# roblox-rocash.pages.dev — SUSPICIOUS

> roblox-rocash.pages.dev is a live credential theft scam impersonating Roblox, with 0/95 VirusTotal detections. Immediate block recommended.

## Summary
PhishDestroy identifies roblox-rocash.pages.dev as an active credential theft campaign impersonating the Roblox gaming platform. The domain leverages a Pages.dev subdomain under Cloudflare’s infrastructure to host a fraudulent login portal designed to harvest Roblox account credentials. The page is likely weaponized with a credential-harvesting kit, possibly repurposed from known open-source phishing templates or custom-coded. No evidence of a crypto drainer script was observed in initial scans, suggesting a focus on account takeover for resale, in-game currency theft, or further social engineering exploitation. The campaign targets Roblox users through social media, gaming forums, or phishing emails, exploiting trust in the platform’s brand identity.  

This domain was flagged with the following technical indicators: it resolves to IP 172.66.44.99 and is registered via Cloudflare, Inc. It uses a Google Trust Services SSL certificate, indicating basic HTTPS compliance to appear legitimate. As of current checks, VirusTotal shows 0 detections out of 95 engines, placing it below detection thresholds. While the SSL issuer is legitimate, the domain’s creation date and subdomain structure (pages.dev) suggest recent, opportunistic deployment—common in short-lived phishing operations. At this time, there is no confirmed presence on Google Safe Browsing (GSB) or major blocklists, but the lack of detections may reflect delayed signature updates rather than benign behavior. The absence of historical data reinforces its likely transient nature.  

The campaign remains active as of the latest intelligence (seed 3d2514). Immediate response actions include blocking the domain and IP at the network/firewall level and flagging the SSL certificate fingerprint. Users should be warned not to enter credentials on any roblox-rocash.pages.dev page and to verify URLs via official Roblox domains (roblox.com). Given the unblocked status and low detection rate, the risk to uninformed users is assessed as elevated. While technical takedown is likely, the domain may relocate under a different subdomain or domain. Continuous monitoring is advised due to the credential theft objective and potential for escalation into secondary attacks such as account selling or malware delivery.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.44.99

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/5c95b72a-65a2-4ded-b3b0-00881413ecb2
- PhishDestroy: https://phishdestroy.io/domain/roblox-rocash.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/roblox-rocash.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/roblox-rocash.pages.dev/
Last updated: 2026-03-22