I Know What You Played Last Summer: Evaluating the Feasibility of Privacy Attacks in Massively Multiplayer Online Role-Playing Games

Massively Multiplayer Online Role-Playing Games (MMORPGs) increasingly rely on player-developed third-party tools to extend functionality and personalise gameplay, creating a complex software ecosystem that introduces both usability benefits and security risks. This study investigates whether such tools can be exploited as an attack vector for cybercrime by designing and implementing a proof-of-concept add-on within a widely deployed commercial MMORPG using its native scripting and application programming interface. The developed tool supports automated player discovery, chat capture, target inspection, and local data persistence, enabling a systematic evaluation of how cyber-assisted and cyber-dependent crimes could be facilitated within the game client. Empirical testing demonstrates that while the platform’s protected execution model and interface restrictions prevent direct credential theft and remote code execution, the add-on architecture allows extensive behavioural data collection and social-engineering-relevant monitoring, making several forms of cyber-enabled crime technically feasible. These findings show that MMORPG add-on frameworks represent a non-trivial socio-technical attack vector in next-generation online platforms, where security depends not only on code isolation, but also on how user-generated extensions interact with human behaviour. The results highlight the need for architecture-aware security controls and governance mechanisms to mitigate emerging threats in large-scale, extensible virtual environments.