In a case that illustrates the perils of online betting, a leading Internet poker site said Friday that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas holdem tournaments — the ability to see his opponents’ hole cards.
The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com who hacked the system to show that it could be done, said a spokesman for the company, who spoke with msnbc.com on condition of anonymity.
“This is literally a geek trying to prove to senior management that they were wrong and he took it too far,” he said.
The Costa Rica-based company, which is controlled by a parent company owned by members of the Kahnawake Mohawk tribe in Canada, issued a statement later in the day acknowledging the breach and promising to refund all money, including interest, to players who were victims of the scheme. It also promised a "comprehensive statement ... providing more details of the findings" would be issued soon.
The spokesman said the employee did not withdraw any of the money from the accounts that were used in the scheme.
“We acknowledge a significant internal security breach whereby a resource who was infinitely knowledgeable about the system was able to get into the accounts in question. He played on those accounts and he saw hole cards,” the spokesman said.
“We have closed that security breach and we have identified a very serious issue internally as far as communications flow and we’re resolving that, ” he said.
Lawsuit and criminal charges possible
The spokesman said the company also was contemplating filing a lawsuit and criminal charges against the employee.
While peeking at an opponent’s hole cards was likely to bring a hail of lead in the Old West, the group of wronged players in this case was initially rebuffed by Absolute Poker when they aired allegations of apparent cheating on the 2+2 poker forum in late September.
In a series of postings that soon spread to other poker forums, the players said that some players using the aliases “Graycat,” “Potripper,” “Steamroller” among others appeared to have superhuman powers at the poker table. Several players who had encountered the suspect players in games from mid-August through mid-September said they played with wild abandon, always seemed to know when to raise and fold and were winning at an inconceivably high rate.
Serge Ravitch, a 27-year-old New York lawyer turned poker player who was among the first to level cheating charges, said the company’s response to the initial posts was “essentially to stonewall and deny any cheating had ever occurred or that the described events were even possible.”
Many players also were initially skeptical, though that sentiment largely melted away when players posted a re-creation of a tournament (requires registration to view) involving “Potripper” on the Internet.
The re-creation, also posted to Youtube, was based on a “hand history” that Absolute Poker sent to one of the complaining players, but which contained far more information than the hand histories usually available to online players. This one showed all players' hole cards, rather than just those of the requesting player, and included a great deal of private information, including IP addresses and e-mail addresses.
Two independent experts who examined the re-created tournament record at the request of msnbc.com came away convinced.
‘He can see the cards’
“(He) can see the cards, and you can put my name on that,” said Roy Cooke, who was head of security at the pioneering poker site Planetpoker.com for six years.
“When people are doing things out of character and consistently doing it right, there’s a reason for it,” he said. “When they’re always playing the hand that has value in a situation and then folding a great hand when it has value, they can see the cards.”
Michael Shackleford, a former actuary with the Social Security Administration who now focuses on gambling at his Web site, wizardofodds.com, said it was highly unlikely that Potripper’s streak was simply attributable to good luck.
“It would be easier to buy a 6/49 lottery ticket in six different states, and hit the jackpot all six times," he said.
If the experts found the evidence overwhelming, Absolute Poker did not.
In its first statement on the allegations, the company said, “The result of our investigation is that we found no evidence that any of Absolute Poker’s redundant and varying levels of game client security were compromised. In other words, we have determined with reasonable certainty that it is impossible for any player or employee to see whole cards as was alleged. There is no part of the technology that allows for a “superuser” account, and there is no way for any person to influence the game software to their advantage.”
Who was the mysterious observer?
Ravitch, a blogger known as “Adanthar” in the online poker community, and Nat Arem, another player involved in posting the tournament re-creation, began fielding a flood of tips from insiders in the offshore Internet gambling industry and continued to press their case. With help from other players, they traced the IP address of a mysterious observer at Potripper’s table to Costa Rica and determined that the account was an internal Absolute Poker account developed during beta testing. They also cross-referenced an e-mail address used by the observer and found that it apparently belonged to Scott Tom, who they identified as either a past or current official at Absolute Poker.
It was only in this last detail that the amateur sleuths erred, according to the account emerging Friday.
Adam Small, an official with Pocketfives.com, a community of online tournament poker players, said that he spoke with officials of Absolute Poker on Thursday night and was told that the rogue employee had deliberately used information pointing to Tom.
“What they said on the phone was that it was not Scott Tom ... and that he has sort of framed Scott Tom,” he said.
The Absolute Poker spokesman did not confirm that the employee had attempted to frame Tom, but he said, “No management was involved, and Scott Tom … had no part in playing on any of these accounts.”
In a statement earlier this week, Absolute Poker said Tom “has not been involved with Absolute Poker for over a year and to the best of our knowledge, information and belief has not had access to any of Absolute Poker’s systems, databases or information.”
Site owned by Canadian Mohawks
Absolute Poker states on its Web site that it is owned by Tokwiro Enterprises Enrg., located in Kahnawake Mohawk territory nine miles south of Montreal, Quebec. Tokwiro is described as a Mohawk owned and controlled sole proprietorship. The site also is licensed and ostensibly regulated by the tribe’s Kahnawake Gaming Commission, though it is not clear what level of scrutiny the commission applies to its licensees.
Many poker players interviewed for this article expressed concern that the incident would be another “black eye” for online poker, which has surged in popularity in recent years despite attempts by the U.S. government and many states to prevent Americans from playing over the Internet. Most indicated they would prefer that the sites were licensed and regulated by the United States, but said they consider most of the leading offshore sites to be fair and secure.
“I think that the reasons this got handled the way that it has, with a happy ending, is because the overwhelming majority of people in the industry … want things to be run in a fair and honest way,” said Small of Pocketfives.com. “… There is a perception that a lot of people in the industry are thieves, but that’s not the case for the most part. When something like this happens, the rest of the people, as soon as they catch wind of it band together and look for ways to pool information and bring people down who have done harm to them.”