This is also the same for radar hacks. Or, if you play a MOBA, screen alert hacks. All they do is boost player performance without being detectable. Most server-side anti-cheat can only pick up on certain things; I don’t know Minecraft’s solution, but I doubt it catches disguised cheating via code injection.
The real question is: why does the client even know about players who aren't visible to them?
The solution with Minecraft PvP is simple: if you can't see a player, the server won't even tell you the player exists.
If you use a wallhack you can see players walk behind a wall and then just disappear as if they had logged out, and suddenly reappear from behind the wall on the other side as if they had logged in.
What Minecraft anticheat systems do is relatively simple:
- They only send information to clients if the players should have that information as well
- After every movement, action, etc., they calculate whether the movement you did would have been possible by a real human given the information you should have had at that point, and if not, you're banned
- All actions and movements are compared over minutes of gameplay and, if your actions are too different from all other players, sent to review by a human (and potentially banned)
You don't need to install anticheat on the players' computers. The players can run all the mods and cheats they want, but cheaters can only see the same information as all other players, can only move the same way as all other players, and can't shoot faster or more precisely than any other player.
So while some people may still be cheating, at that point you can't tell the difference anymore.
For comparison, this is btw how all other software outside of gaming is written. In all other parts of computer science you'd get fired if you did what game developers do.
Imagine if Reddit sent all DMs to all users and only made the DMs invisible on the client. That'd be an immediate lawsuit. Instead, the server validates who should be able to see what and only sends that information.
Or imagine if banks allowed anyone to make any transaction they wanted, with only the banking app verifying that you've actually got that much money. Utterly ridiculous. Of course the servers validate whether you should actually be allowed to do that.
As a result, writing third party apps for most websites is allowed, the EU even requires banks to support third party apps, but modded clients for video games are considered a security risk. What the fuck.
Sorry, but being a developer I can tell when players are just repeating half-truths they read online.
There's no reason why strategies that work in any other kind of computer science shouldn't work in gaming.
The difference between an attack costing $0.00 and $0.01 is enough to reduce attack volume by orders of magnitude.
Even just costing the attacker 30 seconds is enough to have a massive effect, which is why captchas exist.
Game keys tend to be in the $1 - $5 range, which makes bans an extremely useful tool.
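The first two server-side checks described in the thread (send a client only what its player can see, and reject moves a real player could not have made), as an added sketch that is not any poster's code and not taken from Minecraft or any anti-cheat product. The 2D grid, `WALLS`, `MAX_SPEED` and all function names are assumptions for illustration; a real server would ray-trace in 3D and allow for latency.

```python
from dataclasses import dataclass
from math import floor, hypot

MAX_SPEED = 6.0                       # assumed movement limit, blocks per second
WALLS = {(5, y) for y in range(10)}   # constructed map: one wall along x = 5

@dataclass
class Player:
    name: str
    x: float
    y: float

def clear_path(ax, ay, bx, by, walls=WALLS, steps=200):
    """Sample the segment a->b; it is blocked if any sample lands in a wall cell."""
    for i in range(steps + 1):
        t = i / steps
        cell = (floor(ax + (bx - ax) * t), floor(ay + (by - ay) * t))
        if cell in walls:
            return False
    return True

def snapshot_for(viewer, players):
    """Build one client's state packet: hidden players are never serialized."""
    return [p.name for p in players
            if p is not viewer and clear_path(viewer.x, viewer.y, p.x, p.y)]

def validate_move(player, new_x, new_y, dt):
    """Apply a client-reported move only if it is physically possible."""
    if dt <= 0:
        return False
    if hypot(new_x - player.x, new_y - player.y) / dt > MAX_SPEED:
        return False                  # faster than any legitimate client
    if not clear_path(player.x, player.y, new_x, new_y):
        return False                  # path goes through a wall
    player.x, player.y = new_x, new_y # server state stays authoritative
    return True

if __name__ == "__main__":
    # Constructed sample: bob stands behind the wall, carol is in the open.
    alice, bob, carol = Player("alice", 2, 2), Player("bob", 8, 2), Player("carol", 2, 8)
    print(snapshot_for(alice, [alice, bob, carol]))   # bob is absent from the packet
    print(validate_move(alice, 30, 2, 0.5))           # speed hack rejected
```

A modified client that renders through walls still receives nothing about `bob` here, and a rejected move leaves the server's copy of the position unchanged.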