GGPoker security breach allowed “MoneyTaker69” to cheat

“Something is rotten in the state of Denmark.”

~ Hamlet, Act I, Scene 4, Line 90

Is MoneyTaker69 the new POTRIPPER?

In 2007, the online poker world was reeling after the biggest cheating scandal of all time. The Kahnawake Gaming Commission’s findings had confirmed the worst suspicions about what was going on at Absolute Poker/Ultimate Bet. The “POTRIPPER” superuser scandal dealt a serious blow to trust in online poker, a young industry that already had an image problem.

Players were concerned about whether online sites were running clean games with incorruptible random number generators and secure payment processing methods. They wondered whether these sites could or would police themselves and put their customers’ interests ahead of their own when it comes to game integrity issues. They loved the game, but didn’t know if they could trust the coaches to be untouchable.

It’s the players who did the legwork

Sixteen years later, the online poker world is once again reeling as it appears we have another “superuser” scandal in our midst. It’s early days for this particular allegation, but just like the POTRIPPER case, it’s the players who have been doing the legwork and gathering important data, as the GGPoker account “MoneyTaker69” was implicated in a large number of implausible hands.

Worryingly, this news comes just three months after GGPoker’s decision to block SharkScope from tracking and displaying tournament results on its platform. This decision has been heavily criticized for limiting transparency and making it difficult for players to detect cheating or collusion. GGPoker released a statement today claiming that this breach was caused by a “client-side security vulnerability.” Regardless, players have speculated about the possibility of an inside job and, problematically for GGPoker, blocking SharkScope is certainly a measure that would have been deemed necessary if such an inside job were to take place.

The POTRIPPER scandal

In the fall of 2007, there were numerous rumors of cheating on the Cereus Poker Network. Players at Absolute Poker and Ultimate Bet were convinced that there were accounts that had access to the hole cards of other players at the table. Charts were tabulated and then distributed on forums showing that the win rates for these accounts were simply off the charts, mathematical outliers far beyond what even the most experienced player could achieve.

In October, the Kahnawake Gaming Commission opened an investigation into the alleged fraud, focusing primarily on a particular account’s full tournament history. The hand history included the hole cards of all players at the table, as well as the IP addresses of players and outside observers watching online. The account was that of POTRIPPER, a now infamous name in the online poker world.


On September 29, 2008, the Kahnawake Gaming Commission released its findings and found that between May 2004 and January 2008, Russ Hamilton had masterminded an elaborate scheme to steal from players at Absolute Poker/Ultimate Bet. Hamilton, the 1994 WSOP Main Event champion, was a consultant for Ultimate Bet. For over three years, POTRIPPER and other “superuser” accounts had exploited the fact that they could see their opponents’ cards to win an estimated $22.1 million.

Skulduggery

In the 16 years since then, many of the top poker sites have developed more sophisticated security and integrity teams to combat fraud. While many of the measures taken to catch fraudsters are kept secret for reasons of effectiveness, a general attempt is made to ensure as much transparency as possible. This is partly a PR decision to increase community trust in the sites, but it also keeps open a path to detecting scammers.

Integrity teams are responsible for catching the vast majority of cheaters, but occasionally players are responsible for catching malicious actors through their own initial investigations, aided by sites like SharkScope. The look and shape of a player’s win graph can be telling. A player’s game selection can reveal important information. Cross-referencing between multiple players for the same games played and other data points can indicate cheating.

Therefore, there was cause for concern when the world’s largest poker site, GGPoker, blocked the use of SharkScope in September 2023. What’s even more concerning now is that there is a confirmed case of super-using on the site by an account aptly named MoneyTaker69.

TwoPlusTwo forum poster rings the bell

On Christmas Day, TwoPlusTwo forum member “y2da” rang the bell, posting a screenshot of MoneyTaker69, who won the GG Masters $400,000 Guarantee for $47,586.80, along with some wild gameplay stats. A few hours later, forum member “juuuu35” responded with a standard deviation calculation and concluded that his run was “almost impossible.” MoneyTaker69 also played the $1,000 buy-in tournament on GGPoker that night and made the final table.

As news spread between December 26th and 27th, MoneyTaker69’s special powers became a topic of conversation.

There has also been further research into the hands of poker’s newest Magic Man. A particularly suspicious cash game hand where the account called an all-in turn shove with Jack-Deuce on a board of A♣️-Q♦️-7♣️-6♠️ raised eyebrows. MoneyTaker69’s opponent held 5♣️-4♣️ on this occasion.

It was also pointed out that the company behind the MoneyTaker69 account was not careful and was VPIPing (voluntarily putting money into the pot) at an incredibly high rate, one at which it is impossible to win in the long term.

GGPoker claims “client-side vulnerability”

On December 28, Phil Galfond congratulated the players who had made significant efforts to expose MoneyTaker69’s scam.

On December 29th, GGPoker did what Galfond expected and responded to the fraud allegations and confirmed wrongdoing by MoneyTaker69.

In a statement that raises more questions than it answers, GGPoker detailed that it had spotted “unusual gaming patterns and abnormal client packets” from MoneyTaker69 and identified an “unfair gaming advantage” caused by a “client-side vulnerability.” The site said it suspended the account and confiscated the unfair winnings, which it claims totaled $29,795. In addition, the payouts for affected tournaments will be reconciled.


GGPoker further explained the security flaw:

Under certain circumstances relating to the Thumbs Up/Down Table Reaction feature, which includes decompiling our Windows game client, intercepting network traffic and changes to our game packages, Moneytaker69 was able to customize its own game client. These adjustments could only be made to our Windows desktop gaming client because part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no time did the user have access to our servers or server data, including anyone else’s hole cards. Through this customized gaming client, he was able to derive all-in equity by exploiting a client-side data leak vector. Our engineers discovered this vulnerability and issued an emergency update on December 16th to disable the thumbs up/down table responses. However, the user was already in possession of the customized game client, which he had blocked from receiving further updates, and was able to further accumulate the data leak during the flop and turn. Based on this collected data, he was able to estimate his probability of winning with sufficient certainty.
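A player who can estimate all-in equity against an opponent's real hand leaves a statistical trace that an integrity team can test for server-side. The sketch below is an added example, not GGPoker's code or method: it counts all-in spots where public information and the hidden cards recommend opposite actions, and asks how often the player sided with the hidden cards. The `Decision` fields, the sample logs, the 0.5 honest ceiling and the thresholds are all assumptions made for illustration.

```python
from math import comb
from typing import NamedTuple

class Decision(NamedTuple):
    pot_odds: float      # equity needed to break even on a call
    eq_vs_range: float   # equity vs. opponent's plausible range (estimable by anyone)
    eq_vs_actual: float  # equity vs. opponent's real hole cards (server-side only)
    called: bool         # True = called the all-in, False = folded

def informative(d):
    """Public and hidden information recommend opposite actions."""
    return (d.eq_vs_range >= d.pot_odds) != (d.eq_vs_actual >= d.pot_odds)

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def score(decisions, p0=0.5):
    """Return (n, k, p_value): informative spots, actions that agree with the
    hidden cards, and the chance of k or more under the assumed ceiling p0."""
    spots = [d for d in decisions if informative(d)]
    k = sum(d.called == (d.eq_vs_actual >= d.pot_odds) for d in spots)
    return len(spots), k, binom_tail(k, len(spots), p0)

def flag(decisions, alpha=1e-4, min_spots=15):
    """Flag only with enough informative spots and a very small tail probability."""
    n, _, p = score(decisions)
    return n >= min_spots and p < alpha

# Constructed samples (not real hand histories); equities are made-up values.
SUSPECT = ([Decision(0.33, 0.20, 0.70, True)] * 12     # weak-looking call, ahead
           + [Decision(0.33, 0.55, 0.10, False)] * 7   # strong-looking fold, behind
           + [Decision(0.33, 0.55, 0.10, True)] * 1    # one miss
           + [Decision(0.33, 0.60, 0.65, True)] * 5)   # uninformative: both say call
HONEST = ([Decision(0.33, 0.20, 0.70, False)] * 8      # folds what looks weak
          + [Decision(0.33, 0.20, 0.70, True)] * 4
          + [Decision(0.33, 0.55, 0.10, True)] * 7     # calls what looks strong
          + [Decision(0.33, 0.55, 0.10, False)] * 3)

if __name__ == "__main__":
    for name, log in (("suspect", SUSPECT), ("honest", HONEST)):
        print(name, score(log), flag(log))
```

The test only works with server-side logs, since it needs the opponents' real hole cards; a flag is a reason to review the account's hands, not proof on its own.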

Something is wrong in the state of Denmark

To reassure its players, GGPoker says it has issued “security patches” to prevent further client-side data leaks of this type. The site also claims to have added “solutions” that detect and prevent players from advantageously adjusting the game client. Additionally, the company will hire staff to double the size of its security team and seek help from “renowned security experts.”

Knowing about flop and turn equity comes very close to super using

From its perspective, GGPoker has brought the problem under control and acted quickly to stop the fraudulent behavior of a single bad actor. The problem is that a security breach, especially one of this nature, rightly sends shockwaves throughout the industry. GGPoker may say that this wasn’t super using, but if what they say is true, knowing the flop and turn equity is very close to super using.

There’s also the broader concern that players are only now finding out that GGPoker didn’t encrypt the hole card information, an insanely reckless shortcut when there were literally tens of billions of dollars exchanged on their site. These revelations give players serious cause for suspicion and concern. There may indeed be something fishy in the state of Denmark, but the question remains: will heaven direct it?

