Denuvo's single-player DRM is fully cracked. 2K is forcing 14-day online check-ins to fight back.

The community-maintained list of Denuvo-protected single-player PC games hit zero uncracked titles in late April 2026. Tom’s Hardware reports it as the first time that’s happened in the DRM’s 12-year history. Two breakthroughs got there in parallel.

One is a hypervisor-based bypass attributed to scene groups including MKDev and DenuvOwO. The other is traditional reverse engineering, led by the veteran releaser voices38. The publisher response, applied to a small number of high-revenue 2K Games titles, isn’t a new DRM. It’s a 14-day timer. After that window, VGC reports that “the game will not load unless players connect online again, authorise their install and get a new authorization token.” That phrasing is from publicly-shared patch notes, not a 2K press release. Denuvo and 2K have not commented on the rollout.

How the bypass works

The hypervisor-based bypass operates at a layer below the operating system. Kotaku’s writeup describes it as a “driver at a PC’s kernel level” that intercepts Denuvo’s integrity checks and replies with the responses the game expects to see. The DRM thinks it’s running unmolested. It isn’t.

The reverse-engineering track is the one Denuvo’s anti-tamper team has been fighting since launch in 2014. It’s slower per title but produces a clean executable. The combination is what closed out the list. Earlier this decade, individual titles took weeks or months between release and crack. The pattern over the last six months collapsed: titles were getting cracked the same day they released.

That’s the part of the news cycle that flips Denuvo’s value proposition. The DRM was always sold to publishers on the premise of protecting the launch window (usually the first 30 days of sales), not eternity. When same-day cracks become routine, even that pitch wears out.

What 2K added

Denuvo and 2K Games’ counter, reported by VGC, is a fresh DRM layer rather than a new tamper protection. The patched titles, NBA 2K25, NBA 2K26, and Marvel’s Midnight Suns, now check for what 2K calls an “offline authorization token” that the game caches locally for 14 days. After that window, the game refuses to launch until the player connects to the internet, gets a fresh token from Denuvo’s servers, and re-authorizes.

The clever bit: this defeats the hypervisor bypass, because the bypass can fake responses inside the player’s machine but it can’t fake a call-and-response with Denuvo’s actual auth servers. Token issuance is a real network round-trip, and the kernel driver isn’t sitting in the middle of TLS to forge it.

The not-clever bit: it punishes paying customers. GamingOnLinux flags the obvious failure modes. Steam Deck users on long flights. Players in regions with unreliable internet. Anyone who let a single-player game sit untouched for two weeks and now can’t launch it on the train. The architecture of the check makes the offline experience strictly worse than it was before the crack.

Neither 2K nor Denuvo has issued an official statement on the rollout. Reporting attributes the change to in-game patch notes and player observation rather than a publisher announcement, so treat the specific title list as confirmed for the games where players have observed the behavior, and as developing for the rest of 2K’s catalog.

What this means for you

If you own NBA 2K25, NBA 2K26, or Marvel’s Midnight Suns on PC, the practical change is that an offline single-player session now has a clock on it. Launch the game online once a fortnight and the experience is identical to what you had before the patch. Forget for three weeks and you’ll get an authorization-required prompt at launch with no way around it.

If you don’t own those titles but you buy Denuvo-protected games regularly, the pattern matters because it telegraphs the next move from publishers. Anti-tamper alone is finished as a launch-window defense. The next thing on the menu is always-online for single-player titles, hidden under the friendlier label of “occasional check-ins.” Watch which 2K and Take-Two titles get the same treatment in the next quarterly patch. Watch whether Ubisoft, Activision, or other Denuvo-using publishers follow. The DRM brand stays the same. The thing it actually protects is shifting from “the .exe” to “your network connection.”

The piracy scene’s response is predictable: a separate cracking effort against the token system. The race that started in 2014 has a new lap.