This is not a post about anti-cheats or the technical aspects of exploiting and exploit prevention. This is a post targeting the severe lack of tooling and support provided by Roblox in regards to exploiting and dealing with generally abusive users.
I would encourage readers to share their own testimonials and experiences with exploiters. The intent of this post is to vent frustrations and bring awareness to an ever worsening issue, not to serve as a hub for advice on dealing with these issues. Please considering making proper tutorial posts in #resources:community-tutorials instead.
EDIT: This was moved to the feature requests section and some people may not be able to reply. Sorry!
My background
I have been playing and making games on the platform for almost 10 years. I have developed and assisted in developing multiple large games as well as a number of smaller projects. Over the years I have connected with developers in every field and Iâve been lucky enough to participate in the Accelerator program twice.
I have invested a lot into this platform both personally and professionally, both a developer and as a user. I am by no means an authority on exploiting and moderation but I am somebody with years of hands on experience tackling these issues as a developer.
My current project (at the time of writing this) is a 100 Robux paid access game with a relatively small average player count (~200). Itâs a zombie survival game with some perma-death mechanics. Our ban statistics for the last ~1 year are as follows:
- September 2021: 390 bans by moderators, 252 bans by anti-cheat
- October 2021: 427 bans by moderators, 246 bans by anti-cheat
- November 2021: 409 bans by moderators, 297 bans by anti-cheat
- December 2021: 433 bans by moderators, 404 bans by anti-cheat
- January 2022: 370 bans by moderators, 531 bans by anti-cheat
- February 2022: 403 bans by moderators, 424 bans by the anti-cheat
- March 2022: 403 bans by moderators, 247 bans by the anti-cheat
- April 2022: 516 bans by moderators, 386 bans by the anti-cheat
- May 2022: 756 bans by moderators, 399 bans by the anti-cheat
- June 2022: 652 bans by moderators, 489 bans by the anti-cheat
EDIT: Our game went free to play! Iâve made a follow up reply that contains our opening month ban statistics. I wonât be updating this list anymore or further replying with new ban statistics.
These are the accounts that have been caught with sufficient evidence to warrant a ban. Hundreds of names get added to our watch list that have yet to be observed exploiting by our moderation staff.
These ban statistics are alarming for me. This is a game with a barrier to entry (100 Robux), and itâs a game with a fairly low population. In our case, user reports of âexploiters in every serverâ are not at all unfounded.
Since implementing a support ticket system in our Discord community we have opened 15638 support tickets where users report exploiters, and 4845 support tickets where users wish to have their account(s) unbanned. These are just the reports that people have bothered to officially log. Countless reports go undocumented.
In total ~27000 accounts have been banned from our paid access game with a safe estimation that 90% of those bans being exploit related, the rest being abusive user behavior.
As a developer I have been tasked with creating my own moderation systems, my own logging system(s), my own support network, my own moderator teams and tooling for them, my own anti-cheat, my own cultural protection systems, and I am responsible for a number of smaller jobs targeted towards customer service.
It is not an insignificant amount of my daily time that goes towards dealing with exploit and customer service related incidents. In my personal opinion this situation is only getting worse and I am at my limit (or very close to it) with what I can do as a developer to tackle these issues.
A severe lack of tooling
Itâs important when reading this section to remember that developers of all skill levels exist and are impacted by exploiters. To those who say âget goodâ remember that just because you grasp the tech and concepts, doesnât mean others do.
Currently the only way to keep somebody out of a game is to call the player:Kick()
method after theyâve joined the place. Thatâs it. There is no :Ban()
, there is no automated way of keeping people out, there is no way to stop them from being able to press âplayâ.
The lack of a first party ban system intrinsically means there is no first party ban-specific database available for developers to use. Developers are expected to use DataStoreService or 3rd party services to track this information themselves.
There should not be that steep of a learning curve involved with banning players. The effort that goes into creating proprietary ban systems should not be undermined by the inability to properly ban users. Only being able to ban user accounts is not a sufficient solution when account creation is free.
The developer that does not know how to sufficiently code these systems is left in a situation where they either do nothing, or they implement a 3rd party solution. This can have as high of a leaning curve as doing it yourself, and it risks bringing incompatibility issues into projects.
I understand that there is no zero-skill solution, there will always be some technical knowledge required to properly implement moderation tooling - it just should not be as hard as it currently is given how important moderation is to the health of a game.
Logging tools and customer support systems provided by Roblox would be very nice to have but I understand that they are a whole other can of worms to get into. That being said I think there should still be developer facing API systems available to assist in services other than basic moderation tools.
Developers are expected to write or use tooling that in practice is essentially the same in every game. It is time for Roblox to own this issue on a first party basis and properly assist developers with tooling so we can better solve issues that everyone is eventually faced with.
As a developer I cannot reasonably be expected to deal with issues whose solutions exist outside of the limitations applied to developers. It does not feel like Roblox does enough to close this gap and it results in developers being expected to shoulder tech debt in place of features a modern social platform should be providing.
Support systems
As a developer with a game that isnât high-up on any charts I currently have zero support networks available to me to help solve critically important moderation and exploit related issues in my game.
For almost a week users were crashing my game servers with external tooling. I was lucky enough at the time to be taking part in the accelerator program where I could easily reach out for help. I donât know what I could have done if I wasnât in the right place at the right time. The privilege of having that connection was my saving grace and itâs something that isnât available to a vast majority of developers.
As a developer what am I supposed to do about networks of exploiters (paid and free) who target my game and harass my staff. It feels like the expectation is for developers is to tit-for-tat back. Where do I report (with evidence) illegal and ToS breaking activities that will actually see results or at least a human response?
For years now people who play my game have been purchasing exploits (not the injectors, the exploits the injectors run) off site and for various currencies (USD, crypto, robux, so on). These users and the people who write these exploits are notorious for being abusive in action and in language to not only my games staff, but also to the users who donât exploit. I have always pressed the report button and I have yet to see any action ever come from doing so.
As a developer who is interested in protecting my game from exploiters I have little to no targeted resources to learn from. The developer forum is hit and miss in both content and quality, and there arenât sufficient first party published articles on exploits or moderation practices.
The article below is the only one that shows up on the developer wiki. It instructs people to turn off loadstring, gives 2 paragraphs on server validation, and says you should check models for suspicious scripts. There are no first party resources on moderation, exploiting concepts, quirks of the engine to watch out for, best practices, or even a list known common exploits to watch for. We get nothing.
I do not feel like there are nearly enough quality resources to assist developers when it comes to front line moderation and security. I do not feel like community resources are accurate enough or accessible enough to be useful, and I do not feel like it should be a communal responsibility create important resources that the platform should be providing in the fist place.
Culture
I canât speak to the experiences of others but my game communities have greatly suffered because of exploits. Fifteen minutes donât go by without somebody complaining about exploiters. A day doesnât go by where Iâm not told to âget an anti-cheat, lazy devâ. The toxic and abusive culture that exploiters are rooted in has rotted away the trust my community has in itself and in me as a developer. Despite my best efforts to build functioning anti-cheats and arm my moderators with tools, I will never be able to build a better culture for my communities so long as Roblox as a whole fails to address exploiting in a more hands on way.
The language we see used by children, teens, and young adults when appealing bans is concerning as well. These users either blatantly lie to us and claim they were false banned, even after being shown proof of them cheating, or they just donât care because exploiting is just apart of the game for them now.
We have had users who see nothing wrong with the exploits they use. âIâm not abusing itâ, âI speed hacked to get to X quickerâ, âESP is to avoid fly hackersâ, âI use no recoil so itâs easierâ. Some of these people even equate exploiting to be âthe same as modding minecraftâ and see no fault in what they were doing, let alone risk.
People will open report tickets claiming they were âkilled by somebody with aimbotâ or âspotted with ESPâ when in reality it was a totally normal gameplay interaction. These players are being conditioned to cry wolf at the slightest hint of a suspicious encounter because running into exploiters is such a common occurrence now.
The accessibility and availability of exploits is a serious issue in and of itself but the impact itâs having on game communities is shockingly bad and is rarely every mentioned. The normalization of exploiting is a serious degradation issue that impacts the health of developers, communities, and the games they all enjoy.
In closing
I do not feel supported as a developer by Roblox when it comes to maintaining the social and functional health of my game. Exploiting is a rampant issue that feels largely ignored, cries for help often go unheard and unanswered, and the cultural damage is unprecedented and in some cases irreversible.
I am not ignorant to the fact that Roblox does make an effort to address these issues. I just donât feel like there is any presence to those actions. Responding to these issues should ideally be a collaborative effort between developers and Roblox but it more often than not feels like developers are left stuck between an unstoppable force and an immovable object.
Tech and security improvements that combat exploits are always appreciated but other developer facing parts of this system really need some attention. If we canât be apart of the technical fight then please better enable us to repair the social and education issues surrounding exploits.