Monday, December 23, 2013

The War On Bots & Illicit RMT - 2013 In Review

To tell the truth, I did not expect to write a review post this year.  I was surprised at the amount of news on the subject that actually came out over the past 12 months.  Last year I just included "War on Bots" in the title and just put in illicit RMT as a side issue.  This year covering the illicit RMT trade makes up a good chunk of the the news in 2013.  Also, I started covering the secondary RMT market in other games.  In some ways that was in response to the sheer magnitude of what I saw.  But more importantly, the games industry is starting to look at what CCP is doing to combat the illicit RMT trade and copying elements of CCP's strategy.  In particular, the adoption of PLEX-like objects by Jagex into Runescape (Bonds) and Carbine into the upcoming sci-fi MMORPG Wildstar (C.R.E.D.D.) show how other game companies view CCP's PLEX strategy.

But what about the news from 2013?  The year started out with many ISK selling sites raising prices due to CCP's efforts in the fourth quarter of 2012.

Between 23 December 2012 and 13 January 2013 eight web sites increased their prices an average of 25.1% with six companies raises prices by 20.4% between 6 January and 13 January.

The news in January was not just about the efforts of Team Security.  When the CSM 7 Winter summit meetings were published, an initiative came to light to get better information on players.  In order to gather that information, CCP would need to link users across multiple accounts.  While that demographic information is useful for game designers creating content and tracking the economy, the information would also make it easier to track down botters and ISK sellers to ban more of their accounts when discovered.

In February New Eden saw the great EVE University market bot scandal.  A member of EVE University was detected using a market bot, received a 14-day ban, but did not have any ISK gained from the activity confiscated.  The player then donated 317 billion ISK to EVE University and apparently bio-massed the character and quit EVE.  EVE University then petitions the donation and CCP confiscates the ISK.  What made the story a scandal was a member of the Council of Stellar Management going public and questioning the integrity of Team Security.  Once facts about a ban usually held private were revealed the scandal slipped away.

Also in February an amusing incident occurred involving an ISK selling company and a web designer who left the debug option active.  The resulting errors that displayed for days when attempting to access one website showed the connections between 3 ISK selling sites.  The lesson is that those engaged in illicit RMT aren't above a little trickery to increase sales.

March was an eventful month that saw Team Security add checks for known botting software and other hacks.  The first target was an application called Red Guard.  Red Guard is designed to spoof CCP's digital fingerprinting software so if a botter is caught that Team Security does not ban all of the botter's accounts.  This actually resulted in a call by Red Guard users to restrict access to the public.  Six days later Red Guard went from freeware to a $25 application with an additional $25 for updates.

With Team Security adding software detection to its anti-bot algorithms the question then arose on whether the multi-boxing software ISBoxer was no longer allowed.  This became more likely as CCP had made a ninja edit to a page on the old forums that Lavish Software was using as part of its marketing efforts.  According to bot developers, CCP was only trying to detect two Inner Space extensions, DirectEVE and ISXEVE, and not anyone using Inner Space.  CCP also later announced that ISBoxer users would not receive bans as long as the software was only used for multi-boxing.

Partly as a result of Team Security's increased anti-botting measures activity on Tranquility dropped 8.2% from 21 February to 14 March.

The month ended with a change in the penalty for botting.  Instead of a three strikes policy, botters would receive a 30 day ban for a first offense and a permanent ban for the second offense.

In April, the news focused more on hacks affecting the client rather than directly against bots.  For the first time cache scraping was explicitly declared a violation of the EULA but that CCP would not enforce penalties against those engaging in the practice.  Also, 2350 players received a 30 day ban for using an autopilot warp to zero hack.  While the hack involved client modification the decision was made to only impose a 30 day ban because of the lack of enforcement in the past.

May and June were fairly quiet although two events did occur in June that I did not write about.  The first occurred on 2-3 June as EVE Online was the target of a DDoS attack.  Tranquility and associated websites were taken down as a precaution against hackers using the attack as cover for another type of attack.  Later in June Blizzard's Mobile Armory was hacked and hundreds, if not thousands, of accounts stripped of gold.  That the hackers were able to bypass Blizzard's vaunted authenticator system is a warning to CCP for when it opens up the CREST API to 3rd party developers.

Events remained quiet until the end of July when CCP Stillman and the official EVE Online Twitter account released a graphic demonstrating a drop in bot bans.  CCP Stillman attributed the drop in the changes to ice belts and null sec rats introduced in Odyssey.

The drop was not allowed to last as three days later CCP Stillman tweeted about CCP Peligro instituting a new ban wave.  The effort continued throughout August, with ISK selling sites showing the effects in late August as between 18-25 August 9 of the 12 ISK sellers on my watch list raised prices by an average of 17.9%

September was another busy month as companies besides CCP made headlines with their efforts against the illicit RMT trade.  Square Enix, the maker of Final Fantasy XIV, seized 367 billion gil, worth between $2.5 and $4.2 million, in a three-week operation in the second half of the month.  Jagex, the makers of Runescape, acknowledged that banning 1.1 million accounts in 2013 was not enough and instituted Bonds, a PLEX-type instrument.  While Jagex claimed Bonds have nearly eradicated gold farming, I'm withholding judgement until more data is available.

But September was also a significant month for ISK sellers as well.  The upwards trend of the price of ISK on the secondary market peaked on 22 September as the median price on my watch list exceeded that of the price obtainable from purchasing PLEX directly from CCP and selling the PLEX in Jita.  At that time, two major secondary market virtual currency sellers, IGE and MOGS, dropped out of the EVE Online ISK market.

The subsequent drop in the price of illicit ISK due to less companies fighting over the available supply was overshadowed by the SOMERblink RMT scandal.  The scandal began with DNSBlack going on the EVE Online forums and declaring his intent to RMT money, items, and characters legally.  While his scheme fizzled out, one enterprising capsuleer managed to become an affiliate of Shattered Crystal and set up shop on the EVE Online forums using the same process as SOMERblink to eventually RMT 188 billion ISK

The loophole involved using the EVE Time Code sellers agreement to override the EULA.  That allowed SOMERblink to give those who purchased game time codes from first Shattered Crystal, and later Markee Dragon, 200 million ISK for purchasing each ETC.  The exact amount of ISK laundered in that fashion is not known, but the real world value was $135,000 when SOMERblink was an affiliate of Shattered Crystal.  As a result of the uproar CCP's legal counsel Bill Winter sent all ETC sellers a letter announcing a closing of the loophole and giving the sellers until 7 November to make sure any player affiliate complied fully with the EULA in these matters.  SOMERblink then poured fuel onto the outrage of its critics and held a liquidation sale right up until the deadline.

On the secondary RMT market prices declined throughout October and November as additional companies stopped selling ISK.  The site Safe EVE ISK let its domain lapse in late October/early November.  And two other websites, In Game Delivery and IGXE, stopped selling ISK in mid-November.

Team Security did try to open up a new front on the War on Bots in November with efforts to silence the spambots in the trade hubs.  But the spambots did return and those spotted two weeks into the effort are still present and spamming.

December's main news came from an unexpected source: the latest document leaks from Edward Snowden concerned the efforts of U.S. and British intelligence to infiltrate and spy on Second Life and World of Warcraft.  Since virtual worlds could provide a way to launder money, I looked at a popular player auction site to look at the potential size of the secondary RMT market.

Just based on a one day snapshot the market for WoW gold is just so much larger than all other games combined.  Those wishing to hide any laundering activity could use the secondary WoW market to launder money without leaving much of a trace.  I should add that the size of the market is very volatile, as the amount of ISK for sale at the site jumped from 1.8 trillion ISK to 10.9 trillion ISK in the course of 24 hours this weekend.

In the end 2013 was a rather eventful year when the subject was botting and illicit RMT.  While I write rather extensively on the subject, I hope that next year sees a decrease in the amount of newsworthy activity.  I wouldn't mind writing less.  Honest.


  1. 10.9 trillion ISK available on one site, with a jump of 9 trillion in 24 hours. Sounds like goon leadership made their monthly deposit.

    You do great work sir. Have a wonderful holidays.

  2. $25 million traded in one day on one of 3 sites similair in size, Thats fucking mental, Some of these gold companies must have made huge bank in the last ~8 years.

    1. Sorry, not sold in a day. The snapshot was of how much was for sale. The numbers tend to jump around.