In early July 2014, accountants at Lumiere Place noticed that several of the casino's slot machines had gone mad for a couple of days. Certified software gives a casino a fixed edge, so the casino knows how much it will earn in the long run, say 7,129 cents for each dollar. But on June 2 and 3, several slot machines at Lumiere Place had paid out much more than they had taken in, though no major jackpot had been awarded. In gambling industry lingo, this is called negative hold. Since casino software is not subject to fits of madness, the only explanation was cheating.
The casino's security service checked its video archives and identified the cause: a black-haired middle-aged man in a polo shirt with a square brown bag. Unlike other con men, he wasn't obviously cheating on the slot machines. He played only older models made by the Australian manufacturer Aristocrat Leisure. He simply played, pushing the buttons as in any other game, while furtively holding his iPhone close to the slot's screen.
He would leave a slot machine, then return to it for another try and win big. The player would bet from $20 to $60 and win about $1300, then cash out and move to another slot machine to repeat the whole pattern. He won about $21.000 in 2 days. The only suspicious thing about him was the way he held his index finger above the “Spin” button: it would hover there for a long time before he finally pushed it. Ordinary players don't do anything like that.
On June 9, Lumiere Place shared what it had found with the Missouri Gambling Commission, which issued a statewide warning. After that, several casinos discovered that they had been tricked the same way, though in some cases by other players. In every case, the players had been holding their phones in front of the slot machines' screens.
Having examined car rental records, Missouri authorities identified the player from Lumiere Place as Murat Bliev, a 37-year-old Russian citizen. Bliev returned to Moscow on June 6. Soon after his arrival, he was sent back to the USA by the criminal enterprise he belonged to, which is based in Saint-Petersburg and specializes in slot scamming worldwide. Sending him back was a serious mistake for an enterprise that had been quietly making money by cracking some of the most valued algorithms in the gambling industry.
From Russia with Fraud
Russia has been a nest of slot machine hackers since 2009, when gambling was almost entirely restricted in the country. Vladimir Putin believed this step would reduce the influence of Georgian criminal enterprises. Casinos had to sell all their slot machines at steep discounts to any buyers they could find. Some of these slot machines were purchased by perpetrators who wanted to learn how to load new games onto old boards. Naturally, some were purchased by Murat Bliev's bosses, who wanted to find vulnerabilities in the pokies' source code.
In 2011, casinos in central and eastern Europe registered a number of incidents in which pokies produced by the Austrian developer Novomatic paid out unbelievably large sums. Novomatic's engineers couldn't find any evidence that the pokies had been tampered with and concluded that the perpetrators had found a way to predict the pokies' behavior. ‘It is possible to detect some “patterns” in the game outcome by focused and prolonged observation of particular games’, the company reported to its clients in February 2011.
Tracing such patterns is expensive. Game outcomes are produced by pseudorandom number generators, which are designed to give unpredictable results. Government regulators certify all algorithms before they are deployed in casinos.
But the name contains the word “pseudo”, which means that the generated numbers are not truly random. They are produced by code instructions, so they are to some degree deterministic. The input data depends on the current state of the slot machine, and it varies over time because it comes from the internal clock. This means that even if hackers know how the pseudorandom number generator works, they still have to analyze how a particular slot machine behaves before they can find its patterns. That takes time and computing power, so it cannot be done inside a casino without attracting security's attention.
The Lumiere Place case showed that Murat Bliev and his companions had found a way to overcome this obstacle. Darrin Hoke, who was the head of surveillance at L’Auberge du Lac Casino Resort in Lake Charles, Louisiana, carried out his own investigation. Having talked to colleagues who had reported unusual pokie behavior and examined photos taken by surveillance cameras, he identified 25 possible perpetrators who had been working in casinos around the world, from California to Romania and Macau. Hoke checked hotel records and found that 2 of Bliev's companions from Saint Louis had stayed in the USA and were heading to the Pechanga Resort & Casino in Temecula, California.
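The weakness described above, shown as an added example that is not code from the original article or from any slot machine vendor: a deterministic generator whose only secret input is a clock reading, beside a hardened form keyed with a real secret. The generator (Python's Mersenne Twister as a stand-in), the 32 reel positions and the clock value are all assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets

STOP_BITS = 5  # hypothetical: 32 visible reel positions per spin

def weak_spins(clock_seed, n):
    """Deterministic generator whose only secret input is a clock reading."""
    rng = random.Random(clock_seed)  # Mersenne Twister, not cryptographic
    return [rng.getrandbits(STOP_BITS) for _ in range(n)]

def surviving_seeds(observed, window):
    """Clock readings in `window` that reproduce every observed spin."""
    return [s for s in window if weak_spins(s, len(observed)) == observed]

def hardened_spins(key, n):
    """Spins derived from HMAC-SHA256(secret key, counter); no clock input."""
    return [hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()[0] >> 3
            for i in range(n)]

def demo():
    true_seed = 1_401_700_000_123  # constructed millisecond clock value
    window = range(true_seed - 10_000, true_seed + 10_000)  # +/- 10 s of doubt
    spins = weak_spins(true_seed, 14)
    # How many candidate clock values remain after k observed spins
    counts = {k: len(surviving_seeds(spins[:k], window)) for k in (1, 2, 4, 10)}
    recovered = surviving_seeds(spins[:10], window)
    # Every surviving seed is checked against the 4 spins not yet observed
    forecast_ok = [weak_spins(s, 14)[10:] == spins[10:] for s in recovered]
    return counts, recovered, forecast_ok

if __name__ == "__main__":
    counts, recovered, forecast_ok = demo()
    print("seeds still consistent after k spins:", counts)
    print("recovered:", recovered, "later spins forecast:", forecast_ok)
    key = secrets.token_bytes(32)  # 256-bit secret, unrelated to the clock
    print("hardened spins:", hardened_spins(key, 8))
```

In the weak form the uncertainty is only as large as the clock window, so a few observed outcomes leave a single candidate; in the hardened form the unknown is a 256-bit key that no amount of clock knowledge narrows down.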
On July 14, 2014, California Department of Justice agents apprehended one of them at Pechanga and confiscated 4 mobile phones and $6.000 in cash. This Russian citizen wasn’t charged; his current location is unknown.
The mobile phone from Pechanga, together with investigation results from Missouri and Europe, revealed some key details of the case. According to Willy Allison, a security consultant from Las Vegas who has been tracking the group of Russian hackers for several years, the perpetrators use their phones to record several dozen spins of the game they want to hack. They upload the video to technicians in Saint-Petersburg, who analyze it and identify the slot machine's patterns. Finally, the team in Saint-Petersburg sends a list of timing markers to a specially developed application installed on the perpetrator's mobile phone. The markers make the phone vibrate a quarter of a second before the moment when he should press the “spin” button.
‘The reaction speed of a human being is about a quarter of second, that’s why they use these settings’, says Allison, the founder of the annual game protection conference. The timing markers don't always work as expected, but they still let the hackers win much more than normal. Some perpetrators can win more than $10.000 per day, but they try not to cash out more than $1.000 from a single slot machine so as not to attract attention. A team of 4 men, working in different casinos, can earn up to $250.000 per week.
Since there are no slot machines in Murat Bliev's home country, he didn't stay in Russia for long after returning from St. Louis. He visited the USA 2 times during 2014; his second visit started on December 3. He headed from the airport straight to St. Charles, where he met 3 other men trained to win at Aristocrat Mark VI slot machines: Ivan Gudalov, Igor Larenov, and Yevgeniy Nazarov. They planned to spend the next days “attacking” various casinos in Missouri and western Illinois.
It was a mistake for Bliev to come back. On December 10, after he was spotted in Hollywood Casino in St. Louis, the four perpetrators were arrested. As Bliev and his companions had worked in several states, they were accused of fraud. The formal charges became the first serious challenge for the team from Saint-Petersburg. It was the first time one of their members had faced prosecution.
Bliev, Gudalov, and Larenov, all Russian citizens, confessed to the crime and were sentenced to 2 years in prison followed by deportation. Nazarov, a citizen of the Republic of Kazakhstan who was granted religious asylum in the USA in 2013, is still waiting for his sentence, which means he is cooperating with the government. Aristocrat representatives state that one of the four defendants hasn't been sentenced yet because he continues to assist the FBI with the investigation.
The information provided by Nazarov may be hopelessly outdated. Two years have passed since the arrest, and the team from Saint-Petersburg has become more cautious. Some of their tricks were discovered during the previous year, when Singaporean authorities arrested and prosecuted a group of hackers. Radoslav Skubnik, a Czech citizen and a member of the team, disclosed some details of the criminal enterprise's financial structure (90% of total income goes to Saint-Petersburg) and of its tactics. ‘They put a mobile phone in a vest pocket, mask it with a net, not to hold it in their hands’, says Allison. Darrin Hoke says he received a message saying that they send the videos via Skype so they don't have to leave the pokies to send them.
It appears that the criminals have been prosecuted in only 2 cases, in Missouri and Singapore, though there are more known cases in which they were caught and thrown out of particular casinos. The team from Saint-Petersburg continues to operate. In the past 3 months, 3 casinos in Peru reported they had been cheated by Russian gamblers playing old Novomatic Coolfire slot machines.
It seems that the enterprise from Saint-Petersburg will continue to flourish. There is no simple way to change the slot machines. Hoke says Aristocrat, Novomatic and other manufacturers whose slot machines have been hacked would have to recall them and replace them with something else, but they will never do that. Aristocrat reported that there were no flaws in its slot machines and that the machines had been designed and certified in full accordance with strict technical standards. At the same time, many casinos can't afford to buy updated slot machines that are protected from hackers. While old hackable slot machines are still in use and popular among clients, it will be more profitable for casinos to keep using them and accept occasional losses caused by hackers.
Thus, casino security services have no choice but to keep an eye out for indirect signs of fraud. A finger hovering above the “spin” button may be the only sign that the hackers from Saint-Petersburg are about to win again.