OSRS scams: The TOA plugins scam

TOA scam, skull, maenmiu logo

Old School RuneScape is a very captivating MMO, and like in any MMO where the in game currency has value outside the game, there are players who want to become wealthy the right way, and players who just want to take advantage of others. The TOA plugin scam is way older than TOA, and there are many variations of this scam. Outside of the gaming world it is known as the pig butchering scam because the scammers “use intricate scripts to <fatten up> the victim (gaining their trust over hours, days, weeks or months) before the <slaughter> (taking them for all of their money)” according to the very well documented r/scams wiki.

You might like

Understanding the scam

The scam consists of several steps, but is heavily focused on gaining the victim’s trust. Scammers generally go to popular group content hubs such as Tombs of Amascut, but before that they used the Nightmare, or even the other raids to pick their victim. They usually work in groups of two or more to make the victim feel even more comfortable. Once you respond to them they will be extra nice and friendly, but keep in mind that they are fattening you up. Many of them use discord to gain your trust further and they will make you think they are your new friends.

This doesn’t mean that anyone who PMs you at TOA or invites you over to discord is a scammer, in fact, these scammers often copy natural bonding strategies to incorporate in their fattening the victim part, so adding people on discord or voice calling them during raids or any other content is not the red flag here.

Faking legitimacy

Scammers often fake being legit on discord by copying the traits of legit accounts. For example they will name their discord accounts a real name instead of an in game name. This serves a double purpose for the scammer: knowing their fake name will give you the illusion of closeness since you think you know something about them and makes them non-trackable – you won’t be able to link their discord to their in game name.

They will often use very common names such as Jack, Ben, etc. or any variations that include these very common names so they are both easy to remember and harder to identify. They are very likely to have an actual human profile pic so you don’t doubt their identity, but keep in mind that that’s not an actual photo of them, but a small step to make you trust them. These are traits of legit accounts, so again, you won’t be able to differentiate them from a legit player at this stage.

More often than not they will have that discord account on a huge OSRS discord servers like the star mining server or the official discord server, but they won’t have their discord accounts linked to any rsn.

The date when their account was created is irrelevant since successful scammers have been doing this for years, so they can have many burner accounts.

At this point a not fail safe method to find whether they are legit or not is to ask them what clan they’re in and to join in the clan and see both the cc and the discord. It is highly unlikely they will want to bring you in a legit clan they might be in since they want to scam you, and it is also very unlikely that they have a fake clan.

Building trust

From the moment you first interact with them until the moment when they feel they have earned your trust and finally proceed with their final act their whole goal is to build trust with you, learn as much as they can about you, and win you over. They will befriend you, invite you to raid together, ask you to hang out in voice where they use fake friendliness to earn your trust further. Over voice they will fake vulnerability in any way they can, like sharing their screen or sharing fake personal stories, as well as act super interested in learning about you.

The issue

After building some level of trust whether in the same day or week or in the next, when they feel you trust them, they will then “prove” to you that you have an issue. That issue is often the lack of a plugin or client feature they will show you. They will share their screen or send you screenshots to let you know how cool that new feature looks. This is something a legit Raid teacher will do two since they want to make sure you have all the tools you need to succeed in raids. Their co-scammer will back them up about the plugin or other feature you’re missing.

Keep in mind that a legit raider will only ask you to get a different plugin from the plugin hub within the RuneLite client or to import ground markers directly in the client from the runemarkers.net website where you only need to copy them and not download anything. The scammers will always ask you to download something from a link they send you or tell you about. And this is why all the struggles to earn your trust, so when they ask you to download something you will not be suspicious of it.

Scammers might also send you unrelated legit links beforehand to test just how likely you are to click on them, how fast, and whether you question it or not. Once they think you trust them they will send you the link.

The scam

If you click on the scam link there are several scenarios that can happen. One unfortunate scenario is that they will take over your account, bring you in the Wilderness and kill you and this happened to a few players. On March 2nd this year a player posted about their friend: “He went to the website and proceeded to install the file he downloaded. The program was actually <EdgeWebView> and allowed the scammer to take over my buddys pc. The scammer then killed my buddy somewhere in wildy to get his gear (or at least our guess, based on his acc being in lumby like he was killed) before my buddy was able to force disconnect from the scammer”.

In December 2023 another player posted that they “downloaded Osbuddy and they <the scammers> changed my login and everything”. Another victim from December 2023 posted “they told me to leave the raid area. As soon as I did, the client closed on its own and the call was ended and Jack blocked me on discord. Immediately, I realized I was the biggest idiot and had just gotten scammed”.

How to avoid scammers

To avoid this scam an many other scams never download anything external or click on links sent by random players, even if you believe they are your friends. Join a clan if you want to make friends an have people to play with and remember that if it’s too good to be true, it probably is.

Further read