Riot Games vs. Hackers: How They're Protecting Players

The Persistent Battle Against Cheating in Video Games

Throughout the history of video gaming, individuals have consistently sought methods to gain an unfair advantage. Initially, this took the form of hobbyist efforts to identify and exploit game vulnerabilities. These findings were often shared or sold amongst enthusiasts.

However, with the rise of professional competitive gaming, this practice has evolved into a substantial industry. This industry focuses on selling cheats to players willing to pay for an illicit edge.

Escalating Anti-Cheat Measures

The development and distribution of video game cheats has proven to be a profitable venture. Consequently, game developers have significantly expanded their anti-cheat teams in recent years.

These teams are tasked with identifying and banning cheaters, neutralizing cheat software, and actively pursuing cheat developers.

A growing number of companies are implementing anti-cheat systems that operate at the kernel level. This grants them the highest level of access within the operating system.

Such systems have the potential to monitor all activity on the machine where the game is running.

Riot Games and Vanguard

Vanguard, created by Riot Games, is a leading example of a kernel-level anti-cheat system.

Riot Games is well-known for popular titles like the multiplayer online battle arena game League of Legends and the online first-person shooter Valorant.

According to Phillip Koskinas, Director and Head of Anti-Cheat at Riot, Vanguard essentially “forces cheats to be visible.” He describes himself as dedicated to banning cheaters from online video games.

Effectiveness of Vanguard

Riot’s anti-cheat team, led by Koskinas, reportedly bans thousands of cheaters on Valorant daily, as illustrated in a chart provided to TechCrunch.

The company’s efforts appear to be yielding positive results.

As of early 2025, less than 1% of Valorant “ranked” games – competitive matches – globally contain cheaters.

Strategies Employed by Riot’s Anti-Cheat Team

In a TechCrunch interview, Koskinas outlined the diverse strategies utilized by Riot’s anti-cheat team.

These include leveraging Windows security features, hardware fingerprinting to prevent repeat offenses, infiltrating cheat communities, and employing psychological tactics to undermine cheaters’ credibility.

The team’s approach is multifaceted, aiming to disrupt the ecosystem of cheating and maintain a fair gaming environment.

‘We can just make them look like fools’

A significant portion of the work undertaken by Koskinas and his team is rooted in Vanguard’s extensive access to a player’s computing system. To effectively identify and eliminate cheaters, Vanguard utilizes pre-existing security functionalities within Windows.

Initially, Koskinas clarified that the anti-cheat software consistently reinforces key Windows security protocols, including the Trusted Platform Module – a hardware-based security feature – and Secure Boot. These technologies verify the integrity of a computer, checking for modifications or tampering, such as those introduced by malicious software or cheating programs, and prevent startup if issues are detected. Subsequently, Vanguard validates that all hardware drivers, essential for operating system-hardware communication, are current, thereby identifying potentially cheating-enabling hardware. Ultimately, Vanguard obstructs the loading and execution of cheat code within the kernel’s memory.

“Essentially, we leverage and enforce all the security features that Microsoft and hardware manufacturers have implemented to safeguard the operating system,” Koskinas explained to TechCrunch. “Maintaining a secure environment is paramount for fair play; we must enforce a specific security baseline.”

However, combating cheating extends beyond technological solutions; it necessitates a deep understanding of cheaters and their methods.

Koskinas’s team maintains a dedicated “reconnaissance arm” focused on acquiring and documenting emerging threats, which occasionally involves obtaining cheat software directly. This is achieved, in part, through the use of fabricated online personas that have been embedded within cheater and cheat developer communities for years, functioning similarly to undercover operations.

“We have even provided anti-cheat information to gain trust. We might present it as something we independently discovered, explaining how an anti-cheat technique functions to demonstrate our expertise,” Koskinas stated. “This allows us to gain access to projects in development, monitor them until launch, and then ban all users.”

Some cheat developers attempt to evade detection by limiting sales to a select clientele, positioning their products as exclusive, or “premium” cheats, as Koskinas describes them. These high-end cheats can command prices in the thousands of dollars and are distributed to a limited number of users.

This strategy aims to minimize the risk of selling to an undercover Riot employee, as well as to customers who are less likely to engage in overt cheating or expose the cheat’s existence.

These developers are, in effect, selling “the assurance of remaining undetected,” Koskinas explained. A key tactic employed by Riot’s anti-cheat team is publicly discrediting these developers, for instance, by banning all their players or releasing screenshots revealing their presence within developer Discord channels.

“Our goal is to expose them as fraudulent,” he said.

Koskinas and his team also exercise caution in their enforcement approach. Allowing a degree of cheating, within reasonable limits, can hinder the development of more sophisticated cheats. “If we were to ban every player immediately, they would simply switch cheats until they find one that evades detection,” he noted.

“To maintain a low level of cheating sophistication, we implement bans at a slower pace,” he added.

To prevent recurring offenses, Vanguard can create a “fingerprint” of the hardware used by a cheater – uniquely identifying their device – making it more difficult for them to acquire a new cheat and continue their activities.
Furthermore, Koskinas and his team employ psychological tactics, publicly deriding cheaters with terms like “a brainless pathogen” and highlighting their “inability to improve their gameplay skills.”

The Spectrum of Cheating in Online Games

Modern cheating methodologies within online gaming broadly categorize players into two distinct groups. The larger segment engages in “rage cheating,” employing readily detectable, unsophisticated tools. According to Koskinas, Riot Games personnel colloquially term these instances “download-a-ban” due to their swift identification and subsequent account restrictions.

Koskinas observed that a significant proportion of these cheaters are younger individuals whose gaming experience is intertwined with the act of cheating itself. The perceived empowerment derived from circumventing game rules fuels this behavior.

He postulates a pattern of repeated offenses, with these players frequently returning after bans to resume cheating on a recurring basis. Koskinas humorously suggests that maturity, specifically reaching puberty, may eventually curtail this cycle.

Conversely, a smaller, more sophisticated group utilizes premium cheats that present a greater challenge to detection. These are classified as “external” cheats, as they rely on dedicated hardware rather than solely software-based solutions, as explained by Koskinas.

One prevalent form of external cheating involves a direct memory access (DMA) attack. Such attacks necessitate specialized hardware, including high-speed PCI Express cards, to extract Valorant’s complete memory data to a separate computer for analysis, bypassing Vanguard’s protective measures.

This secondary computer can then identify the locations of other players, in-game elements like walls and weaponry, and even objects not normally visible to legitimate players. Utilizing firmware on the cards, a radar display is generated on a second screen, providing the cheater with real-time awareness of opponents, even those concealed from view, thus conferring an unfair advantage.

An even more refined iteration of this technique employs HDMI fusers, which project the information gleaned by the secondary computer directly onto the cheater’s primary screen. This eliminates the need to constantly shift focus between displays, allowing for uninterrupted gameplay.

These methods effectively grant the cheater the ability to see through walls – commonly known as “wallhacks” – and bestow what is described as “extra-sensory perception,” essentially providing superhuman abilities within the game environment.

“We currently identify the majority of these instances, but it’s a continuous process of adaptation,” Koskinas stated.

Another approach involves screen reader cheats, where the game’s HDMI output is routed to a second computer. This computer analyzes and categorizes the visual information, such as identifying an opponent’s head. Subsequently, it transmits instructions to a microcontroller, like an Arduino, connected to the cheater’s mouse, enabling automated targeting – a type of cheat referred to as an “aimbot.” In essence, the mouse movements are dictated by a machine, as Koskinas described.

While effective, these cheats can be challenging to detect. However, Koskinas notes that over time, the cheater’s performance deviates from typical human capabilities, revealing their artificial assistance through exceptionally precise aiming and shooting.

“The cheat must be refined to a point where the advantage is indistinguishable from human performance,” Koskinas explained. “At that level, the benefits may not justify the effort for many users.”

Despite this, the technique remains popular, Koskinas acknowledges. A significant drawback is the requirement for a potentially costly second PC equipped with a powerful graphics processor to rapidly analyze the screen’s content and transmit control signals.

The Evolving Landscape of Cheating in Games

Koskinas expresses frequent concern regarding the potential for artificial intelligence to be utilized in screen analysis. This involves learning to identify genuine human input patterns and subsequently replicating them.

“This capability is already present,” he stated. “Particularly within Valorant, given its prominent character outlines, algorithmic replication is becoming increasingly feasible. A system could conceivably determine whether a sufficient percentage of a defined area displays the correct color, and then automatically trigger the firing mechanism.” It’s important to note that characters in Valorant are distinguished by their vibrant and unique color palettes.

Despite acknowledged security and privacy concerns stemming from the kernel-level access required by anti-cheat systems, Riot Games currently has no intention of altering its strategy for its anti-cheat engine, specifically concerning Valorant. According to Koskinas, such a change would unduly simplify the process for cheaters to exploit kernel vulnerabilities.

A broader initiative undertaken by Koskinas involves increased transparency surrounding Riot’s anti-cheat measures. This includes the publication of multiple blog posts detailing the company’s methods for identifying and addressing cheaters, alongside engagement with media outlets.

He explained that, given Riot’s implementation of “the most intrusive anti-cheat by requesting a constantly running service,” players are entitled to comprehensive information regarding how this access is utilized.

“Our approach centers on maximizing transparency regarding the inherent complexities of our system, acknowledging the level of access we request and maintain,” Koskinas elaborated. “While we won’t disclose the internal workings, we are committed to providing clarity on all other aspects.”