Hacks! An investigation into the million-dollar business of video game cheating

Counter-terrorists win?

VAC bans are usually irreversible. Perry C. Gamble would never play another match of CS:GO unless he opened another Steam account and bought another copy of the game. That's where the charm of cheating wore off for me. It was fun while it lasted, but I couldn't imagine paying another $15 for a new copy of CS:GO plus the ongoing $10.95 a month Ultra Cheats membership just to get easy kills.

John Gibson, president of Tripwire Interactive ( Rising Storm , Killing Floor ) told me plenty of cheaters feel differently. “We see a spike in hackers after we have a sale on one of our games,” he said. “Their last 10 Steam accounts have been banned, and the game is on sale for $3, so they'll buy 10 copies for $30 on 10 different accounts and they'll keep cheating.”

I told Gibson that I found that behavior mind-boggling. He isn't confused by it. He's just angry. “Give me five minutes alone with a hacker or a hack writer,” he laughed. “That's what I think about that mindset.”

Newell called cheating “a negative-sum game, where a minority benefits less than the majority is harmed.” It's obvious Valve and other developers take the issue seriously, but talking to Gibson made me realize it's also personal. Before he would even talk to me, I had to prove that I wrote for PC Gamer. He's been burned before. One of his first experiences with a hacker was someone who pretended to be a journalist with a fake, up-to-date gaming blog. He leveraged his early access to Tripwire and other developers' games to provide hacks and pirate games.

He's in jail now—for stealing credit card data, not cheating.

Gibson told me that, legally, it's not worth going after sites like Ultra Cheats. Most of them are based out of Russia, China (Ultra Cheats is registered in Beijing), or other places where extradition is, in Gibson's words, “questionable.” At the very least, Tripwire would have to pay another lawyer in that country, making it prohibitively expensive and complicated.

Criminal justice systems, perhaps understandably, aren't preoccupied with people cheating in online games. “Especially when it's international,” Gibson said. “Then you're talking about the FBI and Interpol. If someone stole $10 million in diamonds, call them. If someone is hacking your game, they don't care.”

If Tripwire, Valve, or other developers want to reduce the number of cheaters, they have to do it themselves. Note that it's “reduce” and not “eliminate.” Like Newell, Gibson knows that this isn't a battle he can finish. “It's like the Wild West,” he said. “It's more about managing the risk and hacks without inconveniencing your legitimate players too much.”

Tripwire's anti-cheat strategy is three-pronged. The first is technical, using both VAC and Punkbuster. This is one topic Gibson was secretive about, but he said Tripwire uses both because “they handle things in different ways.”

"If Tripwire, Valve, or other developers want to reduce the number of cheaters, they have to do it themselves."

The second is being a proactive developer. When Tripwire notices a loophole, it closes it as fast as possible. When Red Orchestra 2 first launched, it didn't do a whole lot of server-side validation on hit detection. The game was plagued by hacks that allowed your machine to tell the server you shot someone in the head even when you were clear across the map. “Very quickly we put up an update that basically verified, within a reasonable margin of error, that they kind of have to be where you say you shoot them at,” Gibson said. “If they're not, then we know that it's a hack and we ignore that shot.”

The third is having an engaged server admin community and giving them the tools to be the third line of defense. “That's a huge thing for us,” Gibson said. “Hackers come in, it's obvious fairly quickly that they're hacking, the server admin bans them from the server and problem solved.”

Punkbuster also allows server admins to take screenshots of what players see. If the server admin captures evidence of cheating, he or she can submit the proof to PBBans , a global database of hackers, making it very difficult for that hacker to join any Punkbuster servers.

This also allows server admins to pass along evidence of cheating to Tripwire, which can use the information to close more loopholes.

Overall, Gibson thinks this strategy works very well. “I have over 1,275 hours in Red Orchestra 2 and Rising Storm,” he said. “I've been on a server with about two hackers in all that time.” I asked him if Tripwire downloads paid cheats as part of its efforts to prevent them. “We're a proactive dev,” he chuckled. “Infer from that what you will.”

Gross Income

After being banned from Counter-Strike, I spent several weeks poking around the Ultra Cheats forums hoping that someone would talk to me about how the site was managed. I only got real attention once I admitted that I was writing a piece for PC Gamer. I bounced from admin to admin until I got to Slayer, Ultra Cheats' manager and lead coder.

Slayer didn't want to talk at first. “I don't think any good for Ultra Cheats would come from this,” he said. I promised him I wouldn't use any real handles or even the site's real name, and that I wanted him to respond to quotes from developers like Gibson. I suspect the notion that he'd get a reaction from a game developer is what got him on board.

Like Gibson, he needed confirmation that I was really writing for PC Gamer, and he was more thorough about it. I gave him my real email address and name (not Perry C. Gamble's), Twitter, and an email confirmation from an editor.

Gibson was worried about hackers posing as journalists. Slayer was worried about giving legal ammunition to parties that want Ultra Cheats gone, and competing cheat providers.

We set a date to talk over Skype, but when the time came Slayer wouldn't agree to a voice call, just text, because he was worried about me recording him as well as “other reasons.” To my surprise, he brought along another Ultra Cheats administrator, Prophet, and they'd only talk to me together. I guessed that this was to keep one another from saying anything they might regret.

They said part of Ultra Cheats' money comes from a different site that it operates in Brazil (a huge gaming market) and reseller sites, which sell Ultra Cheats' product under a different brand in exchange for a cut of sales.

Slayer said that Zero's $1.25 million a year was a little inflated, but that I could come up with a rough estimate of Ultra Cheats' annual revenue by gauging the size of the community.

On March 20, over 2,500 members logged into the Ultra Cheats' forums, almost all of whom are plainly listed as paying for standard or more expensive cheat packages. At an average of $10 per user a month, Ultra Cheats makes $300,000 a year. Add to this the fact that the forum has almost 150,000 members overall (though we don't know how many are active, paying users), the Brazil site, and resellers, and it's not hard to imagine Ultra Cheats breaking a million dollars a year. Slayer declined to share the exact number of their active users.

He said coders supply cheats on the site in exchange for a cut of the sale. These “vendors,” as Slayer calls them, take in about half the profits of the whole operation. Both Prophet and Slayer said that they get paid “enough,” but not enough to quit their day jobs. “More than minimum wage,” they said. Customer support, technical support, and other people like Zero who help run the site get paid as well, but less. Zero didn't want to say how much he makes, but admitted that he has a day job and that free cheats attracted him to the position.

“I do this because I really think of the community and staff as a big family,” Prophet said.

The rest of the money goes to “the ownership entity,” which Slayer and Prophet refused to talk about in any way. All they would say is that the entity controls the PayPal account I paid (and hence all Ultra Cheats' money) and that only Slayer knows anything about it. Anything between this ownership entity and the rest of Ultra Cheats goes through him. For all I know, this ownership entity doesn't even exist and Slayer and Prophet were the actual owners.