Americas Cardroom has confirmed that an unknown but purportedly small number of its online players had their accounts accessed and the majority of their existing account balances withdrawn and transferred to third parties via cryptocurrency transactions, often Bitcoin-based. The exact number of accounts affected by the hacking, which ACR has stated was done externally (and not by rogue employees), is uncertain, but appears to be in the range of one or two dozen players.
In what ACR described as an episode of “credential stuffing,” which involves repeated attempts to log on to a player’s account via username-and-password combos that are stolen or purchased illicitly, the bad actor(s) involved managed to withdraw large balances in scattered instances over the past couple of months. ACR has also declared that it has refunded all players who are known to have been victims of the hacking.
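The credential-stuffing pattern described above (one source trying many stolen username-and-password combos, then cashing out any account it gets into) is what an operator's logs would show. The following is an added illustration, not code from ACR or from the post; the log format, the IP addresses, the usernames and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (format and values are assumed, not ACR's).
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 event=login user=alice result=fail
2024-05-01T10:00:02 src=203.0.113.7 event=login user=bob result=fail
2024-05-01T10:00:03 src=203.0.113.7 event=login user=carol result=fail
2024-05-01T10:00:04 src=203.0.113.7 event=login user=dave result=success
2024-05-01T10:00:05 src=203.0.113.7 event=login user=erin result=fail
2024-05-01T10:00:06 src=203.0.113.7 event=login user=frank result=fail
2024-05-01T10:01:00 src=203.0.113.7 event=withdraw user=dave method=crypto new_address=yes
2024-05-01T10:02:00 src=198.51.100.9 event=login user=grace result=fail
2024-05-01T10:02:30 src=198.51.100.9 event=login user=grace result=success
2024-05-01T10:03:00 src=198.51.100.9 event=withdraw user=grace method=crypto new_address=no
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn the 'key=value' fields after the timestamp into a dict."""
    return dict(KV_RE.findall(line))

def find_stuffing_sources(lines, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct usernames with mostly failures.
    One player retrying a forgotten password (one username, one source) stays
    below min_users and is not flagged. Returns {src: {users it logged into}}."""
    attempts = defaultdict(list)
    for rec in map(parse, lines):
        if rec.get("event") == "login":
            attempts[rec["src"]].append((rec["user"], rec["result"]))
    flagged = {}
    for src, tries in attempts.items():
        users = {u for u, _ in tries}
        fails = sum(1 for _, r in tries if r == "fail")
        if len(users) >= min_users and fails / len(tries) >= min_fail_ratio:
            flagged[src] = {u for u, r in tries if r == "success"}
    return flagged

def find_risky_withdrawals(lines, flagged):
    """A withdrawal to a never-seen-before crypto address, from a flagged source,
    on an account that source logged into: the cash-out step the post describes."""
    risky = []
    for rec in map(parse, lines):
        if (rec.get("event") == "withdraw" and rec.get("new_address") == "yes"
                and rec["user"] in flagged.get(rec["src"], set())):
            risky.append((rec["user"], rec["src"]))
    return risky

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print(hits, find_risky_withdrawals(SAMPLE_LOG, hits))
```

In the sample, the first source is flagged and its single successful login is tied to a withdrawal to a new address, while the second source is an ordinary player retrying one password and is left alone.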
Exactly how that hacking occurred remains a bit of a fuzzy story at this time. ACR, in confirming the outsider theft, also declared that it has closed a security vulnerability seemingly exploited by the thief or thieves. That vulnerability appears to have existed within ACR’s mobile client and likely involved a single specific mobile-based operating system. Given the relatively small number of players who were impacted, the exploit could also have been virus-based and hidden within another app that a small number of players may have already had on their devices.
The problem was first brought public by a Twitter poster named GambleGamble, and from there it was picked up by Todd “Dan Druff” Witteles, who has devoted a thread to the issue, including GambleGamble’s initial report of a theft for roughly $8,800, plus additional reports having since been made to Witteles by other, unnamed players.
Witteles has been quick to jump to the conclusion that the theft had to have been orchestrated by some insider at ACR. Though that is one logical interpretation of the known facts, it may not be the only one. Some sort of malware that was able to read a mobile user’s various usernames and passwords from other apps, or from Google itself, and then attempt to use them to log into ACR, still remains a possibility. That falls under the general definition of “credential stuffing,” if indeed credential stuffing is what has occurred here.
A couple of caveats are offered here. Witteles is decidedly not a fan of ACR. I’m rather more mixed, and I have done some work for ACR in the past (though not at present), so I am disclosing that here as well. I think ACR is a much better site than it was quite a few years ago, and of today’s so-called “grey market” sites, I think they’ve been as responsible an operator as anyone in recent times.
There are some questions here as to why ACR reacted as slowly as it did when GambleGamble and others made their complaints, and there is still some question, according to Witteles, as to whether all affected players have indeed been refunded. On the flip side — and acknowledging that few of the specifics of the hacking are actually known — that ACR has attempted to make players good is a point in their favor.
Could some ACR employee be responsible for the theft? It’s certainly not impossible, though I was assured through a well-connected intermediary that the theft was external to ACR operations. That’s not something that any operator, large or small, would ever want to get caught in a lie regarding; it’s so much better to fess up from the start in such a situation than risk a much larger public black eye later on.
A segue to an UltimateBet tale…
The interesting part of this tale is that the type of insider theft that Witteles still believes occurred here actually did take place in online poker over a decade ago. It happened at the Cereus Network, more specifically at UltimateBet, and it was unconnected to the insider-cheating scandal centered on Russ Hamilton.
A UB insider told me it was called the Jeremy Day episode, referring to the employee involved. Day, allegedly, was able to access a poorly secured data file containing user names and passwords, and he then logged into numerous accounts, gambling away something like $120,000, if memory serves correctly. Day was a low-level customer-service worker in Toronto, but he was also the son of a mid-level manager, so he had some protection. He was fired, I believe, but never prosecuted, given that UB was itself at the time dodging the law in several jurisdictions.
Whether or not Day actually dumped the funds to an accomplice at the tables, I don’t know, but I was actually provided with a piece of the stolen data file. I saw the names of several of the affected users themselves, which ironically included one of UB’s many owners, Annie Duke, and if I remember right, the login information for her pet “SekretSquirrel” account. What happened is that the episode was covered up by the site’s operational boss at the time James Ryan, and that coverup continued under others once Absolute Poker and UltimateBet merged and Ryan went his own way.
The affected players were refunded, but, as I was told, only under the condition that they not speak about what happened. It was several years after the fact when I learned of it, and I attempted to contact one of the players about it who was a PocketFives regular, and he reported me to PocketFives just for asking. Lol that.
Word spread, of course, and that included among workers inside of Absolute Poker after the two sites merged and became the Cereus Network. The episode resurfaced when a second customer-service worker on the AP side, who was based in Costa Rica, learned of that episode and of Russ Hamilton’s cheating, and then attempted to blackmail Absolute Poker.
When that failed, he tried to blackmail Hamilton, which didn’t work out for him either. The guy didn’t want a ton of money, relatively speaking, just something like $90,000, and he even had plans for it — he wanted to open a donut shop in Costa Rica. (Honestly, you can’t make this shit up; I’ve literally seen the diagram the guy created for how he wanted his donut shop to be laid out.)
Now that’s a helluva unexpected segue, isn’t it? Carry on. And should you be one of the players affected in this ACR kerfuffle, feel free to contact me with your details.