A theory that I have heard on the Eve Online forums and even in the comments on the blog is that Team Security is ignoring the little guy running single bots and concentrating on the botters running large scale operations designed to fuel illicit RMT rings. Apparently that belief was prevalent amongst users of the Eve Pilot family of bots. The following exchange I just found from the end of April is why I wrote "was prevalant".
28 April 2012
Famine: "But i think Slav has mentioned that single users of his program have not been banned since the middle of 2011 or something."I've heard mention of using VMWare to disguise a botter's IP address and to run multiple bots. I've also caught other mentions where users of VMWare are getting caught, although I've intentionally shied away from spelling out avoidance methods in great detail. If using VMWare is a practice that is likely to get a botter noticed, then I'm anxious to watch the tears flow. The botters know that Team Security uses IP addresses to ban players so they use VMWare to disguise them. But if VMWare is a red flag, what's a botter to do, go straight? That's crazy talk!
Slav2 (developer of Eve Pilot): "This statement was true before resent bans. Pre festival time has traditionally higher risk of a ban, when CCP collecting statistics to show in graphs. I think CCP made some changes in bot detection after festival. Some new ideas could appear when GMs collected statistics. Now single bots who use VMWare may be banned too."
What appears is occurring is that Team Security's technical detection methods were first extremely reliable detecting botting fleets or people stupid enough to bot longer than 12 hours a day, so that is what was banned. As time moved on and the detection methods improved, VMWare users of Eve Pilot are now detectable even if botting by themselves. No grand strategy of going after the illicit RMT trade first involved. CCP was just picking off the low hanging fruit and they now have brought out a ladder and are reaching a little higher.
Now if only we can get a new Security dev blog with an update. CCP Sreegs showed the CSM some fascinating stuff and I'd really like to hear the unclassified version.