Riot Games is waging a high-stakes, real-time battle against the multi-million dollar industry of video game cheating. By deploying its kernel-level anti-cheat system, Vanguard, the developer behind Valorant and League of Legends is successfully keeping competitive play clean, maintaining a cheater rate of less than 1% in ranked matches as of early 2025.
Phillip Koskinas, head of anti-cheat at Riot, oversees an aggressive, multi-pronged strategy that combines deep-system security with psychological warfare to neutralize cheat developers and their customers.
The Kernel-Level Strategy
Vanguard operates at the kernel level of the Windows operating system, granting it the highest possible privileges to monitor system integrity. Koskinas notes that the software enforces essential security protocols, including Trusted Platform Module (TPM) and Secure Boot. By verifying that hardware drivers are up to date and preventing unauthorized code execution, Vanguard creates a secure “playground” where tampering is immediately identified.
Undercover Operations and Psychological Warfare
Beyond technical barriers, Riot employs a “reconnaissance arm” that infiltrates cheat communities. Using undercover identities, team members acquire and catalog new threats before they reach the public. Riot often baits developers by leaking fake techniques to gain credibility, only to wait for the cheat to launch before banning the entire user base.
To discourage repeat offenders, Riot uses hardware “fingerprinting” to uniquely identify and lock out devices. The team also engages in public trolling, discrediting developers by exposing their Discord channels and mocking the performance of those who rely on “brainless” exploits.
The Evolution of the Cheater’s Toolbox
Cheating has evolved from simple software scripts into complex hardware-based attacks. The most sophisticated methods involve Direct Memory Access (DMA) cards. These high-speed PCI Express cards exfiltrate game memory to a separate computer, allowing players to view enemy locations and items on a second monitor without triggering detection.
Other methods include screen reader cheats, which use a second PC to analyze the game’s HDMI output and send input instructions to robotic hardware (like an Arduino) connected to the mouse. This enables near-perfect aim, though Koskinas argues that such precision is often a “tell,” as it lacks the natural variance of human movement.
Transparency in an Invasive System
Despite privacy concerns surrounding kernel-level access, Riot maintains that this level of intrusion is the only way to counter modern kernel-based exploits. To build trust with the player base, Koskinas is increasingly prioritizing transparency regarding how Vanguard functions.
“We’re not telling you what’s under the hood,” Koskinas said, “but we’ll tell you almost anything else.” By keeping the community informed about their methods, Riot aims to balance their invasive security requirements with a commitment to maintaining a fair, competitive environment for all players.