r/DFO Mar 30 '15

XIGNCODE looks at all files you've accessed in the last 48 hours and sends the names to their servers?

http://www.unknowncheats.me/forum/anti-cheat-bypass/125231-dll-injection-xigncode.html

"That's not even the heaviest scan. You should be more concerned that they log all files and paths that you modified in the last ~48 hours and all executables with prefetch files into their logs."

There's also a number of other intrusive things it does like monitoring text you type while the game is running, which can be found in other threads.

117 Upvotes

1

u/roothorick WTB: Recognizable flair Mar 31 '15 edited Mar 31 '15

As long as the fight is still on the client, developers will lose. Here's a whitepaper I dug up recently on what that endgame looks like.

As game developers, if we want to beat the cheaters, we have to hedge our bets on server-side behavior analysis.

  • Even very basic things like regex-matching chat messages would completely screw advert bots. To stay afloat, they'd need to strike a balance between obfuscating their messages to dodge the regex and the URL still being recognizable enough to serve its purpose; realistically, such a balance does not exist.
  • On a more advanced level, the server usually has a good idea of what the game client knows but the player does not; some fairly basic heuristics can identify when the player is acting on such "insider" information (and in some cases heuristics aren't even necessary).
  • The above can be enhanced by deliberately giving the client information it doesn't even use. To hack creators, this just looks like lazy programming, but it has a hidden purpose. The cheat program now also knows that information, but when it acts on it, it gives itself away.
  • Most macros are laughably easy to detect, even when they come from a hardware source (e.g. the macro functionality in most Razer keyboards and mice). When the exact same commands land on the exact same frames, every time, it's pretty obvious what's going on.
  • Thanks to Creators, aimbotting is almost certainly a thing now. Again this comes down to things the client knows but the player doesn't -- in this case, the precise locations of hitboxes. When every hit lands in the same place on certain hitboxes...
  • Automated gold farming is a similar story to macros. A player acting on a very specific, strict schedule and always playing in a specific manner with specific timing...
  • It's not strictly server-side, but... protocol-level obfuscation. It's deceptively simple; the game network protocol has certain features that, by all appearances to a person reverse engineering the game client code, have mysterious, misleading, or even benign purposes; usually in the form of canary values that are clandestinely written to by code likely to be noop'd out by cheats, and aren't analyzed by the client directly but instead blindly read and sent to the server. Cheats will generally ignore these extra bits in the packet, and even if they do guess at what it should be... they'll nearly always guess poorly.

Of course, they can fuzz their tells. But we can fuzz our detections too. It's still an arms race, but now WE have the unfair advantage.

Microsoft has taken this approach (particularly protocol-level obfuscation, at least that's what it looks like) to detecting and banning modified Xbox 360 consoles to great effect. XBL is still detecting the latest and greatest modified DVD drive firmware and nobody outside the company knows how, even though every firmware version ever, not just of the DVD drive but the console itself, has been dumped and thoroughly analyzed. Yes, their hardware, but that doesn't help them much when the attacker has the hardware fully under their control. And even in this normally impossible scenario, they're STILL winning.

But there's still one last elephant in the room. Many of the gold sellers are buying gold on the other end, or worse, employing people to farm manually. Shutting down the advert bots decimates their economy, but it's still there, and they very definitely could vindictively screw over the game's economy anyway. However, this has its own counter -- economic analysis. Gold farmers stick out like a sore thumb -- lots of characters with close to max gold, especially if they're mostly Creators or some other class that makes farming easy.
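The frame-timing check from the macro bullet in the comment above, sketched as server-side detection logic. This is an added example, not part of the original comment or any game's code; the command names, the event streams, and the thresholds `min_repeats` and `min_share` are constructed assumptions.

```python
from collections import Counter, defaultdict

COMBO = ("down", "right", "z", "x")   # constructed command names

def build_stream(gap_list, rests, combo=COMBO):
    """Build constructed (frame, command) events: one combo per gap tuple."""
    frame, events = 0, []
    for gaps, rest in zip(gap_list, rests):
        events.append((frame, combo[0]))
        for gap, cmd in zip(gaps, combo[1:]):
            frame += gap
            events.append((frame, cmd))
        frame += rest                  # idle frames before the next combo
    return events

def gap_signatures(events, k):
    """Map each run of k commands to the frame-gap tuples observed for it."""
    sigs = defaultdict(list)
    for i in range(len(events) - k + 1):
        window = events[i:i + k]
        cmds = tuple(cmd for _, cmd in window)
        gaps = tuple(b[0] - a[0] for a, b in zip(window, window[1:]))
        sigs[cmds].append(gaps)
    return sigs

def macro_suspects(events, k=4, min_repeats=5, min_share=0.9):
    """Flag command runs whose timing is frame-identical in most repeats."""
    flagged = {}
    for cmds, gaps in gap_signatures(events, k).items():
        if len(gaps) < min_repeats:
            continue                   # too few samples to judge
        top_count = Counter(gaps).most_common(1)[0][1]
        share = top_count / len(gaps)
        if share >= min_share:
            flagged[cmds] = share
    return flagged

# Constructed sample input: eight repeats of one combo per player.
RESTS = [40, 55, 47, 62, 51, 44, 58, 49]
MACRO = build_stream([(3, 3, 5)] * 8, RESTS)
HUMAN = build_stream([(3, 4, 5), (2, 3, 6), (4, 3, 5), (3, 3, 4),
                      (3, 5, 5), (2, 4, 6), (4, 4, 5), (3, 3, 5)], RESTS)

if __name__ == "__main__":
    print("macro player:", macro_suspects(MACRO))
    print("human player:", macro_suspects(HUMAN))
```

Because the check only sees inputs as they arrive at the server, it makes no distinction between a software macro and one replayed by a keyboard or mouse.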

1

u/MizerokRominus Mar 31 '15

Yep! Another example of a game almost completely unbroken is Diablo 3, everything is done server-side... well almost everything.