Disclaimer: All information described in this article is publicly available and can be independently verified through research. Nothing presented here violates any non-disclosure agreement or discloses proprietary detection methodologies that I have reported. This article is intended for educational and research purposes only, to showcase my knowledge of the cheating communities.
Introduction
Many people seem to believe that the rumoured $8.5 billion game cheating industry, a figure recently published by Intorqa's threat intelligence research, is extremely easy to get into. This is far from the truth, largely because it is not actually just one scene. You have the low-tier and the high-tier, a hard divide between copy-paste providers and professional businesses. I spent roughly three years inside the cheating community, spending my first two years in the lower-tier part. I spent time in community servers - places like Enigma and Exploiters Heaven. There are actually a very few highly knowledgeable people in those spaces, and guess what? The smart ones eventually moved to defensive game security! I know going from pasting a public driver in 2023 to understanding kernel-level security in just three years sounds like a massive stretch. Honestly, it was just pure, hyper-focused obsession. I basically had no life outside of this, it was and still is my passion hobby. While early LLMs were terrible at giving direct Windows internals code, using AI as an interactive tutor to break down complex concepts, combined with thousands of hours of failing and debugging, compressed what used to take a decade of trial-and-error into a highly intensive three-year crash course.
In this article, I will cover how modern cheats are structured and created. I'll also cover the business aspect - what is actually going through the minds of the people building and selling these tools. Let's start with the lower-tier providers. These developers usually make anywhere from $100 to $10,000 before burning out. While they might make up 90% of the providers you see advertised on YouTube, they capture a very small percentage of the actual industry revenue.
I started roughly in 2023 by pasting GitHub drivers after getting banned from Fortnite. I was heavily into competitive play, but I got banned using a public cheat from a random YouTube video. I wanted to stay undetected, but after realizing ChatGPT was too terrible at Windows Internals to help me, I was forced to look into it myself. One thing average cheaters don't realize is that UnknownCheats is a treasure trove of information. When I looked at the driver I was pasting, I would look at a specific API it called and wonder how anti-cheats could detect it, where I would move over to UC to see if others had the same question. If there was an LLM trained solely on every single page of UnknownCheats, it could probably output not just every bypass, but the exact detection vector for every bypass, simply because the users on that forum are constantly challenging and correcting each other's code.
Low-Tier: Marketing & Auth
The most popular authentication for lower-tier providers is KeyAuth. To be fair, the infrastructure itself isn't inherently terrible, but low-tier developers implement it so poorly. They don't do any work to hide the keys or encrypt the packets by modifying the library, meaning a cracker can just intercept the traffic and return whatever response they want. They usually wrap their entire cheat into one singular application. On startup, they do a few basic checks, usually just scanning for debugger window names, and then they run the KeyAuth license check. In assembly, this is typically a simple je instruction. If the license is invalid, it jumps to a routine that closes the application. A cracker can literally just patch that instruction to an unconditional jmp and bypass the entire paid system.
For the lowest-tier providers, you don't even need to use runtime debugging. Even when using advanced protectors like VMProtect, these developers don't bother to encrypt their strings. You can just dump the program strings and find the raw catbox.moe link where they are secretly downloading their driver payload. These drivers are usually detected anyway unless they got incredibly lucky and didn't get scammed buying a driver, making it almost pointless to reverse-engineer them. Let's get one thing straight - Obfuscation is not there to stop reversing completely, but rather to delay it. Time is money, even in game security, as spending 2 months reversing a cheat is 2 months that they could have reversed 20 cheats.
The business model for this tier relies purely on volume and scams. These providers use bots like RestoreCord to farm Discord members via OAuth. When their cheat gets automatically banned, they usually decide to exit scam, selling that list entirely to other cheat providers. They claim these OAuth bots are used to pull back members if the server ever gets terminated, but in reality, 90% of them just use it to hand over their members before disappearing and rebranding the next month. Marketing is something that separates the providers insanely. They mainly spam videos on YouTube or TikTok, which sure, gets them a few buyers. People pay for SEO boosting, which I don't completely understand, but it is now essentially required to achieve top results in a search for cheats in most games. Thumbnails are pretty much copy-pasted, where they cost about $5 on average.
Low-Tier: Technical Aspects
Since low-tier devs don't have much experience with internals whatsoever, I will cover mainly externals. Either way, these providers almost never go internal, with the sole exception of an internal cheat being released for free and them pasting it whilst it works. So, first, they obviously load their driver with KDMapper. For those who don't know, it is a manual memory mapper which allocates and then overwrites memory into a, usually, RWX (read-write-executable) region, with their own driver memory and it then hooks a rarely called function to execute the entry point, where KDMapper hooks NtAddAtom. Lo and behold, their memory is now in the kernel!
However, this comes with significant drawbacks. Due to the ease of this method, alongside it being public for so long, any interrupt fired will catch their unbacked code. Furthermore, these providers do not dynamically import, and if they do - they cache their imports, making it completely useless. You can just scan for imports in unbacked memory to detect these, hence why their detection is already automated. For their communication method, it is generally just IOCTL with IoCreateDriver as KDMapper does not create a DriverObject, with some people thinking manually creating the object creates a difference when the IRP will point to your memory anyway. I'm not exactly sure what goes through their minds there, I guess they assume IoCreateDriver is hooked or something?
This was the case before a great project by a friend - noahware. He released a Hyper-V hijacker called hyper-rev, which uses Hyper-V to disguise itself. Once this project was released, oh boy, there were maybe 100 new providers suddenly claiming they had hypervisors. Obviously, this then led to every anti-cheat team enforcing TPM as they could check the boot-chain. To clarify, some anti-cheats were already enforcing it and planning it, but this just sped that process up. Secure Boot was enforced beforehand, as TPM is not enabled on all systems. This is because Secure Boot would prevent them from loading their .efi file without a valid signature. As a result, people self-signed their file and inserted the keys into the BIOS. ACs such as Vanguard, then started checking these against whitelisted ones. You can already imagine the problem this would cause, as custom OS builds would have different signatures. Therefore, TPM 2.0 was enforced on just about every modern anti-cheat.
Low-Tier: User Experience
Usually, the low-tier providers have awful user experience. Apart from the lightning-fast ticket replies, their cheat is generally only working for a specific Windows version as they don't use offsets from Microsoft's public symbols, but rather hardcoded signatures. I mean, this is if they do anything special anyway. They all use KDMapper anyway, so they don't support anything past Windows 10 on most anti-cheats. Either way, bans occur within a few hours, so complaints start to flood in.
Low-Tier: Financial Infrastructure
This is pretty straightforward, as they don't have enough money to buy ID-verified accounts. They use PayPal as their main method behind crypto, and instantly cash out to different PayPal accounts since PayPal automatically locks your account if you receive too much funding via Friends & Family (F&F). Of course, this means you won't be getting a refund to your account since you sent it in F&F!
They usually use SellAuth, as it has no restrictions on what to sell and takes a small fee out of all purchases.
High-Tier: Business & Operations
Unlike the low-tier providers, high-tier providers generally exist solely as slotted, sometimes alongside a public cheat for extra revenue. The main difference between a high-tier public and a low-tier is randomization, as the problem with public cheats is how many people use them. Slotted is where a cheat requires ID-verification to join, alongside it having a strictly limited amount of slots. These usually cost from $300 to $1000 just for a month. Now, just from 1 slotted cheat alone, 10 users will make you $3,000 - $10,000. See where this is going?
To be clear, I'm not just guessing how this works. I know this because I worked alongside other developers on builds that were white-labeled and resold to huge battle royale providers that I cannot name, but ruled the scene during the time I was working. Working directly with developers at that scale gives you a real look at how the high-tier operates. During my development, we made a slotted and public cheat, where the public was focused entirely on randomization. To do this, we created a small mutation engine for the driver using tools like Zydis and a server-sided loader where it dynamically re-compiled the executable on the server with VMProtect. For the driver alongside the engine, the focus was making sure everything static was randomized per user.
Whereas on the slotted cheat, the focus was solely on hiding the fact the executable was ever ran, erasing traces in places such as Windows Prefetch. Obviously, there are lots of edge-cases, so execution cannot be 100% hidden. At the time, my reversing skills were not high enough to even get an idea of the insane level anti-cheats operate at, but I hid from common places. For the driver, I simply disabled interrupts during pretty much any operation and used an NMI (Non-Maskable Interrupt) function pointer hook that evaded EAC's integrity checks. Obviously, I won't go into detail on where this specific hook is to not aid cheaters, but it isn't difficult to find. The invite-only aspect and server-side randomization not only prevents game security teams from reverse-engineering them, but also prevents them from getting a secure detection rate.
When you're working at this level, you also see the actual business infrastructure. I actually found and reported lots of vulnerabilities to KeyAuth for free, which resulted in their supposed 1.3 recode. That was around the time I realized I actually enjoyed the defensive side, understanding how things work and breaking them, way more than selling the cheats.
High-Tier: Obfuscation and Anti-Dumping
Great, so we've got the business model out the way - how they do what they do. Now, how do they keep their program from being analyzed or reversed? I mildly covered this in the past section, as they use randomization, but let us cover the actual obfuscation.
First, we have LLVM passes. This is something I personally used, though it is now pretty useless as LLMs are advanced enough to simplify them. If you don't know, LLVM is basically a framework between the compiler converting your source code into an actual program, meaning we can create simple operations into more complex ones. Not all providers specifically use this, but it is an extremely good measure to take.
Then, we have of course their VMProtect or Themida. Ideally, they use VMProtect as the virtual machines seem to be more complex than Themida, but this just adds more complexity on-top of their LLVM passes. You may have seen header files released by some protection frameworks on GitHub or UnknownCheats, but you cannot do true control flow flattening through a header file.
For string encryption, it is a bit different. When low-tier providers do encrypt their strings, they use something like skCrypt. Fortunately, this is extremely easily reversed as the decryption routine is a straightforward loop, so an automatic script is pretty trivial. Most high-tier providers either introduce their own or use oxorany. Oxorany is a popular choice, because the decrypt function is heavily unreadable. It jumbles the control-flow heavily, and attempts to cause stack frame analysis failures so long as you compile it with obfuscation enabled. There are also a lot of fake decrypt paths, to confuse the reverser. It also uses a specific macro which forces the compiler to generate mathematically different encryption routines, meaning it isn't as straightforward to reverse. Overall, high-tier providers use LLVM passes, oxorany, mutation and virtualization to complicate their executable.
We've covered obfuscation, but that is useless if the anti-cheat team can just buy a key for $7.99! Well, let's see what they do. These providers do generally use their own authentication, I personally used KeyAuth as a backend base whilst routing it through my own encryption and checks. This seemed to work as it only ever got cracked once - which was a runtime dump of values from the server, meaning it broke on the next game update.
Anyway, rather than a simple license check, these providers stream any important variables from their server. If you need offsets for a game, they send a request to the server for the offset value. The server can then check, okay, is this session validated? What is the saved license key for this session? Then, there is no way to get it without a server exploit.
The same is done for files, where the driver itself is usually encrypted before transit, during transit, and only decrypted right before manually mapping. This obviously presents two issues - where the payload can be extracted right before mapping and during the mapping. KDStinker is a great example of this, but these two issues were taken care of by most providers. To extract the payload before mapping, you have to know the location. So, they can just decrypt parts of the region at once to not expose the whole PE header at once.
During the actual mapping, one thing that I did was check the IRP pointer to my vulnerable driver, since KDStinker was extremely relevant at the time. Of course, this is a losing game; you are running the unencrypted driver on the machine eventually, so we can just hook any execution on unbacked regions, assuming you are mapping unbacked. Again, this is something you'd discover during the reversal. For this part, cheats simply retrieve everything important from the server, usually encrypted in transit.
High-Tier: Technical Aspects
Finally, let's get onto the external function of their driver! Generally, these providers do not use something like IOCTL.
Usually, you see these providers using a user-mode exploit. A good example of this is Samuel Tulach's PreviousMode exploit. More things like the supervisor bit were also exploited to work around SMEP/SMAP, but these are all pretty easily checked. I should mention that many of the higher low-tier providers use .data pointer hijacks, where they point the shellcode into a discardable section, where it then jumps into their driver which relies on a key decoded in that specific shellcode sequence. Sorry to break it to you guys, but EAC has their own in-house x64 emulator to counter these type of tricks, and if they catch execution in a discardable section, you can guarantee a ban. I cannot comment on it in more detail, as I reported something similar to Epic Games through HackerOne, but all these "creative" ideas that the low-tier providers think is so smart, is really not.
Most high-tier providers do not constantly have execution in the kernel, as it is a losing game, so they use a vulnerable driver to setup the exploit and then clean their traces. People don't realise how much anti-cheats tunnel vision on the kernel, thinking that user-mode is a solved space. They only use user-mode to ban-wave or gain traces, but don't think of how much people can be process-hollowing, reading their protected memory. At one point, shared memory was a pretty popular solution, but interrupts solved a large portion of the kernel space. There were some top-tier cheats that used hypervisors to hide their internal execution, hooking the system call handler to mask their DLL calls, but this was broken down as a result of TPM enforcement.
High-Tier: User Experience
Many people hate on anti-cheats for introducing things like HVCI enforcement or TPM. Let's use a metaphor for this because I don't want to keep repeating "anti-cheat", we'll say the anti-cheat is stopcheating. In reality, these aggressive enforcements are an extremely good change, more than you can imagine.
First, you might think it is simply just to prevent cheats from manually mapping, or boot-kits from loading. Well, it is, but let's say a cheat has found how stopcheating queries HVCI, and then spoof that it is enabled. Say we don't try to allocate RWX or scan for RWX pages as a counter, this still requires cheat users to manually disable HVCI on their machine. From my experience and others, average users are not so willing to do this. This is especially true if the cheat sells to new users rather than the average cheater; they don't trust the software, and honestly, they shouldn't.
This gets even worse if the cheat requires disabling Secure Boot, because the user now has to reboot into their BIOS. User experience and compatibility are extremely, extremely important in this industry. I used to get yelled at for hours on end by providers due to the cheat's usability not being good enough, as the providers I worked with wanted a maximum of 10 support tickets daily. I’m not sure how that is even possible with this type of software, but it is what it is. Ultimately, it gave me great experience learning how to work under pressure.
High-Tier: Financial Infrastructure & Laundering
This is where the business gets a bit dodgy. Now, selling and developing cheats is technically legal on its own. Copyright infringement and pretending to be an employee to counter DMCA strikes are a different story.
Where it is definitely not legal, is buying stolen IDs or verified, burner PayPal accounts to store money. Many high-tier providers follow the process of accepting mainly crypto, where they then launder it through multiple wallets and split it up into different privacy coins and assets. Then, they use their own ID-verified crypto exchange accounts to off-ramp and pay out directly to bank accounts like Revolut. They also usually use their own custom-built e-commerce platforms, hiring a dedicated web developer to build and secure their payment portals rather than using public platforms. To be fair, there are a few exceptions where providers attempt to legitimize their operations by setting up registered corporate entities, paying taxes, and passing KYC checks to keep their payment processors running.
Conclusion: The Future of the Arms Race
At the end of the day, the battle between anti-cheat teams and cheat developers is no longer just about who can write the better rootkit. The kernel space is becoming increasingly hostile and locked down. With anti-cheats enforcing TPM 2.0, HVCI, and using advanced telemetry, the arms race has shifted. It is now as much about business logistics, infrastructure, and user experience as it is about pure code. When an anti-cheat enforces a new feature, it harms that customer base.
For me, the transition from offensive development to defensive security wasn't about some sudden moral awakening. It was just a realization of where the actual engineering challenge lies. Anyone can paste a driver, and even at the high-tier, you are ultimately playing a losing game. Over a long enough timeline, most cheats are eventually detected, disrupted, or rendered commercially unviable and it's just a matter of how much telemetry they want to collect before they nuke your user base.
Anyway, thanks for reading, and I hope this gave you some good insight into how the cheat industry actually operates under the hood. I've mainly been working on a separate blog post regarding MmCopyMemory detection, but I did want to share some perspective into Threat Intelligence. This was written as a sequel to my original "Understanding Anti-Cheat Architecture" blog post, looking at the opposite side of the exact same war.