Darknet Diaries - Ep 18: Jackpot
Episode Date: July 1, 2018
A man addicted to gambling finds a bug in a video poker machine that lets him win excessive amounts of money. ...
Transcript
Ah, Vegas. Home of swinging jazz, drunken mischief, and the dream of getting rich.
Slot machines all around, with the constant echo of people winning money everywhere.
But the thing is, the casino always wins.
The machines and the games are built in such a way that, in the long run, the player will eventually lose.
Almost every single bet you can place in Vegas has the odds in the house's favor.
Yet millions of people play, looking for ways they can cheat the system.
But what if you found a way to actually swing the odds in your favor, and let you win whenever you
want it? These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work,
what kind of car you drive.
It's endless. And it's not a fair fight. But I realized I don't need to be fighting this
alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds
and removes personal information from hundreds of data brokers websites and continuously works
to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is
no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com
slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make
Black Hills Information Security world-class in security training. You can learn things like
penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
For a short while in my life, I was a craps dealer in Las Vegas, Nevada, [...] on their slot machine or wave a special feather in the air on every roll of the dice. I've seen
people count cards and write down all of their spins and outcomes. Each are looking for a way
to move that edge in their favor to give them a long-term winning strategy. Some people take this
very seriously. Most of the serious slot machine hackers will purchase a machine and try rigging
it at home. They play around with adding various objects to the machine to attempt to make it
malfunction and to spit out cash. There are loads of slot machine hacking devices that exist today.
One is called the monkey paw, and it's a device that has a little light in it that you stick up
the coin hopper of the machine. And this tricks the machine to think that when the payout occurred,
the coin never fell, thus making another coin fall. A slot thief can steal all the coins of
the slot machine in just a few minutes.
Another common slot machine hacking tool is the old EMP.
By placing an electromagnetic pulse around certain slot machines,
it can cause the machine to behave abnormally
and do things like give you instant credits or pay out more than it should.
But being caught using devices like this is almost immediate prison time.
The penalties are harsh and strict, and it's a big
risk for thieves. John Kane is a virtuoso pianist. Now at 50 years old, he's been an expert pianist
for the last 40 years, playing for large audiences, teaching piano, selling his recordings.
He lives in Las Vegas and runs a management consulting firm,
which claims to have 30 of the Fortune 100 companies as his clients. By 2005, John's
business was lucrative. He was living in a large house on the northeast end of Vegas. In it, he had
three Steinway Grand Pianos, and one of his hobbies was model railroad trains. One of his
spare bedrooms showcased an entire miniature town with a model train running through it with exquisite attention to detail. But besides
loving the piano and building model trains, he also loved the thrill of gambling.
This went on for years, but by 2006, he was severely addicted. That year, he blew through
$500,000 in gambling, often at the Boulder Station Casino.
His favorite game was video poker. Video poker is a simple yet exciting game. You're given five
cards with the option of throwing out any of those cards to get a new one, and the goal is to get the
best hand possible. One can win anywhere from the one cent you put in the machine to thousands of
dollars on the jackpot. John spent a large amount of time playing a video poker game called Game King, made by IGT.
This is the most popular video slot in Vegas.
It contains such games as Deuces Wild, Jacks or Better, Triple Play, and Bonus Poker.
His pianist hands would grace the buttons of the machine with style and elegance.
He'd play for hours at a time and thousands of games of
poker. But one day, something weird happened. In April 2009, he was playing the Game King
video poker machine at the Fremont Casino in downtown Las Vegas. He was trying to change his
bet and hit some wrong buttons. But all of a sudden, his machine was indicating that he had won
over a thousand dollars
without even placing a bet. He knew right away this wasn't right, and the game malfunctioned on him.
His payout was so big, the casino attendant had to deliver it by hand. He told the attendant he
thinks that there was an error, but the attendant just thought he was joking and paid it anyways.
He tried replicating the issue. He spent hours more playing and trying to make this strange behavior happen again.
John phoned a friend.
Years earlier, John had a gambling friend named Andre Nestor.
Andre and John met through an AOL chat room for Vegas locals.
They shared the same addiction to gambling and would often sit side by side playing various slots.
Andre was 13 years younger than John and worked answering
phones for a bank. He made considerably less than John but still managed to lose about $20,000
a year gambling for the six years he lived in Vegas. After that, he called it quits and moved
to a quiet town in Pennsylvania where he'd only occasionally play the lottery. Andre had been
living in Pennsylvania for the last two years. John called Andre and told him about this bug he found in the video poker machine
and that he thinks he might be able to replicate it.
Andre was immediately interested and drove to the airport that night
and waited all night until the next flight to Vegas.
John picked Andre up at McCarran Airport, grabbed breakfast,
and they went right back to the Fremont and sat side by side
on the two Game King video poker machines.
John had some ideas on how to trigger the bug, but he didn't know for sure how to reliably do it.
He explained to Andre what he thought was the method, and the two got to work looking for the bug.
They would try various betting strategies, different games, combination of button pushing, and different bet levels.
And every now and then they were able to trigger the bug, but it wasn't consistent.
The game they were playing would let them bet anywhere from one cent to 50 cents a hand.
The bug they found would let them change their bet after the win. So they could play for hours
losing only pennies, but then when a big hand would show up, like four of a kind, they could
change their bet to 50 cents. And immediately they'd get the winnings for a 50 cent wager
instead of a one cent wager.
This would result in thousands of dollars for a win like this.
After hours of playing side by side,
they figured out the exact sequence that would need to be done for an extra large payout to happen.
They hit numerous jackpots that night and left to have a celebratory dinner.
The two started mapping out their plans.
Fortunately for them, the Game King video poker
machine is very popular in Vegas. It's not only in casinos, but it's also in diners and gas stations
and pretty much everywhere. They knew if they hit the same machine every night, they'd come under
suspicion. So they planned out how they'd make their way across town, hitting different casinos.
John was worried about Andre though. He feared that even if Andre had
won a lot of money, he'd just give it right back on the roulette or blackjack tables. So John asked
Andre, if you had a million dollars, what 10 things would you do? And asked Andre to really
think about it. The two went back to John's house for the night. They spent another day at the
Fremont to make sure their strategy worked. And sure enough, it worked great.
Then they made their way to another casino.
Same game, same strategy, but the exploit didn't work.
They tried numerous other casinos, the Hilton, Hard Rock, Luxor, Stratosphere, and Tropicana.
None of the Game King video poker games would produce the same exploit.
They went back to the Fremont.
But sure enough, it worked great there.
The two were baffled.
So Andre decided to head back to the airport and fly back home to Pennsylvania.
And at the airport, Andre lost another $700
gambling at the video poker machines there.
But Andre still left with $8,000 more than what he came with.
John went back to the Fremont
and sat under the neon signs
with the 90s top 40 music playing
and smoke swirling all around and he continued playing poker. He kept winning and kept playing
and kept winning and the slot manager noticed the Game King video poker machines were all losing
a lot of money for the casino. The slot manager told John that they are disabling the double up
feature on these machines. This feature allowed players to double their winnings or lose everything.
John was using this feature every time he could, and the slot manager knew it.
John was not too worried that the feature would be disabled,
since it was the bug that would let him win and not the double-up feature.
But when John returned the next day to play at the Fremont, the bug wouldn't work.
John was baffled, and he called Andre up to explain, and Andre
immediately realized the missing link to their exploit was the double up feature. With it on,
the exploit worked, and with it off, it didn't. So Andre jumped on another plane and headed back to Vegas.
The double up feature on these games had been turned off because many players don't like that
feature, but you can ask the gaming attendant to enable the feature, and sometimes they'll do it for you.
So John and Andre went to a new casino and asked the attendant to enable the double-up feature, and away they went.
Andre started playing, and he hit four of a kind, which awarded him $500.
And he tapped the magic button sequence, and shazam, his $500 instantly became a $10,000 jackpot. They cracked
the code and realized they could go to any casino now and make their money. Their plan was working.
They were unstoppable. They had almost endless amounts of machines they could exploit now,
with tens of thousands in jackpot winnings to be had. Andre was looking at a whole new life.
He had been living on welfare checks and is now dreaming of owning a home, buying nice clothes, and giving gifts to his friends. They kept exploiting the bug all around
town. When they stumbled upon an even better version of the bug, they found they can trigger
the payout twice with the same hand. In fact, they can trigger the payout over and over with the same
hand without even drawing more cards. This would be risky to exploit, though, since having the attendant pay out $4,000 over and over
on the same hand would surely be noticed.
So they would swap seats when one would hit the jackpot like that
and then leave the casino.
This episode is sponsored by SpyCloud.
With major breaches and cyberattacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime,
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or infostealer infections.
Get your free Darknet Exposure Report at
spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
Andre and John had mastered their system. They didn't even see it as gambling anymore.
They basically were able to win however much they wanted, whenever they wanted.
Andre worked out he could make $500,000 a day if he really wanted.
So the exploit worked like this.
Step 1. Find a Game King video poker machine that allowed different betting levels.
Step 2. Ask the slot attendant to enable the double up option and be polite and courteous as they make the changes.
Step 3. Add money to the machine and select the lowest bet level you can.
Step 4. Play with the lowest bet level until you win a big hand, say 4 of a kind or royal flush.
Step 5. When the royal flush is showing on the screen, don't cash out.
Instead, hit the more games button and select a different game variant.
Play it until you win there. Any win. This sets up the double up option. Now your next win will be double the normal.
Step 6. Add more money to the machine.
Step 7. Touch the more games button again. Now select maximum bet level and go back to the game variant you hit the royal flush on.
Step 8. Hit the cash out button and bingo.
Jackpot.
You win up to 10 times more than what your original royal flush had awarded you.
John wanted a cut of the earnings since he told Andre about the exploit.
The two argued over this and eventually made Andre go out and play on his own.
Over the course of his few days in Vegas,
Andre pulled in $152,000 from places like the Wynn and the Rio.
Andre flew back to Pennsylvania.
John went on a winning streak of his own,
visiting eight different casinos and pulling in over $500,000,
hitting jackpot after jackpot, night after night.
John played with a straight-faced business type of attitude.
Back home in Pennsylvania, Andre found a nearby casino that had the Game King video poker game.
And Andre would bring an entourage with him to the casino.
First would be a bodyguard, a retired cop, to watch over Andre.
Second would be a friend of his, who was a server at Red Lobster,
to sit and collect
the winnings so it would go on his taxes and not Andre's. Andre continued to win another $50,000
in the casino. John had continued his exploits across Vegas. He went over to the Silverton
Casino, the one that has the mermaids swimming in the aquarium. He went into the High Limit Room
and found a Game King video poker machine. He got the attendant to enable the double up feature and began hitting jackpot after jackpot.
First, $4,300.
Then $2,800.
Then $4,100.
Then a few more.
Each win required an attendant to come and pay the jackpot in cash and fill out an IRS form to declare the winnings. Then he hit a seventh jackpot of $10,400
and then an eighth jackpot of $8,200. But this time, the attendant didn't come right away.
John waited impatiently. An attendant came but told John to wait. John complained. John's winning
streak had caught the attention of the casino surveillance.
They thought this guy was either incredibly lucky or was cheating, so they had security come whisk him away into the back room. He was handcuffed and they froze his machine. John was taken to
the Clark County Detention Center on suspicion of theft and spent the night in jail. The next day,
he was released and immediately called Andre to warn
him not to go back to the casino as they know about the bug now. But Andre didn't listen,
thinking John was just trying to keep the bug to himself. So he continued to visit his local casino
with his entourage and kept winning. A few days later, the Nevada Gaming Control Board visited
the Silverton Casino. They examined the game and found no evidence of
tampering and they pulled the game's memory and took the surveillance tapes. They went back to
the lab with the surveillance tapes and they were able to duplicate the bug. This would be the first
bug like this found on Game King. The gaming control board immediately notified IGT, the makers
of Game King. IGT had a long reputation of having reliable and bug-free games.
Both the gaming control board and the IGT have strict audits to make sure nothing like this ever gets into the wild.
And after further review,
IGT had discovered this bug was present for seven years and nobody knew it was there on thousands of games around the world.
So IGT immediately issued a notification to all its customers
indicating to disable the double up feature immediately and that the patch would be available soon. Andre had no
idea how much the gaming board knew and thought John was just telling a lie in order to keep the
exploit to himself. So Andre continued visiting his local casino and was able to win more than
$480,000. Eventually the casino refused to pay a jackpot, and Andre left.
And when he got to the parking garage, he ran out of there.
At 1 p.m. on August 6, 2009, Andre was sleeping on the couch in his condo.
And all of a sudden, there were shouts at the door.
State police, open up!
The battering ram started hitting the front door.
The door splintered open, and the police raided his condo.
Andre started for the stairs, which is when he saw a trooper in full riot gear
pointing an AR-15 rifle at Andre, shouting,
Get on the floor!
Andre laid on the floor.
The cops grabbed him, lifted him up, and handcuffed him to a chair.
Andre watched for two hours as the troopers turned everything over in his house.
They flipped the mattresses, opened drawers, tore down parts of the ceiling, and went through his PC. Andre's friend,
who was part of his entourage, came over to see Andre, but was immediately arrested too
for being an accomplice. The cops seized every penny they found in the condo and turned it over
to the district attorney. Andre was charged with 698 felony counts, ranging from theft to criminal conspiracy.
Andre spent 10 days in jail, and he was determined to fight this case,
thinking a jury would surely side with him.
And that's when the FBI stepped in.
They took him out of the Pennsylvania courtroom he was in and extradited him to Las Vegas.
He and John were now being charged with federal offenses.
As the FBI agents walked him to the car,
a local news crew had a chance to interview Andre.
Here's a clip from that interview.
"I'm being arrested federally now for winning on a slot machine.
Let everybody see the surveillance tapes.
I pressed buttons on the machine on the casino.
That's all I did.
So now winning is apparently illegal. It's unbelievable. I have 700
felonies. A message is being sent to everybody that if you play and you win at the casino,
and then they later determine that their machines weren't completely set up to take your money,
and you win, then you're going to be arrested. It's not right, and I think that people really need to hear everything that I said today.
I talked to gaming attorneys in Nevada.
They say I didn't do anything wrong.
The philosophy is if a casino puts a machine on the floor that pays out more than what is normally expected,
and a person figures it out and takes advantage of it,
as long as they don't use
devices or counterfeit money of any kind, then there's nothing illegal. It's a matter between
the casino and the maker of that machine."
John and Andre were charged with conspiracy
in violation of the Computer Fraud and Abuse Act of 1986. The CFAA was enacted to punish hackers
who illegally broke into government and banks.
The FBI was stating they knowingly exploited a bug that went beyond their allowable level to access the video poker machine and that it was contrary to the rules of poker.
However, their defense attorney argued that anything the game allowed them to do should be considered allowable access. Most slot machine hacking is done using extra devices like magnets or electrical pulses,
but Andre and John only used the in-game features to manipulate the game to play how they wanted.
The defense attorney stated, all these guys did is push a sequence of buttons that they were
legally entitled to push. The case dragged on for 18 months. During that time, a few other cases of
violations of the CFAA came before the courts. One was Aaron Swartz, who was arrested for downloading academic articles without permission.
The other was about leaking a database to another employee.
The prosecution didn't win either of these cases, and the CFAA was not looking like a strong law.
So with John and Andre's case, the CFAA law was being scrutinized heavily.
The courts were unsure if this law would even cover
their behavior. On December 3rd, 2013, the feds gave them both the same deal. If one was to testify
against the other, they'd get no jail time and only probation. The deal was only for the first
to testify. This is known as the prisoner's dilemma. John and Andre weren't able to speak
to each other, so they had to take the only option you can in this situation, and they decided not to testify. The prosecution didn't have much to
use against the two, so they ultimately dropped the charges and let them both go free.
Andre's money was seized and returned back to the casino in Pennsylvania, where he won it.
However, the IRS is stating he owes $239,000 in back taxes from his winnings, which he doesn't have.
Andre feels bad that the money got between John and him and caused arguments.
John and Andre haven't spoken much since they were arrested in 2009.
And they were both banned from the casinos they've won in.
But there was no court evidence that suggests John's winnings were confiscated or returned.
It's unknown what happened to his money. John went back to playing piano and recording songs.
Vulnerable slot machines are still being patched to this day. It's not as easy as simply clicking update, because the systems aren't connected to the internet. Applying patches
to them is more complicated and there are thousands of these games spread all across the world.
Not all of them are managed by a casino which applies the latest patches. There's a good chance
that most of the machines are patched though so it's best to keep your quarters in your pocket.
In the end the casinos were hardly bothered by the winning streak John and Andre hit
because it was just dozens of casinos and only hit by two guys.
If this exploit had leaked into the wild, where hundreds of people all heard about it at once,
it would have been a terrible nightmare for casinos around the world.
So it's lucky for the casino that these two kept this exploit secret.
You've been listening to Darknet Diaries. Big thanks to Kevin Poulsen over at Wired Magazine for covering this story in depth and getting all the juicy details. You can find links to
his articles at darknetdiaries.com. This episode is made by me, Jack Rhysider.
Theme music is created by the mysterious and talented Breakmaster Cylinder.