
20 Percent of Mobile Cryptocurrency Malware Attacks Are In the US - Motherboard

source link: https://motherboard.vice.com/en_us/article/pa3xz7/cryptocurrency-mining-malware-mobile-android-20-percent-us


And infection rates could rise.
November 9, 2017, 4:05pm
Image: Flickr/Mike MacKenzie

As the value of cryptocurrencies continues to rise, criminals are finding ways to get some digital money while offloading the expense to unsuspecting victims. The latest tactic: tricking Android users into downloading legitimate-looking apps that are packed with code that “mines” digital currencies for a hacker without their knowledge.

“With mining, it’s kind of like letting a stranger live in a van across the street and have access to your internet connection and your power subscription,” said James Nguyen, mobile product manager for cybersecurity firm Symantec, over the phone.


Trend Micro, another infosec firm, reported last week that mining malware masquerading as religious apps and more litter the Google Play store for Android devices. According to Symantec, the problem might get worse soon if criminals realize they can make a buck.


These attacks are already happening in North America. According to data from Norton Mobile Insights—Symantec’s mobile security wing—that the company shared with Motherboard, half of mobile cryptocurrency mining malware attacks are in Russia, and 20 percent are in the US. The rest are targeted in Ukraine and Belarus. “In the grand scheme of things, crypto mining malware is a low number (fraction of a percent [of all mobile malware]),” the company stated. “But if it proves to be lucrative to the developers, that number could rise.”

A recent spate of text message phishing attacks in Australia that tried to convince victims to download cryptocurrency mining malware to their phones may have been “a sign of susceptibility testing,” Norton said.

One example of mobile cryptocurrency mining malware that Symantec sent Motherboard appeared to be a fully-functioning crossword puzzle game, but in the background it was mining cryptocurrencies.

“An app can run completely silently, and there might not even be an interface or an icon,” Symantec’s Nguyen said over the phone. “It can run in the background and keep mining. It’s going to have high battery drain, and your device is going to be less responsive.”

Mining cryptocurrencies with malware was a thing around 2014, and mobile malware was also a trend in that year. Rising mining difficulty was thought to have made this attack obsolete since then due to the low processing power in phones, but skyrocketing values—Bitcoin went from around $2,000 USD per coin to nearly $8,000 per coin in about six months—seem to have made it an attractive proposition once more.

It's “making a comeback in 2017,” Norton told Motherboard.


Roblox Players Are Mining Crypto Just to Get Robux

The underground tools mine cryptocurrency and then automatically exchange that for Robux, Roblox's in-game currency.
March 9, 2022, 3:03pm
Image: LIONEL BONAVENTURE/Contributor

Everyone wants more Robux, the in-game currency for the hyper-popular Roblox ecosystem. Players can earn that digital cash by trading items they’ve acquired, playing certain Roblox games, or creating new cosmetics to sell to other players. Players can also buy Robux from Roblox itself with real money.

Some websites offer an enticing, and unauthorized, alternative: tools that claim they can mine Robux using the player’s computer. “Make ROBUX whenever you want at the push of a button,” the website for Buxify, one of the miners, reads.


In reality, these miners are doing something a little different. They use a player’s computing power to mine cryptocurrency, and then automatically trade that currency for Robux. The tools are essentially the cryptominers that we’ve seen hackers deploy, but specifically marketed towards Roblox players, some of whom are children. (Roblox told Motherboard its “largest growing population” of players are 17-24 years old, and that most of its players are over 13.) Sometimes the miners do make this cryptocurrency mining explicit. In Buxify’s case, it did not.

Do you know anything else about the Roblox underground? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email [email protected].

Gaming platform Roblox is valued at over $60 billion and is played in some form by over half of all children in America. At least some of the people who have downloaded Robux mining software do appear to be children, according to posts on social media.


Buxify’s website did not make the cryptocurrency mining clear to users. In Motherboard’s own tests with downloading the software, the program itself never mentioned that it mined cryptocurrency.


A screenshot of Buxify. Image: Motherboard.

However, PD, the pseudonymous owner of Buxify, readily told Motherboard how the app works and mines cryptocurrency when asked.

“Basically it utilizes the user’s PC to mine cryptocurrency at a purposely conservatively safe, default setting (both temperature and % usage limits) and uses API's to automatically convert that earned crypto to Robux,” PD told Motherboard in an online chat.

PD said that Buxify gets a slice of the cryptocurrency mined by the program. “It's actually a really fair split for the user,” they said.

PD added “we're doing our best to be as transparent as possible and reward the user for that sort of trust relationship using our software.” The tool also has a “daily jackpot,” where users can earn entries into a lottery to win more Robux by keeping Buxify running.


A screenshot of BloxCrusher's website. Image: Motherboard.

Before PD confirmed to Motherboard that Buxify mines cryptocurrency, Motherboard provided a copy of the Buxify software to cybersecurity firm Kaspersky. 

“According to the website, after the installation of the app, the user will be able to mine Robux coin. Instead, once the user launches the mining function in the app, it starts mining Ethereum, Ravencoin and Ergo coins for specific wallets (one wallet for each cryptocurrency),” Kaspersky told Motherboard in an email.


Before receiving the Buxify file from Motherboard, Kaspersky did not flag the software as malicious, according to scan results on malware search engine VirusTotal. Now, Kaspersky identifies this version of Buxify as a malicious miner. Since then, other cybersecurity companies such as Alibaba, Checkpoint, and Lionic have also marked Buxify as malicious.

Beyond Buxify, BloxCrusher and RBXIdle were two other similar apps that mined cryptocurrencies on users’ computers in exchange for Robux, but these were more transparent about how they worked.

“BloxCrusher allows you to easily mine the most profitable crypto for your GPU. Then, we automatically convert each share solved by your GPU to the equivalent R$ amount,” BloxCrusher’s website reads. BloxCrusher also lets users share their internet connection as a proxy for other users in exchange for more Robux.

“I showed my dad bloxcrusher and he said that it has Bitcoin miner feature that uses power and gives people online Crypto,” one person wrote on Reddit in the past few weeks.


A screenshot of a VirusTotal scan after Motherboard sent a copy of Buxify to Kaspersky. Image: Motherboard.

Thousands of people were online in the Discord server for RBXIdle when Motherboard joined on Friday. Here people uploaded screenshots of how much Robux they had allegedly made while mining, and discussed what graphics card they were using.


“how much could i make in a day with my gtx 1650 ti,” one user in the Discord asked.

“probably 100+ or so you kind of just have to find out by running it, depends on a lot of factors, most of which are outside your control,” another replied, adding that they use a GeForce RTX 2060 Super.

Roblox said that using these Robux mining tools is against its terms of service.

“This is against our Terms of Service. Roblox maintains many systems to keep our users safe and secure, and we prohibit attempts to bypass these systems or otherwise violate our platform requirements. Roblox maintains the Robux system for everyone’s benefit and enjoyment. To keep it secure, some uses of Robux are not permitted, including using third-party services to sell, trade, or give away Robux,” a Roblox spokesperson told Motherboard in an email.

When asked if Roblox has taken any action, legal or otherwise, or plans to do so against these sorts of mining tools, the spokesperson said that “It is our policy not to comment on active or potential litigation.”

Updated: This piece has been updated to add additional information on what Roblox says is its largest growing population of players.

Image: OpenSea/realseanmac

The Tragic True Story Behind ‘WAGMI,’ Crypto's Most Positive Catchphrase

WAGMI—"We're All Gonna Make It"—is crypto's rallying cry, but its origins lie in the too-short and very online life of a shitposting bodybuilder.
May 4, 2022, 1:13pm

Crypto has a lingo all its own. One popular catchphrase uttered ad nauseam is WAGMI, short for “we’re all gonna make it,” referring to the idea that anyone can achieve financial independence (or fuck you money) from cryptocurrency trading.

And as crypto becomes more mainstream, its language also spreads—corporations like Pepsi and Budweiser tweet out WAGMI in an attempt to appeal to the crypto crowd, and Randi Zuckerberg went viral for a crypto-themed parody of “We’re Not Gonna Take It” replacing the iconic chorus with “We’re all gonna make it / Yeah, we’re all gonna make it.”


Although the crypto crowd popularized the WAGMI meme—and its polar opposite, NGMI, for Not Gonna Make It—its origins lie elsewhere, as many in crypto found out after Statelayer, a pseudonymous advisor at NFT swapping platform Sudoswap, tweeted last week: “Just learned that WAGMI and NGMI don't even come from crypto. This space is a sham.”

The phrase originates from Aziz “Zyzz” Shavershian, an Australian online fitness sensation who frequently posted content on bodybuilding.com and 4chan around 2010 (when content-generating influencing hadn’t fully yet blossomed as a career path) encouraging fellow young men to transition from skinny "sad cunts" to jacked “sick cunts” and gaining a substantial online following along the way. 

"You gotta be a ripped cunt. You gotta be a shredded cunt. You gotta go to the gym. You gotta fuck bitches. You gotta not give a fuck. Because that's what we do bro, that’s what the Zyzz cunts do. That's what the revolution is. None of this sad cunt shit. We're all going to make it bro, that's it," Shavershian said in a video.  Shavershian inspired many young men across the world to improve their physical health, but his brash style–perhaps what his fans find so captivating–also made him a controversial figure, an example of what critics call toxic masculinity.  


That video was posted posthumously in 2012, because one year earlier Shavershian died from a heart attack in a sauna in Thailand at age 22. His family said that he suffered from an undiagnosed heart condition that was revealed by a post-mortem examination. After his passing, the personality cult around Shavershian continued to develop, with online communities dedicated to his legacy still going strong. Tribute videos referring to him as an angel get millions of views, and his legion of fans aim to get shredded and “make zyzz proud.”

Lewis, a self-described “Zyzz fanboy” who only goes by his first name, told Motherboard that when Shavershian said “we're all going to make it bro, he was talking to all the RuneScape and WoW nerds,” like him who were “young, had no friends, no sports, no girls or muscles.”

“He was telling us that he had made it—having started just like us—and that we could too,” Lewis told Motherboard. Many people like Lewis “fell in love with Zyzz and idolized him,” he said, precisely because he was a “rags-to-riches story.”

But how did the phrase travel from the niche online fitness subculture of young nerdy men to become the most relentlessly positive catchphrase in crypto?

Memes travel from one subculture to another when an influx of participants occurs, and this is what likely happened.


Lewis frequented the bodybuilding.com forum, where Shavershian was active alongside 4chan, from 2009 to 2014. He later got fully immersed in crypto, starting in 2017. That’s when he believes WAGMI made its way into crypto before really taking off in the last two years.

Many gamers like him migrated from WoW and RuneScape culture first, to online fitness communities, and later to crypto, Lewis said. That migratory flow makes sense, he explained, since these online communities are conducive to “introverted nerds.”

Dr. Asaf Nissenbaum, post-doctoral fellow at the Hebrew University of Jerusalem who published academic research on online memes, told Motherboard that there’s appeal for niche online communities in aligning themselves with “a more exclusive community–or more ‘hardcore,’ ‘OG’ and so on.”


“This is of course true for communities that value the authentic or original in internet culture. Using 4chan lingo won't get you much social credit in a group of elderly cat lovers on Facebook,” Nissenbaum said. “I think it's safe to assume crypto is very much one of these communities, as it tends to be composed of young, nerdy people with available income and free time. WAGMI embeds the claim to being an authentic, informed member of ‘hardcore’ internet culture, aligning yourself with its subcultural and exclusive origins (even if you're not completely aware of its full genealogy), which is something the crypto crowd values.”


For some in crypto, WAGMI isn’t necessarily a financially-motivated meme, and retains the generally positive bent of Shavershian’s original usage. 

“WAGMI to me is about shifting from a hyper-individualistic mindset. It’s about recognizing we are all riding on the same piece of rock,” Sean MacMannis, marketing lead at Gitcoin, crypto's largest public goods funding organization, told Motherboard. MacMannis, who sports a WAGMI profile picture, says the meme is “about collective consciousness and interconnectedness for pessimistic internet-native generations.”


“It’s a rallying cry to work together to solve the world's problems. The stakes are high, we need all the memes we can get,” MacMannis said. “Seizing the memes of production and using them for good, to solve the world’s biggest challenges. With language that resonates with internet natives, with degens.”

But for others like Joseph “Hutch” Dahari, business advisor at crypto token project $WGMI (intentionally spelled without the A) and former professional trader in traditional finance, WAGMI expresses “toxic positivity" and "false hopium.” Indeed, WAGMI is often explicitly a promotional slogan, deployed to boost confidence in the frothy crypto market, where financial ruin is just as common as success, if not more. 

“Especially for younger investors, false hopium is risky, people lose money in crypto so the idea that we're all gonna make it can influence irresponsible behavior,” Dahari said. “I dig a good rap hit as much as the next guy, but am old enough to look out for those short on experience and education, which the crypto industry sorely needs more of.”

“When Zyzz said ‘we're all going to make it bro,’ he meant it,” Lewis told Motherboard. “Crypto Twitter says it and hopes to pull more naive dumb money into the ecosystem.”


‘Web3’ Needs Hackers More Than Anything Else Right Now

Launching a cryptocurrency or DeFi project is like “trying to launch a rocket into space.” Yet DeFi companies have yet to take cybersecurity seriously.
February 10, 2022, 2:00pm
Image: gorodenkoff/GettyImages

If it feels like every other day there’s some hacker who steals millions of dollars in cryptocurrency, it’s because, well, that's pretty much what's happening.

In the last few months alone, hackers have stolen $600 million from Poly Network, $320 million from cross-chain bridge Wormhole, $30 million from popular exchange Crypto.com, around $4 million from users of Multichain, $140 million from a crypto gaming company, almost $120 million from visitors to the website of a DAO, and $150 million from a crypto exchange that bills itself as the “most trusted” out there. 


That’s $1.3 billion (with a “b”) right there. 

That’s not an exhaustive list, but only the incidents Motherboard has covered. According to blockchain analysis firm Elliptic, DeFi protocols have lost $12 billion to date. And that’s not counting the slow but constant drip of regular users getting their six-figure ape JPEGs stolen. The variety of hacks is stunning, from smart contract exploits executed by hackers with monkish commitment to simple web attacks and phishing.

In other words, the crypto world—or “web3” if you like that nebulous and buzzy term—has a cybersecurity problem, and it’s going to be a challenge to fix it. According to cybersecurity professionals, there’s one thing that web3 can really use right now: more friendly hackers and people who truly understand how to secure software. 

That may be a hard fix. There’s a lot of cybersecurity professionals who are resistant to joining an industry that they see as generally immoral, or even worthy of ridicule. And transitioning from securing traditional software to securing blockchain or cryptocurrency software is far from seamless. 

A pseudonymous researcher who goes by "Jazzy," and is the co-founder of Zellic, a cybersecurity firm that focuses on cryptocurrency and blockchain, said that “there's an insane shortage of crypto auditors” and that people who get into the business need to understand how it’s different from traditional cybersecurity.


“The stakes are a lot higher, because if you make a mistake in a traditional pentest,” Jazzy said in an online chat, referring to penetration testing, an industry term for testing the security of a system, “it probably won't cost the project all its money.”


A core issue is that writing and publishing the smart contracts that many cryptocurrency or DeFi projects rely on is not the same as writing a web or mobile app. You can’t just put it out and bolt security onto it as you go, according to Dan Guido, the co-founder of Trail of Bits, a 10-year-old cybersecurity consulting firm that’s been dabbling in auditing smart contracts (vetting the code for flaws before it goes live, which is itself a burgeoning industry) for around five years, and has also published several open source tools to analyze and audit software used in the crypto world.

“A lot of these smart contracts are like trying to launch a rocket into space. And if you miscalculate it's gonna blow up. And there isn't really a recovery process. You can't snap your fingers and get another rocket on the launch pad to send up tomorrow,” Guido said in a phone call. 

Smart contracts are highly complex pieces of self-executing code that live on the blockchain. They can't be deleted, and like with anything else on the blockchain, operations can't be reversed. Because smart contracts are public and, generally, hard to change, they are “high assurance” software, Guido added, which means they are “software that has catastrophic issues and fails, and that you can't easily fix when you find issues.”


Do you work at the intersection of cybersecurity and crypto? Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]

That’s not the same as more traditional software, which the cybersecurity industry has become very good at squashing bugs in, and which developers have also learned to make more secure over the years. 

“All software has flaws, and the web3 premise that ‘code is law’ raises the stakes by making these mistakes immutable. It’s all fun and games until you lose half a billion dollars due to a single software vulnerability,” Jennifer Fernick, the senior vice president and global head of research at cybersecurity firm NCC Group, told Motherboard in an email. 

“A dangerous belief among web3 evangelists seems to be that blockchain is intrinsically and universally secure. This is categorically false. Not only are there several types of blockchain-specific security vulnerabilities, but decentralized systems are also subject to most of the same security risks as other computer systems," she said. 

Tal Be’ery, a cybersecurity veteran who now works as the CTO of the crypto wallet app ZenGo, is one of a few cybersecurity people who are now focused on the crypto industry. As Be’ery put it, web3 security is in “dire straits.” One of the problems, Be’ery said in an online chat, is that while in theory it’s not harder to secure smart contracts compared to other kinds of code, “it's much easier to monetize smart contracts exploits as they deal with cash money.”


The other challenge, Jazzy said, is that “a lot of bugs in smart contracts come from external interactions with other contracts, so even if the code for your application is secure, if anything you interact with is vulnerable/broken, it can lead to catastrophic losses.”

With the increasing popularity of cryptocurrency and DeFi, there are some established cybersecurity companies that have pivoted to securing the newly popular industry, as well as straight up new companies dedicated exclusively to blockchain security. There's Zellic and Trail of Bits, of course, but that's not all. NCC Group, a consulting firm founded in 1999, now offers blockchain and smart contracts reviews. Paradigm, an investment firm focused on crypto and web3, has an internal security research team—and they are hiring. There’s also Dedaub, the company that found a serious flaw in a crypto protocol that led to hackers stealing a few million dollars from users. Other companies in this space are Peckshield, Slowmist, Consensys Diligence, Immunefi, Paladin Blockchain Security, Certik, and Sigma Prime.

“For the short term we will see more web3 hacks,” Be’ery said. “However, there's a lot of VC money looking for web3 security solutions and talented teams starting to work on such.”

The crypto world’s cybersecurity problems, however, go beyond smart contracts. Hackers have also targeted and exploited the Discord channels that virtually all crypto organizations and companies use to interact with their user base. That’s usually done with good ol’ phishing. The websites connected to crypto projects are also useful targets, and they can be hacked by exploiting a third party internet infrastructure company. NFTs have proven to be particularly vulnerable to old-school social engineering or phishing attacks, since all a hacker needs is someone's MetaMask wallet permissions to steal their tokens. 


Marcus Carey, a veteran cybersecurity expert, has recently launched a consulting firm specifically for individuals in the crypto space such as artists, creators, and investors, called Metaversable. His goal is to help people who “don't understand basic cybersecurity hygiene” and may be targeted by hackers. His other goal is to encourage more people in cybersecurity to stop being skeptical and come to help.

“There are so many applications of the technology that could be good. And that's why we need people to understand it and be able to secure it as soon as possible,” Carey told Motherboard in a phone call. “This is the way it's going. This is the future.”

Carey argued that cybersecurity people are skeptics by nature, and “resistant to change.” But cryptocurrencies, smart contracts, and DeFi aren't going away, and they eventually will intersect with more traditional companies. So even cybersecurity experts who don’t want to get into NFTs or crypto will have to understand them and help their companies get into this space securely.


Kimber Dowsett, another cybersecurity expert who’s worked in the industry for a decade, has publicly criticized hackers and other colleagues in the industry who mock NFTs and people involved in that space. 


“A lot of infosec people are just shitting on it and it feels gatekeepy and elitist,” she tweeted recently.

The right attitude, she told Motherboard in an online chat, would be to use empathy and education instead. 

“I'm as guilty as the next person of making an NFT joke here and there, but I started sitting in on twitter spaces with musicians and artists and other types of creators and it was tough to hear that security people just shut them down and make fun of them when they try to ask questions,” she said. “I just don’t want to make people feel like shit for trying to learn about blockchain and figuring out how to make NFTs. I’d rather spend my energy trying to teach them how to avoid scams, be safe, and protect their crypto wallets. I stopped treating users like idiots a long time ago and found ways to support their curiosity while educating them about the risks. I mean, it is part of the job, right?”

Another problem at this point is that there are people building projects and protocols as fast as possible to secure investment and be the first to market, which leads to poor cybersecurity practices. That’s why the crypto world doesn’t just need cybersecurity people, it needs more security built in from the beginning, Carey said.

For now, however, it’s the “Wild Wild West,” he said. 
