Blizzard used a cheat detection system in wow that allowed their server to send arbitrary code for clients to run. The code failing to return an expected result was a sign that there was tampering going on. Emulating windows api to run on Linux is a form of tampering, though obviously not necessarily a sign of cheating. Guessing they used some code that didn’t work on Linux and banned everyone who failed before realizing that some failed due to Linux, and then were able to separate the Linux users from detected cheaters by how it failed (either that or they had to undo all bans from that round).

Though it does make me wonder if it meant they can’t/don’t detect cheaters on Linux. Probably not, because my guess is they start out by looking for any cheats they can find, install them on test machines, then work at detecting the differences between those test machines and ones without the cheat. So they’d know about Linux-based cheats, too. They might even be able to use timing-based attacks to detect kernel level ones, too.