A man steps out of his car on the streets of Los Santos, and stares at the figure opposite him. It’s his exact double, identical in every way. Even their names are the same. This should be, by all rights, impossible.
Luckily, this impostor is friendly. But he could have just as easily been a hostile hacker in Grand Theft Auto Online. Rockstar Games’ online sandbox for Grand Theft Auto 5 has evolved wildly over the years, adding flying cars and orbital strikes. But GTA Online players themselves have also become equally as dangerous, thanks to exploits and mods.
These third-party mods allow hackers to access the IP address of other players on the server, which can reveal a person’s city and general location. If someone is dedicated enough to ruining your day, they’re able to follow you into invite-only sessions and even bring up information about you in the real world. Players can feel hunted down no matter where they are in game. Running a “Crew Only” session or setting up a virtual private network (VPN) program can help, but your average GTA Online player may not know about these precautions, leaving them vulnerable.
The doppelgänger in this story hails from a video created by popular YouTube commentator Mutahar of SomeOrdinary Gamers. Mutahar was speaking with a friendly modder in that video, showcasing the extent to which the game can be cheated by nefarious parties. There are many more hacks like the avatar duplication, though this particular exploit is one of the more outrageous ones.
Worse yet, these apparent security holes are available in other Rockstar games, like Red Dead Online. Such issues have been well-documented over the years — it’s practically a meme that Rockstar’s games are full of hackers — but recently, the community has hit a breaking point with these mods. Players have been trying to get Rockstar’s attention for months, but at the end of 2020, the community rallied with measures like an open letter to the developer.
Some of these hacks are mildly funny, like a hacker spawning a swarm of legendary bears to attack a cowboy. Others are just annoying but functionally harmless, once you switch servers, like someone exploding everyone on the server or summoning planes in crowded intersections.
Both GTA Online and Red Dead Online run on peer-to-peer servers instead of dedicated servers, which means that a player acts as the host, and others connect to their server. A dedicated server is run by a third-party, and costs more money to set up and maintain. Peer-to-peer servers are functional, but the host sends the data back and forth to ensure everyone can play in a session. This is less expensive for the developer, but can lead to worse performance.
Players can also set up an invite-only session, which allows them to play alone. In Grand Theft Auto, this means players can’t do certain activities, like selling their business stock or stealing vehicles for their warehouse. GTA Online’s newest content, the Diamond Casino Heist and Cayo Perico Heist, can be completed in invite-only sessions, which means players don’t have to deal with griefers on flying attack vehicles, or hackers spamming explosions and rapidly cycling through the time of day to cause flashing lights.
But if someone has a player’s Rockstar ID, which is the individual number attached to a player’s Rockstar Games Social Club account, they can join a player’s invite-only sessions. A display name could be something like VideoGameLover, but a Rockstar ID is a string of numbers that cannot be changed. Mutahar showed off this exploit, which led to the encounter mentioned above where he watched his own avatar dance in front of him.
Other members of the Rockstar community have corroborated these claims, and these problems are especially hazardous for new players who can’t escape to in-game properties. One fan named Ethan, posting under the handle thebrickprince, posted a Twitter thread at the end of 2020 that read, in part: “I plead to @RockstarSupport AND @RockstarGames to do something about this. […] Please make changes to your game that dont allow modders to do this. Please do something.”
Thebrickprince also notes that it’s difficult to report bad actors and have them moderated out of the ecosystem, as they can use mod menus to spoof their names and Rockstar IDs.
Rockstar did not respond to requests for comment in time for press.
I plead to @RockstarSupport AND @RockstarGames to do something about this. You’ve sent cease and desists to menus before, please do it again. Please make changes to your game that dont allow modders to do this. Please do something.
— thebrickprince 亗 (@thebrickprince) December 22, 2020
The only way to easily prevent someone from joining your session via Rockstar ID is to run a Crew Only session, which means players can only play with their in-game guild. These problems are also only present on PC; console players cannot access mod tools.
While the problem remains widespread, Rockstar’s parent company is indeed doing something to help mitigate the risk. In January, cheat seller Luna Cheats was shut down, and announced they would donate all their earnings to a charity designated by Grand Theft Auto publisher Take-Two Interactive. There are other mod menus out there, and playing the game since Luna Cheats’ closure doesn’t feel much different. At one point, I was pulled into a player’s apartment building, and he began spraying me with a money gun. In another instance, I logged in to find a string of explosions automatically eliminating every player on the server.
GTA Online is in one of its best states since launch in terms of pure content, but fans are worried about the game’s future if these security issues persist. Shutting down Luna Cheats is a good start, and commenters like Mutahar are optimistic that Rockstar and Take-Two are listening to their concerns. But fans have been raising the alarm on these issues for months, and the hacking problem is far from solved. With a Grand Theft Auto 5 port in the works for PlayStation 5 and Xbox Series X, players are wondering if these exasperating issues will continue to follow them to even more platforms.