The drugwars team implemented an authentication method on the websocket API around a day ago. This means that most of the published auto-heist scripts will not work anymore out of the box but need some adjustments. Not everybody that used the public scripts will be able to make these changes and I haven't seen any posts with updated scripts yet.
The change which is required to log in to the websocket API takes about 5-10 lines of code. From my perspective it was made not to limit access to the API but to help the drugwars team find the user names of players who are abusing the API.
The problem is that in reality it doesn't change anything: for 6 STEEM you can buy a new Steem account and use it only to find players with cheap resources by calling the get_user method. This info you pass to an army of bots. The bot attacks then look legit because no abuse of the API is done by them :( You will only have to regularly buy new accounts, which will be banned for abusing the get_user method.
From my perspective identifying and banning bots is a waste of time; instead of developing the game the team has to do some statistical analysis :( Instead of this, the number of user actions should be limited, e.g. to 20 attacks a day, or only 1 attack in a time frame of 2h. Maybe a captcha should be added before each attack.
I think some anti-bot tools could be tweaked to work offline too, via temporary information read from/via the blockchain. Either way, decentralizing anti-cheating on STEEM can be a hard thing to do. Maybe it would be something to address (if not already done) on SMTs.
For example, the player @qurator-tier-1-2 already has some bots. I can never attack this one anymore. On top of this, the player itself is part of a bot on STEEM, which makes all this very hard to manage.
Although I agree limiting will reduce the bots, it will never avoid them. And because of the capability of STEEM accounts, it would not work. People will just create more accounts to have strategic scripts working on them.
I think there should be a "luck" aspect to when a player attacks. Like a sliding scroll (anti-bot features), or something like @properfraction said, "Maybe a captcha should be added before each attack", and if during that period more than 1 player successfully slides the scroll, a roll is done to decide which one attacks. This will both kill bots and also allow attacks to be fair (in my view).
FYI @drugwars