Networks

Press F to Exfiltrate: Hidden Command Patterns in Gaming Traffic

Keystone Collective

13 min read
Press F to Exfiltrate: Hidden Command Patterns in Gaming Traffic
Photo by Alexander Andrews / Unsplash

If you wanted to smuggle a message across the internet without raising eyebrows, you could do worse than a multiplayer game. It’s noisy, it’s encrypted, it’s socially acceptable at 3 a.m., and your firewall team will fight harder to keep Fortnite working than your VPN. Perfect cover.

It also helps that games are the last socially acceptable background app. We’ve normalised “quick matches” during lunch, patch downloads that clog the Wi-Fi, and voice chat that sounds like a kettle boiling. Esports broadcasts run all day. Cloud gaming keeps sessions alive on phones and office laptops alike. During lockdowns, half the planet rediscovered cooperative shooters as therapy. From a defender’s point of view, that means constant game-shaped traffic from perfectly innocent people. If you’re trying to hide a whisper, you want a crowd; if you’re trying to defend a network, you want fewer crowds. Guess who gets their wish.

And the incentives line up a little too neatly. Developers optimise for smooth play and low latency; platforms optimise for frictionless updates; players optimise for “one more round.” Now add censors, criminals, and covert operators who optimise for “don’t get noticed.” The technical tricks aren’t new, people have hidden messages in everything from DNS to cat photos, but games offer something special: a moving target with built-in excuses for weirdness. Lag spike? Server tick rate? Packet loss? Sure. Meanwhile, a low-rate command channel is riding shotgun inside someone’s victory dance.

This piece is about hidden command patterns in gaming traffic, how attackers tuck signals into ordinary play, why that’s hard to spot, and what defenders can actually do without blocking half the office from “quick lunch matches” that last two hours. We’ll keep the maths in its box. Think of this as the “explain it to a smart colleague” version: clear, concrete, and only slightly dystopian.

Why games are a brilliant hiding place

They’re everywhere.
There isn’t one “game protocol.” Every title and engine does things a bit differently. You can’t just block “games” the way you block “BitTorrent.” Try that in a company and watch productivity fall off a cliff when the CFO can’t play their puzzle game on the plane. Even within a single franchise, versions, regions, and anti-cheat updates tweak how traffic looks. Seasonal events ship new assets and change matchmaking. Cross-play adds console quirks to PC lobbies. From a defender’s perspective, the goalposts move monthly; from an attacker’s perspective, that’s camouflage on a conveyor belt.

They’re noisy and human.
People don’t move like robots. Players jiggle, strafe, spin, panic, and mis-click. That constant movement produces a natural mess in the data. If you hide tiny signals inside that mess, they blend in. Like whispering in a crowd. Humans also bring lovely, defender-unfriendly rhythms: rage quits, AFK pauses, lobby idling, mid-match alt-tabs, voice chat push-to-talk bursts. All legit. A low-rate covert signal can surf those mood swings and look like just another twitchy wrist or someone tapping their W key while waiting for a revive.

They’re already encrypted.
Many games wrap traffic in TLS or their own crypto. That’s great for player privacy, and great for anyone who wants to hide a small extra message inside the normal flow. You won’t see the words, only the rhythm. And it’s not just the match: launchers, patchers, storefronts, telemetry, anti-cheat heartbeats, everything talks over secure channels to CDNs you probably trust. So even if you do SSL inspection (brave), you’ll mostly find perfectly legitimate blobs flying to household names. Good luck telling the “secret wink” from Tuesday’s shader cache.

The game must carry certain updates.
Even if you never touch timing, a game has to send positions, camera angles, and commands so everyone sees the same world. That gives attackers places to stash bits without breaking anything the player notices. Netcode is allergic to tampering that hurts “feel.” Studios will happily add bandwidth, extrapolation, and prediction to keep things smooth. That bias means subtle, legal-looking tweaks, minuscule aim deltas, harmless command sequences, get preserved end-to-end. If it keeps the headshots crisp, the network will carry it faithfully… even when it’s carrying a little something extra.

How the hiding works

Strategy games; play as message.
In RTS titles, nothing looks stranger than a player… playing. That’s the cover. The sender simply leans on ordinary actions, selecting units, setting rally points, building structures, and lets tiny choices carry meaning. Swap the order of two harmless actions and you’ve flipped a bit; make a control group with three units instead of four and you’ve flipped another. The receiver, watching the same match or parsing the replay, applies a pre-agreed codebook and turns those quirks back into text. It stays quiet by moving slowly and impersonating popular build orders, with a dash of randomness so it doesn’t tick like a metronome. Over many games, though, the act slips: the action mix becomes weirdly consistent and the natural lulls in play get suspiciously short.

Shooters; micro-nudges.
In FPS games, the server must transmit every twitch of your view and each feather-light strafe. That’s the smuggling lane. The sender buries bits in microscopic wobbles, barely left versus barely right, a whisper of down instead of up, timed to moments that already invite tiny corrections, like peeking or settling recoil. A spectator or demo reader measures those deltas and translates them with the shared codebook. Stealth comes from staying below human perception and blending nudges into genuine movement. Given time, a tell emerges: the distribution of tiny angle changes grows a peculiar bump at one or two micro-values that real players don’t favour.

In-world signals; writing on the scenery.
Sometimes the network never carries anything “special” at all; the scene does the talking. Players arrange bullet holes on a wall, drop items into tidy grids, or stand in simple formations, a postcard spelled in assets the game already synchronises for everyone. A human or a basic vision script reads the shape from a screenshot or stream. It’s slow and fragile, so the trick is to keep messages short and hide them inside believable rituals: target practice, loot sorting, pre-round line-ups. The giveaway isn’t in packets; it’s in patterns. The same duo keeps “decorating” the same wall. The same squad keeps laying out perfect checkerboards mid-fight. Rituals repeat; that repetition is your handle.

Field camouflage; choosing “equally fine” values.
Plenty of protocol fields have multiple legal options that look identical to the game. Pick one option and it means zero; pick its twin and it means one. Because timing and sizes barely change, the traffic rhythm stays dull, exactly what the defender’s dashboard expects. The receiver, sitting in the same session, reads those benign choices and reconstructs the message. Stealth depends on prudence: only plausible values, an unhurried pace, and a hint of randomness. Over long sessions the mask slips a little, leaving a faint statistical tilt, nothing dramatic, just a preference normal players don’t consistently show.

What they all share.
Every method depends on a codebook agreed in advance, trades speed for deniability, and borrows the messiness of real play as cover. That’s why defenders rarely need to “read” the secret; they only need to notice when the mess goes missing, when a session is a bit too neat, too regular, or too incessant for actual humans having actual fun.

What this looks like on the wire (without deep packet voodoo)

How real game traffic “breathes”

Every online game has a rhythm. Servers send updates dozens of times per second, like a heartbeat, and players’ inputs arrive in messy bursts that rise and fall with the action. When you plot that traffic, you see the pulse of real play: sudden spikes when something exciting happens, quiet pauses in lobbies, random gaps when someone’s cat walks across the keyboard. It’s chaotic, but believably chaotic.

A covert channel, on the other hand, doesn’t breathe like that. It needs to send messages at a steady pace, even when nothing’s happening. That turns the natural ebb and flow of packets into something unnervingly regular, like a drummer who refuses to stop between songs. You start seeing little bursts that repeat like clockwork, or “quiet” moments that aren’t actually quiet at all. Over time, the session feels mechanical, like someone pretending to be human but forgetting to blink.

Defenders who know what a normal game sounds like on the wire, when players are idle, when maps change, when everyone’s loading back into a round, can often spot these differences without ever reading the data itself. You’re not looking for the message; you’re listening for the lack of mess.

The shape of the stream

You can’t see inside encrypted packets, but you can see their size and direction. Every title has a fingerprint: smaller packets go up (player inputs), bigger ones come down (game state, updates). Together, they form a natural “conversation.” It’s never perfectly even, more like a pub chat, full of interruptions and pauses.

When someone’s using the game as a covert channel, that conversation gets weirdly polite. The client sends packets that are just a bit too similar in size, or the back-and-forth rhythm doesn’t change when the action slows down. Think of it as someone trying to fake laughter at the right time, but doing it every ten seconds no matter what’s funny.

There’s also the issue of transitions: map loads, round starts, reconnects. In a genuine game, these moments are messy, big bursts followed by quiet. Hidden traffic often uses those transitions as cover for extra messages, like a spy slipping notes during applause. The tell isn’t the spike itself, but the little pattern that keeps showing up after every new round, identical each time.

When you can see behaviour, not just packets

If you’ve got access to game logs or replays, say you’re a developer, tournament organiser, or researcher, you can go deeper. Real players have texture. In strategy games, they mix commands differently each match, adapting to opponents, fumbling, and overbuilding things they don’t need. A covert script doesn’t improvise; it repeats neat, predictable sequences because the order matters more than the outcome.

In shooters, it’s the same idea but with movement. Human aim is messy: quick flicks, overcorrections, the occasional panic spin. Hidden message systems prefer microscopic, repeatable nudges, tiny left-right twitches that mean something to the receiver but look strange in the aggregate. Over time, those “coincidences” pile up into a rhythm no real player could sustain.

Paths tell stories, too. Humans wander, detour, and get distracted. Covert motion tends to be symmetrical, efficient, and a bit too neat, like watching someone trace a geometric pattern while pretending to explore. None of these signs prove anything by themselves, but if you see a session that’s eerily tidy, never takes a break, and moves like it’s drawing on graph paper, you might be looking at traffic with a secret agenda.

The bottom line

You don’t need deep packet inspection or graduate-level maths to spot weirdness. Real play is messy, unpredictable, and full of pauses. Covert channels can hide inside that noise, but in doing so they often lose what makes it human. Look for games that stop breathing like games. When the fun starts sounding like clockwork, something else might be playing.

How defenders can catch it (without becoming the fun police)

Let’s start with the obvious: if you’re thinking, “I’ll just block all game traffic,” congratulations, you’ve just declared war on half your company and every teenager in a ten-mile radius. You’ll discover how many “critical business processes” apparently depend on Steam. And when productivity tanks because no one’s allowed a five-minute puzzle break, you’ll be explaining to management why the cure cost more than the disease. Blocking games doesn’t stop covert channels; it just moves them to something equally noisy, Zoom calls, YouTube, your coffee machine’s firmware updates. The internet is an endless buffet of plausible cover traffic, and games are only one dish.

The better strategy is boring: learn what normal looks like, then side-eye anything pretending too hard to be normal. Every title has a signature rhythm, a particular way the packets breathe, shout, and occasionally hiccup. Capture a few clean sessions, study how they behave, and you’ll start to notice when something’s… off. Maybe the game’s traffic never quite goes quiet. Maybe it’s a little too consistent, ticking along like a metronome even when the match ends. Maybe that workstation that definitely doesn’t have Overwatch installed keeps talking to the same port range at midnight every night. You’re not hunting for a smoking gun, just a suspiciously well-behaved player.

And when you do find something odd, context is king. A weird game session during lunch is probably nothing; a weird session right after someone downloaded a “free cracked copy” from YouTube is another story. The gaming world is already a thriving economy of malware and misdirection, fake demos, trojaned mods, Steam titles quietly mining crypto while the player thinks they’re upgrading a sword. Attackers don’t just hide in the games themselves; they hide in the ecosystem, the launchers, the patchers, the “helpful” Discord bots promising free skins. If your SOC is looking only at the game traffic and not what led up to it, you’re staring at the punchline instead of the setup.

The surprisingly fun maths bit

If you’re the sort who secretly enjoyed Calculus (you know who you are), this is where it finally pays off. Traffic analysis is mostly about patterns, and patterns love maths. The simplest trick is to look at inter-arrival times, the gaps between packets. Plot them as a function, take a Fourier transform, and behold: peaks where peaks shouldn’t be. A normal game gives you a messy, organic spectrum; a covert channel often leaves neat harmonics, like someone humming under the music. A few well-placed integrals later and you’ve basically got the first chapter of an undergraduate dissertation in applied paranoia.

Then there’s entropy, everyone’s favourite word that sounds smart at conferences. Measure how unpredictable a session’s packet sizes or timings are, and compare that to a known baseline. Real humans are gloriously inconsistent; secret channels crave order. Lower entropy means something, or someone, is imposing a rhythm. You can even model it with a bit of calculus, fitting curves to how variance changes over time. If your graph looks like a flat ECG, your player might be more algorithm than adrenaline.

Or, for the show-offs, there’s cross-correlation, the fancy way to ask, “do the packets going out match the ones coming back?” Games have a natural back-and-forth: send input, get feedback, send input again. A covert channel breaks that cadence. The client keeps whispering when the server isn’t listening, or the server sends acknowledgements that feel a beat off. Plot the lag, do some light differential analysis (yes, differentiation finally matters!), and you’ll see where the conversation stops being a conversation and starts being a monologue.

These are all things an ambitious undergrad could code up in Python with Wireshark captures, a bit of NumPy, and too much coffee. In fact, some already have, entire dissertations are written on detecting “unnatural regularity” in network traffic. It’s like birdwatching for spies: you don’t need to know what kind of bird you’ve found, just that it’s chirping in 4/4 time while all the others are jazz improvising.

Catching covert channels, then, isn’t about packet sorcery or heroic firewall rules. It’s about seeing games as part of a bigger pattern of behaviour. You let the harmless play go, you flag the stuff that doesn’t breathe right, and you follow the digital breadcrumbs backward, through dodgy downloads, sketchy executables, and suspiciously timed browser extensions, until you find what’s really hiding in the noise. It’s detective work, not pest control. The goal isn’t to stop people having fun; it’s to make sure the fun isn’t sending encrypted love letters to a command server in another time zone.

The ethics bit, and other awkward truths

There’s a fine line between curiosity and mischief, and this topic loves to dance on it. Researching covert communication in games isn’t evil, it’s just deeply inconvenient for everyone else. Some people explore it to understand censorship resistance, whistleblowing, or digital self-defence. Others, less nobly, use the same tricks to move stolen data under the cover of pixelated carnage. The maths doesn’t care; ethics do.

If you’re poking at these ideas, do it with the self-awareness of someone defusing their own bomb. Don’t run experiments on live servers; don’t publish source code that turns every 14-year-old with a compiler into a freelance spymaster; and don’t be surprised when a studio’s legal department develops a sudden interest in your GitHub repository. There’s a reason responsible disclosure exists, use it. You can be clever and decent; it’s allowed.

For defenders, the moral hazard runs the other way. Yes, you can instrument every packet and analyse every mouse twitch, but maybe don’t become the digital equivalent of a curtain-twitcher. Surveillance creep is real, and the last thing the world needs is another company claiming it “had to” inspect private traffic because someone might be hiding Morse code in a headshot. The line between vigilance and voyeurism is blurry enough without dragging games into it.

The bigger truth is that games have become part of our digital nervous system. They’re chat rooms, marketplaces, classrooms, therapy sessions, everything but “just games.” That makes them both irresistible to attackers and impossible to police without breaking something human. The challenge isn’t to sterilise the medium; it’s to raise the cost of abuse until the bad actors find somewhere less hospitable.

So, no, you won’t stop people hiding messages in games. You’ll just make it annoyingly difficult, a bit like smuggling a grand piano through airport security, you can try, but it won’t be subtle. And if there’s a moral in all this, it’s that secrecy and play have always been cousins. Spies and gamers both live for the thrill of hiding in plain sight; the rest of us just hope the fireworks stay virtual.

References:

Diehl, M. (2008) ‘Secure covert channels in multiplayer games’, Proceedings of the 10th ACM Workshop on Multimedia Security, pp. 117–122. New York: ACM Press. Available at: https://dl.acm.org/doi/10.1145/1411328.1411350 (Accessed: 4 November 2025).

Hahn, B., Nithyanand, R., Gill, P. and Johnson, R. (2015) Games Without Frontiers: Investigating Video Games as a Covert Channel. arXiv preprint arXiv:1503.05904. Ithaca, NY: Cornell University. Available at: https://arxiv.org/abs/1503.05904 (Accessed: 4 November 2025).

Hernandez-Castro, J.C., Blasco-López, I., Estévez-Tapiador, J.M. and Ribagorda, A. (2006) ‘Steganography in games: A general methodology and its application to the game of Go’, Computers & Security, 25(1), pp. 64–71. Available at: https://doi.org/10.1016/j.cose.2005.12.001 (Accessed: 4 November 2025).

Malwarebytes Labs (2025) ‘Steam games abused to deliver malware once again’, Malwarebytes Blog, 25 July. Available at: https://www.malwarebytes.com/blog/news/2025/07/steam-games-abused-to-deliver-malware (Accessed: 4 November 2025).

Proofpoint (2024) ‘Threat actors deliver malware via YouTube video game cracks’, Proofpoint Threat Insight Blog, 3 April. Available at: https://www.proofpoint.com/us/blog/threat-insight/threat-actors-deliver-malware-youtube-video-game-cracks (Accessed: 4 November 2025).

The Verge (2025) ‘Steam game removed after cryptostealer takes over $150K’, The Verge, 22 September. Available at: https://www.theverge.com/news/782993/steam-blockblasters-crypto-scam-malware (Accessed: 4 November 2025).

Vines, P., Kohno, T. (2015) ‘Rook: Using video games as a low-bandwidth censorship-resistant communication platform’, Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society (WPES ’15), pp. 75–84. New York: ACM Press. Available at: https://dl.acm.org/doi/abs/10.1145/2808138.2808141 (Accessed: 4 November 2025).

Wajid, A., Kamal, N., Sharjeel, M., Sheikh, R.M., Wasim, H.B., Ali, M.H., Hussain, W., Ali, S.T., and Anjum, L. (2021) ‘A first look at private communications in video games using visual features’, Proceedings on Privacy Enhancing Technologies, 2021(3), pp. 433–452. Available at: https://petsymposium.org/popets/2021/popets-2021-0055.pdf (Accessed: 4 November 2025).

Wired (2015) ‘An app that hides secret messages in Starcraft-style games’, Wired Magazine, 15 April. Available at: https://www.wired.com/2015/04/app-hides-secret-messages-starcraft-style-games/ (Accessed: 4 November 2025).

Zander, S., Armitage, G. and Branch, P. (2008) ‘Covert channels in multiplayer first person shooter online games’, Proceedings of the IEEE 33rd Conference on Local Computer Networks (LCN 2008), pp. 215–222. Piscataway, NJ: IEEE. Available at: https://ieeexplore.ieee.org/document/4664172 (Accessed: 4 November 2025).

Zander, S., Armitage, G. and Branch, P. (2009) ‘Reliable transmission over covert channels in first person shooter multiplayer games’, Proceedings of the IEEE 34th Conference on Local Computer Networks (LCN 2009), pp. 169–176. Zurich, Switzerland: IEEE. Available at: https://files.core.ac.uk/download/77144498.pdf (Accessed: 4 November 2025).

Read more