My Roblox Game or Script Got Leaked — What to Do
You just found your script in a leaks server, or your game's source being passed around. It's a gut-punch, but the next few steps decide whether the leaker walks or gets caught. Here's the calm, ordered response: trace the source if you can, contain the damage, build an evidence package, file a takedown, and flag the person so it follows them everywhere.
Step 1: Trace the source — if you watermarked it
Before anything else, find out who leaked it — because that changes every step after. This only works if the leaked copy was watermarked before you distributed it. A watermark can't be added retroactively to a file that's already loose.
If you sold or shared the script with a per-buyer watermark: download the leaked copy and upload it to the watermark scanner in the dashboard. If a mark survives, it resolves to the license and the buyer handle that copy was issued to. That's your leaker, with evidence attached. (There's no automatic web scanning — you bring the file you found, and the scan names the buyer.)
If it was never watermarked — for example, a live-game script pulled by an exploiter, or a file you handed out clean — the scan can't identify anyone, and that's expected. You can't fingerprint a copy after it's already out. Skip to building your evidence package; you still have real recourse through takedowns, authorship proof, and the blacklist, and you'll watermark everything going forward.
Step 2: Contain the damage
While the trail is fresh, limit how much further it spreads and how much it can hurt you:
- Rotate anything sensitive the script exposed — API keys, webhook URLs, datastore keys, or admin passwords baked into the code. Treat every secret in a leaked file as compromised and replace it now.
- Revoke the leaker's access if you know who it is: revoke their license in the dashboard, and pull any collaborator/team-create or group permissions they hold.
- Don't tip them off mid-collection. Screenshot and save the leak's location before you report it — leakers delete fast once they sense a takedown coming.
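To turn "treat every secret as compromised" into a rotation list, this added example (not VerifyUGC's own tooling) scans a leaked Luau file for Discord webhook URLs and credential-looking assignments. The sample script, the variable-name keywords and the `find_secrets` helper are assumptions made for illustration.

```python
import re

# Constructed sample standing in for the leaked Luau file; every value is made up.
LEAKED_LUAU = '''\
local HttpService = game:GetService("HttpService")
local WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/EXAMPLE-token_abcDEF"
local config = {
    apiKey = "sk_example_0123456789abcdef",
    adminPassword = 'hunter2-example',
    storeName = "PlayerData_v3",
}
-- local oldToken = "tok_example_commented_out"
local greeting = "Welcome back!"
'''

# A Discord webhook URL is a credential on its own: whoever holds it can post.
WEBHOOK_RE = re.compile(
    r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# name = "value" where the name suggests a key, password, token or datastore name.
ASSIGN_RE = re.compile(
    r"""(?P<name>\w*(?:key|secret|token|password|passwd|webhook|store)\w*)\s*=\s*"""
    r"""(?P<q>["'])(?P<value>.+?)(?P=q)""",
    re.IGNORECASE,
)

def redact(value):
    """Keep a short prefix so the rotation list does not re-leak the secret."""
    return value[:4] + "..."

def find_secrets(source):
    """Return (line number, kind, redacted value) for each secret to rotate."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hit = WEBHOOK_RE.search(line)
        if hit:
            findings.append((lineno, "webhook-url", redact(hit.group())))
            continue  # do not report the same line again as an assignment
        # Commented-out lines are scanned too: a secret in a comment still leaked.
        hit = ASSIGN_RE.search(line)
        if hit:
            findings.append((lineno, hit.group("name"), redact(hit.group("value"))))
    return findings

if __name__ == "__main__":
    for lineno, kind, preview in find_secrets(LEAKED_LUAU):
        print(f"line {lineno}: rotate {kind} ({preview})")
```

Name-based matching will miss secrets stored under neutral variable names, so read the file by hand as well.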
Step 3: Build your evidence package
Every takedown and every report rests on two things: proof the work is yours, and proof of what happened. Assemble both before you contact anyone.
- Proof of authorship: your dated source files, and especially your git commit history if you version-controlled the code — timestamped commits are strong, near-unfakeable evidence of when you wrote it. Roblox place version history and dated exports help too.
- Proof of the leak: screenshots of the leaked file and where it's hosted (the server, the listing, the file host), the URL, and the account name distributing it. Capture the publish/post date if it's visible.
- Attribution, if you have it: the watermark scan result naming the buyer the copy was issued to.
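The three parts of the evidence package can be captured in one record at the moment you find the leak. This added example (not VerifyUGC's format) hashes both copies, notes your earliest commit, and measures how much of the leaked copy matches your source after reformatting. The sample files, commit list, URL, account name and field names are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed inputs: a tiny "original" module and a leaked copy that was
# re-indented and given an extra header line.
ORIGINAL = (
    "local Shop = {}\n"
    "function Shop.buy(player, item)\n"
    "    return item.price <= player.coins\n"
    "end\n"
    "return Shop\n"
)
LEAKED = "-- reuploaded copy\n" + ORIGINAL.replace("    ", "\t")
# Constructed commit list, e.g. parsed from `git log --format="%H %aI"`.
COMMITS = [
    {"hash": "bbbbbbb", "date": "2024-03-02T10:15:00+00:00"},
    {"hash": "aaaaaaa", "date": "2024-01-20T18:40:00+00:00"},
]

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def normalize(source):
    """Drop blank lines and indentation so reformatting does not hide a match."""
    return [ln.strip() for ln in source.splitlines() if ln.strip()]

def build_manifest(original, leaked, leak_url, account, commits, attribution=None):
    """Bundle authorship proof, leak proof and attribution into one record."""
    ratio = SequenceMatcher(None, normalize(original), normalize(leaked)).ratio()
    first = (min(commits, key=lambda c: datetime.fromisoformat(c["date"]))
             if commits else None)
    return {
        "captured_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "authorship": {"original_sha256": sha256(original),
                       "earliest_commit": first, "commit_count": len(commits)},
        "leak": {"leaked_sha256": sha256(leaked), "url": leak_url,
                 "account": account, "byte_identical": original == leaked,
                 "line_similarity": round(ratio, 3)},
        "attribution": attribution or "none: copy was not watermarked",
    }

if __name__ == "__main__":
    import json
    print(json.dumps(build_manifest(ORIGINAL, LEAKED, "https://files.example/leak",
                                    "example_account", COMMITS), indent=2))
```

Save the output next to your screenshots so the hashes and capture time travel with the rest of the package.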
Step 4: File takedowns
Leaked code is a copyright matter, and your recourse runs through each host's own takedown process — VerifyUGC supplies the evidence, but the platform is who removes the content.
- Roblox: if a clone of your game or a reupload of your asset is on-platform, file through Roblox's official DMCA / IP-infringement form with your authorship evidence.
- Discord: a leaks server distributing your file violates Discord's policies — report it to Discord Trust & Safety with a DMCA notice.
- GitHub / file hosts: most honor DMCA notices through a dedicated copyright form; use it rather than a generic contact.
Keep it factual: a DMCA notice is a sworn legal statement you file under your own name. State that you own the work and what was taken; attach the evidence. If a watermark named a specific leaker and the case is serious enough to escalate, a cease-and-desist from an IP attorney is the next step.
Step 5: Blacklist the leaker
If you identified the leaker — through the watermark scan or otherwise — add them to VerifyUGC's blacklist with your evidence. This is what stops it from happening to the next creator: the flag is cross-community, so the person who leaked your work walks into the next server or deal already carrying that history. Communities running the VerifyUGC bot see the flag automatically. A takedown removes one copy; a blacklist entry follows the person.
Step 6: Close the hole for next time
Once the fire's out, make the next leak traceable and the one after that less likely:
- Watermark every copy before you sell or share it. A per-buyer mark turns the next leak from a whodunit into a lookup. See how to watermark your scripts so leaks trace back to the buyer.
- Keep secrets out of client code. Move keys and webhooks server-side; never ship them in a Luau file a buyer or exploiter can read.
- Vet buyers and collaborators against the blacklist and their trust score before you hand over anything.
- Version-control everything so your authorship timeline is automatic, not something you scramble to reconstruct after a leak.
A leak feels like the end of the story. Handled right, it's the moment you stop being an easy target.
Can VerifyUGC tell me who leaked my script?
Only if that copy was watermarked before you distributed it. Upload the leaked file to the scanner and, if a mark survives, it names the buyer the copy was issued to. A file that was never watermarked — like an exploiter-pulled live-game script — can't be traced after the fact.
My script was never watermarked. Do I still have options?
Yes. You can't identify the leaker by the file, but your dated source and git history still prove the work is yours — enough to file a Roblox/Discord DMCA — and you can blacklist the leaker if you identify them another way. Then watermark everything going forward.
Does VerifyUGC scan the web to find leaks for me?
No. There's no crawler or monitoring service. Tracing is manual: when you find a suspected copy, you upload it and the scan names the buyer it was issued to.
Caught the leaker? Make it cost them everywhere.
Report them to VerifyUGC with your evidence and the flag follows them across every protected community — so the next server they walk into already knows. Free to file.