How Riot Games is fighting the war against video game hackers

For as long as there have been video games, there have been people willing to find ways to cheat. Hobbyists have long dedicated themselves to finding vulnerabilities in games, often with the goal of developing cheats that they could share or sell. But ever since online competitive gaming became a legitimate profession, that hobby-hacking has morphed into an entire industry that aims to sell an unfair advantage to those willing to pay.

Developing and selling video game cheats can be a lucrative business, and video game developers have in recent years had to beef up their anti-cheat teams, whose mission is to ban cheaters, neutralize the software they use, as well as go after cheat developers. More companies are taking the somewhat controversial step of deploying anti-cheat systems that run at the kernel level, meaning they have the highest privileges in the operating system and can potentially monitor everything that happens on the machine the game is run on.

One of the most prominent kernel-level anti-cheat systems is Vanguard, developed by Riot Games, which makes popular titles such as multiplayer online battle arena game League of Legends and online first-person shooter Valorant.

Essentially, Vanguard “forces cheats to be visible,” said Phillip Koskinas, the director and head of anti-cheat at Riot who describes himself as “an anti-cheat artisan” who was “put on this earth for the one singular purpose of banning cheaters from online video games.”.

Thanks to Vanguard and the anti-cheat team led by Koskinas, Riot bans thousands of cheaters on Valorant every day, according to a chart shared with TechCrunch.

A chart showing the number of cheaters banned per day, and the type of bans, on riot games’ first-person shooter valorant.

Riot’s efforts seem to be working. As of early 2025, the percentage of Valorant “ranked” games — meaning competitive matches — that have cheaters is now less than 1% globally, the company says.

In an interview with TechCrunch, Koskinas detailed the various strategies that the anti-cheat team at Riot uses to fight cheaters and cheat developers: leveraging the security features in the Windows operating system, fingerprinting cheaters’ hardware to stop them from reoffending, infiltrating cheat communities, and playing psychological games in an effort to discredit cheaters.

Much of Koskinas and his team’s efforts stem from Vanguard having the deepest level of access to a gamer’s computer. To weed out cheaters, Vanguard takes advantage of some of the security features already built into Windows.

First, Koskinas explained, the anti-cheat software “almost universally” enforces some of Windows’ most important security features, such as Trusted Platform Module, a hardware-based security component, and Secure Boot. These two technologies check if a computer has been modified or tampered with, such as by malware or a cheat, and prevents it from booting if so. Then, Vanguard checks that all of the computer’s hardware drivers, which allow the operating system to communicate with the hardware, are up to date to identify additional hardware that can enable cheating. Finally, Vanguard prevents cheats from loading and executing code in the kernel’s memory.

“Basically, all the security features that Microsoft and hardware manufacturers have leveraged to protect the operating system, we use or enforce,” Koskinas told TechCrunch. “We have to have a playground where we can play. We have to enforce a certain level of security.”

But fighting cheaters is not just about technology; it’s also about understanding the cheaters themselves and how they operate.

Koskinas’s team has a “reconnaissance arm,” he said, whose primary responsibility is to obtain and catalog threats, which sometimes involves acquiring cheats. The team obtains cheats in part by using sock puppet identities that have infiltrated cheater and cheat developer communities for years, akin to undercover operations.

“We’ve even gone as far as giving anti-cheat information to establish credibility. We’ll masquerade as though it was something we [reverse engineered], and explain how an anti-cheat technique works to demonstrate that we know stuff,” said Koskinas. “And then leverage our way into something in development, and then sit there until it launches, allow it to acquire users and then ban everybody.”

Do you develop cheats, hack video games, or work in anti-cheat? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email .

Some cheat developers try to stay undetected by only selling to a few customers, essentially marketing their product as high-end, or “premium” cheats, as Koskinas calls them. These premium cheats can cost thousands of dollars, and are sold to only a handful of customers, said Koskinas.

Cheat makers use this strategy to reduce the risk of selling to a Riot undercover employee, but also to customers who will be more careful about blatant cheating and exposing the cheat.

These developers are essentially selling “the reputation of being undetected,” said Koskinas. One of Riot’s anti-cheat team’s “strongest weapons,” he said, is discrediting cheat developers publicly by, for example, banning all their players, or leaking screenshots showing they are inside their Discord channels.

“We can just make them look like fools,” he said.

Koskinas and his team also have to be careful not to come down too hard. By letting a little cheating happen, within reason, Riot can slow down gamers from getting better cheats. “If we hit every player every time, they will just change cheats until they find the one that isn’t detected,” he said.

“To keep cheating dumb, we ban slower,” he added.

To stop repeat offenders, Vanguard can “fingerprint” the hardware that a cheater uses — effectively uniquely identifying their device — to make it harder for that player to obtain a new cheat and continue cheating.
In a more psychological strategy, Koskinas and his colleagues also troll cheaters publicly by calling them, among other things, “a brainless pathogen,” who have an “inability to get good at this video game.”

Thanks to all these techniques and strategies, most cheaters can now be roughly divided into two categories. The first, representing the majority of cheaters, is made up by those who are “rage cheating” by using cheap tools that are easy to detect. Riot employees sarcastically call these cheats “download-a-ban,” according to Koskinas.

“A lot of cheaters, if you think about it, they’re kind of young,” he said. “A lot of them haven’t grown up yet. The way they engage with games is by cheating, and a lot of that behavior is like the power you feel when you do it.”

“They’re going to come back, they’re going to get banned, and they’re just going to do that every weekend for the next two to three years… And then, eventually they’ll hit puberty, and that’ll hopefully do,” Koskinas said, smiling.

The second category comprises those few who use premium cheats that are harder to detect. These tools are known as “external” cheats, Koskinas explains, because they depend on using actual hardware, not just software.

A schematic showing how DMA cheats work (Image: Riot Games)

One type of external cheat relies on a direct memory access (DMA) attack. DMA cheats require players to use specialized hardware — think high-speed PCI Express cards — that exfiltrates all of Valorant‘s memory to a separate computer that can scrutinize the game on dedicated hardware, outside of the purview of Vanguard.

By doing this, the cheater’s separate computer can be used to identify other players; in-game objects like walls, ammunition and weapons; and identify precisely where players and items are in the map. This can also include objects that are not visible to gamers. Then, using the firmware installed on the cards, the cheat creates a radar on a second screen that they can look at to spot rival players — even if they are hidden — to gain an unfair advantage.

A more advanced version of this type of cheat, according to Koskinas, relies on HDMI fusers, which overlay what’s read by the separate computer back on the cheater’s main screen. This way, the cheater doesn’t have to look between computer displays to see where their opponents are, letting them focus on the display they are playing the game with.

These techniques allow the cheater to see through walls — known as “wallhacks” — and grant what is referred to as “extra-sensory perception,” essentially superpowers within the game.

“I think we detect the majority of it today, but it’s kind of iterative,” said Koskinas.

Then there are screen reader cheats, where a computer’s HDMI output is sent to a second computer that detects and classifies what is on the game’s display, such as the head of an opponent player. The second computer then sends back an instruction to an Arduino mini-computer for controlling robotics, for example, which is connected to the cheater’s mouse and lets the player automatically aim at other players — a type of cheat known as an “aimbot.” As Koskinas put it, “basically the mouse, for all intents and purposes, is being governed by a machine.”

If the cheat performs well, it can be hard to detect, but Koskinas said that in the long run, the cheater “doesn’t look like a human player” because of how accurate they are aiming and shooting at their rivals.

“You have to humanize [the cheat] to a degree where the advantage is imperceptible from what a human can do,” said Koskinas. “And once you’re there, you’re not really cheating enough to make it worth it for most users.”

Even then, this technique is popular, Koskinas concedes. The downside is that it requires a potentially expensive second PC with a fast graphics processor to quickly classify what’s happening on the screen and send the instructions back.

Koskinas says he often worries about the use of AI for screen classification, to learn what human inputs look like, and how to reproduce them.

“That’s already here,” he said. “Especially in Valorant with those bright outlines, you can almost do it with just an algorithm […] You could just actually discreetly say if the percentage of this box is enough purple, press the fire key.” For context, characters in Valorant have distinct and vivid color schemes.

Despite the security and privacy risks associated with anti-cheat technology having kernel-level access, Riot has no plans to move away from its approach for its anti-cheat engine, at least for Valorant. Otherwise, it would make it too easy for cheaters to use kernel exploits, according to Koskinas.

In general, Koskinas is trying to be more transparent about Riot’s anti-cheat efforts, including publishing several blog posts on how the company goes after cheaters, as well as talking to journalists. The idea, he said, is that because Riot has “the most invasive anti-cheat by asking people to have a service running at all times,” players deserve to know how the company is using that privilege.

“The best thing I feel like we can do in asking for that level of access and being around like that, is being as transparent about the opacity as we can,” said Koskinas.

“We’re not telling you what’s under the hood, but we’ll tell you almost anything else,” he said.

Fish AI Reader

FishAI

联系邮箱 441953276@qq.com

相关标签