Tradecraft - How cheat vendors rely on counterintelligence to stay in business
- Andrew Hogan
- Sep 4

The battle against cheating is often compared to a game of cat and mouse, with the cheat developers as the mouse, and Game Security the cat.
Most of the time this is a fair description. But it’s only half the picture.
As the cheat industry becomes ever more professional and savvy, the tables are often turned with Game Security teams forced to hide their tracks and sneak around, as the cheat developers become the hunter.
Because while publishers pour resources into detecting and banning cheaters, the cheat developers are playing their own game of counterintelligence, staying one step ahead with methods that look more like cyber warfare than selling aimbots.
The business of cheating
As discussed in previous blogs, cheat development isn’t just a hobby - it’s a lucrative business. Popular multiplayer games like Escape from Tarkov, Valorant, and Counter-Strike 2 face constant waves of players using wallhacks, aimbots, and even subtle “soft aim” tools that are nearly impossible to detect by human observers.
Even so, cheating operates in a legal grey zone, where the act of cheating is usually not in and of itself illegal, but messing with game code to inject cheats into the game is, as it infringes Intellectual Property Rights. So whilst cheat development can lead to Cease and Desist notices, and if those are ignored, getting taken to court, this is still relatively rare.
Because of this, commercial cheat developers, particularly when operating through resellers, tend to operate more openly than other cyber criminals, either on the web or in widely used chat applications. These online channels are used for sales, marketing, and customer support for the cheaters who make up their client base.
All of which goes to make these ‘brands’ seem as legit as any; particularly when you go to pay for your cheat and get to choose between using Apple Pay, Visa or PayPal.
But there’s another side to the business.
Counterintelligence tactics
Behind the scenes, these operations are more akin to the organizations found in other black-market sectors - the kind you’d expect to only find on the dark web. And just like other digital bad actors, their survival depends on outwitting their victims - the game publishers and their anti-cheat partners. So, to avoid detection and stay profitable, cheat developers engage in sophisticated counterintelligence operations.
Before looking at the steps they take, it’s worth reminding ourselves why they go to such great lengths. After all, if cheating is a legal gray area, with serious legal ramifications for cheat development rare, why bother?
As for any business, it’s about money.
For serious cheat developers, revenue and profit rely on your reputation for providing cheats that are reliable and deliver on the features they promise; cheats with decent ‘uptime’ that aren’t constantly crashing or being detected by the publisher’s anti‑cheat.
That’s why they go to lengths like these:
The basics
Cheat developers will create fake identities, false trails, and even dummy companies to confuse investigators. They register websites through offshore shell companies, privacy-protected WHOIS records, or with stolen identities. They might seed fake clues pointing to someone else or to a country with weak enforcement to throw off legal action.

Coupled with this, they will often change their brand name. As well as helping from an opsec point of view, this anonymity has also helped a few devs when the time comes to pull an exit scam.
Infrastructure and hosting
Something that often surprises people is that cheat developers and vendors aren’t hiding out on the dark web with .onion addresses. This is simply because it would limit their sales, as the majority of gamers, even cheaters, don't want the hassle of hunting round the dark web. Remember the devs are in it for the money, which usually depends on reach (unless, as we’ll see, they’re aiming for a more exclusive user).
To compensate, the security-conscious will use Virtual Private Servers to host their sites and register their domains with providers focused on privacy such as Njalla.
Private forums
Many of the most respected and reliable cheats are sold through private forums that won't let just anyone join and start buying cheats. Often referred to as slotted cheats, these are sold to a limited number of people - e.g. 30-50 slots only.

They sell via word of mouth rather than YouTube. New users are vetted, sometimes interviewed, and asked to share real world ID. And unlike the large resellers, they only accept payment in crypto.
Reverse engineering anti-cheat software
Cheat developers frequently analyze anti-cheat systems to understand how they work, often using reverse engineering. Whilst anti-cheats like BattlEye and Riot’s Vanguard run deep scans on players’ systems, cheat creators disassemble these binaries, trace system calls, and learn how detection is triggered.
Decoy environments like virtual machines or sandboxes are used to run anti-cheat tools safely and see how they react to specific cheats.
Code obfuscation and encryption
To prevent detection, cheat code is heavily obfuscated and often encrypted. This means even if anti-cheat software scans a player’s memory or running processes, it may not recognize the cheat due to its scrambled nature.
Some cheat loaders use polymorphic code - programs that constantly rewrite themselves to avoid pattern-based detection, whilst others inject code dynamically and unload it from memory after execution.
Kernel-level access
Many cheats now run at the kernel level, the same level as the operating system itself. This allows them to hide from user-level anti-cheat systems. Kernel drivers can read memory, modify processes, and evade traditional detection.
Several anti-cheat systems have also moved to the kernel level. This is effective but, as has been reported elsewhere, it raises security and privacy concerns which are much debated in player communities.
Hardware spoofing and serial masking
In earlier blogs, we’ve talked about how cheat developers often bundle hardware ID (HWID) spoofers with their tools to help users avoid permanent bans. These spoofers change or mask hardware serial numbers, allowing banned players to return without buying a new computer.
Some users claim they are just protecting their secrecy when using a spoofer, but the bulk are used by experienced cheaters. They’re either hiding an original HWID that has already been banned and logged on the game server, or they are simply savvy enough to hide their HWID in the first place. Either way, they’re unlikely to be first timers.
As more players get banned due to improving anti-cheats, spoofers have become a critical product in cheat marketplaces, often sold separately for use after a ban.
Insider intelligence and honeypots
In some cases, in a classic double-agent move, cheat developers try to infiltrate cheat detection teams or forums where game developers monitor activity.
We’ve even seen instances where they’ve set up honeypots to catch investigators or game company employees pretending to be customers.

This is one reason we would always caution against publishers doing too much of this infiltration themselves - it’s just too risky and easy to get a persona burned.
Update lag and "Silent Periods"
Cheats will often go offline during major game or anti-cheat updates. These “silent periods” are used to analyze new patches without triggering detections. Cheat developers often recommend users wait before playing again to avoid mass bans after updates. Fortunately they don't always listen!
What goes around…
The good news is devs will sometimes make mistakes.
These range from stupid things like reusing aliases from hacking and cheat forums that are tied to real accounts on other platforms, to registering the domain under their real name or using traceable hosting. And of course, there's just selling to customers who shouldn't have passed vetting and end up sharing screenshots as they brag!
In at least two cases, renowned cheat developers were brought down as a result of some operators reusing personal emails and user names. In another, investigators were able to trace domains, payment addresses, and activity on public forums to identifiable individuals.
After all, good opsec only buys you time — it doesn’t make you immune.
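The kind of linkage described above (reused aliases and emails tying domains, payment addresses and forum activity together) can be sketched as selector clustering. This is an added example, not code from the original post; every record, alias, address and name in it is a constructed placeholder, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed sample data: (source, record id, selectors seen on that record).
RECORDS = [
    ("cheat_forum",  "seller-post-1",    {"alias": "n1ghtfox", "email": "fox@example.org"}),
    ("whois",        "shop-one.example", {"email": "Fox@Example.org"}),
    ("payment",      "invoice-17",       {"wallet": "WALLET-PLACEHOLDER-1", "alias": "n1ghtfox"}),
    ("public_forum", "profile-88",       {"alias": "N1ghtFox ", "real_name": "Name Placeholder"}),
    ("whois",        "other.example",    {"email": "unrelated@example.com"}),
]

def normalise(kind, value):
    """Fold case only where it is not significant; wallet strings stay as-is."""
    value = value.strip()
    return kind, value.lower() if kind in {"alias", "email"} else value

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def link_records(records):
    """Return (clusters, evidence): records joined by any shared selector."""
    parent = {rid: rid for _, rid, _ in records}
    seen = defaultdict(list)  # selector -> record ids carrying it
    for _, rid, selectors in records:
        for kind, value in selectors.items():
            seen[normalise(kind, value)].append(rid)
    # Only selectors that appear on two or more records count as a link.
    evidence = {sel: rids for sel, rids in seen.items() if len(rids) > 1}
    for rids in evidence.values():
        for other in rids[1:]:
            parent[find(parent, other)] = find(parent, rids[0])
    clusters = defaultdict(set)
    for rid in parent:
        clusters[find(parent, rid)].add(rid)
    return sorted(clusters.values(), key=len, reverse=True), evidence

if __name__ == "__main__":
    clusters, evidence = link_records(RECORDS)
    for cluster in clusters:
        print(sorted(cluster))
    for (kind, value), rids in evidence.items():
        print(f"shared {kind}={value!r}: {rids}")
```

The evidence map is kept alongside the clusters so that each link can be traced back to the selector that produced it, which matters because a common alias alone is weak attribution.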

Conclusion: a never-ending cyber arms race - aka Spy vs Spy
Cheating in online games has evolved far beyond simple hacks and trainers. Today’s cheat developers are more like cybersecurity adversaries, using reverse engineering, obfuscation, and counterintelligence to stay ahead.
For game developers, maintaining fair play isn’t just about banning cheaters, it’s about winning an ongoing war in the code.
So long as there’s profit to be made and players willing to pay, the fight between cheat developers and anti-cheat systems will continue and grow ever more sophisticated.


