For most of the past decade, DMA cheats were anti-cheat's nightmare. The cheat ran on a separate device — an FPGA card, a Raspberry Pi, sometimes a second PC — reading game memory directly over PCIe or Thunderbolt and never executing a single instruction on the gaming PC the anti-cheat was watching. There was nothing on disk to scan, no process to inspect, no driver to flag.
In 2026 that has finally started to change. Detection isn't perfect, but the gap between "nearly invisible" and "regularly banned" has closed enough to be visible in the ban numbers. Here is what changed.
A quick recap of what makes DMA hard
DMA — direct memory access — lets a hardware device read or write system memory without going through the CPU. Originally a performance feature for things like network and disk controllers, it is also a clean way to read the running game's memory from outside.
The cheat device runs its own software, on its own hardware, and presents itself to the gaming PC as a generic peripheral. Classic anti-cheat techniques — file scans, process introspection, hooking the Windows kernel — never see it. This is why for years ESEA was the only mainstream anti-cheat publicly claiming any DMA detection at all.
What's actually new in 2026
Three detection vectors have matured at once. None of them is a magic bullet; together they have raised the cost of running a DMA cheat materially.
1. PCIe device scrutiny
DMA cheat hardware connects somewhere — an internal PCIe slot, a Thunderbolt port, sometimes an M.2 socket. Modern kernel anti-cheats now enumerate the PCIe devices on your machine and compare their vendor and device IDs, configuration space, and timing characteristics against a known-good baseline. A device that claims to be one thing but reads memory like another, or that appears with a vendor ID that does not match any real product on the market, is now something the anti-cheat can flag.
Public reporting on Vanguard's approach describes dumping PCIe slot data at game launch and watching for unusual transfer rates and chipset-level anomalies. The exact internals are not published, but the direction is clear: the anti-cheat is treating the PCI bus as part of its scan surface, not just the OS.
2. Closing the pre-boot gap
A DMA cheat is most dangerous when it can read memory before the anti-cheat is loaded. That window depends on the IOMMU — the chipset function that decides which devices may touch which memory — fully initialising during boot. In late 2025 Vanguard publicly took a position on this and began restricting players whose motherboard firmware reported Pre-Boot DMA Protection as on while the IOMMU was still uninitialised. Riot's fix wasn't to detect cheats during the gap; it was to refuse to play until the gap is gone.
This is the most interesting move structurally, because it turns the problem from "spot the cheat" into "demand a trustworthy foundation." Vendor pressure has forced firmware vulnerabilities into the open, with CVEs assigned, and the cheats that relied on that window now have to find a new one.
3. AI-driven behavioural review
Hardware checks help; they don't catch everything. The third front is purely behavioural: anti-cheats are increasingly recording how a player performs and running that against models trained on known cheat patterns. Reaction times no human can produce, sight lines that betray information the player should not have had, and statistical anomalies across many matches are what tell on a DMA user even when the device itself stays hidden.
PUBG's published 2026 anti-cheat roadmap names this directly: "AI-powered video review for more efficient pattern analysis," alongside hardware-based restrictions and ban-evasion detection. Krafton paired the roadmap with a 2025 enforcement figure — roughly 260,000 DMA-based cheaters permanently banned that year, plus legal action against cheat networks. Whatever one thinks of the framing, the numbers are not consistent with a still-undetectable threat.
Where this is honestly still limited
These advances narrow the field, but several limits remain:
- A well-built FPGA cheat with a custom vendor ID and careful read patterns can still pass a basic PCIe enumeration check.
- Behavioural detection generates false positives, which is exactly why PUBG's 2026 roadmap also funds faster false-ban review — an honest acknowledgement that the trade-off is real.
- IOMMU-based pre-boot defence requires the user to have current firmware and the right BIOS settings. Plenty of players still don't.
- DMA hardware vendors iterate. So do anti-cheat teams. The arms race continues; nothing here is final.
What this shifts for everyone else
For regular players, the practical effect is reassuring: a motherboard whose firmware is current and whose Secure Boot, TPM and IOMMU are properly enabled is now a real defence against DMA-based opponents, where two years ago it largely was not.
For game studios, the takeaway is that anti-cheat increasingly extends below the operating system. Riot has been explicit about this; PUBG is going the same way. Anti-cheat that lives only in user space, or only as a kernel driver, is no longer where the frontier is.
The takeaway
DMA cheats are not solved. They are no longer untouchable either. Three things — PCIe-level scrutiny inside the anti-cheat, refusing to run on systems with a pre-boot DMA gap, and AI-assisted behavioural review — have together pushed detection from "almost none" to "regular ban waves and visible enforcement." The clearest sign of the shift is that publishers are willing to put numbers behind it; the honest qualifier is that none of those three vectors is complete on its own. Expect the arms race to keep moving, and expect anti-cheat to keep moving deeper.