesis

Our initial question was whether Roblox users were simply more careless than average internet users. But that framing didn’t hold up to scrutiny. The more interesting hypothesis pointed in a different direction:

What if Roblox users are systematically more susceptible to infection, not because they’re less careful, but because something in the platform pushes them to follow high-risk behavior patterns?

To explore this, we needed to understand who Roblox users are and how the platform works.

The Platform, the Users, and the Economy

Roblox isn’t just a game: it’s a full ecosystem combining a game engine and a distribution platform, often described as “the Netflix of gaming.” It operates as a UGC (user-generated content) platform: Roblox provides the engine and the infrastructure, users create and publish games, and revenue is shared between creators and the platform. Almost everything you find inside Roblox was built by its own user base.

With 151M daily active users and 380M MAUs, Roblox generates more monthly engagement hours than Steam, Epic Games, and all three major gaming consoles combined. Its primary demographic is Gen Z: roughly 56% of users are under 17, with the largest single cohort being 17–24 year-olds (approximately 50M of the DAUs). This matters because of how this generation relates to the platform. Roblox is not just entertainment: it’s the primary social space. One quarter of Gen Z’s free time goes to gaming, which has overtaken social media as the main socialization channel.

Inside Roblox, every game is played through a personal, customizable avatar. That avatar is the user identity. According to Roblox’s own research, 56% of users consider their avatar’s appearance more important than their physical appearance. Half would rather go shopping for virtual items with friends than physical ones. 84% say their digital self influences how they dress in real life.

What amplifies this dynamic considerably is that real-world brands have moved aggressively into that avatar economy. According to GEEIQ data, 88% of brand activations in 2025 took place in metaverse platforms, with Roblox as the dominant venue. Nike, Gucci, Adidas, H&M, Zara, Levi’s, and dozens of others have run experiences and sold virtual items inside the platform. Gucci, a brand not typically associated with youth culture, ranks as the second most desired brand among Gen Z in recent surveys, a position researchers attribute in large part to its volume of virtual activations. To put the scale in perspective: one Adidas virtual collar for a Roblox avatar sold as a single limited unit for $20,000.

The mechanism behind this is straightforward: brands use limited virtual items the same way they use exclusive physical drops, generating scarcity and status signaling. For a generation that considers its avatar more important than its physical appearance, a rare virtual item from a real brand carries the same social weight as its physical equivalent. The Roblox Marketplace, where these items are bought and sold, records 18.8 million daily visitors, up 17% year over year.

The mechanism that monetizes all of this is a proprietary virtual currency: Robux. Every cosmetic transaction on the platform goes through Robux. Roblox controls the supply and takes a minimum 30% cut of every transaction. The conversion rate is structurally asymmetric: putting money in costs roughly $0.0125 per Robux unit, but converting earned Robux back into dollars requires approximately 3.5× as many units per dollar on the way out. Limited-edition UGC items create real scarcity, speculative pricing, and FOMO. Some items only become available through resale, at exponentially inflated prices.

The result, as our research suggests, is a user base with a strong structural incentive to seek out more Robux, to keep up with the trends, the FOMO, and the social pressure to look a certain way in a space where appearance genuinely matters. And that pressure does not stay contained within the platform.

With that understanding of the platform and its users, we refined our hypothesis:

What if Roblox users are systematically more susceptible to infection because they actively seek free Robux, and that search leads them to follow extremely high-risk behavior patterns?

But that still left a question open: is this just an unintended side effect of a platform that happens to create economic anxiety, or is there something more structural at play?

Platform Design and Risk Exposure

This is where the design dynamics we examined connect to the infection question.

According to Roblox’s own documentation, game discovery algorithms use revenue as one of the primary ranking signals. Our review of platform mechanics found that safety, age-appropriateness, and user preference signals do not appear to be primary factors. Parental controls were introduced progressively but were not applied retroactively to existing accounts. Until January 2026, adult users could initiate private chats with minors. The platform disclosed 13,000 cases of child exploitation in 2023, data that came to light in the context of external regulatory proceedings. A 2025 paper presented at CHI (the leading international conference on human-computer interaction) concluded that Roblox’s monetization model “normalizes risk and financially incentivizes creators to deliberately insert harmful mechanics.”

Mandatory age verification (via ID or facial scan) was introduced in January 2026. By that point, the platform already had over 80M daily active users.

Beyond the Platform Boundary

Roblox has progressively introduced safety measures within the platform. What our data suggests, however, is that the relevant threat surface extends well beyond it.

The demand for Robux that the platform’s design dynamics appear to generate doesn’t stay inside the app. It follows users onto the open internet, where they search for free Robux through unofficial channels.

“Free Robux” scores a Google Trends average of 70/100, reflecting a consistent, sustained search pattern. Estimates put it at around 640,000 monthly searches. On YouTube, bots produce automated Shorts targeting this search intent, with comments disabled. On TikTok, the hashtag #robux has accumulated 15.1 billion views.

A single query on urlscan.io (2024) returned 2,700 structurally identical fraudulent sites using SSL certificates containing “roblox.com.”

Inside Roblox itself, bots post in public game chats with messages like “5,000 free Robux at [site]”, evading the platform’s URL filter by spelling out addresses with spaces or characters, a well-documented evasion technique discussed on Roblox’s own developer forums.

Having mapped the platform’s design, its user base, its security track record, and the external threat landscape, we arrived at the final version of the hypothesis:

What if Roblox users are systematically more susceptible to infection because they seek free Robux outside the platform: a behavior that, far from being actively prevented, may be structurally tolerated, given that the underlying anxiety and demand are what fuel the platform’s revenue model?

That’s the hypothesis we took to the data.

Validating with Data

To test whether this translated into actual infection patterns, we analyzed our database of Roblox credentials using Zynap and our workflow automation tool, NINA.

Starting from 48M compromised Roblox credentials, we filtered for hashes with 5 or more associated active sessions, giving us a statistically meaningful sample of 253,000 hashes (for us at Zynap, one hash equals one victim, with all their active sessions linked).

Then, we built a hypothetical infection journey based on our research:

Free Robux search → Discovery via YouTube / Discord / TikTok → Download → Infection

The results were striking:

  • 82% of hashes matched this exact funnel, passing through a discovery platform before ending in a file download from services like MediaFire, Mega, or GitHub.
  • 27% of hashes (roughly 3 in 10 of those that matched) also involved Roblox-specific executors or script repositories. This subset deserves a closer look, because it reveals a particularly insidious attack design.
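As an added illustration (not Zynap's or NINA's code), here is how the session threshold and the funnel match over each victim's browsing history could be expressed in Python. The victim records are constructed, and the executor keyword list is a hypothetical heuristic, not a real indicator list:

```python
from urllib.parse import urlparse, parse_qs
# Constructed sample (hypothetical, not Zynap data): per victim hash, the count of
# active Roblox sessions and the ordered browsing history from the stealer log.
SAMPLE_VICTIMS = [
    {"hash": "h1", "sessions": 7, "history": [
        "https://www.google.com/search?q=free+robux+2024",
        "https://www.youtube.com/shorts/abc123",
        "https://www.mediafire.com/file/xyz/Executor_Setup.exe"]},
    {"hash": "h2", "sessions": 6, "history": [
        "https://www.google.com/search?q=free+robux+generator",
        "https://www.tiktok.com/@someone/video/987",
        "https://mega.nz/file/abcd"]},
    {"hash": "h3", "sessions": 2, "history": ["https://www.google.com/search?q=free+robux"]},  # < 5 sessions
    {"hash": "h4", "sessions": 9, "history": [  # reached a download host without the search step
        "https://www.youtube.com/watch?v=qwerty",
        "https://www.mediafire.com/file/123/game_mod.zip"]},
]
DISCOVERY_HOSTS = {"youtube.com", "discord.com", "tiktok.com"}
DOWNLOAD_HOSTS = {"mediafire.com", "mega.nz", "github.com"}
EXECUTOR_KEYWORDS = ("executor", "scripthub")  # constructed heuristic, not a real IoC list

def funnel_stage(url):
    # 1 = "free robux" search, 2 = discovery platform, 3 = download host, 0 = anything else
    parsed = urlparse(url)
    query = " ".join(parse_qs(parsed.query).get("q", [])).lower()
    if "free robux" in query:
        return 1
    host = (parsed.hostname or "").lower().removeprefix("www.")
    return 2 if host in DISCOVERY_HOSTS else 3 if host in DOWNLOAD_HOSTS else 0

def matches_funnel(history):
    # True only when stages 1, 2, 3 appear in that order; unrelated visits may interleave
    expected = 1
    for url in history:
        if funnel_stage(url) == expected:
            expected += 1
    return expected > 3

def mentions_executor(history):
    return any(k in url.lower() for url in history for k in EXECUTOR_KEYWORDS)

def analyze(victims, min_sessions=5):
    # Apply the >=5-session filter, then measure funnel and executor prevalence in the sample
    sample = [v for v in victims if v["sessions"] >= min_sessions]
    funnel = [v for v in sample if matches_funnel(v["history"])]
    executor = [v for v in funnel if mentions_executor(v["history"])]
    pct = lambda part: round(100 * len(part) / len(sample), 1) if sample else 0.0
    return {"sample": len(sample), "funnel": len(funnel), "executor": len(executor),
            "funnel_pct": pct(funnel), "executor_pct": pct(executor)}
```

On the constructed records this yields a sample of 3 victims, 2 of which match the funnel and 1 of which also touched an executor download.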

How Roblox Executors Work, and Why They’re So Effective as a Delivery Mechanism

Roblox runs its game scripts inside a custom virtual machine called Luau, which lives in the RAM of the game process. That VM maintains an internal permission list (a sandbox) that defines what scripts are and aren’t allowed to do. Under normal conditions, user-created game scripts can’t access system resources, other processes, or the network beyond what Roblox explicitly permits.

Executors break this by injecting directly into the running Roblox process, locating the Luau VM in memory, and patching that permission list in place. Sandbox eliminated. Maximum permissions granted. The executor can now run arbitrary code with the same trust level as the game engine itself.

Roblox has a kernel-level anti-cheat system called Byfron that actively tries to detect this. The executor ecosystem has evolved in direct response: tools like Synapse, KRNL, Solara, and JJSploit use techniques designed to leave no detectable trace, and are continuously updated to evade new Byfron signatures. It’s a classic cat-and-mouse dynamic, with the added dimension that the “mouse” is a commercial market of malware-as-a-service tools targeting minors.

What makes executors particularly dangerous as an infection vector isn’t just the technical bypass: it’s the UX. When a user downloads and runs an executor following a “free Robux” tutorial, something visibly happens inside the game. Items appear, scripts run, the in-game environment visibly changes. The user receives immediate positive feedback that the method is working. That feedback loop keeps them engaged and lowers their guard while the executor runs its real payload in the background: extracting credentials, session cookies, browser data, and anything else the bundled infostealer is configured to collect.

The stealer families present in our data were: RedLine (39.9%), LummaC2 (34.9%), Vidar (17.8%), and StealC (5.6%).

There was one additional finding worth highlighting. Roblox reports that 80% of its users play on mobile, but our forensic data shows infections happening almost exclusively on Windows. This points to a device migration pattern: a user encounters the scam on their phone, follows instructions that require a desktop download, and executes the malware on a family computer. To validate this, we filtered the executor/script user journey hashes for indicators of adult usage (corporate environments, financial services, professional platforms): 14% showed at least three such indicators (a strong signal), suggesting the child infected a shared family device, or a household member’s machine.

How Do We Patch This?

The attack vector here wasn’t a sophisticated APT group or a spear-phishing campaign. It was a 15-year-old who wanted a virtual Adidas hoodie for their avatar.

Traditional reactive security (analyzing malware post-infection, responding to individual incidents, patching vulnerabilities) is structurally misaligned with this threat. The vulnerability isn’t technical. It’s behavioral, and it appears to be rooted in platform design dynamics that operate at massive scale. While this research focused on Roblox specifically, the underlying dynamic is not unique to one platform: any ecosystem that combines a young user base, identity-driven consumption, artificial scarcity, and a proprietary currency carries a version of this risk profile.

Addressing it requires a different approach: profiling behavioral patterns rather than just malware signatures, mapping platform design dynamics as threat predictors, and intervening before the infection rather than after it. If you can identify which platform design characteristics predict high compromise rates, you can anticipate the next high-risk ecosystem before the incidents start confirming it.

This is precisely the kind of intelligence Zynap is built around. Our platform connects external attack surface data, leaked credentials monitoring, and threat intelligence feeds into a single orchestration layer.

It changes what questions you can ask: not only “what happened?” but “what conditions make this likely to happen?” And it changes when you can act on the answer. A 15-year-old looking for a free virtual hoodie is not a threat actor. But the platform design that may put them on that path, and the criminal ecosystem waiting at the end of it, absolutely are.

What this research points to is the need for a preemptive security posture: one where organizations don’t just monitor for known threats or respond to confirmed incidents, but actively build the capacity to anticipate attack conditions before they materialize. The threat actors behind the stealer ecosystem documented here have already industrialized their operations, compressed their timelines, and automated their distribution. A reactive defender will always be a step behind. Preemptive security means investing in behavioral pattern profiling, ecosystem-level threat mapping, and the automation infrastructure to act on that intelligence at scale, before the damage reaches the organization. That shift in posture is what Zynap is built to support.

Keep Reading

This article was written by Elena Flores, Head of Product at Zynap, based on research she presented alongside María Lázaro of Zynia Labs at RootedCON Madrid, March 2026.

If this raised questions about where stolen credentials go after harvest, we documented the underground markets that trade them in Inside the Dark Web Marketplace Economy.

For more on how Elena thinks about AI and product at Zynap, read her piece on AI agents and product workflows.

Sources

Roblox Official Data

Market and Audience Research

  • Epyllion Analysis (Gaming Engagement Benchmarking)
  • GEEIQ, 2025
  • GEEIQ, 2026
  • Newzoo
  • DemandSage
  • Statista
  • Statista Brand Tracker 2025 (1,000 Gen Z Respondents)
  • Meta (MAU Public Data)

Academic and Regulatory Sources

Threat Intelligence and OSINT

  • Zynap Internal Analysis: Hashes associated with filtered roblox.com credentials (≥5 active sessions)
  • urlscan.io / Van den Hout (2024)
  • Cisco Talos (2023)
  • MalwareTips (2026)
  • NCMEC CyberTipline (2024)
  • TikTokHashtags.com
  • Google Trends
  • SEMrush