Friday, February 23, 2018

A Brief History Of CCP's War On Bots And Illicit RMT: 2009-2017

EVE Online once again is experiencing a period in which a significant portion of its player base is riled up about the subject of botting. From what I can tell, the origin for the latest round of bot awareness is the troubles on the Serenity server and the migration of Chinese players to the main Tranquility shard. A post from November 2017 on the EVE Online sub-Reddit, "The era of the Chinese empire: Fraternity taking all the outposts!", summed up some of those concerns. Below are some highlights.

badfcmath: There's growing concerns with Serenity (EVE's Chinese server), both in the stability of the company maintaining it and the inflated PLEX prices which many attribute to unchecked botting (think DRF renters but bigger). This is why we have seen many folks joining Tranquility, and the return of the divine Wind Spirits.

NeoExmachina: so are you denying that there's much more botting on the chinese server than on TQ even though it's economically provable?
Or that in China it is a legit job modell to farm ingame currency in MMO's for companies which then sell it?
Not saying that every chinese person is involved in RMT, but the assumption that there will be an influx of RMT with people from serenity migrating to TQ is not unjustified.

orici-andria: I will agree with you if this conversation starts 10 years ago but now things are quite different.

So called "gold farmer " groups are shrinking in china.simply because as economical grows more ppl tend to pay in game to enjoy the content than rmt.any decent daytime job earns more than that.u can check the skillinjector price curve since we came here.we are more like consumers than providers.

And botting in serenity is more complicated since some historical facts involved.but it is not as simple as "rmt ". Firstly the operation company failed to do its fucking job .they got sued by group of botters whose accounts were banned and hilariously the company lost the case this was a very bad signals to botters and ordinary players.

Secondly large alliances support botting to gain advantage over their enemies thus hundreds of supers were built with help of bots.those who didn't support botting had to face a dilemma whether got crushed by those supers that shouldn't be in this game or just do the same build fleet with "high technology ".and then all hell break loose. then botting followed by RMT is publicly acceptable even the RnK dude in this thread publicly support botting in chinese forum. And their leader-chairman of PIBC told corp CEO to buy isk from RMTer if they had not enough isk to pay alliance-tax.

Believe it or not we are those who hate rmt and botting.simply because we have seen what hell was like in EVE

RNK_Fu1crum: When botting become half-allow in Serenity, it would become necessary to half-allow your alliance member to run it. Just imagine what would happen if CCP half-allow people to run them if you don't do it you will be blobed and there is no way to fight back. It's operating company's duty to ban BOTs when they decide to allow it, there is only so much we can do. As the attitude against BOTs, https://tieba.baidu.com/p/4573418008, this thread could show more than enough of my opinion.(One of major company BOTs announced to shut down, I post a thread to celebrate.) But unfortunately, that's toxic we have to drink to keep us alive nowadays. It's more like the nuclear weapon, it would end the world someday, but if you refuse to have it, your world would end today. :(((

The concern continued to grow as the Chinese presence increased. In the aftermath of the destruction of 8 botting Nyx in Omist in January, the head of the Imperium special interest group The Reavers, Asher Elias, wrote the following:
"If CCP cannot catch a blatantly incompetent botter doing an action that is impossible for one person to do (ratting in 10 Nyxes in different systems at the same time) while they do so for over a year, how many more sophisticated bots are slipping through the cracks? Especially with the recent influx of Chinese players who came from a server notorious for botting, what assurances do the long-time EVE players have that their effort put into raising ISK won’t be dwarfed by another person who is playing dirty pool? Lastly, and most worryingly, how much evidence does the average player have to see that their honest efforts are being nullified by the most inept cheaters that CCP seems resolved to ignore and take their account fees before they decide that they have to join the race to the bottom so as not to be put terribly behind the baseline of success?"
Writing about botting and illicit real money trading in EVE Online for close to seven years perhaps gives me a jaded view on the subject. Or maybe the time I started playing EVE, six weeks after the launch of Unholy Rage, CCP's first major anti-RMT/botting operation. Perhaps a little history lesson is in order.


On 22 June 2009, CCP launched Unholy Rage. In a trial run in March, CCP had banned 3000 accounts for botting and illicit RMT activities. Three months later, the campaign began by banning 6200 paying accounts on the first day.

The effect of banning 6200 accounts on ACU
The drop in the number of players logged in was immediate. The seven-day rolling average of concurrent users logged into EVE dropped from 31,707 accounts on 21 June 2009 down to 27,333 players on 30 June 2009, a 13.8% drop. Put another way, the data suggests that during the first three weeks of June 2009 almost 1 in 7 pilots logged in at any one time were bots.

During the duration of Unholy Rage, CCP banned over 30,000 accounts, many repeat offenders. But CCP's strategy and tactics changed in March 2011 with the introduction of a new security chief. Fanfest 2011 introduced CCP Sreegs, better known to the EVE player base as former Goonswarm executor Darius JOHNSON, and a new group named the EVE Security Task Force. In a pre-Fanfest dev blog on phishing, CCP Sreegs laid out CCP's goal.
"The reason these things exist RMT, Phishing, Forum Hacking for account harvesting, Bots, etc... is to squeeze money out of you and into the hands of a third party. There is no such thing as a free lunch anywhere and our overall strategy is to do whatever is necessary in order to make these endeavours unprofitable."
At Fanfest, CCP Sreegs announced the implementation of a new, 3-strikes policy toward botters, withe the following penalties:
  • 1st offense - 14-day ban
  • 2nd offense - 30-day ban
  • 3rd offense - Permanent ban
In addition, CCP Sreegs announced the introduction of a automatic bot detection program and that the ESTF would begin targeting specific bots when possible. The first victim of the approach was a mining bot named Roid Ripper, which folded in May 2011. At this point, the actions of the ESTF began changing the behavior of botters. As the developer of one bot posted on his forums:
"Guys, stop posting about bans please. You post really useless information which dont help to understand, improve macro etc. Dont use bot for longer then human usually do, do something with your bot besides mining to change behavior of it. Use latest version of the program, rename executable to something differen. Do all customizations I added to the bot (custom program title, custom hotkeys, overview preset naming, other settings, custom bookmark names, custom delays and log offs). Dont make direct transactions, use market to sell something to your bot for expansive and buy from your bot for cheap or another public methods. You getting banned because your used to click "START" and forget about precautions."
In the early summer of 2011, CCP implemented a player idea, the Report A Bot feature, into the UI in order to direct botting reports into their own queue.

The layoffs in October 2011 in the wake of the Summer of Rage disrupted the operations of the ESTF. But in March 2012, CCP Sreegs announced the formation of a permanent security team tasked with combating botting and unsanctioned real money trading:
"Back before Fanfest last year we had a group assembled called the EVE Security Task Force. That group was tasked with performing actions like the one recently taken against botters. As a matter of fact that group took action the day prior to Fanfest and continued to do so on a twice-monthly or more basis for many many months. The process is designed that way because I don't believe that security is something you unwrap once every 2 months and pat yourself on the back about. What I said a year ago about the subject remains true today in that I believe it to be a continued process. This will be a slow burn and it will be regular. I do need to add to that the fact that these things were turned off for a period of time. As you are all aware the company has gone through a lot of changes in the recent months. Because of this there was a period of time where nobody had responsibility for handling the technology responsible for nuking botters. As of now there is a formal team on the EVE project devoted entirely to security, of which I am the product owner which is a fancy word for manager. This means that we've now thrown the switch again and turned on the catching bad guys machine because we own it and we don't like cheaters."
CCP also announced a change in the penalties for a first offense for botting. In addition to receiving a 14-day ban, an account banned for botting lost the ability to transfer characters. Botters had been either trading characters amongst themselves or selling them on the Character Bazaar. The new penalty moved to shut down the practice.

In an April 2012 dev blog following Fanfest, CCP Sreegs also announced that the automatic detection process would run daily and that the new security team had taken the following actions:
  • Around 105 accounts with direct ties to RMT (Real Money Trade) operations banned permanently
  • Between 1-3 trillion ISK in assets seized permanently
  • Around 500 billion ISK in RMT transactions reversed
CCP also changed the penalties for buying and selling ISK outside the PLEX system:
"Using the initial operation we enacted last Friday [24 February 2012] the procedure was to permanently ban all isk sellers and suppliers. No warnings given. People caught purchasing ISK found themselves with negative wallet balances due to the ISK being reversed back into the closed accounts which will eventually go into some magical space ISK burning facility or if you want to be really technical, be deleted from a database. We will continue to expand the scope of this to include asset seizure in the coming days which will include reclamation of supercaps and actions against alliances if need be. All actions will be retroactive to at LEAST February."
At the end of April, a bot developer acknowledged the effectiveness of CCP's anti-botting measures in a post on his forums:
Famine:  "But i think Slav has mentioned that single users of his program have not been banned since the middle of 2011 or something."

Slav2 (developer):  "This statement was true before resent bans. Pre festival time has traditionally higher risk of a ban, when CCP collecting statistics to show in graphs. I think CCP made some changes in bot detection after festival. Some new ideas could appear when GMs collected statistics. Now single bots who use VMWare may be banned too."
In early August 2012, botters received a surprise. The security team had put into place a system that would not allow players to log into the game from a computer previously detected as used by a banned player.  Either the launcher or the client uploads hardware system data that allows CCP to digitally fingerprint a computer.  Those attempting to create a new account reportedly just receive a message stating the account is waiting to be verified. Some botters eventually figured out a way around the system, but the workaround added one more pain point to receiving a ban.

One botter returning to EVE summed up the sentiments of many with the following quote: "so are the bans still being given out like free candy from a pedafile to little school girls?"

While 2013 was an eventful time for CCP's Team Security, a lot of the action involved events outside the scope of this blog post. Still, the security team made some news. The first came in a March dev blog that announced a change in the bot ban policy from a three-strike system down to two due to the rarity of permanent bans.

Demonstrating that 3rd strikes were seldom issued

The new penalties became:
  • 1st strike for botting is a 30-day ban
  • 2nd strike for botting is a permanent ban
  • Any client modification is a permanent ban on first offense
  • Any involvement in RMT is a permanent ban on first offense

The ban wave that caused general RMT sites to stop selling ISK

The second half of 2013 saw one of the most significant ban waves in EVE history. At the end of July, botters began reporting that CCP was banning their backup farms. Botters normally had a stable of characters training to replace the bots that CCP would inevitably find and ban to keep on botting. The ban wave had a long-lasting effect, with the median price of ISK on a list of ISK selling sites I monitored actually more expensive than buying PLEX from CCP and converting the game time to ISK.

A timeline showing prices when general RMT sites stopped selling ISK
In late September, two major virtual game currency sites, IGE and MOGS, stopped selling ISK. A third site, Safe EVE ISK, went out of business in mid-October. And in mid-November, two more sites, IGXE and In Game Delivery, also stopped selling ISK. By mid-2014, so many RMT sites had stopped selling ISK that I ended my regular monitoring of the sites as not enough remained to provide useful data.

In December, Team Security announced another tightening of the rules. The penalties for buying ISK or items from the black/grey market on 1 January 2015 changed to:

  • 1st offense - 7 days ban and ISK removed
  • 2nd offense - permanent ban

At Fanfest 2015, Team Security announced the introduction of two-factor authentication on 28 April 2015. The introduction of two-factor authentication was first brought up at the security presentation in 2011 when attendees were given key fobs as examples of what was to come.


In the years 2016 and 2017, CCP attempted to portray itself as a kinder, gentler company when combatting real money trading. While the security team continued to run their processes and conduct investigations, gone were the dev blogs filled with graphs boasting of their successes. Team Security's presence at Fanfest was also greatly reduced, with only a roundtable in 2016 and no events at all in 2017.

ISK sellers receiving a sales boost prior to Ascension
The reduced visibility of Team Security's actions came at a time when game design decisions began to favor the black marketeers. The first of those decisions was the creation of skill injectors on 9 February 2016.

The introduction of a way for players to purchase skill points not only resulted in a record demand for PLEX, but also gave a shot in the arm to ISK sellers, as the demand for hacked and botted ISK also increased. Sales shot through the roof.

Two weeks later, CCP announced an amnesty for ISK buyers:
Effective immediately, we are also offering amnesty for ISK buyers who come clean by emailing security@ccpgames.com with actionable evidence of people selling ISK. Such information should include:
  1. What you bought
  2. When you bought it
  3. From whom you bought it
  4. Proof of purchase – we’ll correlate with our own in-game logs. Usually your proof of purchase or receipt will include all of the 3 items above. 
For your honesty and cooperation, which is sincerely appreciated, you will not be banned. Other actions will be determined on a case by case basis.

We want to point out that this is not intended to encourage anyone to go and buy ISK – if you have already then you can come forward with actionable information and receive amnesty as described above. Repeat offenders who have previously utilized the amnesty program will of course not be viewed in such a positive light. 

Players who didn't take advantage of the amnesty, June 2016

In October 2016, Team Security took to social media to announce an RMT ban wave. Over 100 ISK buyers received bans. An interesting statistic emerged from the head of Team Security, CCP Bugartist, in that over 30% of hacked accounts had bought ISK and/or items off the black market before being hacked.

On 15 November, CCP introduced the Alpha clone state, the EVE Online version of free-to-play. The introduction of a free-to-play element to an MMORPG produces botting and RMT challenges to any game. In EVE's case, RMT operators took advantage of an exploit to gain access to free skill points.

The Ghost Training Dump-Off Of 2017
In May 2017, instead of crowing about a major RMT ban wave, CCP was responding to outrage over Ghost Training, which CCP defined as, "the use of alpha account status to accrue skillpoints at a more rapid rate than they are gained through normal alpha account gameplay, and/or train omega skills on an alpha account." Due to the nature of the exploit, CCP chose to email accounts that took advantage of the exploit asking for the skill points back. With that type of notice, the RMT operations detected dumped off their ISK to prevent taking a complete loss. The graphic above showed the effects at one black market site.

That brings the story up to the outrage that began in November 2017 described at the beginning of this post. The story of the botting Nyx in Omist hit mainstream gaming media outlets such as PC Gamer and MassivelyOP in beginning in January. At this point, CCP decided to conduct a press offensive of their own and presented CCP Peligro and CCP Grimmi to the gaming media in interviews with sites like Kotaku and PCGamesN.

In the interview with PCGamesN, CCP Peligro made a curious statement.
"We've been measuring bans for the longest time and we're not so sure [success there] has any impact, so now we're trying to measure player sentiment as the true indicator of whether or not we’re doing a good job."

In a game in which many players judge success by looking at killboards, I'm not sure that player sentiment will improve without a copious display of graphs. I also think that the latest change to the bot ban policy might prove hard to sell to some habitual critics of CCP:
As of March 1st, 2018, botting bans will be handled as follows:

Macro use/modified client
1st offense – 3-day temporary ban.
2nd offense – Permanent ban

The change is for the 1st offense which currently is a 30-day temporary ban. This is done to streamline the process and to make it all more user friendly. Players caught botting will get a painless chance to mend their wicked ways, and if they don't then they simply get removed from the game pronto and we can all move on.
Of course, nothing convinces people like success. If the security team can continue racking up ban numbers like the 1800 accounts banned in January, players may accept the results and pay little attention to the details.

No comments:

Post a Comment