The Economics of Video Game Cheating

Interesting article on the business of selling enhancements that allow you to cheat in online video games.

Posted on May 5, 2014 at 6:55 AM • 20 Comments


Bob S.May 5, 2014 7:29 AM

Who would think cheating video games is a multimillion dollar business?

Can the end times be far anymore?

Is their a cheat sheet for that, too?

AlexMay 5, 2014 9:25 AM

Remembering modern military see-thru-walls technologies for urban warfare.

DawnFalconMay 5, 2014 10:30 AM

Bob S. - Oh heck, it's been bigger than that. "Gold farming" in massively multiplayer games dates back to the turn of the century,

Two of the major players were Yantis with "MySuperSales" and Brock Pierce's "IGE"...which eventually merged, and then they started buying up game sites...including Thotbott (/the/ old WoW database) and OGaming and Allakhazam...which became, and they ended being involved in gold farming.

See, that's another thing...cheating in MMO's in /achievement/ per-se (gold buying, power leveling) is frowned on, but cheating in exploration (database sites) isn't...even though the database sites now have premium memberships as well, and hence are also "paid cheating" and part of that industry.

Who owns many of the biggest database (and addon) MMO sites today?
That's right, (Who, these days, are a subsidiary of Tencent, the fifth-largest internet company, and own Riot Games (who have a database for, LOLKing...))

Cheating is *big business*.

mmorpgerMay 5, 2014 4:20 PM

One of the things I noticed with Guild Wars 2, which I recently started playing, is how you can buy gems for the online store with cash and sell them to other players in-game for gold. There's even a nice little graph showing the price curve over time. This way, gold farming is integrated into the game with the owners collecting the profits as opposed to some third party. Those who want to spend money can. Those who don't can trade in-game for what that money buys.

Perhaps the wave of the future?

Perhaps something the owners could rig fairly easily to keep folks playing and paying? It does seem as though the gem/gold ratio never really drifts far enough to make a profit trading.

GweihirMay 5, 2014 7:40 PM

The solution is simple: Just tie accounts to an expensive to replace ID and then share bans between games. These scum are not part of the civilized world, make them feel it.

qmcMay 5, 2014 7:58 PM

mmorpger, this is true, yet there are still sites spammed in-game that will give you better exchange rates on gold and items. But the spam at least seems significantly cut down, merely by providing an easy way to "legitimately" provide the real money trade to in-game currency.

ThothMay 5, 2014 9:14 PM

More people are spending their time on games and the blurring of the real world and the virtual world is taking place at an accelerated pace, thus, it is rather sensible to target the desires of people.

Nick PMay 5, 2014 10:11 PM

@ Gweihir

Most video game cheaters have a decent amount of money. Making an expensive ID would likely do more harm to poor and working class gamers, while also reducing revenue for game companies. I also think it would create more incentive for malware writers to grab and sell the ID's, leading to bans of good players ID's.

KhavrenMay 6, 2014 8:10 AM

Neal Stephenson used this concept as the background for his most recent novel:

What interests me, and probably the feds, is the money laundering aspect. I believe there is a legal requirement in the US to be able to restrict sending money to terrorist organizations, and gold farming is a way to transfer wealth with less tracking than bitcoins.

GweihirMay 6, 2014 8:40 AM

@Nick P: That would be the two tricks to do here:

1. Expensive to _replace_ but not to get initially.
2. Make sure it cannot easily be stolen.

But I realize this is pretty similar to other things. Basically, it is a secure, personalized token that is required and the problems of getting that are well known.

There is a second solution I like in one online game (don't remember the game they do this in):
All the cheaters get banned to a cheater-server. They can then cheat each other all they like. The advantage is that unlike with a direct ban, the game provider does not lose money, at least not initially and so they may be more aggressive with that.

DragonlordMay 6, 2014 8:52 AM

@Gweihir - The problem is that most gold farmers use trial accounts which are tied to an e-mail address to do the actual farming by using all of the tricks necessary to get the characters to where they can make the money.

The MMORPG providers need to provide trial accounts in order to provide an incentive for people to test the game and possibly convert to paid subscribers.

The gold sellers also buy gold off of legitimate players who have accumulated more than they need for cash, and then sell that money on in game for more cash.

And finally there's the "levelling" services that are available where they will level your character to whatever you want for a price.

IroMay 6, 2014 11:30 AM

Now this is a really interesting use case with a lot to learn about relation between social aspects and technical security.

Game tells user: disable security if you want to play. User wants to play, complies.
Cheat-kit tells user: disable security if you want to cheat. User wants to cheat, complies.
Program tells user: click here to see dancing pigs ... you get the picture
Pavlov's dog at it's best.

So who is "good" and who is "bad" here? Bad game company who uses a rootkit to achieve a better game experience for 95% of their customers, and to protect their revenue by not allowing a few cheaters to break their product?

This is the very first use case I know where a strong DRM-like scheme would in fact provide *direct* benefit to most users: if you don't want a few people to ruin the game, don't let them run the game on a machine which they control.
I hear people yelling "NO - it is MY PC, I want full control!". Reminds me a bit of Kant's categorical imperative as answer to people saying "I want my freedom to the fullest extent, no matter what". Maybe the solution is to have a user-controlled PC for "real" stuff and a vendor-controlled box for games.

While writing I note the analogy to music/movie DRM discussion. But there are key differences:

a) There is no *direct* benefit for users who accept a content DRM scheme. Content providers just claim that there might be benefits in future, if everyone pays. And that some of those benefits might result in slightly lower prices for everyone. In practice there are massive issues with content DRM, but only for paying customers.

b) The market is different: real world shows that content business is fine even without DRM. So it seems a few copycats don't ruin the market. But in games, esp. MMOs, a few cheaters ruin a whole game economy.

xd0sMay 6, 2014 12:06 PM

The argument can be made that free-to-play gaming business models evolved directly in response to the gold farming / in-game item markets created by gold farmers. Most publishers wanted a cut of the action, so lower cost games with in game purchases, including gold, specialty items, and boosts started to appear. In the eyes of the publishers the gold farmers were a tolerable nuisance (once the bans on trial accounts were implemented in many games) because they were paid accounts to the publisher, which tolerated the farmers long enough for the farmer to see return, then in response to the user push, the farmer gets banned, and buys another account. In the interim the farmer made money, some players got what they wanted (levelling or gold or items).

Levelling services are interesting variants as they typically required a "give me your account info so I can log on as you" to be successful. This violates terms of use in most games and are pretty bad security, as unless the user is diligent in changing passwords the account is exposed to future theft of items or gold etc from the same people that leveled you in the first place for money. These are more of a liability to the publisher due to the risk of theft and replacement of items (not a direct cost but a support call and customer satisfaction cost).

Overall the gaming world in some ways led the way for micro-transaction business models, which in some ways was driven by the gold farmer in the first place. The fraud and money laundering issues are likely still being re-learned by a new set of programmers and folks who in the past never thought about this level of security.

Nick PMay 6, 2014 2:55 PM

@ Gweihir

That's actually an interesting scheme. I did play one where there were a few dedicated servers that had no rules. Lots of cheaters there. I'm not sure that these approaches will work as many cheaters enjoy the power trip they get from dominating honest players. (eg "raging") Playing against other cheaters often plays out differently.

@ Iro

I'd agree with a form of DRM for games & there's definitely less cheating on console, further supporting the point. Might not need a dedicated, fully DRM machine though. There are various designs where users have control over their machines, yet certain pieces of software are a protected black box. The hardware itself ensures this. The user can install them, remove them, use them, etc just not read or modify their internal state during operation. The designs are intended to allow a person to run something like a private key signer on a machine whose OS & apps are thoroughly compromised. They're often implemented with custom hardware or TPM's. So, it's similar to DRM we hate, but leaves most control of platform in user's hands.

NonameMay 7, 2014 6:54 AM

> free-to-play gaming business models evolved directly in response to the gold farming

Crazy world: now the games are free-to-play and the cheating software comes at a monthly fee.

AutolykosMay 7, 2014 7:17 AM

@Gweihir: That method has a lot of similarity to "hellbanning" trolls in newsgroups and Internet fora. And I'd assume that trolls and cheaters share quite similar motivations (like getting off on a power trip by pissing off other people), so it might actually be quite effective.
Another tried and true method[1] to combat trolls is to make them fail Captchas at an increased rate with increasing likelihood of them being a troll (using Bayesian Filters), to frustrate them into leaving and playing elsewhere. Could also be done to cheaters with raising pings, inducing lags and the odd "accidental" disconnect here and there. That should take them a while to notice, and ruin their experience enough that they go to another game.
It's probably more effective than a straight ban, because they will need a while to figure out they were detected first (or buy new copies of the game on suspicion alone), making them either suffer a lot of "bad connections" or waste a lot more money (that goes straight to the devs, so win-win).

[1] (only in German)

AnuraMay 7, 2014 11:52 AM

I wonder if eventually we can have a high enough bandwidth and low enough latency to allow the client to act as a terminal. Instead of running the game on your machine, you essentially stream a video and send commands. At this point you would be limited to aimbots using image recognition.

IroMay 7, 2014 7:22 PM

Yes, that would solve most issues. But it is not only the bandwidth. I doubt game companies would be ready to additionally host the equivalent of a high-end graphics card for 3D rendering *per player* in their data centre. That would be required to create the indiviual aspects' video streams.
I think today's solution is more efficient: the server sends position data and the client renders the video, using pre-loaded 3D models.

The security issues start with real-time interaction and input data from client to server.
Here, it would already help if game developers applied the most basic security rules like validation of input that is sent from the clients. Some companies do, and they are more successful than others to fight cheating and botting. Others blindly accept it when a client tells their server: my player just teleported around the virtual world and killed 10 dragons with a toothpick. Those companies might learn the lesson when customers leave.

AnuraMay 8, 2014 1:06 AM


Well, it's more a question of whether or not the players are willing to spend $100 a month on an online game.

Probably not.

PeriwinkleMay 8, 2014 1:18 AM

There are already Cloud Gaming services where the rendering happens on a server farm and it streams video to the client and input to the server, just as you describe. As @Iro says, this is exceedingly wasteful, but it hasn't stopped some people using it.

The current purpose of cloud gaming is to minimise the hardware required on the client side, but as you observe, it would close most methods of cheating.

From there, we take the step of having a multiplayer gaming session simulated and rendered within a single cluster in the same server farm, for maximum efficiency and to try and guarantee equal performance to all players.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.