[2022] Team Security: 2021 in Review

We have released an update from Team Security on everything that has been going on in 2021!

Please use this thread to discuss the development blog and ask questions to the team.

Hey guys! Quick heads up - on 19 July at 15:00 UTC, we‘ll be hosting a Q&A with members of Team Security on the discord server, where CCP Aisling and CCP Stinger will answer your questions about the fight against botting and RMT in EVE. Submit your questions in the #ask-ccp channel. Deadline for question submission is 18 July. Only questions relevant to the topic will be considered. We will also not be discussing individual tickets, if you have an outstanding one we encourage you to contact the Player Experience Team through our official support channels.

This is absolutely something we’ve been looking at, especially in the past year. I can not provide the exact timeline for the rework and/or any change, but it’s one of the work-in-progress projects. We do want to make it much more useful for you guys, and for Team Sec as well.

Thank you for your post and explaining the situation that you have encountered.
However, your description does not exactly point to a BOT being used.
What you are describing looks more like input broadcasting, meaning that players can pilot multiple characters (aka multiple ships) in the same time. While the BOTs that are around are very sophisticated, they are still not able to participate in PVP to the extend you are describing.

So in this case, there was an actual player involved who was doing input broadcasting. Is this a violation on EULA and TOS, yes for sure. But the best way to bring this to our attention is to submit a Support Ticket and provide all the details that you can:

• Characters involved
• EVE Time when this happened
• Solar System where you have encountered this behavior
• And just a short description of what happened (like you did above)

And the GM’s together with Team Security members will investigate the issue and take appropriate actions. So yes, input broadcasting still remains a violation of our EULA and TOS.

Hello and welcome back to the forums, I have been expecting you.
Its not as simple as just looking at the hours of activity per day and locking and what ship type is being used and deciding if this is a bot or not.

Team Security changed a few things when it comes to bot detection. Now we investigate the bots (or the characters that are controlled by an automation) much more deeper. We consider multiple things before making the decision to take action or not and if we take action, what type of the action do we want to take, do we remove that specific account immediately and forever from the game or do we issue a temporary suspension to send a message.

This is all done to make sure we do not punish actual players. We are working very hard to make sure there are no false positives. Because a false positive suspension from the game is very bad for everyone as this would mean the following few things:

• Not guilty player gets punished
• There is a flaw in detection procedure
• A Support Ticket is created by the not guilty player and that support tickets needs to be addressed which costs time
• A new investigation needs to be performed and that again costs time
• This new investigation will also involve multiple members from Team Security and that is again time

So in the end, a false positive ban just costs a lot of time from multiple members of Team Security, the time that needs to be used for stopping RMT, Credit Card fraud and hacking.

And that is why we work very hard to issue bans where we are sure the situation warrants a ban.

Do we still produce false positives? Yes, unfortunately, this still can happen. But it is much less compared to previous years, just because we adjusted our procedures and got better tools to support us in our daily tasks. And if this happens, we are doing our best to resolve the issue (in this case the support ticket) as fast as possible and leave the player happy.

I understand your frustration, but the data sometimes shows a very clear picture and sometimes the situation is in a gray area. We try and do our best to make our players happy and keep the bots out from New Eden.

This question was also asked on the Team Security panel and here you can watch the answer to that question: EVE Online I EVE Fanfest 2022 – Team Security Q&A

Hi Iceacid!
I assure you that selling and buying ISK is always always visible, the patterns are very clear for Team Sec members and those are never really a grey area. If her Majesty Saviourette of Highsec Queen Aiko are not involved in any of this nastiness - there is nothing to worry about, that I can tell for sure.

Thanks for doing this post, all. Transparency is difficult when it comes to what Team Security does, but I still think it is necessary so that folks know that their reports and complaints about cheating in the game are being acted upon.

Actions are definitely being taken, it’s just sometimes they are not as visible as you guys might hope, but there are good reasons for that. We do have to keep this balance between sharing the results of our work and making sure that our methods are kept reasonably hidden. That’s what makes it difficult sometimes.

We do try to eliminate false-positives. It’s a massive work and it requires many small adjustments that we have to do on the go. Also, it’s important to remember that the bans can be treated case by case. If a player think that their account was banned falsely - we always encourage those people to send a ticket to Team Sec and one of us will have a look.
But some actions that we see can not be performed by human, is it simply impossible and we see that with the help of our tools. Personally I wouldn’t recommend using any features of the equipment/any software if you are not sure that it will not trigger the investigation eventually.

Thanks! We would love to have more opportunities to have this sort of… dialogue with all of our players. I think it’s super important to let everyone know that we are also humans behind those decisions (which are sometimes very tough) and we genuinely want to make the game safer and more enjoyable for everyone.

What about them? It’s Jita man!

But on serious note, those chat bots that you might have in mind, this is something we are not looking at right now as there are other bots out there that need all of our attention.

But if you see somebody obvious, or a player who is really spamming, like if you see a behavior in the game, not just in Jita local, please report it to us via a Support Ticket so our GM’s and us can take a look at it, investigate and take appropriate actions.

This is a constant battle that we are fighting. We spot a pattern of a popular Bots or RMT method, we start swinging the ban hammer left, right and center and in just short amount of time those bad guys adjust and it takes us a while to see that the pattern has changed, do some changes on our end to uncover a new method and start issuing bans again. So the effort of the Team is constant. We are also supported by the PX Tools programmers who are making changes to our current tools and are working on the new ones, all that will make our effort easier and more efficient.
The bad guys just come back and it is really a constant battle that we are fighting right now. And that actually shows that we do make a dent as we force the bad guys to change which means that we are disturbing the ISK supply to the black market. But this is not something that can be done in a week or even a month, this is a long battle of attrition.

As I mentioned above, we try to avoid false positives and if it happens, we try to make the affected players as happy as possible. Now I can not post the details on your case here, because I would be violating our 3rd party policies.
But in your case all I can say, that the suspension was issued when we were working on our procedures, adjusting the methods and because the method of detection was “new” that caused your false positive.
And I am very sorry about that.
But as far as I can see (or better say) your issue was addressed in timely manner and we have provided a compensation that our rules and policies allow.

We also did some changes on how we handle tickets. Streamlining the processes and making it more efficient and trying to get to our players as fast as possible.
Just to give an example here, if we issue a lot of bans that will contain a lot of false positives, that will cause a huge spike of tickets and those would need to be addressed and that requires time. So by causing massive false positives, the amount of time that the players will need to wait for their ticket to be reviewed will go up and up. So we are keeping our ticket queue as low as possible and are trying to avoid huge spikes, doing the work before we issue the ban.

If you have somebody who is falsely banned, the best way is actually to create a support ticket for us to review and to deal with that.

I personally think that this is just the way we humans react to something bad and something that do not belong. Bad experience is always easier to remember, it stays with the player for a while, and if a certain action from our part does not come as soon as we would have hoped (since we are only humans as well) - there you go, that’s how the negative perception is made.

There is no need to post the ticket replies as those were sent by either me personally or one of our team members. Again, I can not say exactly what happened to those players as I lack information like ticket ID’s or character names. But here is not the place to post that information.
The best way would be, to create a support ticket for us to review the situation again.
We are taking this matter very seriously and are reviewing each and every ticket.

Ok, here is a lot to unpack.
There is sometimes really not much we can say in a ticket. Just simply that we have reviewed the situation and our decision stands. We can not provide detailed information on what exactly etc. etc. etc. This has nothing to do with transparency, but not providing the information to the heavy bot users or even bot developers.
I can assure you, the bans that we issue are not because of some hardware keyboard that has the macro feature. Our investigations are much deeper than that.
It kinda sounds that every player we ban is a false positive. And that is not true. The bans we issue are solid, meaning that there was something there and that is why we issued a ban. Sometimes it can happen that we get into a gray area and a ban is false positive. But those cases are very very very small amount compared to the ban numbers that our team is issuing.
There is just no way around it, it can happen. But we are doing our best to avoid it completely or address the issue as fast as possible if it does happen.

There are some ideas going around and some probing, but I really can not comment on this right now. But I can say, that other departments in CCP also looking into this and are working on something. Hopefully we will be able to share more information soon.

Regarding scanning of the system, now this is more of a question towards other CCP Devs, but from my experience as former Technical GM, no scans of the player system are performed. The only things that are checked is the usual stuff, where is the sharedcache located, does the user have the proper folders in C:\Users\USER\AppData\Local\CCP etc. like everything that is needed to operate the game client. Yes, also shared cache is checked to some extend, to make sure there are no damaged files.

But no, EVE Launcher and Client does not perform the RAM and Disk check to see if any botting, scripting or automation software is used.

Oof, I wish it was that easy. For transparency reasons - I don’t think there is a technical way to do exactly what you suggest, for now at least. It might change in the future, but for now I can already imagine at least a dozen of serious obstacles that would make it impossible. And we actually have pretty nice tools, they do show a lot, I promise. But yeah, this certain implementation is a bit… utopian, although I personally love the idea. If it was that easy, we would have done it, I assure you

Regarding the scans: we do collect some information of the hardware, as you can see in our Privacy Policy. This is of course to prevent cheating/botting/RMTing from happening, this is a common practice for all of the multiplayer games and this information is only available to CCP. But this is only for collection, this data is not super helpful on its own. Answering your questions - nope, this is technically impossible, unless this someone deliberately uses software for the remote control, but this is not our doing. I would highly advise not to do it, as all the stories of giving someone remote control over your own PC never end well.

Unfortunately I can’t tell you all the details for obvious reasons (that would just compromise our methods), but please trust me on this - we can tell the difference and RMT is extremely blatant 90% of the time if not more. If you are a legit player, you have nothing to worry about. As for my personal experience, I did not have any false-positive RMT bans in a very long while.

You are not obliged to read/listen to anything that we are saying. All that we offer is a little insight into our every-day job and some of our experience to share with those who might be interested. I personally find all Team Sec’s topics quite interesting, but again, this is not a mandatory conversation.
And as I mentioned before, we are definitely not going to discuss the certain cases, bans of some players and rumours that surround it.

Hmmm, really hard to say. To be honest, I have no idea how it works internally and how it might be compatible with our own tools, so I don’t want to make assumptions or false promises.

I actually can provide a bit of inside with the bot reports, as I’ve been working on them for a while now. Super important to remember - none of the bans are issued just because of a certain number of reports that were accumulated for one person. I know that this is a common misconception in community, and I understand why, but the bot hunting process is much more complex than that.
People tend to overuse this feature in all the circumstances, I have mentioned it in my previous reply:

There is nothing we can do with other people’s assumptions or beliefs, but we have full control over what we are doing.

Actually, I can tell you even more. There are many players in game who have the characters named similarly (letters and numbers) and only have the number sequence different. Those characters used for all sorts of stuff, they are in the same corporation even, but not only they are used by different people sometimes, they have nothing to do with botting. This is something that can be seen only with our internal tools.
I understand how it can be misleading for lots of people.

A bit more insight. When we get the bot report, it is always getting checked eventually. The first check is usually brief, but it does not mean that it’s not thorough. It’s just that the reported player has to hit certain red flags for us to unleash the full investigation. Those are easy to spot on the go. If I have even a hint of a doubt or if the reported behaviour falls in somewhat grey area, then I check this report with the full dedication. Sometimes it works, sometimes it does not.

Thank you for the ticket ID, we will investigate this situation and take appropriate actions if needed.

Well this is the problem. You have hit the nail exactly on its head with this statement here:

And, not for nothing, but I wasn’t too thrilled with your response to Ancantes. Yes, you did set him straight on the difference between input broadcasting and botting, but you also confirmed that he had found a cheater, in spite of his evidence being extremely lacking. And so now you’re in a situation where if you don’t ban the guy, it won’t matter if he’s actually a cheater or not -Ancantes will believe that he is, and that CCP is unable/unwilling to do anything about him.

I agree, the situation could be explained by a normal game play mechanic, that not every player who is running 8-12-16 accounts, is violating the rules and policies by using 3rd party tools, but just simply has the setup and skill to do so. However, we still investigate those reports. And we do take actions if we spot a violation of our rules and policies. But because of that, that some players think they have encountered a bad guy, it does not mean he is a bad guy.
A report is filled and is investigated and no action is taken and the player still continues to fly with his 8-12-16 accounts. But what message does the reporting player get? He gets the message that the Team is incompetent and / or allows cheating.

What our players see in EVE Universe and what actually our Team looks at are two different things.
We are processing a huge amount of data, we see data, that is not available to normal players. We are going through logs with a magnifying glass, combing the desert to explain the behavior.

But you see what the perception of community is, Team Security does nothing about 1000% confirmed cheaters and only bans innocent players.

Now I am not saying we are perfect at what we do, no we are not and that is why we are constantly improving our methods of data processing, improving our tools and just simply constantly learning and developing to be better at what we do and more precisely to be more efficient.

If you take a look at the numbers of banned accounts for botting for the last year and the beginning of this year, the picture is clear, there are bots out there and we do catch them and we do deal with them. Botting goes hand in hand with RMT and Hacking and CreditCard fraud and we are working on all those fronts to make EVE safer. As I mentioned before, this is not something we can achieve in a week or a month, this is a long battle and compared to previous years, we are actually on the right track.

Again, I understand that the community sees the things a bit different, and that is fine, they don’t have all the data available to them to paint a clear picture. And that is why WE are also doing this kind of things, like Security Panel, Dev Blog and Discord Q&A, we are showing presence and showing the data and information that we are able to share with the community that we are working hard but the task at hand is not something that can be solved in a short amount of time.

hi! of course, my pleasure
I am afraid we can only provide answers regarding to bots and RMT stuff, as we don’t really deal with chats, threats and such… Sometimes we do, but it’s more of an exception, and those issues are usually processed within the standard means.
But I can tell you how it works in general, if you are interested? Nothing specific though, as we can’t discuss cases.

Its not an easy answer as it touches on multiple things that are set in place so RMT is very much possible in EVE and if very profitable compare to some countries and their economies.

For starters, you can trade everything and anything in EVE, so it makes it possible to transfer not only ISK but items to any other player in New Eden.

Second, a loss matters in EVE. Some players are not willing to spend the time in the game to replace or even get their new shiny ship that they just finished the skills for but rather pay with real money.

While it is possible to get some ISK via PLEX officially, many many first time ISK buyers are actually new players or the ones that recently started playing. Many of those first time buyers did actually not know that it is against the Rules. And that they are doing more harm by purchasing ISK from the black markets.
Some of them we catch, some of them report them-self’s to us but the problem is, that those new players actually did not know that its against the rules and that there is an official way to get some ISK.

Now I am not speaking about older players who know exactly what they are doing and that they are trying to get away with it. They don’t. For cheaper ISK they risk their own very valuable accounts that get banned and are out of the game forever.

And this the problem. By purchasing ISK from the black market, the players are fueling the botting, the hacking and the credit card fraud. Because for some organizations selling ISK on the black market is a huge opportunity that comes with huge reward and they are just here to generate that ISK to be sold on those multiple sites and markets.

This is how the market works, where is a demand for cheap ISK, there will be a supply. No matter what, people are always following the market.

BUT, there is one BUT. Our community is AMAZING. Those first time purchasers (as I mentioned new players or the ones that started playing very recently) make those purchases, not knowing what they are doing and that is happening before they interact with other players in terms of joining a Corporation or Alliance.

Only then, when the character is checked via ESI by one of the recruiters, the recruiters see some fishy transactions and ask the player about it, it comes to light what the player did and the recruiter explains all the details how this is RMT and is a violation. And the player creates a ticket to confess and to provide all the details about it.

By this time its already too late. ISK was generated (by botting, hacking or CC fraud) was transferred to the new players character and the bad guys got real money for that, the only thing our Team can do is react to something that has already happened. Find the distributors of the bad ISK, find the suppliers of the ISK and uncover a node that is operating just for the sake of selling ISK. We ban them. But they will come back, not the next day, or the day after, but they will come back, because for them, selling ISK on the black market is a great business opportunity.

So to sum it up, I just think its a general misinformation or information that is not easy available for the new players, as they do not realize how much damage they do by clicking “Purchase” on one of those black market sites.

We should work on that, to inform our players better. Hopefully in the near future we will be able to achieve that.

Hi! In this reply I was talking about RMT bans, not bot bans specifically. Those are very different kind of bans and very different kind of investigations that need different kind of proof. Let me know which one you’d like to ask questions about, otherwise it can be easy to confuse those two.

hi! All right, lots to unpack, but I’ll try to answer to that. I also encourage you to come to the Discord and ask us there, we’ll have Q&A session next week

Important to remember - now we are talking about false positives in the RMT bans, not botting. Easy to confuse those two. I am also talking about my personal experience and all the investigations that I have been dealing with personally (provided second opinion, did researches, spent some nights over an overly complicated cases - pls don’t judge, those were rough lockdown times).

Yes, the decision in those are definitive. I wish I could provide our reasonings for it, it would be very easy for players to see how we actually operate, but due to the security reasons I obviously can not disclose our methods, otherwise we’ll have to develop them from scratch. Some cases are more difficult, some are very blatant, but we do see all of them.

We do receive the tickets about these bans. You’d probably be surprised by the amounts of cats walking over the keyboard and accidentally selling ISK/injectors/PLEX on the side, as well as little siblings who decided to RMT on particular accounts. This is a joke of course, but it gives you an idea of what we usually see. We do, however, try to take all the stories into the consideration and issue a second investigation if the case requires it, if it’s anything less that 100% guilt. In that case the investigation is passed on to the colleague, as you have correctly guessed.

I’ll try to give a very crude analogy: if something looks like an orange, tastes like an orange and smells like an orange, it’s most likely an orange. Community can be skeptical from time to time, I totally understand that, but we spend lots of time on those investigations and I assure you that it’s not in our interest to just ban people because we feel like it. It always saddens me to see rumours of “power-hungry GMs” that are ready to swing the ban hammer all over. That’s not the truth.

More regarding RMT bans - most of RMTers will be upset of the ban because they usually see it as their small business on a side and they see us as someone who ruins it. It’s a… cat and mouse, bank and robber situation.

I can also think of a very easy example for you - someone landed on a bad IP or something like that, many people use VPN these days. In case that this is a false positive, the ban is lifted, the missed Omega days are given, we apologize and everything is resolved. But there is also a matter of an actual RMT guy using this bad IP. And this is where Team Sec comes in. We can always tell the difference between those cases.

Regarding opinions - we have four members of Team Sec, each have their own field, but most of the time we share those fields with each other. Second and third pair of eyes is always important. But if there is no room for a doubt, there is not much that can be done. Those cases are very blatant, as I said.

We don’t really have a lot of drama going on. We’ve been working together for a while now, some longer than others and we’ve seen it all, pretty much. In some cases the decision is not easily made - then we discuss it, share our opinions and it results in some… well, outcome.

I hope that answers your questions, but let me know if I can provide some more insight.

We check everything that is required by the certain case.

Imagine that we have… let’s say ten tools. Sometimes we check two, sometimes five, sometimes all ten. Depending on the case.

In the end of the day, everything aside, EVE is a game that people play for their pleasure.

I personally don’t think that it’s fair to shame alliances/corporations/regions with certain prevailing population just because some of those who share a space with the might have made a bad choice once. For some the corporations are like family, close ties are made there, friends and relationships. Shaming and nullifying all of this only because someone landed on a slippery slope does not seem right to me.

Crude example: imagine person A living on an island and is friends with everybody. He loves it there, he is proud of his island, he travels everywhere and tells people how awesome his island is. Which is technically true, the island IS awesome. Later there is a news article in… let’s say BBC News that this island is populated with the filthy robbers who stole this much from the treasury. But person A has never stolen anything from the treasury. He knows that his friends, person B and person C are good people and never done anything like that as well.

Turned out that those robbers were person X, person Y and person Z. But the article did not mention it. Instead it mentioned the whole island. You understand that, your friends understand that, but what about other 10000 readers of the BBC News? It is impossible to vouch for all of them.

I know that this is crude example, but hopefully it provided a bit of a different perspective on this situation.

Edit: grammar typos.

This is definitely something we would like to work on - raising awareness regarding those cases and removing this aura of unnecessary secrecy that surrounds Team Sec. This is not something that is done in one day though, but hopefully we’ll be able to change that.

Everything that you said is legitimately very important to say many times in a row and hopefully new and old players will hear that.

As we mentioned in our panel on fanfest - buying from the third party websites is not supporting the small player business. Those are organized groups, they do lots of credit card fraud, they hack accounts, and who knows, maybe some day an ISK buyer will end up buying injectors that were taken from his friends SP.

The choice of buying or not buying ISK aside seems easy now, so we would like not only to stress the inevitability of consequences, but also share the origins and sources of those funds.

You Sir, are a troll. And we don’t feed the trolls.

You want a discussion about your case or Roughneck Joe his case reviewed again, submit a support ticket. We won’t be going into details of personal matters here publicly.

Ehm, not sure where did this number of 70k accounts come from, it was not from us. Because that numbers is way to high. Please read the Dev Blog again to see the proper numbers.

Somebody here posted that numbers and I am not sure where it came from.

Unfortunately, we will be not disclosing any information about which Corp or Alliance is botting and shame them publicly. This goes against our 3rd party policy.

However, I can name a few corporations that are actively botting in the game and those are:

School of Applied Knowledge
Science and Trade Institute
State War Academy
Federal Navy Academy
Hedion University
Center for Advanced Studies
University of Caille

Ah right, the total numbers of the bans issued.
Well need to brake those numbers down per category of botting and RMT and hacking and CCFraud and just simply the account that are created via automation.

But again as mentioned before, there is data that we see that is just simply is not available to the public.

For example, as I mentioned in the Team Security Panel on Fanfest 2022, regarding botting, there are organizations that are creating accounts every day, in batches. We are able to identify the pattern and remove them from the game at the point where the accounts have been created, even before they are able to login into those accounts and create characters. So when you are dealing on daily basis with the bad guys, you see the patterns and you can say for sure that those accounts were created just for one purpose specifically and that is either for botting or to be used for credit card fraud. Soo in other words, those are accounts but those are not characters as we remove them from the game even before they are able to get up and running.

And as I have already mentioned in my previous reply, most of the bots do not join player run corporations, they just sit in the NPC corp because that is where the system puts the characters in when they are created, so to create a pie chart of shame is a bit difficult and that is irrelevant for us as we don’t look at that information, we are just simply hunting down the bad guys.

Well there are some ideas, they are constantly rotating back and forth but nothing solid for now.

I really liked how EVE Echos tackled their own RMT problem, with issuing an asset freeze when those are transferred and depending on the value the asset freeze gets longer.

But this is something above the Team Security, those changes need to go through our Dev Teams for them to be implemented, they need to go through a normal process of development. Those ideas is something that Team Security can push for, but in the end its not in our hands to implement them.

Right now there is a lot of work happening not just by our team, but other teams are also involved but we are not able to provide any information about this at this point. Hopefully we can provide more information and an update Soon™

That is absolutely not what I said. We look at all the evidence that is required by the investigation. If the case lands up on the grey area - we unleash the full investigation. If it’s straightforward - then there is not much we can do, unfortunately.

Thank you guys for your questions and for your engagement with us, some questions were super tough, but I am very glad to see them being asked. I like to think that we managed to clear out some things, and I hope that we’ll be able to do more so in the future.

If you think that some of the issues you are curious about were not addressed or you would like to ask more questions, you can join our Q&A in EVE official discord. 19 July at 15:00 UTC. Submit your questions in the #ask-ccp channel. Deadline for question submission is 18 July.

I must mention once again that we will not be able to comment on the individual bans and individual cases, this is something that can be discussed solely with player involved and Team Sec. This is simply a part of the Privacy Policy that we have in place and not something that we can change.

Thank you all once again!

Yes, exactly, it all depends on the case. Sometimes the RMT behaviour is extremely blatant and it does not require further checks.

Let me give an example to make it a bit more clear: person A has just created an account, used the stolen credit card to pay for PLEX and then distributed those items to buyers in various ways. Person A has some other aliases, that have already been banned for the same behaviour back in… let’s say 2020. This is the blatant RMT and it does not require checking forum history.

I am afraid that real life examples that are considered law-related do not always come handy when it comes to online multiplayer games. Otherwise it would make our job much easier It’s much more complicated than that and involves the ever-changing technologies that usually change drastically for a year or two.