In early June 2014, an accountant at the Lumiere Place casino in St. Louis noticed that several of its slot machines had gone haywire over the previous few days. The government-approved software that runs these machines gives the casino a fixed mathematical advantage, so gambling establishments know how much they will eventually earn: say, 7.129 cents for every dollar played. But on June 2 and 3, some of the machines at Lumiere Place paid out far more money than they took in, even though there were no major jackpots. In gaming-industry jargon, such a deviation is called negative hold. And because software is not prone to sudden bouts of insanity, the only possible explanation was that someone was cheating.
Casino security reviewed the surveillance video and eventually identified the culprit. He appeared to be a dark-haired man of about thirty, wearing a T-shirt and carrying a square brown wallet. Unlike most fraudsters, he did not seem to do anything to the slot machines he chose. All of these machines were fairly old models made by the Australian company Aristocrat Leisure. The man simply pressed buttons, playing “Star Drifter” and “Pelican Pete”, while stealthily holding his iPhone close to the machine's screen.
After playing for a few minutes he would leave, then come back later to try his luck again. That was when he would start winning heavily. Having spent 20-60 dollars, he received as much as 1,300 dollars, then finished the game and moved to another machine, where everything began again. Over two days his winnings amounted to more than 21 thousand dollars. The only oddity in his behaviour was that he held his finger over the “Start” button for a long time and then pressed it sharply and hastily. Players do not usually make such long pauses between spins.
On June 9 the casino shared its observations with the Missouri Gaming Commission, which raised a statewide alarm. Several casinos soon discovered that they had been cheated in a similar way, though by different people, not the man who had cheated at Lumiere Place. In each case, the attacker held a cell phone up to an Aristocrat Mark VI machine and then pressed a random button.
After analyzing car rental records, Missouri authorities determined that the man who had cheated at Lumiere Place was Murat Bliev, a 37-year-old Russian. Bliev flew to Moscow on June 6, but the St. Petersburg organization he worked for (it has dozens of employees who cheat “one-armed bandits” all around the world) quickly sent him back to the United States, where he joined another group of crooks. The decision to send Bliev to the United States again was a rare misstep for this organization, which quietly steals millions by cracking some of the gaming industry's most complex and valuable algorithms.
From Russia with fraud
Russia has been one of the main centers of slot machine fraud since 2009, when the country outlawed almost all gambling. (Vladimir Putin, who was then the head of the government, allegedly believed that such measures would reduce the influence of Georgian organized crime.) Because of the ban, thousands of casinos had to sell their slot machines at bargain prices to whatever buyers they could find. Some of the cheap “one-armed bandits” ended up in the hands of crooks who wanted to learn how to load new games onto old boards. Other machines ended up in the hands of Bliev's bosses in St. Petersburg, who tried to crack the machines' code in search of vulnerabilities.
By the beginning of 2011, many casinos in Central and Eastern Europe began to see cases in which slot machines made by the Austrian company Novomatic paid out incredibly large winnings. Novomatic's engineers could not find anything that indicated a break-in. They therefore suggested that the fraudsters had figured out how to predict the behavior of the slot machines. “Through dedicated and long observation of the individual sequences of the game, it is presumably possible to find some “regularity” in its results,” Novomatic informed its customers in February 2011.
Identifying these patterns required a huge effort. Slot machines run a program called a pseudo-random number generator (PRNG), which intentionally produces very strange and puzzling results. Government regulatory bodies such as the Missouri Gaming Commission test each algorithm for soundness and integrity, and only then give casinos permission to use it.
However, as the prefix “pseudo” suggests, these numbers are not entirely random. Because people create PRNGs from coded instructions, they are inherently somewhat deterministic. (A true random number generator must be based on a phenomenon that is not man-made, such as radioactive decay.) A PRNG takes a seed number and mixes it with various hidden and changing values and parameters (for example, the time from the machine's built-in clock). The result appears impossible to predict. But if hackers can identify the ingredients of this mathematical mix, they can predict the PRNG's output. This reverse engineering is significantly easier if the hacker gets physical access to the insides of a slot machine.
But secret knowledge of the arithmetic a slot machine uses to generate random game results is not enough for hackers. The inputs to the PRNG vary with the time state of each machine: the seed values differ from one moment to the next, as does the data from the internal clock. So even if attackers understand how a machine's pseudo-random number generator works, they must observe the machine's gameplay to work out its pattern. That takes time and considerable computing power. And setting up a laptop in front of a machine playing “Pelican Pete” is sure to attract the attention of casino security.
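The point about determinism can be checked with a small audit, added here as an example that is not from the article or any manufacturer: it counts how many clock-derived seeds remain consistent with a growing number of observed outcomes. The generator is a textbook 32-bit LCG, and the reel size, seed value and clock window are constructed assumptions, not the algorithm or parameters of any real machine.

```python
"""Toy audit: how fast do observed outcomes pin down a clock-seeded PRNG?"""
# Illustrative only. The generator below is a textbook 32-bit LCG with the
# "Numerical Recipes" constants; it is NOT the algorithm of any real machine.
M = 2**32
A, C = 1664525, 1013904223
STOPS = 22  # assumed number of stop positions on one reel (constructed)


def outcomes(seed, n):
    """First n visible outcomes (reel stops) for a given seed."""
    state, out = seed % M, []
    for _ in range(n):
        state = (A * state + C) % M
        out.append((state >> 16) % STOPS)  # an observer sees only this value
    return out


def consistent_seeds(observed, window):
    """Seeds in `window` whose output matches every observed outcome."""
    n = len(observed)
    return [s for s in window if outcomes(s, n) == observed]


def audit(true_seed, window, counts=(1, 2, 4, 8, 24)):
    """Map 'number of outcomes observed' -> 'seed candidates still possible'."""
    seen = outcomes(true_seed, max(counts))
    return {n: len(consistent_seeds(seen[:n], window)) for n in counts}


if __name__ == "__main__":
    # Constructed scenario: the seed is a clock tick known to within +/- 10,000.
    seed = 1_401_700_000
    window = range(seed - 10_000, seed + 10_000)
    for n, left in audit(seed, window).items():
        print(f"{n:>2} outcomes observed -> {left} candidate seeds")
```

A generator whose state space is small enough to enumerate fails this audit regardless of how random its output looks to statistical tests; one drawing from the operating system's CSPRNG (for example Python's `secrets.randbelow`) offers no such window to enumerate.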
The scam at Lumiere Place showed how Murat Bliev and his accomplices solved this problem. After hearing about the incident in Missouri, casino security expert Darrin Hoke, who was then director of surveillance at the L’Auberge du Lac casino in Louisiana, decided to investigate the scale of the hacking operation. By interviewing colleagues, who told him about suspicious slot machine activity, and by reviewing surveillance footage, he was able to identify 25 alleged scammers who had worked in casinos from California to Romania and Macau. After reviewing hotel records, Hoke found that two of Bliev's accomplices in the St. Louis fraud had never left the USA and had moved west to Temecula, California, home of the Pechanga casino. On July 14, 2014, agents from the California Department of Justice detained one of the accomplices at the Pechanga casino and confiscated four cell phones and six thousand dollars. (The man was a Russian citizen; no charges were brought against him, and his current whereabouts are unknown.)
The phones seized at the casino, together with data from the investigations in Missouri and Europe, revealed several important details. According to Willy Allison, a Las Vegas casino security consultant who has tracked the Russian scam for several years, the attackers used their phones to record about two dozen spins of the game they intended to crack. They sent this footage to the technical staff in St. Petersburg, where the video was analyzed and experts calculated the pattern in the machine's operation based on what they knew about that model's PRNG. Finally, the St. Petersburg team transmitted timing markers to an app on the player's phone. These markers made the phone vibrate for 0.25 seconds, after which the player had to press the button quickly.
“Normal human reaction time is about a quarter of a second, which is why they do it,” says Allison, who is the founder of an annual international conference on game protection. The press does not always land on time, but the attacker still wins far more than usual. The crooks tend to win more than 10 thousand dollars a day. (Allison notes that these players try to keep their winnings on each machine below a thousand dollars, so as not to arouse suspicion.) A team of four working in several casinos can win more than 250 thousand dollars in one week.
Because there are no “one-armed bandits” in Russia to take money from, Murat Bliev did not stay in Russia after his return from St. Louis. In 2014 he visited the United States twice. The second trip began on December 3. Straight from the Chicago airport he went to St. Charles, Missouri, where he met three accomplices who knew how to beat Mark VI slot machines: Ivan Gadalov, Igor Lavrenov and Eugene Nazarov. The quartet intended to spend a few days in Missouri and western Illinois, playing in various casinos.
Bliev should not have returned. On December 10, shortly after casino security caught him at the Hollywood casino in St. Louis, all four crooks were arrested. Because Bliev and his associates had worked in several states, the federal government charged them with conspiracy to commit fraud. These charges were the first major setback for the St. Petersburg organization. Until then, none of its players had faced criminal prosecution.
Bliev, Lavrenov and Gadalov, who hold Russian citizenship, eventually made plea deals and were sentenced to two years in federal prison, followed by deportation. Nazarov, a Kazakh who received religious asylum in the US in 2013 and is a resident of Florida, is still awaiting sentencing. This indicates that he is cooperating with the authorities. In a statement to WIRED, Aristocrat Leisure said that one of the four defendants has not yet been sentenced because he “continues to help the FBI in the investigation”.
Whatever information Nazarov provides, it is probably out of date and of little value. In the two years since the arrests in Missouri, the St. Petersburg organization's field operatives have become much more cautious and circumspect. Some of their new tricks were exposed last year, when Singapore authorities arrested and charged a group of cyber criminals. One of its members, a Czech named Radoslav Skubnik, shared details about the organization's financial structure (90% of all profits go to St. Petersburg) and about its tactics. “Now they will be putting their cell phones in the chest pockets of their shirts, hiding them behind a small mesh,” says Allison. “During recording, they don’t have to hold the phone in their hand.” Hoke says he has received information that the scammers intend to send video to Russia over Skype, so that they do not have to step away from the slot machine to upload the footage.
The cases brought in Missouri and Singapore are the only ones in which the players have been prosecuted, although some have been caught and thrown out of casinos. Meanwhile, the St. Petersburg organization keeps sending out its agents. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian players who played on older Novomatic Coolfire machines.
The economic realities of the gaming industry guarantee that the St. Petersburg organization will continue to thrive. Making the machines resistant to this kind of hacking is technically very difficult. As Hoke notes, Aristocrat, Novomatic and other slot machine manufacturers whose PRNGs have been compromised “will be forced to decommission all their machines and put something different in their place.” But they clearly do not intend to do so. (In its statement to WIRED, Aristocrat said that it is unable “to identify defects in computer games,” and that its machines are “made in accordance with the strictest technical standards.”) At the same time, most casinos cannot afford the latest “one-armed bandits”, whose PRNGs use encryption to protect their mathematical secrets. And the old, compromised machines are still popular with visitors, so from a financial point of view it makes more sense to accept occasional losses to fraud and keep using them.
So the whole burden will fall on casino security staff, who will have to watch closely for the slightest signs of fraud. And a finger hovering over the button may be the only clue that the St. Petersburg hackers are about to win the next jackpot.
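One way the monitoring burden could be partly automated is to run the negative-hold check from the start of the article over daily machine meters, shown here as an added example that is not from the article or any vendor. The theoretical hold, the per-spin volatility, the alert threshold, the machine IDs and the meter readings are all constructed assumptions.

```python
"""Flag 'negative hold' machine-days that no jackpot explains."""
from dataclasses import dataclass
from math import sqrt

THEO_HOLD = 0.07    # assumed theoretical hold (casino edge), constructed
SIGMA = 6.0         # assumed std. dev. of payout per spin, in bet units
Z_ALERT = -4.0      # alert when net win is this many std. devs below plan


@dataclass
class MeterDay:
    machine: str
    day: str
    spins: int
    coin_in: float    # total wagered, dollars
    coin_out: float   # total paid out, dollars
    jackpots: int     # hand-paid jackpots that day


def hold_zscore(m):
    """Std. devs between the day's actual net win and the expected one."""
    avg_bet = m.coin_in / m.spins
    expected = THEO_HOLD * m.coin_in
    spread = SIGMA * avg_bet * sqrt(m.spins)
    return ((m.coin_in - m.coin_out) - expected) / spread


def negative_hold_alerts(days):
    """Machine-days paying out more than taken in, with no jackpot to blame."""
    return [(m.machine, m.day, round(hold_zscore(m), 1))
            for m in days
            if m.spins > 0 and m.jackpots == 0
            and m.coin_out > m.coin_in and hold_zscore(m) < Z_ALERT]


# Constructed sample meter readings (not real casino data).
SAMPLE = [
    MeterDay("MK6-014", "2014-06-02", 4000, 4000.0, 3700.0, 0),   # normal
    MeterDay("MK6-021", "2014-06-02", 1500, 3000.0, 13500.0, 0),  # anomaly
    MeterDay("MK6-033", "2014-06-02", 2000, 2000.0, 12000.0, 1),  # jackpot
    MeterDay("MK6-021", "2014-06-03", 1200, 2400.0, 12900.0, 0),  # anomaly
]

if __name__ == "__main__":
    for machine, day, z in negative_hold_alerts(SAMPLE):
        print(f"{day} {machine}: net win {z} std. devs below expectation")
```

Scaling the threshold by the number of spins keeps a short unlucky session from raising an alert while still catching a machine that loses heavily over a day without a jackpot.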