Bans are batched, not instant
Here's something that catches almost everyone off guard the first time: most OSRS bans don't happen in real time. You can bot for a week without issues, log in on a random Tuesday, and find your account permanently banned for something you did eight days ago.
This is by design. Jagex collects behavioral data over days or weeks, runs detection passes against that data, and then deploys bans in waves. The flag and the ban are separate events separated by a deliberate delay.
A Jagex moderator confirmed this directly in a player appeal response:
"It's important to mention that whenever a ban is added to an account, you are not necessarily banned for the actions being carried out at that specific time. The actions could have been committed a few weeks prior to the ban wave... Note: these bans are issued at a random time interval after the macroing is detected to protect the macroing detection systems."
The deliberate delay serves two purposes. First, it obscures which specific behavior triggered detection. If bans were instant, botters could trivially A/B test their scripts — change one variable, run for an hour, see if you get banned. The delay breaks that feedback loop. Second, it allows Jagex to batch-process large groups of accounts sharing the same behavioral fingerprint in a single pass, which is far more efficient than processing each account individually.
Real-time detection does exist, but it's reserved for egregious behavior — teleport hacks, speed manipulation, actions that are impossible in normal play. For standard botting, the detection-to-ban pipeline runs on a delay measured in days to weeks.
This is important to internalize because it changes how you evaluate risk. If you botted aggressively last week and haven't been banned yet, that doesn't mean you're safe. It means the wave hasn't hit yet. And if you get banned today, don't assume it was something you did today — it was almost certainly flagged earlier.
The numbers — how big are these waves?
The scale of Jagex's anti-bot operations is genuinely staggering. Their 2024 disclosure provides hard numbers:
- 6.9 million accounts banned in 2023 alone
- 67,000+ OSRS accounts banned per week in 2024, on average
- 2,800 of those weekly bans are specifically for boss-related botting
- ~900 billion GP removed from the OSRS economy per week through bans
- Only 38 bans were overturned on appeal in all of 2024, a quash rate of approximately 0.36%
That last number deserves emphasis. Out of roughly 3.5 million bans issued in 2024, thirty-eight were reversed. When Jagex bans an account, they are overwhelmingly confident it was botting. The appeals process exists, but statistically, it almost never results in an overturn.
For historical context, the most notorious single wave was "Bot Nuking Day" on 25 October 2011, when Jagex rewrote the client's obfuscation layer — breaking most injection and reflection bots — and banned over 1.5 million accounts in a single wave. The total active player count dropped by roughly 60% overnight. That event reshaped the botting landscape permanently and led directly to the development of Botwatch — the ML-based system that replaced brute-force client detection.
A former anti-cheat team member who worked at Jagex for seven years publicly reported applying over 12 million offences during his tenure. That's one person, on one team. The operation is industrial-scale.
The fingerprint clustering problem
This is the section most people haven't thought about — and it's arguably the most important for understanding why ban waves work the way they do.
Jagex doesn't just analyze individual accounts in isolation. The evidence strongly suggests they cluster accounts exhibiting similar behavioral fingerprints and target those clusters as a unit.
Here's how it works. Imagine 500 accounts are all running the same public script with default settings. They share the same click timing distribution — the same mean delay, the same variance, the same distribution shape. They follow the same interaction sequence: click tree, wait, click tree, drop inventory, repeat. They take breaks at the same intervals. They walk the same path between the bank and the resource.
Individually, each account might look plausible. But collectively, 500 accounts with statistically identical behavioral signatures form a cluster that stands out clearly against the background noise of normal player behavior. When Jagex identifies that cluster, validates it against confirmed bot accounts, and builds a detection pass targeting that fingerprint, every account matching the pattern gets swept in a single wave.
This explains several patterns the community observes:
Public free scripts with thousands of users have the highest ban rates. The cluster is massive. Thousands of accounts sharing an identical behavioral fingerprint is trivially identifiable. It's a large, high-value target that's worth the engineering time to classify.
Private or custom scripts survive significantly longer. A script used by 5 people generates a cluster of 5. That's virtually indistinguishable from noise in a dataset of millions of active accounts. The fingerprint exists, but it's not worth Jagex's time to find and target.
"Suicide botting" with disposable accounts trains the detection system against that script's fingerprint. Every throwaway account that gets flagged contributes data to the labeled training set. The more accounts using a script that get caught, the better Jagex's classifier gets at identifying that specific fingerprint — making it progressively more dangerous for everyone still using the same script.
The same script can go from safe to banned overnight. Not because the script changed, but because the cluster grew large enough to be worth targeting, or because Jagex's classifier improved enough to detect it. The script you ran safely for three months can get every remaining user banned in a single wave once the fingerprint is identified.
This has a direct implication for plugin choice: behavioral uniqueness is a structural safety property. Plugins that produce genuinely different behavioral fingerprints per user — different timing distributions, different action sequences, different randomization seeds — prevent the formation of large, detectable clusters. Your account's behavior shouldn't match anyone else's.
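The clustering described in this section, seen from the detection side, as an added example (not Jagex's or Botwatch's actual logic, which the page does not document). It assumes a two-feature fingerprint (mean and standard deviation of click delay), hypothetical thresholds `eps` and `min_size`, and constructed sample data; it shows why a widely shared script surfaces as one large cluster while a five-user script stays below the size threshold.

```python
import math
import random
import statistics

def fingerprint(delays_ms):
    """Summarise one account's click delays as (mean, standard deviation)."""
    return (statistics.fmean(delays_ms), statistics.stdev(delays_ms))

def cluster_accounts(fingerprints, eps):
    """Single-linkage clustering: link accounts whose fingerprints lie within eps."""
    ids = list(fingerprints)
    parent = {a: a for a in ids}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps lookups short
            a = parent[a]
        return a

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if math.dist(fingerprints[a], fingerprints[b]) <= eps:
                parent[find(a)] = find(b)
    clusters = {}
    for a in ids:
        clusters.setdefault(find(a), set()).add(a)
    return list(clusters.values())

def flag_clusters(samples, eps=20.0, min_size=10):
    """Return only the clusters large enough to justify a detection pass."""
    fps = {acct: fingerprint(d) for acct, d in samples.items()}
    return [c for c in cluster_accounts(fps, eps) if len(c) >= min_size]

def constructed_population(seed=7):
    """Constructed data, not real telemetry: 40 accounts on one shared script,
    5 on a private script, 30 humans with individual timing habits."""
    rng = random.Random(seed)

    def draw(mu, sigma, n=200):
        return [max(50.0, rng.gauss(mu, sigma)) for _ in range(n)]

    pop = {f"public-{i}": draw(600, 20) for i in range(40)}
    pop.update({f"private-{i}": draw(900, 35) for i in range(5)})
    pop.update({f"human-{i}": draw(rng.uniform(400, 1500), rng.uniform(120, 400))
                for i in range(30)})
    return pop

if __name__ == "__main__":
    for cluster in flag_clusters(constructed_population()):
        print(len(cluster), "accounts share one fingerprint:", sorted(cluster)[:3], "...")
```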
What triggers a wave vs. what triggers an individual ban
Not all bans come from waves. Understanding the difference matters for assessing your risk profile.
Waves target a specific behavioral fingerprint. Jagex identifies a pattern — a particular click timing distribution, a specific action sequence, a characteristic session structure — validates it against known bots, runs the classifier across the active account population, and bans every match. Waves tend to be activity-specific: the 2024 stat showing 2,800 weekly bans for boss-related botting specifically suggests that Jagex runs content-area-specific detectors, not one monolithic classifier.
Individual bans are more often triggered by player reports combined with suspicious activity flags. Jagex has confirmed that player reports accelerate review — a reported account gets moved to the front of the queue for manual or automated assessment. The community-built Bot Detector plugin for RuneLite has reportedly made individual bans happen faster since its widespread adoption. The plugin uses its own ML model to score accounts as likely bots, and sends those predictions directly to Jagex's anti-cheating team via an API. It's essentially crowdsourced bot detection running on thousands of legitimate players' clients.
Gold farming accounts get hit harder than personal-use automation, and the reason is additional signal layers beyond behavioral analysis. Wealth transfer patterns — one-directional trades to mule accounts, interaction with known RWT networks — stack on top of behavioral flags. Account age and progression mismatches (high GP but low quest points, high combat but zero non-combat skills) add further signal. IP and device linkage to other banned accounts can flag an account before it even starts botting. Gold farming operations leave a broader footprint than a single player automating their herb runs.
The practical takeaway: if you're automating personal account progression — varied skills, normal-looking wealth levels, no mule transfers — your risk profile is fundamentally different from someone running a 20-account gold farming operation. Both can get banned, but the detection surfaces are different.
The account age and legitimacy shield
Newer accounts face significantly more aggressive detection thresholds than established ones. This is consistent across community data and logically sound — fresh accounts are cheap, disposable, and disproportionately used for farming operations. Jagex's models almost certainly weight account maturity as a risk factor.
But it's not just about age. It's about baseline establishment. An account with months of varied manual play has a behavioral profile on Jagex's servers — typical session lengths, click patterns, activity distribution, XP rates. When that account starts botting, the automated behavior needs to deviate substantially from its established baseline to trigger detection. A brand-new account has no baseline. Everything it does is evaluated from scratch against the general population model, where the priors on "is this a bot?" are much less favorable.
Factors that appear to raise the detection threshold based on observable community patterns:
- Account age — months or years of existence with login history
- Total level and XP spread — XP distributed across many skills, not spiked in one
- Quest points completed — varied, non-repetitive gameplay history
- Historical manual play sessions — a positive baseline of clearly human input patterns
- Membership status and payment history — real payment information as a partial identity signal
- Social activity — friends list entries, clan membership, public chat history
This is why account warm-up isn't just "looking legitimate" — it's establishing a statistical baseline that makes automated behavior harder to distinguish from normal play variance. The detection system is comparing your current behavior against your own history, not just against a generic bot model.
The investment in manual warm-up play compounds over the account's lifetime. An hour of real gameplay doesn't just help today — it shifts the baseline permanently, making every future automated session incrementally safer.
Timing and world selection
Community observation — correlational, not causal — suggests that larger waves tend to cluster around Monday through Wednesday during UK office hours, often in the period after Wednesday game updates. Jagex's anti-cheating team works from their Cambridge office on UK business hours. While the ban system itself is automated, the deployment of new detection passes and the processing of flagged accounts may follow office schedules.
However, a nuance from community discussion is worth noting: "There are no set times on when Jagex ban people... Yes it makes sense that there may be more bans during office hours, simply because Jagex employees are in the office actively processing account bans, investigations etc. but this does not mean you are guaranteed to be banned during this or any other time."
The takeaway isn't to avoid botting on specific days — it's that ban timing is noisy enough that you can't game it reliably. If your strategy depends on "I only bot on weekends when Jagex isn't in the office," you're relying on a weak, unverifiable signal.
World selection has a more directly actionable impact. The Bot Detector plugin's users cluster in popular botting hotspots — Motherlode Mine, Wintertodt, Blast Furnace, rooftop Agility courses. These are the locations where you're most likely to be actively scanned by other players running ML-based bot detection. Botting in less popular worlds and at less trafficked training locations reduces your exposure to the player-report-driven detection pipeline.
This doesn't protect you from Jagex's own behavioral analysis — that runs regardless of where you are. But it does reduce the chance that your account gets flagged and fast-tracked by player reports, which can trigger individual bans faster than you'd otherwise encounter.
This is why Pluginscape plugins use unique per-user timing distributions — your behavioral fingerprint shouldn't match anyone else's. When a wave targets a specific pattern, you want your account to be noise, not signal.