Published on November 6, 2025 7:27 PM GMT
Any competitive online game is going to attract cheaters. They ruin the game for everyone else, and even the suspicion that your opponent is cheating suffices for that. Naturally, some countermeasures have to be taken.
You might have heard the phrase "To describe a system accurately is to attack it", but sadly I think most of this is already common knowledge for anyone actually selling cheating as a service, and that's a huge industry. The customers don't need any technical skills. I used to know a guy who sold both cheat and anticheat programs for a game, ensuring that the illusion of an arms race kept both sides paying a monthly subscription.
The oldest solution, from the LAN gaming era, is just to refuse to play with the cheater. You don't even have to know they're cheating; you'd also refuse to play with anyone who's too much better than you. This is the same solution we use for board games, and non-competitive games.
Many online games, especially those with smaller player counts, do manual matchmaking. Typically it's done using the lobby system: anyone can open a game lobby, and it's visible to other people who can decide to join. Before the game starts, the lobby leader attempts to balance the game, and kicks out anyone they don't want in. People learn to recognize cheaters by the nicknames used. Again, anyone too good for your lobby gets kicked out.
Almost all popular games have an automatic matchmaking queue. Players have a skill rating, used by the system to find them an equally-skilled opponent. In team games, the system is slightly more complicated as you have to balance entire teams against each other. The skill rating is typically shown publicly, by displaying the raw number or some kind of rank. In most games, obtaining a higher rank is a major drive for cheaters, but also for everyone else.
Cheating
The easiest form of cheating to detect is performing actions the game rules don't allow, like walking through walls, flying, or creating items or money from nothing. These can typically be either prevented or at least detected automatically, depending on whether the server is authoritative or not. This means it's typically dependent on bugs in the game code, and can be fixed once it becomes known. These are rarely an issue nowadays.
A more problematic cheat works entirely within the limits of the game code: the player input is replaced or augmented automatically. For instance, in a shooting game, it could slightly adjust your aim so you hit the enemies every time, or just automatically press the trigger once it points to an opponent. The most egregious form of this is spinbotting, spinning the camera around multiple times per second, immediately eradicated every enemy. The subtler forms make it really hard to distinguish between a good player and an automation. Some statistical methods, including machine learning, can be used to detect unnatural mouse movements or inhuman reaction times. But it's a cat-and-mouse game.
This kind of cheat is the primary problem in games of perfect information like chess. Any decent chess engine beats every human alive, and it cannot be detected in any other way than comparing player moves against engine moves. And even in those cases, if done carefully and not too often, undetectable. Even professional players in live tournaments are sometimes suspected of cheating this way, sometimes in really creative ways.
The third primary type of cheating is obtaining information you shouldn't have, for instance to see through walls or know the actions your opponent has done in secret. In perfect-information games this is by definition impossible. In others, it can be mitigated by not sending out any state that's not necessary for the clients to see. But in fast-paced games, it's often necessary to share information that might be required soon, like what's around a corner just before crossing it. Many developers don't bother to implement this at all, since it's often quite hard to predict what events might happen soon.
Again, this is often impossible to detect. It just looks like good game sense. But if you make decisions based on information you shouldn't have, someone watching you would notice. This can also be automated to a degree, but that will not catch all cases.
There are other ways of cheating too, like joining a game with multiple accounts to get more information, abusing lag compensation, or hard-to-see textures with simpler ones, but the examples above are plenty enough background. There's a type of non-technical cheating I must talk about, though: letting someone else play for you, or playing as someone else. These are completely non-detectable by measures that attempt to separate humans from machines, and many games don't bother to protect against these at all.
A common practice, not even thought of as cheating by many people, is smurfing, using a separate low-ranked account to play against lower-ranked people. Since any decent matchmaking system would quickly adjust your skill to match the actual level of play, you have to either sandbag, losing games on purpose, or simply create new accounts periodically. Often the developers are not willing to do anything about this, only partially because it's too hard. There are even paid services that lose games for you, avoiding the AFK detection that games commonly have.
Letting a better player play for you is the opposite form of this. There are paid boosting services that get you up to your desired rank without you having to play the game at all, letting you enjoy the status of a good player until you actually have to play the game yourself. This makes little sense to me, but I've heard of them, which means they are too popular.
Countermeasures
The design phase of game development must already consider cheating. Can the asymmetrical info somehow not be shared to all clients? Can we make it easier to play for humans compared to computers? This is never sufficient, and most popular games don't seem to be impacted much by this, but I think some ideas get filtered out because this would be too hard to do. Building a good anticheat solution is often more work than the game itself.
Almost all games use the same technical prevention measures: not providing source code for the games and using authoritative servers. On consoles, hardware is often designed to resist tampering, and on PC remote attestation is used, sometimes controversially implemented as a kernel-level anticheat. All detection measures double as prevention, as the fear of getting caught is the most important deterrent.
The detection is done with a collection of evidence-gathering instruments that estimate the likelihood of cheating. The one every single game has is the other people in the same match. Typically there's some kind of report button you can press. Sometimes there's also a way to kick the cheating person out by popular vote, although such means are prone to abuse. In other games, the opposing team might simply leave the game, losing their rating but not giving the cheater the satisfaction.
Some technical detection measures I've already discussed a bit, but more things exist. A common one is having other players or paid moderators to manually review gameplay footage, especially when cheating was already suspected by other detection measures. This is really important to prevent false positives.
Response
When we have determined that someone is cheating, something has to be done. The simplest measure is banning them permanently, possibly redeeming lost points to their past opponents. For lesser antisocial behavior it's typical to give a timeout, but that's insufficient here. To make it harder for the cheat developers to detect why they got caught, the bans are typically delayed and batched, even when this means that more people will have to play against them. False positives are problematic, though, so overwhelming evidence is required. Bans are almost always irrevocable, since in any system worth having, the ratio of true to false positives would make it incredibly expensive for customer support.
However, if the banned person can just make another account and keep playing, what's the point of banning them in the first place? For paid games, buying a new copy is often a sufficient barrier. In the age of free-to-play games and microtransactions, this won't help much. You could, in theory, tie the game to the real-world identity of the person somehow, but currently nobody wants to follow a KYC process just to play a game. Using a phone or credit card number might be viable, but you can have multiple of them. Tying the ban to hardware ID is sometimes done, as replacing that is certainly not free, but this is problematic for shared computers in net cafes and such. IP address bans used to be common, but are nowadays infeasible due to operators using NAT to share IPs.
Another way is to limit account creation rate, for instance requiring new accounts to go through a lengthy tutorial or having to play some amount of practice games before being allowed into competitive matches. There's a balance here, as you still want fresh people to pick up the game quickly, and the type of people who cheat often don't value their time highly. Even if the approach is otherwise viable, it'll create a business of making new accounts that have passed the barrier.
Some kind of collateral can be used to solve the issue quite cleanly. While nobody actually requires a security deposit, stuff bought with microtransactions, like skins and such, is lost. This also means that anyone owning expensive in-game items is unlikely to be a cheater. Some platforms apply the ban to the entire account, which could have multiple games.
A sneakier approach is to not ban the person at all, and instead do a shadow ban, where they're stuck playing against bots only, so the ban isn't immediately apparent. A more refined approach is keeping a reputation score in addition to the skill score, and doing matchmaking across both axes, so that the cheaters end up playing with other cheaters. This is rather neat, and works against any other antisocial behavior too. New accounts need to have quite low reputation, but using the existing account as an explicit collateral can help with this.
Lastly, the social aspect of getting caught for cheating works quite well. Cheaters are typically banned from live competitions. And nobody wants to play with a cheater, so letting everybody know who cheated should work quite well.
Discuss
