The ‘Leak’ of Warzone’s New Anti-Cheat System Was Actually Part of the Plan

The company pushed out the new RICOCHET anti-cheat system to some users to test its reliability, which inevitably led to it getting into the hands of cheat developers.
Image: Activision

On Wednesday, Activision bombastically announced its new anti-cheat system—called RICOCHET—and promised to eradicate most cheaters from its massively popular online games such as Call of Duty: Warzone. The system will run in the kernel, the core of the operating system, which controls and has access to most of the computer's functions and has the highest privileges. 


In the last few months, anecdotal evidence collected by Motherboard's Warzone players, as well as prominent streamers, showed an uptick in cheaters in Warzone games. Activision responded by banning around 200,000 accounts in July and August, announcing a new anti-cheat system, and publishing a tweet warning cheaters they "aren't welcome." 

The company said RICOCHET would be released later on, but on Thursday, the Call of Duty blog Modern Warzone reported that the anti-cheat system had "leaked" to cheat developers, going as far as theorizing that this may have been a "controlled 'leak'" designed to trick cheat developers. 

In reality, what happened is much more mundane. Activision has already released the system for some players, as a way to test its reliability and stability, according to two sources with knowledge of the company's plans, who asked to remain anonymous as they were not authorized to speak to the press.

In other words, cheaters being able to look at RICOCHET was inevitable and part of the plan. And it shouldn't help cheat developers that much. 


"That will help the people that would in any case be able to bypass that first version. The less advanced cheaters are screwed either way as they don’t have the skills to come fight in the kernel," one of the sources said. 

Do you develop cheats for games or reverse engineer anti-cheat software? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email

This is to be expected, according to an expert in anti-cheat systems. 

"They obviously don't want the cheat community to get early access to the driver but it's almost always going to happen if you do any sort of test with the public," Paul Chamberlain, who led Riot’s anti-cheat team and and the development of Vanguard, told Motherboard in an online chat. "So as long as they weren't testing with a non-release ready version (for example a non-obfuscated version or a version with debug symbols available) the only impact is that the cheat devs get a small head start. Running a public test is likely to be more valuable to Activision than the extra secrecy."

Activision, through its official Call of Duty Twitter account, confirmed that it had released an early version of RICOCHET to “select 3rd parties.”


“RICOCHET Anti-Cheat is in controlled live testing. Before putting it on your PC, we’re testing the hell out of it,” the tweet read.

Zebleer, the administrator of the cheat platform Phantom Overlay, told Motherboard in an email that they have been analyzing the early version of the anti-cheat.

"To me, it's still a leak because it was not intended for widespread access until later," they said. "This leak isn't threatening to COD in the same way that, for example, Twitch's source code leak was threatening to them. This is something we would have gotten our hands on upon implementation of the new anti-cheat anyways, and we would have began reversing it then rather than now. The only difference that the leak makes is that we have a head start, before implementation, to begin reversing & analyzing now."

"I can tell you that this driver was easy work. I am very surprised at how easy this was to reverse & analyze considering the massive amount of PR that COD did to hype up their new efforts in the anti-cheat space," they added. "Only top level spoofer providers will prevail over Ricochet, but there will be a few that do."

Thi story was updated to include a comment from Phantom Overlay’s developer and Activision’s tweet.

Joseph Cox contribued reporting and writing.

Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.