Are gaming cheats a gateway to hacking?
Many hackers are gamers and some gamers are hackers. But is it ethical, or even legal? As it turns out, the answer is far from straightforward.
There is a high chance that many of today’s cyber criminals were introduced to hacking through modifying computer games. It’s also likely that many ethical hackers, like bug bounty hunters, came into the craft the same way.
Jake Davis (alias Topiary) is a legend among hackers who was associated with the internet group Anonymous and now promotes ethical hacking in schools and elsewhere. He says modifying games got him hooked. His first experience came at 10 years old, when playing 3D Pinball that ran on Windows XP. “I asked myself, how could I hack it. I noticed it stores a Windows registry entry with the score. You can change it. From there, you learned how to access Windows registry files, how the file window operates with the rest of the operating system and so forth.”
It was a valuable lesson, he argues, for any new programmer. “You’d learn how a file becomes a file and what files are detected by. That is a good basic skillset in the world of hacking. It is looking at reverse engineering”.
Many young hackers today may have had a similar experience. Yet the UK government increasingly sees gaming as a threat – as a pathway into hacking. One post by the UK National Crime Agency says, “booting someone offline whilst playing online games may seem like a harmless joke but is still illegal”.
Obviously, this gaming path doesn’t always lead to life as a hacker. Davis says: “If you ask anyone who codes programs or is in the tech world about where they started, gaming modification is a part of it”.
However, the impulse to start hacking other players can originate from sheer annoyance and irritation. That may be as true today as it was for the young Davis, who in the early 2000s played Diablo II, an action role-playing hack-and-slash video game developed by Blizzard North and published by Blizzard Entertainment.
He found it painful to watch how other players hacked and destroyed a computer game he loved. “They came in on the server and were killing everyone.” His irritation led him to develop his first real cheat for the game.
“I modified the game to gas out the entire map, all of it, and got around to get everyone’s loot,” he says. “I used memory editing software to alter the value of a certain type of character attack, greatly amplifying its effectiveness”. The hack froze his own system, but then he logged back in and “everything was dead. There was loot everywhere”.
Usually the shelf life of cheats is short. “With a game like Overwatch, even if you magically get away with it, someone else will come along and do the same thing clumsily. They get detected and their detection gets you. You are done and permanently banned”.
Cheating and game modification are reported to be increasing worldwide. A 2018 survey by Irdeto, a service for platform security, found that around a third of gamers admitted using cheats to improve their chances online. The result is often dissatisfaction among the rest of the gamers. Some industry experts say it is an exaggeration. Yet, with gamers’ satisfaction at stake, caution may be prudent. Sadly, the results also indicated that only 12 per cent of online gamers never had their experience negatively affected by cheating. When cheating makes games less appealing to play, logic suggests fewer players, which means less revenue for gaming companies. It can make them nervous.
This is why gaming networks like Steam, a video game digital distribution service by Valve, cracked down so hard on cheating and game modifications in various ways. One of Steam’s tactics was its Valve Anti-Cheat, or VAC. It is an automated system designed to detect cheats installed on users’ computers. When a gamer with cheating software installed logs on, VAC bans them from playing on VAC-Secured servers.
Erik Arfvidson, head of cyber security at Blade Group’s Shadow – a gaming streaming service that helps transform devices into gaming PCs – says some ethical people cheat because of sheer laziness or lack of time. Arfvidson, who used to be a passionate gamer himself, remarks that he does not have the 200 extra hours in his week to chase a new level status. Cheats help reduce the repetitive grinding that takes place in games. In his view, cheating is ethically acceptable up to a certain point, such as when it doesn’t affect the experience of other players.
In a competitive environment, it is a whole different ball game, he concedes: “It is frustrating. I hate it. You try to get better at the game, and someone just comes and destroys it for you.” He argues that cheating has its place, but not in a professional environment.
Where to draw the line? Experience suggests few gamers may dare to cheat professionally. For many, their reputation is at stake and if they do it, they may quickly get booted out of tournaments. When the gaming squad OpTic India cheated at the Extremesland Zowie Asia CS:GO 2018 tournament, the VAC system spotted OpTic team member Nikhil ‘Forsaken’ Kumawat using an aimbot. The team eventually disbanded.
Yet Arfvidson says cheating at microtransaction games is – to some extent – acceptable. Microtransaction games rely on a business model where aspects of a game’s contents can be purchased to enhance the game experience for the player. Cheating obtains items that others would need to pay for. “It gets expensive,” he says.
When game developers push microtransactions, it can cause outrage among gaming fans. For example, when legendary gaming event Hunt and Iron Crown Collection introduced new items, they could only be unlocked through the purchase of special Apex Pack loot boxes, not challenges.
Gaming fans of Star Wars Battlefront II revolted against microtransactions, loot boxes, character progression and perceived pay-to-win mechanics. The result: a loss in reputation before the game even launched. Another example is from Mortal Kombat 11 – one gaming enthusiast calculated that, due to the considerable amount of customisation and unlocks in the game, it would take $6,440 USD to unlock every skin, or well over 3,000 hours of playtime.
“You have some parents freaking out when their kid just spent $300 on buying items in games,” Arfvidson adds.
Davis says microtransactions are as abusive and morally reprehensible as high street gambling shops. “If a single player game is trying to charge you $99 for some sort of extra item that is necessary to progress, every week, you can’t blame someone for wanting to find a way around it. Pay-to-win is not what gaming should be about.”
A lack of parental control can add to the problem, says Paul Dignan, Systems Engineering Manager at F5 Networks. The difference between Xbox and PlayStation for the game Fortnite shows it. On the Xbox, there is a child account with specific restrictions on what players spend, and the need for parental authorisation. “On the PlayStation, you can’t play it with a child account, you need an adult account. I see people giving their kids adult accounts, allowing children to make payments without parents’ knowledge.”
Online gambling is also vulnerable to hacking. Cédric Messeguer, deputy managing director of business development at cyber security firm Digital Security, says players hacked opponents at online poker. They gained access to other participants’ cards to win the stake.
Emotions can play a large role in why some cheat. Davis describes the frenzy he felt when he competitively played first-person shooters online with a microphone. “You get into a real state,” he argues. “You think you are nice and calm. Three hours later, you are shouting at someone, and then you ask yourself ‘what’s wrong with me?’”.
When you are in that state, it can lead to a bad choice, and Davis says “that is usually a quick fix, a quick dopamine hit, which is to take the whole server offline. Then the police come knocking on your door”.
The latter scenario can be very real and sobering, but it is a way to reduce the number of court cases. Davis comments that nowadays in the UK, “they normally don’t [make it to court] because the National Cybercrime Unit knocks on people’s doors and asks them kindly ‘can you stop doing that mate, we don’t want to take you to court over this because it is just boring for everyone’”.
Attacking specific usernames that killed you on a multiplayer game, he says, can be a way to let off steam. It is exacerbated because gamers love their usernames. “Often they are unique. They use [their username] everywhere. If I was killed by Crusher99 in Call Of Duty, that is also Crusher99 in Overwatch.” As players use them everywhere, those that get upset in a game may just get their revenge by attacking the person behind the username, Davis says.
“Someone’s killed them. Now their character is dead they must wait a minute to be reborn,” he adds. “They might google the username of the character that killed them on Instagram and then post about it in the [gaming] chat. [It is] just because you want to get revenge quickly on people on the internet shouting at you through a microphone.”
Wreaking havoc in multiplayer games used to be much easier. For example, a player who got annoyed at another person beating them at a first-person shooter could cause a distributed denial-of-service (DDoS) attack. This used to be a viable option. DDoS typically involves malicious actors sending huge amounts of traffic to overwhelm and disable a targeted system.
Those with that intent can purchase so-called ‘booters’ – an amount of bandwidth or runtime – and then fire it at someone. It doesn’t work so well anymore because of the computing power and number of bots needed to take down modern gaming infrastructure. Ten years ago, 50,000 bots could take down quite a lot, but “now you are looking at a ludicrous amount, yet these botnets still exist,” Arfvidson says, and one need look no further than the Darknet, where botnets can be purchased for less than $50 USD.
DDoS attacks on Blizzard Entertainment that brought its gaming platform to a standstill show it can still pack a punch. Yet, most people have implemented basic distributed denial-of-service prevention that makes successful attacks less likely. However, NGFW (next generation firewalls) and the like can be expensive for companies, Arfvidson says.
When it comes to money, game hacks and cheats can be extremely lucrative for those who trade them. Cheats are sold on encrypted chat forums and are hard to police, but there is backlash even there. A representative of Discord, a proprietary digital distribution platform designed for video gaming communities, wrote in a Reddit post that it bans anyone who operates a server that distributes hacks with intent to sell.
The recent arrest of four Chinese hackers who were creating and selling cheats shows it can be very profitable, but very risky. Police said the group made $140,000 before their arrest. In 2018, the Chinese police arrested 15 people suspected of creating cheat programs for the game PlayerUnknown’s Battlegrounds (PUBG), an online multiplayer battle royale game.
Buying cheats isn’t just risky for the creators. One reply to a Quora (Q&A forum) post as to whether cheats work in online games stated: “Yeah, some of them work, for offline games. But let me warn you, do not EVER look for cheats/generators/etc on online games. Because almost all of them contain viruses and won’t work.” This suggests the industry is beginning to self-regulate.
Whether ethical or unethical, in some countries cheating in games makes you a criminal. In 2016, the South Korean government passed an amendment into law to crack down on video game hacks and modifications. If guilty, perpetrators can face up to five years in prison or be fined $43,000.
The lawfulness of selling cheats is still widely debated. On Stack Exchange, an online forum for developers, the question of legality frequently appears. The person who started the group ‘sells game hacks for a living’. One respondent wrote “selling a cheat isn’t illegal. You are not breaking the ToS [terms of service] if you’re not the one using it”. Another labelled it as illegal: “All modern ToS will not allow you to reverse engineer the software.”
This ‘grey zone’ with everlasting debates will help to keep the market for buying and selling cheats online vast. To many outside the ethical hacking and gaming sector, the connection between gaming modifications and serious criminal cyber-attacks is cloudy. This is unsurprising as cheats become more sophisticated. Some game hacks are even demonstrating ‘malware-like behavior’, Santiago Pontiroli wrote in a cybersecurity company blog post. These evasion features and techniques would “rival those of advanced persistent threats”.
Cyber security companies serving game manufacturers fret about players’ data, too. Digital Security’s Messeguer explains there is a chance that leaked data can aid in impersonating identities. There is no shortage of precedent for leaks. One is the Zynga case from last September. A cybercriminal claimed to be responsible for breaching the data of more than 200 million Android and iOS players of games by Zynga, a publicly listed company that developed FarmVille on Facebook.
However, Davis says some of the best game mods come from community hackers and help games to be popular for many more years than developers anticipated, solely because of these game modifications being available.
So, is hacking games ethical? Davis says it really depends on how you do it. If you’re hacking in an e-sports game where people are making money from it and are getting annoyed because it is a ranked high-level game, “it is maybe a bit dodgy.
“Honestly on an individual game, it is alright to modify the code. We own the game. If we’re not going to the top of the leader board and profiting off it, that is OK if you don’t want to play something for 200 hours”.