Riot fought cheats by hiring the people who coded them
A young cheat developer finishes another long day of tweaking code. He has developed a cheat to help players win at the world’s most popular computer game, League of Legends. People will pay him to use it. Tens of thousands subscribe to his third-party software. His bank balance is looking pretty healthy, and this latest update is sure to attract even more customers.
Finished with his day, there’s just one more thing to do. He has to send the code to someone who is also paying handsomely to access it, a secret client that he is contracted to work for—Riot Games, the company that makes League of Legends.
It sounds like the script of a teenage reimagining of Donnie Brasco. Yet, according to the coder, this was an ongoing strategy in Riot Games’ battle against the cheat coders and Elo-boosters that plague the game for regular users. Over the past year, the company has come under heavy criticism from the community for failing to stanch the flood of players using third-party cheat software, such as scripts and drophacks, to climb the rankings. For at least five months—and likely more—Riot paid cheat coders to pass along code, work as consultants, and act as informants on their peers, according to sources within the cheat-coding community and a contract obtained by the Daily Dot.
One of those reached out to the Daily Dot to tell his story. He asked to stay anonymous for obvious reasons—cheat coders are some of the most reviled people in the League of Legends scene.
“At first a well known Rioter, who I won’t name, would reach out to members of the cheating community that they could entice with non-monetary rewards,” the cheater, who we'll call David, explained (a second coder confirmed many of David's claims but asked to speak off the record). “They’d be giving them free Riot Points [the more valuable of the two in-game currencies] and various items of swag, like Teemo hats. I can’t believe people actually accepted it. When I was offered that, I told them to get fucked.”
That early strategy didn't work. David wasn't the only one balking at the contract. And that meant Riot didn't get enough code samples. So the company increased its investment. It contacted its list of people from the cheating community again, this time with a more tempting offer.
“They appealed to what all coders really enjoy,” David laughed, “exposing flaws in someone else’s code. They straight out said we could get paid to work as consultants and all we had to do in exchange was explain how these programs we were making worked. We didn’t have to stop coding cheats. We would get paid twice.”
The “Independent Consultant” contract arrived and David looked it over. It was a lot more formal than he was expecting. His job was to “assist the company’s security team by providing security research and consultation services.” This included “compiling reports of security issues based on external tests” and “providing proof of concept code.” He showed us both the contract and his rate, which was more than reasonable. But he asked that we not reveal the amount, as he believes different consultants received different rates and it may make him identifiable.
For its part, Riot Games told the Daily Dot the program was never secret. It pointed us to an initiative announced less than a month ago, the Bug Bounty program, and suggested that its work with cheat coders like David was simply the early stages of the program.
And in a statement, the company noted that it has for years worked with security researchers. "It’s important for Riot to do its best to keep League of Legends players safe and we can’t do it alone," the statement read. "Throughout the years, we’ve compensated security professionals for technical and non-technical information to help better understand how cheats are developed, how to fix them and what groups are actively trying to disrupt the fairness of the game."
Like many other bounty initiatives run by tech companies around the world, Riot's program encouraged the general public to submit bugs and cheats for potential "cash and cred." The November announcement noted that the program was still in "closed beta" and was "only available to a few security professionals who we’ve already identified." Those consultants, the announcement noted, "have helped us squish more than 75 bugs, vulnerabilities, and exploits, including client crash exploits, vision related exploits, and vulnerabilities that could potentially lead to player impersonation on forums." The post did not elaborate, however, that many of these "security professionals" were apparently the same people actively selling cheats to the League of Legends community.
At the beginning, the work was both lucrative and fun. David says he divided his time between dealing with the cheating community and Riot’s in-house security team, who shared a similar enthusiasm for coding. They were “great guys when it came to bouncing ideas back and forth," he recalls. Though he offered them everything they expected, soon enough Riot's upper-tier management were starting to apply pressure for “more results," according to David.
“Personally, I think I gave them everything they could have wanted and more,” David said. “There were probably 10 exploits that never saw a ranked game during the months I was contracted. The management would pressure you and say they weren’t getting enough for their money, so you’d work more and more hours. If that didn’t satisfy them, then they’d ask you to give up other people.”
The method for detecting these exploits generally required David to actually go into games and use them. He'd then measure and report his findings. It was essentially a mandate to cheat. Other players reported him a “fuck-ton” during this time, which slowed him down and made it harder to rack up more game time to feed Riot information. Riot, however, disputes this part of David's story: "Contrary to his claim, we do not allow researchers to use exploits in games against other players," the company said in a statement.
David began to grow disenchanted with what he was doing. What was once about using his expertise to shore up Riot’s software was rapidly becoming more about informing on people.
David said most cheat coders out there would have likely been on Riot payroll at some point, and he scoffed at the idea that any cheat coder was unknown to Riot. If you're coding third-party software for League of Legends and are involved in the community, then your details will have been passed on to Riot by your compatriots. “We had to be full on fucking rats,” he said, “providing them with name, age, and location of anyone they asked about.” If this information wasn’t forthcoming, Riot allegedly threatened to pull the contract.
In its statement to the Daily Dot, Riot pushed back at the claim it had pressured researchers. "Fixing security bugs is rarely simple," the statement said, "and pressuring researchers would damage our reputation in this very close knit community."
“What they do with the information we provide them… Well, it’s not always what I would call ethical,” David explained. “They know legally they can’t touch them without cast-iron evidence, so when developers won’t ‘flip,’ Rioters go directly to them and let them know that they know who they are. If you’re a 16-year-old learning how to code and you get confronted like that, obviously you’re going to shit your pants. It’s obviously more cost effective than how they used to do things but I doubt it has the same results.”
Even in his short time working for Riot, David noticed the shift in focus. Everyone agreed that a software solution to the cheating would be an outdated concept, but he wasn’t entirely sure what the plan was to replace it. He continued offering multiple “outside the box” solutions to the cheating problem. But where once they were taken on board and eventually implemented, now they seemed to be mostly shelved. Management instead continued to focus on a two-pronged attack, asking existing consultants to divulge information about other coders and prominent members of the cheating community, then attempting to attract them into the Riot fold with inducements. This seemed odd to David, who says Riot was barely listening to the consultants they already had.
“I have to be honest, I’m not even sure how much Riot want to fix the problem anymore,” he continued. “I, as well as others, told them that there was an easy way to detect anyone using scripts. The issue with these scripting programs is that when you right click to tell your champion to move it sends a ‘WAYPOINT_UPDATE’ packet that both the client and server can see. The scripts where you hold down a single key that does everything for you? They send 50-100 updates a second. Not even the Korean overlords are right clicking that much. All Riot need to do is put in a filter that detects who is sending updates at that speed and they’d catch every single scripter.”
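The rate filter David describes, sketched as an added example (not code from Riot or from anyone quoted here): it counts WAYPOINT_UPDATE packets per player in a one-second sliding window and flags only rates that stay high, so a short burst of frantic clicking is not treated as a script. The event tuple layout, the player names, the 30-per-second ceiling and the two-second sustain period are assumptions; only the packet name and the 50-100 updates per second figure come from the article.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0       # sliding window length in seconds (assumption)
MAX_PER_WINDOW = 30  # assumed human ceiling; the article gives only the 50-100/s script rate
SUSTAIN_S = 2.0      # rate must stay above the ceiling this long before flagging (assumption)


def flag_scripters(events):
    """events: iterable of (timestamp_s, player_id, packet_type), sorted by time.
    Returns {player_id: timestamp at which the sustained-rate rule first fired}."""
    windows = defaultdict(deque)  # player -> WAYPOINT_UPDATE timestamps inside the window
    over_since = {}               # player -> time the rate first exceeded the ceiling
    flagged = {}
    for ts, player, ptype in events:
        if ptype != "WAYPOINT_UPDATE":
            continue  # only movement updates count toward the rate
        w = windows[player]
        w.append(ts)
        while w and ts - w[0] >= WINDOW_S:
            w.popleft()  # drop packets that have aged out of the window
        if len(w) > MAX_PER_WINDOW:
            start = over_since.setdefault(player, ts)
            if ts - start >= SUSTAIN_S and player not in flagged:
                flagged[player] = ts
        else:
            over_since.pop(player, None)  # rate fell back: reset the sustain timer
    return flagged


def sample_events():
    """Constructed sample traffic, not captured from any real game session."""
    ev = []
    ev += [(i / 5, "human", "WAYPOINT_UPDATE") for i in range(25)]       # 5/s for 5 s
    ev += [(i / 80, "scripter", "WAYPOINT_UPDATE") for i in range(400)]   # 80/s for 5 s
    ev += [(1 + i / 100, "burst", "WAYPOINT_UPDATE") for i in range(40)]  # one 0.4 s burst
    ev += [(3 + i / 5, "burst", "WAYPOINT_UPDATE") for i in range(10)]    # then normal play
    ev += [(i / 80, "chatty", "CHAT") for i in range(400)]                # different packet type
    return sorted(ev)


if __name__ == "__main__":
    for player, when in flag_scripters(sample_events()).items():
        print(f"{player}: sustained WAYPOINT_UPDATE rate above ceiling at t={when:.3f}s")
```

The sustain period is what separates the 80-per-second player from the one who spikes briefly; tuning both thresholds against real traffic is left to whoever deploys such a filter.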
With all the coders wanting to keep their involvement with Riot secret, there were only one or two others that David could speak with about how things were going. And he learned that his colleagues were having similar conversations with the company: They were offering solutions to issues but were hitting a brick wall. They speculated that this was simply a fiscal decision, that it was a lot easier to monitor the situation and only react if it got out of hand, than it was to continually implement the fixes. After all, the company couldn’t be entirely sure that information wasn’t going back to the cheating community too, even though David maintains he much preferred the consultancy work to the more shadowy “day-job.”
Not long after, David was informed that the nature of his contract would be changing. Gone would be the generous hourly rate, which allowed him to bill up to a maximum of 40 hours a week. In its place, Riot would pay “per exploit fixed.” He felt this made little sense within the context of the original agreement, that not all code supplied would necessarily fix an exploit but would certainly equip Riot with the tools needed to at least be on a level playing field. Not only that, Riot had already turned down several proposed fixes David was sure would work, so it kind of felt that his salary could fluctuate based on what mood Riot was in. By the same token, the demand for information about other coders didn’t show any signs of relenting.
The Riot contract had once been enough to live off, making the cheat coding effectively a side-project that enabled this employment. That would no longer be feasible under the new contract.
David said that when the new contracts were forced upon all the consultants, Riot's security team were “dismayed.” They knew exactly what this meant. It was no longer in David's best interests to give full disclosure.
“I know that no-one reading this will be sympathetic and I guess I can’t complain,” he said. “I got months of great pay—until they switched the agreement—and a free trip to L.A. In the end though, they weren’t committed to fixing the problem and couldn’t pay me enough to make my time worthwhile, so I went back to developing cheats and Elo-boosting.”
Update 12/19 7:45pm CT: This story has been updated to include additional statements from Riot Games.
Image by Jason Reed