Cheat Maker Is Not Afraid of Call of Duty’s New Kernel-Level Anti-Cheat

Games giant Activision wants to kick out cheaters from its massively popular Call of Duty games with a new anti-cheat system that will run with the highest privileges on users' computers. 

Activision announced its new anti-cheat system, called RICOCHET, on Monday. The company also said the new system will run in the kernel, the core of the operating system, which controls and has access to most of the computer's functions. Activision said the system will be deployed first with an update to Call of Duty: Warzone and will then be integrated into the upcoming Call of Duty: Vanguard "at a later date."

"The PC kernel-level driver monitors and reports applications that attempt to interact with Call of Duty: Warzone, allowing the RICOCHET Anti-Cheat team to determine if a machine is utilizing unauthorized processes to manipulate the game," Activision wrote in the blog post announcing the new system.

At least one developer of Warzone cheats so far is not deterred by RICOCHET, although their comments may be more marketing fluff than anything else. 

“Hello Ricochet anti-cheat. Goodbye Warzone only competitors who copy & paste from UnknownCheats,” the cheat developer, Phantom Overlay, wrote one of its Telegram channels. “Goodbye rage cheaters filling every lobby. Goodbye hacker vs. hacker. Hello Phantom Overlay.  Hello kernel-mode. Hello legitimate looking cheating. Hello fun."

“Rage cheaters” refers to players who use cheats in games in a way that makes it obvious to other players that they are cheating, as opposed to players who try to use cheats subtly without being detected. The developer is suggesting that RICOCHET will stop rage cheaters, but not more subtle cheaters. 

In an email an administrator for Phantom Overlay, who goes by the handle Zebleer, told Motherboard that “The hard part for the Ricochet team will be to be effective in kernel against us, which I do not believe they will be, especially at first, and even more so with a non-invasive approach.”

“Quality cheat sellers hate a cheating problem just as much as non-cheating players do. It means more competition for us, including very low quality competition. The Warzone cheat market in particular has been saturated & plagued with a ridiculous amount of providers who mostly paste their source from public or semi-private places such as UnknownCheats or GuidedHacking. We very much want a challenge so that we can overcome it & watch as many of our annoying competitors exit scam their customers, who will then come to us,” Zebleer added.

Earlier, the same developer warned their users that "during these uncertain times it's important that [Phantom Overlay] users exercise caution across the board. The best thing to do is probably take a break from the game for a few days as we learn more." (It's important to note that the new anti-cheat system has not been turned on yet.) 

Regular apps such as a video game—and most anti-cheat systems—or a text editor usually run with fewer privileges, in the so-called user space or user mode. By making the new anti-cheat system run in the kernel, where it has the highest privileges, Activision hopes the system will be able to monitor more processes, including cheat applications.  

The company teased the announcement in an over-the-top tweet on Tuesday.

"Dear cheaters," the tweet read. "Cheaters aren't welcome. There's no tolerance for cheaters, and soon you'll know what we mean." 

Activision is not the first company to turn to kernel-level anti-cheat systems to combat cheaters. 

In 2020, Riot Games launched a kernel-level anti-cheat system called Vanguard (not to be confused with the upcoming Call of Duty game of the same name), that was designed to detect cheats in the company's online shooter Valorant. At the time, security experts, as well as some players, worried that the system was too invasive, and that it was effectively a surveillance system designed to run at all times, even when the game wasn't running. Riot later changed this and allowed users to disable Vanguard when not playing Valorant, and the system is considered to be largely successful at combating cheaters.

Activision said that its RICOCHET anti-cheat system "will only operate when you play on PC."

"The driver is not always-on. The software turns on when you start Call of Duty: Warzone and shuts down when you close the game," the blog post read. " Plus, the kernel-level driver only monitors and reports activity related to Call of Duty. "

People who have worked to secure games and fight cheaters have no doubt that a kernel-level anti-cheat system is the best way to win the endless cat-and-mouse game between video game developers and cheat developers. 

"As companies assess the cheating landscape they notice that cheat devs are becoming more sophisticated and it's now common for cheats to have kernel components and those cheats are becoming more difficult to address without also being in the kernel," Paul Chamberlain, who led Riot’s anti-cheat team and and the development of Vanguard, told Motherboard in an online chat. 

Moreover, Chamberlain added, players accept and have gotten more used to these kinds of anti-cheat systems, thanks to Vanguard and others such as Easy Anti-Cheat and Battleye. 

"I think companies are taking cheating more seriously and are willing to invest more resources into the problem and so they are less intimidated by more sophisticated technologies like kernel drivers," Chamberlain concluded. "This can happen when you start hiring more dedicated anti-cheat staff because the programmer you already have will be much more comfortable working with game code in user mode while anti-cheat specialists are more likely to have familiarity with kernel development and so are more likely to be comfortable recommending it to decision makers." 

The RICOCHET system is Activision's latest salvo in its battle against cheaters, which has been heating up in the last few months. In July and August alone, Activision banned 200,000 accounts accused of cheating in Warzone, bringing the total of banned accounts since the launch of the game in 2020 to more than 700,000. 

“Will Ricochet be effective overall? Yes. I think that the "cheating problem" in Call of Duty is officially over upon Ricochet's arrival, and we are all thankful for that,” Zebleer told Motherboard.

Joseph Cox contributed reporting.

Update: This piece has been updated to include comment from Zebleer.

Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.