Late last week, ArenaNet, makers of the MMO Guild Wars 2, suspended over 1,500 player accounts it suspected of cheating. According to one of the players caught in the sweep, the studio accomplished this using what some users and experts are calling spyware to monitor peopleâs computers for known cheat programs.
âToday, ArenaNet suspended 1583 accounts involved in the use of illicit third-party software,â a representative for the company said in a forum post on April 12. They said the suspensions would last six months and not be open to appeal, before going on to advise players to remove any âillicit third-party softwareâ from their machines lest they become the victims of malware or computer viruses. Fabian Wosar, a player based in Germany who also claims to be a security researcher, was one of the players suspended and used it as an opportunity to investigate how and why he was targeted.
In a lengthy Reddit post on April 13, he said he had reverse-engineered a 32-bit version of the gameâs client released on March 6. According to Wosar, this version of the game client, which was live until March 27, allowed ArenaNet to periodically check whether other processes running on playersâ computers simultaneously matched a list of cheat programs. While Wosar admitted to using bots to farm in other games like FFXIV and Path of Exile, he said heâs never used them for Guild of Wars 2 because itâs not as grindy. Instead, he believes his account was flagged simply for having the other programs installed on his computer and potentially running in the background.
On April 14, an ArenaNet rep posted a message on the gameâs forums saying that â1516 accounts were suspended because we detected that the accounts were running Guild Wars 2 at the same time as one or more of the following programs over a significant number of hours during a multi-week period earlier this year.â The post listed the cheat programs it recently checked for.
Wosar had fretted that ArenaNetâs approach could flag people who might be innocently be running programs the company doesnât like even if they werenât using them on Guild Wars 2. âI am working for an anti-virus company,â he wrote in his post. âI have a ton of tools running that can be used for hacking games. Process Hacker, Cheat Engine, Wireshark, IDA, x64dbg. Was I now banned because I forgot to close all my work stuff after work or because I grabbed my daily reward during lunch break?â CheatEngine is one of the programs ArenaNet said it monitored for.
ArenaNet hasnât been clear about what theyâre checking hacking programs for and whether theyâre ensuring that they are being used on Guild Wars 2. In their April 14 post, they said, âWe targeted programs that allow players to cheat and gain unfair gameplay advantages, even if those programs have other, more benign uses.â ArenaNet did not respond to a request by Kotaku for further comment.
Wosar initially feared ArenaNet was indiscriminately monitoring all programs running on userâs computers and having that data sent back to its own servers. Subsequent research by him and another Redditort suggest it was only retrieving info on matches for the blacklisted programs. Wosar still doesnât like it.
âA lot of people will probably feel uncomfortable knowing that a game they play accesses all the programs running on their system and reads a lot of files that it has no business reading in addition of potentially sending some of that information back via the internet to their servers,â he said in an email to Kotaku.
Two security experts Motherboard spoke with said they would both characterize ArenaNetâs methods as a form of spyware but noted that, in the larger scheme of things, it was not very complex and would be easy for savvier users to bypass now that they know it exists.
