Fraud Prevention

Pokémon Go Ruined by Cheating Bots

June, 13, 20195 min Read

Hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. Instead of walking around catching Pokemon and items, lazy hackers scoop them up without getting out of bed. In the past few days this has been getting a lot of attention from gaming site Polygon, popular site Vice, tech site Ars Technica, and more.


UPDATE: Polygon spoke with us about Pokémon Go bots ruining the game, and how our unique CAPTCHA can stop them with visual puzzles that blend into normal gameplay. We propose that Pokemon Go should embed a simple, playful CAPTCHA to catch cheater bots while leaving real players unaffected. CAPTCHA is any kind of digital activity that only humans can complete, to distinguish between people and programs. FunCaptcha protects major game and social sites and apps against millions of bot attacks per day.


Will I have to solve a CAPTCHA as I play Pokemon Go?

No you won’t. FunCaptcha would pop up in the game only for players who are beyond the upper limit of how fast a human could possibly be progressing. This is a fuzzy line, and super-devoted players should not get banned on a whim, so the gray area gets filled by FunCaptcha. Even if a hugely successful real player has a great day and sees a FunCaptcha, he or she will be able to solve it in seconds, having a bit of fun doing it, and even get a little in-game reward for their trouble, like getting a bonus PokeStop.

Won’t hackers make their bots operate at a speed just below the activity threshold you set?

We have learned a lot about hacking over the years and see this as a victory, not a problem. Even if hackers stay just on the safe side of the line, that will limit the bots to a fraction of 1% of their current speed, making the impact on the game economy and competition minimal. To give up because hackers are slowed instead of stopped is like saying, “Some marathon runners buy really expensive sneakers to give them an edge, so let’s scrap all the rules and let runners wear rocket skates.”

Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged with a FunCaptcha, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower — that is victory when dealing with automated abuse.

It is so easy to see how to turn a Pokemon the right way up — why can’t a bot do it?

The human brain has amazing powers of pattern recognition. What you find very easy (like seeing that this is a Pikachu and you know which way to stand it upright) is hard for a software program. It’s not impossible, but the kind of work and intelligence it takes to write and train a program to recognize Pokemon is much better spent on an activity far more profitable than Pokemon Go abuse. These are PhD-level challenges, and need more than a fast-food wage to justify the work.

By protecting thousands of sites and apps, our development team has overcome all kinds of challenges. Some of the things we know about how to complicate “machine vision” attacks are secrets we can’t share here. For proof, witness the years of attacks we have overcome.

Why say that competing at gyms the main goal in the game, over catching Pokemon?

We hear from many players who feel their interest waning because gyms are hopeless. Every gym we try leaves us with no XP and no effect on the big battle. Lately we are playing less because we think, what’s the point? Without a reason to even try a battle, we don’t get to see our beloved little creatures do what they are made to do.

After all, the original Pokemon show had at least one battle in every 30-minute episode. The Pokemon card game was all about fighting. The Pokemon games on the Nintendo GameBoy had battle after battle. The generation who grew up with Pokemon battled a lot in every kind of game so far. Now, it seems like nobody we know ever gets to win at any battle, and we are all getting disheartened.

Another way to think about it is how many of Pokemon Go’s game assets and features have to do with fighting. Tap a Pokemon in the game and see nothing but stats that have something to do with winning battles: hit points, attack type, combat power, and how much candy and stardust you need to make those stats better. Nearly all the animations and detail of a Pokemon can only be seen during a battle. Most of the things you get while walking around are about battle — including the Pokemon you catch that are weaker versions of what you already have. When you run out of room, you transfer them to the Professor… why? To get the item that makes your lead Pokemon more powerful. To give up on battling “cuts the game loop” that makes the rest of the game feel worthwhile.

Why so serious? It’s just a game.

We want to help Niantic address this problem before the world’s most successful app has its bubble popped. It’s too great a game to be ruined by lazy hackers, especially when the solution is already at hand.