“There is something rotten in the country of Denmark.”
~Hamlet, Act 1, Scene 4, Line 90
Is MoneyTaker69 the new POTRIPPER?
In 2007, the online poker world was reeling after the biggest cheating scandal ever. The Kahnawake Gaming Commission’s findings confirmed the worst suspicions about what was happening at Ultimate Bet Poker. The “POTRIPPER” superuser scandal dealt a huge blow to confidence in online poker, a nascent industry that was already suffering from an image problem.
Players were concerned about whether online sites ran clean games using incorruptible random number generators and secure payment processing methods. They questioned whether those sites were capable of policing themselves and putting their customers’ interests ahead of their own on matters of game integrity. They loved the game, but they didn’t know if they could trust its caretakers to be unimpeachable.
It’s the players who did the legwork
Sixteen years later, the online poker world is reeling once again, as it appears we have another “super user” scandal in our midst. It’s early days for this particular allegation, but just like in the POTRIPPER case, it was the players who did the legwork, piecing together the important data points, as the GGPoker account “MoneyTaker69” was involved in a large number of preposterous hands.
Worryingly, this news comes just three months after GGPoker decided to ban SharkScope from tracking and displaying tournament results on its platform. That decision has been heavily criticized because it limits transparency and hinders players’ ability to detect cheating or collusion. GGPoker issued a statement today claiming that this breach occurred due to a “client-side security vulnerability.” Regardless, players have been speculating about the possibility of an inside job, and that poses a problem for GGPoker: banning SharkScope as it did is certainly an action that would have been necessary if such an inside job were about to happen.
The POTRIPPER scandal
In the fall of 2007, rumors abounded about cheating on the Cereus Poker Network. Players of Ultimate Poker and Ultimate Bet were convinced that there were accounts that had access to the hole cards of other players at the table. Charts were tabulated and then circulated in forums to show that the win rates for these accounts were simply off the charts, mathematical outliers far beyond what even the most experienced players could achieve.
In October, the Kahnawake Gaming Commission opened an investigation into alleged cheating that largely revolved around the entire tournament history of one particular account. The hand log included the hole cards of all players at the table and the IP addresses of players and outside observers who were watching online. The account belonged to POTRIPPER, now a notorious name in the world of online poker.
On September 29, 2008, the Kahnawake Gaming Commission released its findings, stating that between May 2004 and January 2008, Russ Hamilton led an elaborate scheme to rip off players at Ultimate Bet Poker. Hamilton, the 1994 WSOP Main Event Champion, was an advisor to Ultimate Bet. For more than three years, POTRIPPER and other “super user” accounts took advantage of the fact that they could see their opponents’ cards to win an estimated $22.1 million.
Skull deception
In the 16 years since, many of the top poker sites have developed more sophisticated anti-cheat security and integrity teams. While many of the measures used to catch cheaters are kept secret for the sake of effectiveness, there is a public effort to provide as much transparency as possible. This is partly a PR decision to build community trust in the sites, but it also keeps the path open for detecting cheaters.
Integrity teams are responsible for catching the vast majority of cheaters, but players are sometimes responsible for catching bad actors through their own initial investigations, with the help of sites like SharkScope. The shape and form of a player’s winnings chart can be revealing. A player’s game selection can reveal important information. Cross-referencing multiple players for the same games played and other data points can indicate cheating.
So it was alarming when, in September 2023, the world’s largest poker site, GGPoker, banned the use of SharkScope. Even more troubling now is that there is an acknowledged example of superusing on the site by an account called MoneyTaker69.
A TwoPlusTwo forum poster rings the alarm bell
On Christmas Day, TwoPlusTwo forum member “y2da” rang the alarm bell, posting a screenshot of MoneyTaker69 winning the $400K Guaranteed GG Masters for $47,586.80 along with some wild gameplay stats. A few hours later, forum member “juuuu35” responded with some standard deviation math, concluding that the run was “almost impossible.” MoneyTaker69 also played the $1,000 buy-in tournament on GGPoker that night and made it to the final table.
As word spread between December 26 and 27, MoneyTaker69’s special powers became a topic of conversation.
There has also been more research into the hands played by poker’s newest “magic man.” One particularly suspicious cash-game hand, in which the account called an all-in with Jack-Deuce on an A♣️-Q♦️-7♣️-6♠️ board, raised eyebrows. MoneyTaker69’s opponent on that occasion held 5♣️-4♣️.
It was also pointed out that the entity behind the MoneyTaker69 account was not careful: it was VPIPing (voluntarily putting money into the pot) at an incredibly high rate, one at which it is impossible to win in the long run.
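As an added illustration (not part of the original article, and not any site's actual tooling), the sketch below shows the kind of check the players ran by hand: it flags accounts whose results sit many standard errors above a strong winner's expected rate while entering an unusually high share of pots. All account names, figures and thresholds are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class AccountStats:
    name: str
    hands: int        # hands dealt to the account
    vpip_hands: int   # hands where it voluntarily put money in the pot
    won_bb: float     # net result, in big blinds
    sd_bb: float      # per-hand standard deviation, in big blinds

# Constructed sample data: not real accounts or results.
SAMPLE = [
    AccountStats("reg_A", 50000, 11500, 2500.0, 10.0),
    AccountStats("loose_loser", 4000, 2600, -3000.0, 14.0),
    AccountStats("heater", 2500, 600, 1500.0, 10.0),
    AccountStats("suspect_X", 3600, 2520, 5400.0, 15.0),
]

def vpip(a):
    return a.vpip_hands / a.hands

def z_vs_benchmark(a, benchmark_bb100):
    """Standard errors between the result and what a player winning
    benchmark_bb100 big blinds per 100 hands would expect over the same sample."""
    expected = benchmark_bb100 / 100 * a.hands
    stderr = a.sd_bb * math.sqrt(a.hands)
    return (a.won_bb - expected) / stderr

def upper_tail(z):
    """One-sided normal tail probability P(Z >= z)."""
    return 0.5 * math.erfc(z / math.sqrt(2))

def review_queue(accounts, benchmark_bb100=10.0, z_cut=4.0,
                 vpip_cut=0.5, min_hands=1000):
    """Accounts that beat a strong winner's rate by z_cut standard errors
    while entering at least vpip_cut of all pots (assumed thresholds)."""
    flagged = []
    for a in accounts:
        if a.hands < min_hands:
            continue  # too few hands for the normal approximation
        z = z_vs_benchmark(a, benchmark_bb100)
        if z >= z_cut and vpip(a) >= vpip_cut:
            flagged.append((a.name, round(vpip(a), 2), round(z, 2), upper_tail(z)))
    return flagged

if __name__ == "__main__":
    for name, v, z, p in review_queue(SAMPLE):
        print(f"{name}: VPIP={v:.0%} z={z} p={p:.1e}")
```

A flag from a check like this is a reason to pull hand histories for manual review, not proof of cheating; the "heater" row shows an ordinary hot streak staying below the cut.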
GGPoker claims ‘client-side vulnerability’
On December 28, Phil Galfond congratulated the players who worked so hard to uncover the MoneyTaker69 cheat.
On December 29, GGPoker did what Galfond expected and responded to the cheating allegations, confirming an error on MoneyTaker69’s part.
In a statement that raised more questions than it answered, GGPoker made the candid claim that it had spotted “Unusual Game Patterns and Abnormal Client Packs” from MoneyTaker69 and identified an “unfair play advantage” caused by a “client-side vulnerability.” The site said it blocked the account and confiscated the unfair gains, which it claims totaled $29,795. Payments for affected tournaments will also be reconciled.
GGPoker continued explaining the vulnerability:
Under a specific set of circumstances related to the “table reaction up/down” feature, which includes decompiling our Windows game client, intercepting network traffic, and making modifications to our game packages, Moneytaker69 was able to customize its game client. These customizations can only be made on a Windows desktop gaming client, because part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks don’t have. At no time was the user able to access our servers or server data, including hidden cards of others. Through this custom game client, he was able to infer end-to-end ownership rights by exploiting the client-side data leakage vector. Our engineers discovered this vulnerability and released an emergency update on December 16 to disable like/dislike table interactions. However, the user already had the custom game client, which prevented them from receiving further updates, and was able to continue collecting data leaks as they tossed and turned. From this accumulated data, he can make a reasonable guess about his probability of winning.
Something is rotten in Denmark
In an effort to reassure its players, GGPoker says it has issued “security patches” to prevent further client-side data leaks of this kind. The site also says it has added “workarounds” that will detect and prevent players from meaningfully customizing the game client. It will also hire to double the size of its security team and seek assistance from “renowned security professionals.”
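One way a server team can guard against this class of client-side data leak is a regression test asserting that the bytes sent to one player never change when only other players' hidden cards change. The following is an added example, not GGPoker's code; the message layout, the `win_hint` field and the `strength` function are hypothetical, since the statement does not describe what the leaked data looked like.

```python
import copy
import json

RANKS = "23456789TJQKA"

def strength(cards):
    # Hypothetical stand-in for any server-side value derived from hole cards.
    return sum(RANKS.index(c[0]) for c in cards)

def leaky_view(state, viewer):
    # Weak: a cosmetic event reuses an internal record that carries derived data.
    return {
        "board": state["board"],
        "my_cards": state["hole"][viewer],
        "reactions": [{"seat": s, "emoji": "thumbs_up", "win_hint": strength(c)}
                      for s, c in state["hole"].items()],
    }

def safe_view(state, viewer):
    # Corrected: the message is built from an explicit allowlist of public fields.
    return {
        "board": state["board"],
        "my_cards": state["hole"][viewer],
        "reactions": [{"seat": s, "emoji": "thumbs_up"} for s in state["hole"]],
    }

def leaks_hidden_cards(view_fn, state, viewer, alternatives):
    """True if the payload for `viewer` changes when only other seats' hole cards change."""
    baseline = json.dumps(view_fn(state, viewer), sort_keys=True)
    for seat in state["hole"]:
        if seat == viewer:
            continue
        for alt in alternatives:
            mutated = copy.deepcopy(state)
            mutated["hole"][seat] = alt
            if json.dumps(view_fn(mutated, viewer), sort_keys=True) != baseline:
                return True
    return False

# Constructed sample hand and substitute hole cards.
SAMPLE_STATE = {"board": ["Kh", "9d", "4s"],
                "hole": {"seat1": ["Ts", "8s"], "seat2": ["Qc", "Qd"]}}
ALTERNATIVES = [["2c", "3d"], ["Ah", "Ad"]]

if __name__ == "__main__":
    print("leaky:", leaks_hidden_cards(leaky_view, SAMPLE_STATE, "seat1", ALTERNATIVES))
    print("safe: ", leaks_hidden_cards(safe_view, SAMPLE_STATE, "seat1", ALTERNATIVES))
```

Run against every outbound message type, a check like this catches derived values as well as raw cards, which matters because no card needs to be sent for a win probability to leak.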
In its view, GGPoker has put a lid on the issue, acting quickly to stop the rogue behavior of a lone bad actor. The problem is that a security breach, especially this type of breach, sends shock waves through the entire industry. GGPoker might say this wasn’t superusing, but if what they’re saying is true, knowing equities on the flop and turn is pretty close to superusing.
There is also a more general concern that players are only now discovering that GGPoker has not encrypted hidden card information, which is an insanely reckless shortcut to take when tens of billions of dollars are changing hands on their site. With these revelations, players have serious reason to doubt and worry. It is possible that something is truly corrupt in the country of Denmark, but the question remains: Will heaven guide it?