GGPoker Under Fire as Security Breach Allowed ‘MoneyTaker69’ to Pillage From Players

  • It’s been 16 years since the POTRIPPER super-user scandal on UltimateBet and Absolute Poker
  • GGPoker blocked the use of SharkScope in September 2023
  • Players detected suspicious win rates and hands by MoneyTaker69 on GGPoker
  • GGPoker said MoneyTaker69 was able to see all-in equities via a software vulnerability

“Something is rotten in the state of Denmark.”

 ~ Hamlet, Act I, Scene 4, line 90

Is MoneyTaker69 the new POTRIPPER?

In 2007, the online poker world was reeling after its biggest ever cheating scandal. The findings of the Kahnawake Gaming Commission had confirmed the worst suspicions about what had been going on at Absolute Poker/Ultimate Bet. The “POTRIPPER” super-user scandal had dealt a severe blow to confidence in online poker, a fledgling industry which already had an image problem.

Players were concerned about whether the online sites were running clean games with incorruptible random number generators and safe methods of payment processing. They questioned whether those sites could or would self-police, putting their customers’ interest before their own on matters of game integrity. They loved the game, but didn’t know if they could trust the caretakers of it to be unimpeachable.

Sixteen years later, the online poker world is reeling once again as it appears that we have another “super-user” scandal in our midst. It’s early days for this particular allegation, but just like the POTRIPPER case, it is the players who have done the legwork, piecing together important data points as GGPoker account “MoneyTaker69” has been involved in a large number of implausible hands.

Worryingly, this news comes just three months after GGPoker decided to block SharkScope from tracking and displaying tournament results on its platform. That decision was heavily criticized because it limits transparency and hinders the players’ ability to detect cheating or collusion. GGPoker released a statement today claiming that this breach was caused by a “client-side vulnerability.” Regardless, players have been speculating about the possibility of an inside job and, problematically for GGPoker, blocking SharkScope as it did is certainly a measure that would have been seen as necessary if such an inside job were about to take place.

The POTRIPPER scandal

In the Fall of 2007, rumors abounded about cheating on the Cereus Poker Network. Players on Absolute Poker and Ultimate Bet were convinced that there were accounts which had access to the hole cards of the other players at the table. Graphs were tabulated and then circulated on forums showing that win rates for these accounts were quite simply off the charts, mathematical outliers well beyond what even the most expert of players was capable of.

In October, the Kahnawake Gaming Commission opened an investigation into the alleged cheating which largely centered around a complete tournament history of one particular account. The hand history included the hole cards for all the players at the table and IP addresses for the players and third-party observers who were watching online. The account was that of POTRIPPER, a now infamous name in the online poker world.

On September 29, 2008, the Kahnawake Gaming Commission released its findings, stating that between May 2004 and January 2008, Russ Hamilton had spearheaded an elaborate scheme to steal from players at Absolute Poker/Ultimate Bet. Hamilton, the 1994 WSOP Main Event champion, was a consultant for Ultimate Bet. For over three years, POTRIPPER and other “super-user” accounts had exploited the fact that they could see their opponents’ cards to win an estimated $22.1m.

Skullduggery

In the 16 years since, many of the top poker sites have developed more sophisticated security and integrity teams to combat cheating. While many of the measures used to catch cheaters are kept secret for effectiveness’s sake, there is a general effort to provide as much transparency as possible. This is partly a PR decision to build community confidence in the sites, but it also keeps open one avenue to the detection of cheaters.

Integrity teams are responsible for catching the vast majority of cheaters, but players are occasionally responsible for apprehending bad actors via their own initial investigations, aided by sites like SharkScope. The look and shape of a player’s winning graph can be telling. A player’s game selection can reveal important information. Cross-referencing multiple players for the same games played and other data points can point to skullduggery.

It was therefore a worry when, in September 2023, the world’s largest poker site GGPoker blocked the use of SharkScope. It is even more concerning now that there is an acknowledged instance of super-using on the site by an account aptly named MoneyTaker69.

TwoPlusTwo forum poster rings the bell

On Christmas Day, the bell was rung by TwoPlusTwo forum member “y2da,” who posted a screenshot of MoneyTaker69 winning the GG Masters $400K guarantee for $47,586.80 alongside some wild gameplay statistics. A couple of hours later, forum member “juuuu35” replied with some standard deviation math, concluding that MoneyTaker69’s run was “nearly impossible.” MoneyTaker69 also played the $1,000 buy-in tournament on GGPoker that night and made the final table.

As word spread between December 26th and 27th, the special powers of MoneyTaker69 became the subject of conversation.

There was also further research into hands played by poker’s newest “magic man.” One especially suspicious cash game hand in which the account called an all-in turn shove with Jack-Deuce on a board of A♣️-Q♦️-7♣️-6♠️ raised eyebrows. MoneyTaker69’s opponent on that occasion held 5♣️-4♣️.

It has also been pointed out that the entity behind the MoneyTaker69 account has not been careful, VPIPing (voluntarily putting money in the pot) at an incredibly high rate, one that is impossible to win with over the long term.

GGPoker claims “Client-Side Vulnerability”

On December 28th, Phil Galfond congratulated the players who had put in significant legwork to uncover MoneyTaker69’s cheating.

On December 29th, GGPoker did as Galfond expected and responded to the cheating allegations, confirming foul play by MoneyTaker69.

In a statement that raised more questions than it answered, GGPoker richly claimed that it had spotted “unusual game patterns and abnormal client packets” from MoneyTaker69, identifying an “unfair playing advantage” caused by a “client-side vulnerability.” The site said that it had banned the account and confiscated the unfair winnings, which it claims total $29,795. It will also reconcile the payouts for impacted tournaments.

GGPoker went on to explain the vulnerability:

Under a specific set of circumstances related to the “Thumbs Up/Down Table Reaction” feature, which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance.

Something rotten in the State of Denmark

In an effort to reassure its players, GGPoker says that it has issued “security patches” to prevent further client-side data leaks of this kind. The site also says that it has added “solutions” that will detect and prevent players from beneficially customizing the game client. It will also be recruiting to double the size of its security team and will be pursuing help from “renowned security professionals.”

From its point of view, GGPoker has put a lid on the issue, acting quickly to shut down the rogue behavior of a singular bad actor. The problem is that a security breach, particularly one of this nature, rightly sends shockwaves through the entire industry. GGPoker might be saying that this wasn’t super-using, but, if what they are saying is true, knowing flop and turn equities is very close to super-using.
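As an added illustration (not GGPoker's detection code and not taken from the forum posts), one server-side check for a player who knows flop and turn equities is to compare each all-in call or fold against the true equity, which the operator can reconstruct once the hand is over, and ask how likely that hit rate is for someone who cannot see it. The 0.70 baseline, the thresholds, the account names and the sample hands are all assumptions constructed for the example.

```python
from math import comb

def binom_tail(k, n, p):
    """Exact P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def equity_alignment(decisions, baseline=0.70, min_spots=20):
    """Score how often all-in decisions match the true equity.

    decisions: list of (called, equity, pot_odds), where equity is the hero's
    real equity reconstructed server-side once all hole cards are known.
    baseline is an ASSUMED rate at which honest players get these spots right.
    Returns (correct, total, p_value), or None if the sample is too small.
    """
    n = len(decisions)
    if n < min_spots:
        return None
    # A decision is "aligned" when the player called exactly when equity beat the price.
    correct = sum(1 for called, eq, odds in decisions if called == (eq > odds))
    return correct, n, binom_tail(correct, n, baseline)

def flag_accounts(history, alpha=1e-4):
    """Return accounts whose alignment is implausibly high, for manual review."""
    flagged = []
    for account, decisions in history.items():
        score = equity_alignment(decisions)
        if score is not None and score[2] < alpha:
            flagged.append(account)
    return sorted(flagged)

# Constructed sample data; account names are hypothetical.
SAMPLE = {
    # Calls only when ahead of the price, folds only when behind: 40/40 aligned.
    "account_A": [(True, 0.62, 0.33)] * 20 + [(False, 0.12, 0.33)] * 20,
    # Ordinary mix of good calls, bad calls, good folds and bad folds: 29/40.
    "account_B": [(True, 0.62, 0.33)] * 15 + [(True, 0.20, 0.33)] * 6
               + [(False, 0.12, 0.33)] * 14 + [(False, 0.55, 0.33)] * 5,
    # Perfect but far too few spots to say anything.
    "account_C": [(True, 0.62, 0.33)] * 5,
}

if __name__ == "__main__":
    for name, spots in SAMPLE.items():
        print(name, equity_alignment(spots))
    print("review:", flag_accounts(SAMPLE))
```

A flag from a check like this is a reason to pull hand histories for review, not proof of cheating: the baseline has to be measured from the site's own player pool and stake level.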

There is also the more general concern that players are only now finding out that GGPoker hasn’t been encrypting hole card information, an insanely reckless shortcut to be taking when literal tens of billions of dollars have exchanged hands on their site. With these revelations, players have a serious cause for suspicion and concern. Something could indeed be rotten in the state of Denmark but the question remains: Will Heaven direct it?
