Why You Shouldn't Use Third-Party Tools in Gacha Games: A Security Guide
Third-party tools for tracking pity and enhancing profiles in gacha games pose significant security risks that outweigh their apparent benefits. While sites like Paimon.moe or StarRailStation promise features that games don't natively offer, their data extraction methods—from PowerShell scripts to MITM proxies—use techniques identical to those employed by malware, exposing authentication tokens and compromising player account integrity.
This analysis covers 16 popular gacha games from publishers like HoYoverse, Kuro Games, Hypergryph, Yostar, Nexon, and Sunborn, documenting more than 40 third-party tools, their technical methods, documented security incidents, and official policies that prohibit their use. The conclusion is clear: although native features may be more limited, they are infinitely safer.



The Third-Party Tools Ecosystem in Gacha Games
Tools for HoYoverse Games
HoYoverse has the most extensive third-party tools ecosystem, driven by the massive player base of Genshin Impact, Honkai: Star Rail, Zenless Zone Zero, and Honkai Impact 3rd.
Most Popular Pity and Wish Trackers:
| Tool | URL | Supported Games | Extraction Method |
|---|---|---|---|
| Paimon.moe | paimon.moe | Genshin Impact | PowerShell script that reads local cache files and extracts authkey |
| StarRailStation | starrailstation.com | Honkai: Star Rail | PowerShell script from GitHub Gist (get_warp_link_os.ps1) |
| StarDB.gg | stardb.gg | Genshin, HSR, ZZZ | PowerShell command (iwr -useb stardb.gg/warp \| iex) |
| rng.moe | zzz.rng.moe | Zenless Zone Zero | URL extraction from game logs |
Profile and Build Tools:
| Tool | URL | Function | Method |
|---|---|---|---|
| Enka.Network | enka.network | Character showcase | Unofficial API that queries public data by UID |
| Akasha System | akasha.cv | Damage leaderboards | Uses Enka.Network API |
The most common method involves reading the output_log.txt file located in %userprofile%\AppData\LocalLow\miHoYo\[Game Name]\ to extract URLs containing the authkey parameter—a temporary authentication token valid for approximately 24 hours.
Tools for Wuthering Waves and Punishing Gray Raven
Kuro Games presents a smaller but equally risky ecosystem:
| Tool | URL | Method |
|---|---|---|
| WuWa Tracker | wuwatracker.com | Reads Client.log to extract URL with player_id, svr_id, record_id |
| WuWaPal | wuwapal.com | Same URL extraction technique from convene history |
| Wuthering.app | wutheringwaves.app | URL import from PC, Android, iOS, PlayStation |
The extracted URL has the format https://aki-gm-resources-oversea.aki-game.net/aki/gacha/index.html#/record?svr_id=XXXXX&player_id=XXXXXX, containing sensitive player identifiers.
Important note: Punishing Gray Raven has a native visible pity counter in the Research Logs menu, almost entirely eliminating the need for external tools.
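Because both the HoYoverse log entries and the Kuro Games record URL described above carry identifiers in the URL itself, any log excerpt shared for troubleshooting should be scrubbed first. The following is an added example, not code from any of the tools or publishers discussed; the parameter list comes from this article, while the `.invalid` hosts, the log layout, and all values are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Parameter names the article calls out; extend the set for other games.
SENSITIVE = {"authkey", "player_id", "svr_id", "record_id"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def scrub_query(query):
    """Mask sensitive values, leaving every other pair byte-for-byte intact."""
    hits, out = 0, []
    for pair in query.split("&"):
        key, sep, _ = pair.partition("=")
        if sep and unquote(key).lower() in SENSITIVE:
            pair, hits = key + "=REDACTED", hits + 1
        out.append(pair)
    return "&".join(out), hits

def redact_url(url):
    """Return (url with sensitive parameters masked, number masked)."""
    parts = urlsplit(url)
    query, hits = scrub_query(parts.query)
    fragment = parts.fragment
    # Single-page apps keep their parameters after the '#', as in the
    # Wuthering Waves record URL, so the fragment needs the same pass.
    if "?" in fragment:
        route, _, frag_query = fragment.partition("?")
        frag_query, frag_hits = scrub_query(frag_query)
        fragment, hits = route + "?" + frag_query, hits + frag_hits
    if hits == 0:
        return url, 0
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment)), hits

def redact_text(text):
    """Scrub every URL found in free text; return (clean text, total masked)."""
    total = 0
    def replace(match):
        nonlocal total
        cleaned, hits = redact_url(match.group(0))
        total += hits
        return cleaned
    return URL_RE.sub(replace, text), total

# Constructed sample log; hosts ending in .invalid and all values are made up.
SAMPLE_LOG = """\
[12:00:01] webview https://gacha.example.invalid/log?authkey_ver=1&authkey=CONSTRUCTED%2FTOKEN%3D&lang=en
[12:00:02] webview https://aki-gm-resources-oversea.aki-game.net/aki/gacha/index.html#/record?svr_id=11111&player_id=222222
[12:00:03] asset https://cdn.example.invalid/banner.png?v=3
"""

if __name__ == "__main__":
    cleaned, count = redact_text(SAMPLE_LOG)
    print(cleaned, f"{count} value(s) redacted", sep="")
```

A scrubber that only inspected the regular query string would miss the second URL entirely, since its parameters sit inside the fragment.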


Tools for Arknights, Girls' Frontline, and Azur Lane
The Hypergryph, MICA Team, and Yostar ecosystem presents tools with particularly concerning methods:
The Alarming Case of Girls' Frontline 2:
| Tool | URL | Method |
|---|---|---|
| EXILIUM Tracker | exilium.xyz | HTTPS interception via Fiddler proxy |
| GFL2 HELP | gfl2.help | Requires Fiddler Classic to decrypt HTTPS traffic |
The GFL2 HELP tracker requires users to:
- Download Fiddler Classic (HTTP debugging proxy)
- Configure "Decrypt HTTPS traffic" — enabling man-in-the-middle interception
- Accept certificates and enable decryption
- Capture access tokens from intercepted API calls
This method is technically identical to a Man-in-the-Middle attack, exposing ALL device HTTPS traffic.
Arknights has a safer ecosystem with manual entry tools like Krooster and Arknights Toolbox, although recently (January 2026) it added official headhunting history accessible via the Yostar account center.



Tools for Other Gacha Games
| Game | Main Tools | Method |
|---|---|---|
| Reverse 1999 | Timekeeper.top, MobileMeta.gg | Require URL with temporary auth token |
| Blue Archive | BlueArchive.gg, BA-Armory | Primarily manual entry (no auth trackers) |
| Brown Dust 2 | DotGG | Informational guides only |
| Snowbreak | Snowbreak.gg | Database without account connection |
| Duet Night Abyss | None popular | Cosmetic gacha with native visible pity |
Critical warning from MobileMeta.gg for Reverse 1999: "Please make sure you don't share this information with anyone else as it contains the temporary auth token associated with your account"
Technical Data Extraction Methods and Their Risks
Local Log File Parsing
How it works: PowerShell scripts read game log files to extract URLs containing authentication tokens.
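```powershell
# Relaxes the execution policy for this process, then downloads a remote script and runs it in memory
Set-ExecutionPolicy Bypass -Scope Process -Force; iex "&{$((New-Object System.Net.WebClient).DownloadString('URL'))}"
```
Security risks: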
- Remote code execution without verification
- Bypass of Windows security policies
- Users cannot audit the code being executed
- Technique identical to malware distribution
The most commonly accessed file is output_log.txt in the LocalLow folder of each game. HoYoverse patched the authkey exposure in logs in version 3.0, forcing tools to use more invasive methods like proxy mode.
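To make the risks listed above checkable, here is an added example (not code from any tool or vendor named in this article) that flags the traits of a download-and-execute one-liner in command text before it is run or when reviewing recorded commands. The rule names and the `audit` function are assumptions made for this illustration; the two flagged samples are the command forms quoted in this article.

```python
import re

# Built-in PowerShell aliases, expanded so short and long forms match alike.
ALIASES = {"iex": "invoke-expression", "iwr": "invoke-webrequest",
           "irm": "invoke-restmethod"}
ALIAS_RE = re.compile(r"(?<![\w./-])(iex|iwr|irm)(?![\w./-])")
FETCH = r"(?:invoke-webrequest|invoke-restmethod|\.downloadstring\s*\()"

RULES = {
    # Execution policy relaxed for this run.
    "policy-bypass": re.compile(
        r"(?:set-executionpolicy|-executionpolicy|-ep)\s+(?:bypass|unrestricted)"),
    # Content pulled from a remote host.
    "remote-fetch": re.compile(FETCH),
    # Downloaded text handed to Invoke-Expression, either piped into it
    # or nested inside its argument, within one ';'-delimited statement.
    "fetch-and-run": re.compile(
        FETCH + r"[^;]*\|\s*invoke-expression" r"|invoke-expression[^;]*" + FETCH),
}

def normalise(command):
    """Lower-case the command and expand aliases that stand alone as words."""
    return ALIAS_RE.sub(lambda m: ALIASES[m.group(1)], command.lower())

def audit(command):
    """Return the names of the rules the command text matches, in rule order."""
    text = normalise(command)
    return [name for name, rule in RULES.items() if rule.search(text)]

# The two command forms quoted in this article, plus constructed benign lines.
PAGE_PIPE = "iwr -useb stardb.gg/warp | iex"
PAGE_ONE_LINER = r'''Set-ExecutionPolicy Bypass -Scope Process -Force; iex "&{$((New-Object System.Net.WebClient).DownloadString('URL'))}"'''
BENIGN_DOWNLOAD = "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"
BENIGN_LOCAL = "Get-Content output_log.txt | Select-String authkey"

if __name__ == "__main__":
    for sample in (PAGE_PIPE, PAGE_ONE_LINER, BENIGN_DOWNLOAD, BENIGN_LOCAL):
        print(audit(sample) or ["no findings"], "<-", sample[:60])
```

The match is purely textual: it does not follow variables across statements or decode obfuscated input, so an empty result is not evidence that a script is safe.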
Traffic Interception via MITM Proxy
How it works: Tools like Fiddler or mitmproxy act as intermediaries between the game and servers, intercepting and decrypting HTTPS traffic.
Critical risks:
- Total traffic interception: A malicious tool can capture ALL network traffic, not just game data
- Session token exposure: Authentication headers, cookies, and tokens become visible
- System-level vulnerability: Installing root CA certificates allows decrypting ANY HTTPS traffic on the device
- Credential theft potential: Passwords from other services would be exposed if the proxy is compromised
Chromium Browser Cache Parsing
Tools using this method: HoYo.Gacha, some genshin-wish-export forks
Process: Reads cache files in ...\webCaches\2.46.0.0\Cache\Cache_Data\ to extract API URLs with tokens.
Risk: Access to browser data that may contain sensitive information from other sessions.
Browser Console Scripts
High risk: Users paste JavaScript code directly into the browser console, enabling:
- Arbitrary code execution
- Session token theft
- Access to cookies and localStorage
- Vector for XSS attacks
HoYoLAB Cookie Capture
Some tools request HoYoLAB authentication cookies (ltuid, ltoken). Unlike the authkey (valid ~24 hours), these cookies provide persistent access and can only be reset by changing the password.
Documented Security Incidents
Mass Account Thefts in Genshin Impact
The r/GenshinHacked subreddit emerged with more than 400 affected players reporting account theft. The main Genshin Impact subreddit suppresses these posts due to their volume—described as "too many of these posts." Players report losses of thousands of dollars in in-game purchases and items. miHoYo rejected refunds even when they acknowledged accounts were hacked.
Phishing Campaign with Fake Leak Database
In 2021, scammers created a website claiming to verify if accounts were compromised in a supposed "miHoYo data leak." The community detected that UIDs in the fake database had 8 digits instead of the correct 9. The creator had a history with hacking tools.
Blue Archive Hacked in August 2025
A hacker gained access to Blue Archive accounts to post images of the character "Koyuki" throughout the game. Nexon had to issue compensation packages including recruitment tickets, AP, and other resources.
Malware Distributed as Gaming Tools
- RedLine malware: Responsible for 170 million stolen passwords in six months (47% of all analyzed stolen passwords)
- Trojan.Scavenger: Disguises itself as cheats or enhancements for popular games, compromising crypto wallets and password managers
- Stealka Infostealer: Distributed via GitHub and SourceForge as game mods, attacks 100+ browsers for autofill data and session cookies
Fake Wuthering Waves Website
A clone of the official Kuro Games site was detected (kurogames → kuropages URL) that collected sensitive information through fake pre-registration forms.
Terms of Service and Official Prohibitions
HoYoverse/miHoYo
Official statement on scripts, plug-ins, and third-party software:
"miHoYo strengthened anti-cheat mechanisms to better prevent the use of plug-ins and third-party software"
Key ToS terms:
- "You are responsible for maintaining the confidentiality of your account information and if third parties use or access your account, you cannot claim compensation from COGNOSPHERE."
- "Do not transfer or make available to third parties your account information."
November 2023 statement: "Some players have been using third-party violation tools such as mouse macros and automation scripts... seriously damages game fairness" — Penalties include account bans and recovery of illegally obtained rewards.
Kuro Games (Wuthering Waves, PGR)
From Wuthering Waves ToS: "Cheat means that in the Services (generally, 'Game'), users achieve or attempt to achieve an unfair competitive advantage through any program, method, software or hardware."
"Please note that we may collect and transfer detailed information about your KURO GAMES account, gamelogs and any unauthorized program."
Fair Play Policy:
- "Strict prohibition of third-party applications to disrupt gameplay experience"
- Penalties: account suspension or permanent ban
Kuro Games confirmed a wave of bans in January 2025 via Discord.
Nexon (Blue Archive) — The Most Restrictive
"Do not modify Cash Items or the Service... including, without limitation, creating cheats and/or hacks or using third-party software to access files in the Service"
"Reverse engineer, packet sniff, decompile or disassemble any portion of the Service" — Explicitly prohibited
"Do not use 'packet sniffing,' scripting and/or macro software for any purpose"
Uses NGS (Nexon Game Security) — kernel-level anti-cheat.
Yostar (Arknights, Azur Lane)
GamePress warning: "Yostar and Hypergryph warn that they will ban accounts using cheats, plug-ins or third-party software to modify in-game data."
From ToS:
- Only operating one (1) account is allowed without written permission
- Cannot sell, gift, trade or transfer accounts — "may result in permanent ban"
NEOWIZ (Brown Dust 2)
Cancelled Steam launch in December 2024 due to policy conflicts. Explicitly warns that use of third-party emulators may result in permanent bans.
Native Features Available in Each Game
HoYoverse Games
| Game | Native History | Native Pity Counter | Limitation |
|---|---|---|---|
| Genshin Impact | ✅ Wish Menu → History (extended to 1 year since v4.5) | ❌ Requires manual counting | History erases after 1 year |
| Honkai: Star Rail | ✅ Warp Menu → Records | ❌ Requires manual counting | Limited history |
| Zenless Zone Zero | ✅ Signal History | ❌ Requires manual counting | 6 months retention |
| Honkai Impact 3rd | ✅ Supply History | ✅ Visible counter on banners | More complete than other HoYoverse games |
Other Games
| Game | History | Visible Pity | Notes |
|---|---|---|---|
| Wuthering Waves | ✅ Convene History | ❌ Manual counting | Only 6 months of data |
| Punishing Gray Raven | ✅ Research Logs | ✅ Visible counter | Eliminates need for third parties |
| Arknights | ✅ New January 2026 | ✅ Visible on banners | Since "The Rolling Thunder" banner |
| GFL 1 | ❌ Basic | ❌ No | Legacy system |
| GFL 2: Exilium | ✅ Recruitment → Details | ✅ Visible | Only 6 months retention |
| Azur Lane | ✅ Construction log | ✅ On UR banners | 200 pulls guarantees UR ship |
| Reverse 1999 | ✅ Summon History | ✅ Visible counter | Complete native |
| Blue Archive | ✅ Pull History | ✅ Recruitment Points (200 = spark) | Robust system |
| Brown Dust 2 | ✅ Banner History | ✅ Pickup tracking | Infinite Draw system |
| Snowbreak | ✅ Pull Records | ✅ Visible counter | Native sufficient |
| Duet Night Abyss | ✅ Via Details button | ✅ Separated by banner | Cosmetic gacha only |
| Arknights: Endfield | In development | ✅ 65 soft pity, 80 hard pity | Pity carryover between banners |
Key conclusion: All analyzed games have some form of native tracking. Although less sophisticated than third-party tools, it is completely safe.



Technical Analysis of Popular GitHub Tools
biuuu/genshin-wish-export (3,800+ stars)
Security findings:
- ⚠️ No SECURITY.md file
- ⚠️ Proxy mode requires network interception
- ⚠️ A fork removed auto-update "to avoid security concerns"
- ⚠️ Issue #530 reports loss of 3+ years of history without recovery
MadeBaruna/paimon-moe (1,500+ stars)
Security findings:
- ⚠️ Web service — data goes to external servers
- ⚠️ Google Drive integration for sync (third-party exposure)
- ⚠️ 302 open issues in repository
- ⚠️ Scam-detector.com gives it 58.4 points — "high-risk activity related to phishing"
wuwatracker/wuwatracker (245+ stars)
Security findings:
- ⚠️ Global statistics imply data aggregation on servers
- ⚠️ Sync with Google account
- ⚠️ No formal privacy policy in repository
Risk Level Summary by Method
| Method | Tools Using It | Risk Level |
|---|---|---|
| Proxy/MITM | biuuu proxy mode, GFL2 trackers | 🔴 CRITICAL |
| Web backend | paimon-moe, wuwatracker | 🔴 HIGH |
| PowerShell scripts | StarRailStation, StarDB, most | 🟠 HIGH |
| Chromium cache | HoYo.Gacha | 🟠 MEDIUM |
| Local log files | Most trackers | 🟡 MEDIUM |
| Public API (UID only) | Enka.Network | 🟢 LOW |
| Manual entry | Calculators, simulators | ✅ SAFE |
Why Native Features Are Superior
Argument 1: Zero Authentication Token Exposure
Built-in features never expose authkeys, session tokens, or cookies to third parties. Everything happens within the game's official ecosystem.
Argument 2: No External Code Execution
No PowerShell scripts to execute, certificates to install, or proxies to configure. Completely eliminates the most common attack vector.
Argument 3: Guaranteed Official Support
If something goes wrong with your account using native features, official support can help. If you used third-party tools, publishers explicitly wash their hands: "you cannot claim compensation".
Argument 4: No Ban Risk
Although the ban risk for pity trackers is currently low, publishers can change their policies at any time. Tools "tolerated" today may become bannable tomorrow.
Argument 5: Data Under Your Complete Control
Native features don't send data to third-party servers with unknown or non-existent privacy policies.
Security Recommendations for Gacha Players
- Never execute downloaded PowerShell scripts to get game data — use exclusively in-game features
- Don't install root CA certificates from third-party tools under any circumstances
- Don't share URLs containing authkey or authentication tokens
- Enable 2FA on all game accounts that support it (Yostar, HoYoverse)
- Use unique passwords for each game — credential stuffing is a real attack vector
- Distrust tools that ask for login credentials directly
- If the game has native tracking, use it instead of external tools
- Keep a manual record of your pity if the game doesn't offer a counter — it's tedious but safe
Conclusion: The Risk Doesn't Justify the Convenience
Third-party tools for gacha games offer more attractive interfaces and features that developers don't provide natively. However, their technical methods — PowerShell scripts with security bypass, MITM interception of HTTPS traffic, extraction of authentication tokens — are indistinguishable from malware techniques.
The 170 million passwords stolen by RedLine malware in six months demonstrate that attackers actively exploit gamers' trust in unofficial tools. Documented phishing incidents in the Genshin Impact community, the Blue Archive hack in 2025, and explicit warnings from all major publishers reinforce this reality.
All analyzed games offer native history and pity tracking features. Although more limited, they completely eliminate the attack vectors that third-party tools introduce. The question isn't whether third-party tools are convenient — they are — but whether that convenience is worth the risk of losing an account with hundreds or thousands of dollars invested.
The answer, from a computer security perspective, is unequivocally no.
References and Sources
Official Publisher Documentation
- HoYoverse Terms of Service: tot.hoyoverse.com/en-us/terms
- HoYoverse Security Advisory: genshin.hoyoverse.com/en/news/detail/5763
- Kuro Games ToS: wutheringwaves.kurogames.com/p/language_en/terms_of_service.html
- Nexon Terms of Service: m.nexon.com/terms/304
- Yostar ToS: yostar.co.jp/terms-and-conditions.html
- Sunborn Privacy Policy: gf.sunborngame.com/privacy_policy.php
- Bluepoch User Agreement: re1999.bluepoch.com/gameprotocol/en/userAgreement.html
- Seasun ToS: snowbreak.amazingseasun.com/show-631-2-1.html
Third-Party Tools Analyzed
- Paimon.moe: paimon.moe | GitHub: github.com/MadeBaruna/paimon-moe
- StarRailStation: starrailstation.com/en/warp
- Enka.Network API: github.com/EnkaNetwork/API-docs
- WuWa Tracker: wuwatracker.com | GitHub: github.com/wuwatracker/wuwatracker
- GFL2 HELP: gfl2.help/en/pulls
- biuuu/genshin-wish-export: github.com/biuuu/genshin-wish-export
- HoYo.Gacha: github.com/lgou2w/HoYo.Gacha
- MobileMeta.gg Reverse 1999: reverse1999.mobilemeta.gg/summon
Security Reports
- Bitdefender Genshin Scams (2025): bitdefender.com/en-us/blog/hotforsecurity/genshin-impact-scams-players-games-2026
- Kaspersky Stealka Infostealer: kaspersky.com/blog/windows-stealer-stealka/55058/
- Kaspersky Genshin Driver Exploit: usa.kaspersky.com/blog/genshin-driver-attack/27034/
- Specops Credential Stealing Malware: specopssoft.com/blog/top-password-credential-stealing-malware/
- TheGamer Account Theft Report: thegamer.com/genshin-impact-stolen-accounts-hacked-tfa/
Documented Incidents
- GamerBraves Phishing Scam: gamerbraves.com/genshin-impact-community-spots-potential-phishing-scam/
- GamerBraves PGR Twitter Hack: gamerbraves.com/punishing-gray-raven-global-twitter-account-got-hacked-to-promote-crypto/
- Dexerto Blue Archive Hack: dexerto.com/gaming/hacker-breaks-into-gacha-game-just-to-post-one-anime-girl-everywhere-3245982/
- Yardbarker Wuthering Waves Bans: yardbarker.com/video_games/articles/kuro_games_confirms_wuthering_waves_bans
- WuWa Fake Website: wutheringwaves.gg/beware-of-the-fake-wuthering-waves-official-website/
Communities and Discussions
- r/GenshinHacked (stolen accounts subreddit)
- GamePress Arknights Ban Warning: ak.gamepress.gg/news/arknights-warning-bans-incoming
- Steam Community Wuthering Waves ACE discussions
- UIGF Standard: uigf.org/en/standards/uigf-legacy-v4.0.html
Last updated: February 2026
Disclaimer: This report is for informational and educational purposes only. It does not constitute legal or security advice. Use of third-party tools is at your own risk. Always verify current policies of each game before using any external service.