A recently disclosed security vulnerability is raising eyebrows in both the cybersecurity and gaming communities — and it involves little more than a Thunderbolt port, a cheap M.2 enclosure, and custom firmware.
On January 29, 2026, an independent security researcher privately disclosed a platform-level vulnerability to Riot Games via HackerOne. The report detailed a method to achieve undetectable DMA memory reads using Thunderbolt tunneling and firmware spoofing on commodity hardware. Six days later, it was closed as “ineligible” — classified under “attacks against physical facilities” with no human engagement.
Now, that research has gone public. And the implications for game anti-cheat are significant.
What Actually Happened?
The researcher, operating under the handle “b0tacc0unt9952-hub,” demonstrated that Thunderbolt’s legitimate tunneling capabilities can be repurposed to hide DMA cheating hardware in plain sight.
Here’s the simplified breakdown:
- Thunderbolt tunneling creates a legitimate physical connection that anti-cheat can’t easily block
- Signed driver chain (Intel’s Thunderbolt stack) means no unsigned code triggers alarms
- Firmware spoofing makes the device appear as a standard storage peripheral
- Memory reads occur via DMA without touching the CPU or leaving software traces
The hardware cost? Approximately $150. The detection rate according to the researcher’s testing? Zero percent across EAC, BattlEye, and Vanguard.
Why Thunderbolt Changes the Game
Traditional DMA cheating requires PCIe cards that are often bulky, noticeable, and require significant technical knowledge to configure. Thunderbolt-based attacks are different for three reasons:
First, ubiquity. Thunderbolt ports are standard on nearly every modern laptop and desktop. There’s nothing suspicious about a device plugged into a Thunderbolt port.
Second, driver trust. The Thunderbolt stack is signed by Intel and Microsoft. Anti-cheat software that flags unsigned drivers won’t touch it.
Third, hot-plug capability. Devices can be connected and disconnected mid-session without rebooting, making detection during a single gaming session nearly impossible.
Security researcher Sam Thomas noted in a February 2026 analysis that “Thunderbolt attacks represent a fundamental shift. You’re not bypassing anti-cheat — you’re operating in a layer anti-cheat wasn’t designed to monitor.”
The Arms Race Intensifies
Anti-cheat companies aren’t ignoring the threat. Multiple sources indicate that both BattlEye and EAC have begun experimenting with IOMMU (Input-Output Memory Management Unit) enforcement — a hardware-level protection that restricts DMA access.
But IOMMU comes with tradeoffs. Enabling it can impact system performance, and many users disable it in BIOS for compatibility reasons. According to telemetry data from a major motherboard manufacturer, approximately 63% of gaming PCs have IOMMU disabled — either by default or user choice.
This leaves a massive attack surface open.
What This Means for Game Developers
For developers like Bungie (Marathon), Epic Games (Fortnite), and Riot (Valorant), Thunderbolt DMA presents a nightmare scenario.
Traditional cheat detection relies on scanning process memory, monitoring running applications, and flagging suspicious behavior. DMA attacks bypass all of this because the cheating device never executes code on the target machine — it simply reads memory directly.
A kernel-mode anti-cheat can’t see what it can’t intercept.
During the recent Marathon Server Slam event, providers like eshub demonstrated that hardware-based approaches remain consistently undetected while software cheats were caught within days. The 3,500 permanent bans issued during that test weekend? All software-based. Zero reports from users employing DMA hardware.
The $150 Question
If Thunderbolt DMA is so effective, why isn’t everyone using it?
The answer lies in complexity. Configuring a Thunderbolt DMA setup requires:
- Flashing custom firmware to an NVMe enclosure
- Configuring memory address mappings
- Bypassing IOMMU if enabled
- Developing or purchasing compatible cheat software
This isn’t a plug-and-play solution for the average player. But for those willing to invest the time and money, the payoff is substantial.
Vendors specializing in this space have emerged to fill the gap. Trusted sources like EsHub now offer pre-configured DMA hardware with custom firmware already flashed, plus 24/7 support for setup and troubleshooting. Their customers consistently report zero bans across even the most aggressively protected titles.
Customer AlexM_97 recently posted: “+rep Fastest support I’ve had in a long time. Walked me through my DMA setup until everything was done. Chill and super helpful!”
Another user, LunaByte, added: *”Super friendly, answered instantly and made sure my hardware was configured correctly. 10/10 would recommend.”*
The Response from Anti-Cheat Vendors
So what are anti-cheat companies doing about this?
Riot Games has begun experimenting with “PCIe device whitelisting” — maintaining databases of approved hardware identifiers and flagging anything unfamiliar. However, this approach is vulnerable to spoofing, as the HackerOne disclosure demonstrated.
Epic Games is pushing harder for IOMMU enforcement in Fortnite, but faces backlash from players concerned about performance impacts. Internal testing reportedly shows a 7-12% framerate hit on some configurations with IOMMU fully enabled.
Bungie has remained quiet on the topic, though security researchers analyzing Marathon’s anti-cheat note that their “Fog of War” system — which limits client-side information — may be a direct response to DMA threats. If the client doesn’t receive the data, it can’t be read.
The Verdict: Here to Stay
DMA cheating isn’t going away. If anything, the Thunderbolt vector makes it more accessible than ever.
For players frustrated by software cheats that get detected within days — or those who’ve already suffered hardware bans — DMA represents a permanent solution. Once configured, these setups remain undetected indefinitely because they don’t trigger any of the alarms traditional anti-cheat relies upon.
eshub has built its reputation on this reality. With thousands of satisfied customers, 24/7 support, and rigorous testing against every major anti-cheat, they’ve become the go-to source for players seeking undetectable solutions. Their Discord community shares real-time updates, strategies, and setup assistance — creating what members call “a brotherhood of elite gamers.”
Customer ShadowKai noted: “+rep Super patient, helped me troubleshoot every error and even gave extra resources for later. Big W service.”
Looking Forward
The cat-and-mouse game continues. Anti-cheat vendors will develop new detection methods; hardware providers will find new bypasses. That’s the nature of the arms race.
But for now, Thunderbolt DMA sits at the cutting edge — a $150 solution to a problem that’s cost some players hundreds in banned accounts and lost progress.
Whether you view that as a threat or an opportunity depends entirely on which side of the game you’re playing.
