Developers are not equipped to deal with exploiters

This is not a post about anti-cheats or the technical aspects of exploiting and exploit prevention. This is a post targeting the severe lack of tooling and support provided by Roblox in regards to exploiting and dealing with generally abusive users.

I would encourage readers to share their own testimonials and experiences with exploiters. The intent of this post is to vent frustrations and bring awareness to an ever worsening issue, not to serve as a hub for advice on dealing with these issues. Please considering making proper tutorial posts in #resources:community-tutorials instead.

EDIT: This was moved to the feature requests section and some people may not be able to reply. Sorry!

My background

I have been playing and making games on the platform for almost 10 years. I have developed and assisted in developing multiple large games as well as a number of smaller projects. Over the years I have connected with developers in every field and I’ve been lucky enough to participate in the Accelerator program twice.

I have invested a lot into this platform both personally and professionally, both a developer and as a user. I am by no means an authority on exploiting and moderation but I am somebody with years of hands on experience tackling these issues as a developer.

My current project (at the time of writing this) is a 100 Robux paid access game with a relatively small average player count (~200). It’s a zombie survival game with some perma-death mechanics. Our ban statistics for the last ~1 year are as follows:

• September 2021: 390 bans by moderators, 252 bans by anti-cheat
• October 2021: 427 bans by moderators, 246 bans by anti-cheat
• November 2021: 409 bans by moderators, 297 bans by anti-cheat
• December 2021: 433 bans by moderators, 404 bans by anti-cheat
• January 2022: 370 bans by moderators, 531 bans by anti-cheat
• February 2022: 403 bans by moderators, 424 bans by the anti-cheat
• March 2022: 403 bans by moderators, 247 bans by the anti-cheat
• April 2022: 516 bans by moderators, 386 bans by the anti-cheat
• May 2022: 756 bans by moderators, 399 bans by the anti-cheat
• June 2022: 652 bans by moderators, 489 bans by the anti-cheat

EDIT: Our game went free to play! I’ve made a follow up reply that contains our opening month ban statistics. I won’t be updating this list anymore or further replying with new ban statistics.

These are the accounts that have been caught with sufficient evidence to warrant a ban. Hundreds of names get added to our watch list that have yet to be observed exploiting by our moderation staff.

These ban statistics are alarming for me. This is a game with a barrier to entry (100 Robux), and it’s a game with a fairly low population. In our case, user reports of “exploiters in every server” are not at all unfounded.

Since implementing a support ticket system in our Discord community we have opened 15638 support tickets where users report exploiters, and 4845 support tickets where users wish to have their account(s) unbanned. These are just the reports that people have bothered to officially log. Countless reports go undocumented.

In total ~27000 accounts have been banned from our paid access game with a safe estimation that 90% of those bans being exploit related, the rest being abusive user behavior.

As a developer I have been tasked with creating my own moderation systems, my own logging system(s), my own support network, my own moderator teams and tooling for them, my own anti-cheat, my own cultural protection systems, and I am responsible for a number of smaller jobs targeted towards customer service.

It is not an insignificant amount of my daily time that goes towards dealing with exploit and customer service related incidents. In my personal opinion this situation is only getting worse and I am at my limit (or very close to it) with what I can do as a developer to tackle these issues.

A severe lack of tooling

It’s important when reading this section to remember that developers of all skill levels exist and are impacted by exploiters. To those who say “get good” remember that just because you grasp the tech and concepts, doesn’t mean others do.

Currently the only way to keep somebody out of a game is to call the player:Kick() method after they’ve joined the place. That’s it. There is no :Ban(), there is no automated way of keeping people out, there is no way to stop them from being able to press “play”.

The lack of a first party ban system intrinsically means there is no first party ban-specific database available for developers to use. Developers are expected to use DataStoreService or 3rd party services to track this information themselves.

There should not be that steep of a learning curve involved with banning players. The effort that goes into creating proprietary ban systems should not be undermined by the inability to properly ban users. Only being able to ban user accounts is not a sufficient solution when account creation is free.

The developer that does not know how to sufficiently code these systems is left in a situation where they either do nothing, or they implement a 3rd party solution. This can have as high of a leaning curve as doing it yourself, and it risks bringing incompatibility issues into projects.

I understand that there is no zero-skill solution, there will always be some technical knowledge required to properly implement moderation tooling - it just should not be as hard as it currently is given how important moderation is to the health of a game.

Logging tools and customer support systems provided by Roblox would be very nice to have but I understand that they are a whole other can of worms to get into. That being said I think there should still be developer facing API systems available to assist in services other than basic moderation tools.

Developers are expected to write or use tooling that in practice is essentially the same in every game. It is time for Roblox to own this issue on a first party basis and properly assist developers with tooling so we can better solve issues that everyone is eventually faced with.

As a developer I cannot reasonably be expected to deal with issues whose solutions exist outside of the limitations applied to developers. It does not feel like Roblox does enough to close this gap and it results in developers being expected to shoulder tech debt in place of features a modern social platform should be providing.

Support systems

As a developer with a game that isn’t high-up on any charts I currently have zero support networks available to me to help solve critically important moderation and exploit related issues in my game.

For almost a week users were crashing my game servers with external tooling. I was lucky enough at the time to be taking part in the accelerator program where I could easily reach out for help. I don’t know what I could have done if I wasn’t in the right place at the right time. The privilege of having that connection was my saving grace and it’s something that isn’t available to a vast majority of developers.

As a developer what am I supposed to do about networks of exploiters (paid and free) who target my game and harass my staff. It feels like the expectation is for developers is to tit-for-tat back. Where do I report (with evidence) illegal and ToS breaking activities that will actually see results or at least a human response?

For years now people who play my game have been purchasing exploits (not the injectors, the exploits the injectors run) off site and for various currencies (USD, crypto, robux, so on). These users and the people who write these exploits are notorious for being abusive in action and in language to not only my games staff, but also to the users who don’t exploit. I have always pressed the report button and I have yet to see any action ever come from doing so.

As a developer who is interested in protecting my game from exploiters I have little to no targeted resources to learn from. The developer forum is hit and miss in both content and quality, and there aren’t sufficient first party published articles on exploits or moderation practices.

The article below is the only one that shows up on the developer wiki. It instructs people to turn off loadstring, gives 2 paragraphs on server validation, and says you should check models for suspicious scripts. There are no first party resources on moderation, exploiting concepts, quirks of the engine to watch out for, best practices, or even a list known common exploits to watch for. We get nothing.

I do not feel like there are nearly enough quality resources to assist developers when it comes to front line moderation and security. I do not feel like community resources are accurate enough or accessible enough to be useful, and I do not feel like it should be a communal responsibility create important resources that the platform should be providing in the fist place.

Culture

I can’t speak to the experiences of others but my game communities have greatly suffered because of exploits. Fifteen minutes don’t go by without somebody complaining about exploiters. A day doesn’t go by where I’m not told to “get an anti-cheat, lazy dev”. The toxic and abusive culture that exploiters are rooted in has rotted away the trust my community has in itself and in me as a developer. Despite my best efforts to build functioning anti-cheats and arm my moderators with tools, I will never be able to build a better culture for my communities so long as Roblox as a whole fails to address exploiting in a more hands on way.

The language we see used by children, teens, and young adults when appealing bans is concerning as well. These users either blatantly lie to us and claim they were false banned, even after being shown proof of them cheating, or they just don’t care because exploiting is just apart of the game for them now.

We have had users who see nothing wrong with the exploits they use. “I’m not abusing it”, “I speed hacked to get to X quicker”, “ESP is to avoid fly hackers”, “I use no recoil so it’s easier”. Some of these people even equate exploiting to be “the same as modding minecraft” and see no fault in what they were doing, let alone risk.

People will open report tickets claiming they were “killed by somebody with aimbot” or “spotted with ESP” when in reality it was a totally normal gameplay interaction. These players are being conditioned to cry wolf at the slightest hint of a suspicious encounter because running into exploiters is such a common occurrence now.

The accessibility and availability of exploits is a serious issue in and of itself but the impact it’s having on game communities is shockingly bad and is rarely every mentioned. The normalization of exploiting is a serious degradation issue that impacts the health of developers, communities, and the games they all enjoy.

In closing

I do not feel supported as a developer by Roblox when it comes to maintaining the social and functional health of my game. Exploiting is a rampant issue that feels largely ignored, cries for help often go unheard and unanswered, and the cultural damage is unprecedented and in some cases irreversible.

I am not ignorant to the fact that Roblox does make an effort to address these issues. I just don’t feel like there is any presence to those actions. Responding to these issues should ideally be a collaborative effort between developers and Roblox but it more often than not feels like developers are left stuck between an unstoppable force and an immovable object.

Tech and security improvements that combat exploits are always appreciated but other developer facing parts of this system really need some attention. If we can’t be apart of the technical fight then please better enable us to repair the social and education issues surrounding exploits.

Thanks for sharing. As someone who’s also dealt with similar issues, I sincerely hope Roblox plans to combat exploiting in some way in the future.

As it stands now, all we can do is ban exploiters or create our own tools to ban them from our games automatically, which can take up considerable development time and often doesn’t even solve the root problem. If an exploiter is caught, they can just spend 30 seconds creating a new Roblox account and find ways to circumvent bans.

The unfortunate reality is most devs (understandably) end up choosing to prioritize content, whereas games that focus on fighting exploiters get stuck in a neverending battle.

Exploits are one of the top things we think about when designing our features & experiences, since anything competitive will likely not work well once the exploits are rolled out.

I wish Roblox would take legal action against exploit creators & distributors, the same way other large companies do.

it’s an issue that can only be fixed by those least likely to listen. I also find it funny how everyone’s first solution is to say “LolManEpic999 used an exploit on my game, so roblox should sue the creator of the exploit!!!”. If Roblox thought it’d be worth their time, they would’ve already done it. The legal team of Roblox isn’t ignorantly unaware of exploits, they just don’t see it worth it. Any damage caused by exploiting would be lesser than what it would cost to sue a big exploit(like Synapse X). The best thing Roblox could do is try to detect injections instead of changing a few numbers every week. It’d also helped if they actually banned people for cheating, instead of kicking for “Unexpected client behavior”, and not allowing the person to play Roblox for 30 minutes.

In Zombie Strike, we automatically poison an account when they use a several year old cheat. We have had 2,311 of these incidents in over 2 years. God only knows how many cheaters we’ve had over the years that were using a recent cheat.

Roblox not having any sort of in-game banning system is horrific. A basic HWID/IP ban would do absolute wonders. Every time this is brought up, people mention HWID randomizers (which could be done by exploits), and VPNs. They fail to consider that most people who use exploits are little baby kids who don’t have VPNs. A basic banning system would do miles. It is absolutely miserable that it is an extremely common occurence for someone to literally download cheats mid-game on Roblox, maybe get banned by an admin, then join back on a new account a moment later.

This is not even to mention the amount of cheating that is just a part of the Roblox platform.

Exploiters can still delete any non-part object in their characters. There is no excuse for this behavior to not be togglable (and then disabled by default).

Exploiters can still delete any object in their Player instance if their character is not set. There is no excuse for this behavior to not be togglable (and then disabled by default).

(Don’t tell me to track it with scripts, I shouldn’t freakin’ have to!)

Automatic animation replication, automatic Motor6D replication, etc are all features that can be nice to have, but should not be baked in to using characters.

The frequency of cheaters is an extremely large part as to why I do not play Roblox games anymore. A few months back I joined a game, beat a few people in combat, and got to watch them literally download cheats right then and there. I haven’t gone back to that place since, and it’s not the developer’s fault.

I explicitly mention this in the post. It’s not a reason to give up and try to do nothing. That’s why it would be nice for IP bans as well. In fact, being able to tell from the developer’s side when someone has a weak HWID randomizer (one that randomizes often) would be an extremely good red flag for developers to look closer into.

In a non-Roblox game I manage with thousands of monthly active users, we do both HWID and IP bans. HWID randomizers are common, and yet HWID bans still stop an extreme amount of people, and in other cases, will give a huge red flag for other accounts. For instance: if a person joins on a new account with a banned HWID, and randomizes their HWID, we can poison the account and require they get a new one, adding more barriers to entry.

These measures work, I literally use them every day outside of Roblox.

i think the reason people are just so opposed to it is because of fear of developers with bad intentions. plus it could have complications with COPPA as it would allow any game developer, big or small, to collect HWID and IPs from children. even if roblox somehow allows you to ban certain HWIDs and IPs without seeing them, it would never stop the unrational paranoia of users(did you see the unncessary outrage that came from giving users the optional choice to ID verify?). roblox is just really different from any other platform

You don’t need the ability to collect HWIDs to support HWID bans, even though it would catch more of the cases of what I’m talking about.

Most users will have no idea it’s even a feature, most users are young children who are playing games with their friends. I don’t care about YouTubers fear mongering or similar, the gains from being able to ban most people overwhelmingly outweighs that.

I have been dealing with banning and general moderation of users in our game for 8 years now. It is absolutely bewildering that a platform like ROBLOX does not offer a proper moderation system. For company that prides itself in providing as many tools as possible to developers, it’s missing this feature that should’ve been present by day one.

The amount of time I put into my game to make sure it has proper measures to combat (most) exploits used by exploiters is horrendous. Not like it really matters since exploiters usually find a way around everything.

I was thinking of implementing a client-sided anti-cheat to stop some basic exploits but realized it’s substantially useless considering exploiters can do anything they want with their Roblox client.

Adding some more statistics here, my experience is a semi-competitive shooter with around 1.5mil monthly active users:

Over the past 7 months our automatic anti-cheat measures have logged over 240,000 instances of accounts exploiting and banned over 150,000 accounts, with our user moderators catching and banning thousands more.

Despite our best efforts, exploiters are still a major issue. Players constantly complain about hackers, tell us to ‘get better anticheat’, and have their experiences ruined by kids who downloaded scripts off youtube because they’re that easy to get.

A large amount of dev time has to be put toward finding, testing, and patching exploits that could be better spent elsewhere if we were given proper tools to deal with the exploiters we already catch.

Over the last 5 years our mod team has banned over 5000 people from WFYB and associated games. This is through purely user-reported exploits, and represents a very small amount of overall exploits on Roblox. It’s common knowledge that exploits are easily and freely available for any game.

It is very common for top developers to be forced to implement the following:

1. A custom ban system and website with ticket handling
2. Automated anti-exploit since not every input or process can be legitimately secured through normal means on Roblox.
3. Manage a moderation team from the game’s community

Exploits in certain experiences can be ok (social games, et cetera), but when they ruin the gameplay for others, this becomes unacceptable.

It’d be really cool if Roblox could solve this for us, this is literally a non-trivial amount of time for each and every developer right now.

Adding onto statistics here, BedWars has implemented several detections for specific exploits and cheats in the past. Historically, our detections have accumulated tens of thousands of individual accounts in just 72 hours, depending on the time of year. In the past, we’ve been able to have real-time analytics on the number of exploiters actively playing the game and the rate at which legitimate players will play against a cheater. Without going into specifics, those numbers were (and presumably still are) horrendously bad.

Roblox needs to provide better tooling for dealing with bad actors at scale. Not only implementing a robust banning mechanism but also tools for moderating games and dealing with reports. Roblox already has a built-in report category for exploits, but it is not exposed to developers.

Having to extensively sink my own development time and energy into designing systems to deal with exploiters and into designing tools for moderators to deal with exploiters is incredibly exhausting work, and the idea of doing such a thing has completely shut down any motivation I had to work on specific types of projects.

When it comes to all this, Roblox is either downright negligent or even working against efforts that developers could employ to combat developers (by patching out weird quirks of the engine that were used to detect exploits on the client-side). The attitude (or rather lack there of) they have taken towards mitigating exploits is quite simply disheartening.

Alongside all that, Humanoids and NetworkOwnership as a whole are horribly flawed against exploiters. There is no easy way to prevent most movement / physics exploits in one fell swoop unless you were to go out of your way to develop an server-authoritive networking model for your character (which no developer should ever have to do for all the pain that comes with it) and extensively control and monitor the physics and network owners of in-game physics objects.
To emphasize how bad all that is, it is possible to outright kill people with only a tool, and fling them around by just making your character spin erratically.

For reference, one of the games I work on has around 30,000 bans, and those are just the ones handed out by moderators.

You misread my post. Literally the entire post before it is arguing in favor of HWID bans.

My bad, I was reading like 3 different post and misread yours.

In Deepwoken, our most recent paid access game, we’ve detected around 60,000 accounts exploiting, and we have around 40,000 bans on record for exploiting in the first 4 months alone. That’s about 8% of the accounts who have purchased the game.

In Rogue Lineage, our previous paid access game, we have around 150,000 anti-exploit bans on record, not counting moderator bans. This accounts for about 15% of the accounts who have purchased the game.

Players who get banned just make new accounts, buy the game again, and exploit all over again. Their Roblox account suffers no repercussions for this behaviour no matter how many games they exploit. The only exploiters who actually see punishment are the tiny few actually making exploits, not the thousands of script kiddies who buy the exploits. Roblox offers no built-in moderation tooling or support. We have to rely on our in-house moderation and simply hope that our players’ days aren’t ruined too often.

Any game with competitive aspects is completely compromised in its integrity by the state of Roblox security. When we think of a fun feature it’s immediately ruined by the realisation that it could just be gamed and trivialised by anyone who has the $20 to buy an injector. Players are just expected to grin and bear it. We have hundreds of support tickets made every single day by players who are the victims of exploiters.

I made a Squid Game in September because I wanted to get in on the hype. It got to 900 concurrent players and then multiple hackers went in and flew around the map flinging everyone to their death.

The player count dropped to almost 400 a few hours after reports of this activity started.

With 100 player servers, all it takes is 1 person to kill your game.

Citizens are not ready to deal with war, but when it comes we face it.

My game (WiP) is insanely difficult to exploit, because we don’t use PlayerModels and it’s a territorial based game instead of a player PvP game, so even by doing ;kill all wouldn’t be able to do any harm.
Sadly once it’s popular I’m sure some people will start creating a brand new script just for my game, what should I do?
For ranked mode should the account age be over 15 days, pays 1 robux or/and have premium?

In MetaMethod games we have a similar horrible instance, users who create or have stashes upon stashes of alts, generators, friends etc is concerning, none the less that Roblox is such an easily exploitable platform where getting an executor let’s you do wonders.

Here’s some of the following that makes absolutely no sense why it’s even possible for the client:

• Save instance
• Access core UI but we as developers can’t??
• Manipulate with physics objects without server validation allowing for common things like flight
• Destruction and disabling of scripts mid run session out of studio
• Ability to switch humanoid states to allow noclip

The list goes on and on, it’s understandable Roblox as a platform restricts us from clients and consumers IPs and MAC addresses but as a publicly shared company now with Investors it should be a much higher priority to allow creators which are your lead exposure to the world to actually combat there script kiddies.

Steam has no problem collecting your data or VAC banning you as a whole, and it has children games on there as well. So why do us developers have to work around the systems in hope that the anti exploit can actually catch the exploiter and not someone with horrible internet? Not to even mention how easily it’s for game specific exploits to be created, distributed and then cyphered so the developer barely can debug it and find the way to fix it.

If you are wanting to appeal to the users on the platform a start would be to stop with moderators, they are a thing of the past no one here will say that they do the best job at reading reports nor actually dealing with those who break ToS. We need systems in place people. Systems that won’t allow simple injector to just execute code easily on client and even if it’s possible then to put in counter measures that would restrict or make it way harder for any exploiter to read your code, steal your hard work or plague the game with their alts.