BRENDAN KOERNER | 05 August 2017
LATE LAST AUTUMN, a Russian mathematician and programmer named Alex decided he’d had enough of running his eight-year-old business. Though his St. Petersburg firm was thriving, he’d grown weary of dealing with payroll, hiring, and management headaches. He pined for the days when he could devote himself solely to tinkering with code, his primary passion. The time had come for an exit strategy.
But Alex couldn’t just cash out as if he owned an ordinary startup because his business operates in murky legal terrain. The venture is built on Alex’s talent for reverse engineering the algorithms—known as pseudorandom number generators, or PRNGs—that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out money—insight that he shares with a legion of field agents who do the organization’s grunt work.
These agents roam casinos from Poland to Macau to Peru in search of slots whose PRNGs have been deciphered by Alex. They use phones to record video of a vulnerable machine in action, then transmit the footage to an office in St. Petersburg. There, Alex and his assistants analyze the video to determine when the games’ odds will briefly tilt against the house. They then send timing data to a custom app on an agent’s phone; this data causes the phones to vibrate a split second before the agent should press the “Spin” button. By using these cues to beat slots in multiple casinos, a four-person team can earn more than $250,000 a week.
Alex, who insists that his hacking doesn’t violate Russian law, fancies himself a bit of a Robin Hood—a champion for the common man against an avaricious casino industry. “Gaming manufacturers claim they provide ‘entertainment,’ but we all know the nature of this ‘entertainment’ a little too well,” he says by email. “All they and I are really doing is moving money. Their job is to help casinos take money from the people; my job is to help myself and the people take money from the casinos. Just a little counterweight to the global gambling system, where the house always wins.” Yet he also knows that his self-described “milking system” is considered criminal in several countries, including the United States: In 2014, four of his agents were indicted on federal fraud charges after sweeping through casinos in Missouri, Illinois, and California.
Determined to find a way to score one last payday before shutting down his enterprise, Alex reached out to Aristocrat Leisure, an Australian slot machine manufacturer whose vulnerable products have been his chief targets. In a November 2016 email to Tracey Elkerton, the company’s global head of regulatory and product compliance, he offered to direct his agents to “cancel their work on Aristocrat slots to stop compromising your trademark” as well as “help your developers eliminate all design flaws.” He did not mention the fee he expected to be paid for these services, though he did note that he wished “to extract maximum money from my developments.”
Alex also insinuated that Aristocrat might face grave consequences if it chose to ignore him. “The matter could become worse if technical details would be available for your competitors or will be shared via internet or media,” he warned. To underscore the fact that he needed to be taken seriously, he ended the email with proof of his technical prowess: a mathematical breakdown of the supposedly secret PRNG that powers Aristocrat games like 50 Lions and Heart of Gold.
Clearly unsettled by the tenor of Alex’s approach, Elkerton suggested that they meet on neutral ground in the US. “If we were to arrange a meeting, our goal would be to understand the method that you have developed that is being used in various countries to cash out more money than expected from certain Aristocrat slot games,” she wrote in her reply.
Alex could never agree to such a meeting, of course; by setting foot on US soil he would be risking arrest. Frustrated by what he perceived as stalling on Aristocrat’s part, he decided to make Elkerton aware of just how much havoc he could wreak on her employer.
My own dialogue with Alex began in February of this year, after he read a story I’d written about his agents’ exploits in the US. (“I keep an eye on what becomes public regarding my business,” he explained via email.) His name had already come up twice in the course of my reporting—once from someone close to the fraud investigation in the Eastern District of Missouri and once in conversation with Willy Allison, a casino security consultant who has been tracking the St. Petersburg organization for years.
After much back and forth, Alex agreed to an on-the-record interview on the conditions that his surname not be used and that he could disregard questions about his personal life that struck him as too invasive. To bolster the veracity of what he shared, Alex supplied corroborating evidence in the form of emails, mathematical proofs, and audio recordings. I was able to verify several of his statements by checking them against legal documents or by consulting with people familiar with his organization’s work.
There are still several aspects of Alex’s story that could not be confirmed, however, starting with his education. He claims that after studying math and programming at a top Russian university, he spent two years at the FSB Academy, a government-run school that trains prospective members of the country’s intelligence apparatus. He also says he was once employed at a St. Petersburg military university that specializes in teaching cryptography and hardware hacking. During his formative years, Alex says, he never had the slightest interest in slot machines: “As a mathematician, I was aware of how odds work at an early age,” he says. “Mostly gambling appeared to me as nothing more than taxation on stupidity.”
Alex’s life-changing introduction to slots came about a decade ago, while he was working as a freelance hacker. A Russian casino hired him to learn how to tweak machines manufactured by Novomatic, an Austrian company, so that their odds would favor the house more than usual: The machine had been programmed to pay out 90 percent of the money it took in, a figure that Alex’s client wanted him to adjust down to 50 percent.
In the course of reverse engineering Novomatic’s software, Alex encountered his first PRNG. He was instantly fascinated by the elegance of this sort of algorithm, which is designed to spew forth an endless series of results that appear impossible to forecast. It does this by taking an initial number, known as a seed, and then mashing it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example. Writing such algorithms requires tremendous mathematical skill, since they’re supposed to produce an output that defies human comprehension; ideally, a PRNG should approximate the utter unpredictability of radioactive decay.
After wrapping up the casino gig, Alex spent six months teaching himself everything he could about PRNGs—in part because he admired their beauty but also because he knew that such expertise could prove profitable.“I mastered it to the point where I can develop such algorithms myself, on a level I am yet to see in a gambling machine,” says Alex, who will never be accused of lacking confidence. “It’s in my bloodstream now. I feel the numbers; I know how they move.”
In 2008 Alex unleashed his newfound mastery on the gambling world, hiring a small group of employees to “milk” Novomatic machines throughout eastern Europe. (Three years later, Novomatic became the first slots manufacturer to warn its customers that some of its PRNGs had been compromised.) After Russia largely outlawed its casino industry in 2009, resulting in a massive sell-off of gaming equipment, Alex was able to get his hands on an Aristocrat Mark VI slot machine cabinet. He reverse engineered the PRNGs for numerous Mark VI games and the popular machine—more than 100,000 are still on casino floors worldwide—soon became his burgeoning organization’s favorite prey: In the 2014 case in Missouri, for example, every count in the indictment relates to the bilking of a Mark VI.
Alex recruits his field agents online and meets few of them in person, ensuring that they won’t be able to reveal too much about his operation if they’re ever caught and interrogated. He pays little attention to the applicants’ education or professional backgrounds, since the job requires minimal know-how: The entire training regimen takes just two hours, during which prospective agents are taught how to use the customized phone app that prompts them when to hit a machine’s Spin button.
What Alex values most in his employees is discretion: He looks for people who, he says, “understand the importance of covertness in their actions and general behavior” and who “look respectable enough not to cause unnecessary suspicion.” Before they embark on their first assignment, new agents are offered the chance to purchase an “insurance policy”: In exchange for taking a bigger cut of the agent’s winnings, the organization will provide legal assistance and financial aid to the agent’s family in case of arrest.
Those arrests have been rare, since the milking system isn’t technically illegal in many jurisdictions. When agents have been caught by casino security guards, they’re usually just stripped of their winnings and banned from the premises. But Alex has weathered a few notable legal setbacks, which have resulted in some of his secrets spilling forth.
In the Missouri case, for example, one of the defendants, a Kazakh national who had been living in Florida, decided to cooperate with the FBI in exchange for leniency. (His three codefendants, all of whom were Russian citizens, pled guilty and received short prison sentences.) And in 2016, a Czech man opened up to Singaporean authorities after he was charged, along with two Russian accomplices, with violating that nation’s Casino Control Act. These two informants divulged how their fellow agents record video of slot machines without arousing suspicion (they often conceal phones behind mesh shirt pockets) and how the organization’s revenue gets divvied up (90 percent goes back to St. Petersburg).
Besides his Robin Hood justification, Alex defends his enterprise as cunning but by no means criminal. “We, in fact, do not meddle with the machines—there is no actual hacking taking place,” he says. “My agents are just gamers, like the rest of them. Only they are capable of making better predictions in their betting. Yes, that capability is gained through my technology, it’s true. But why should it be against the law? On the basic level, it’s like using a calculator for counting faster and more accurately, rather than relying on one’s natural capacity.” It is logic very much in sync with Russia’s culture of cutthroat capitalism.
Just before Aristocrat shut down for Australia’s Christmas break last year, Tracey Elkerton received an unexpected phone call from a man who identified himself only as Peter. “I’m calling on behalf of Alex,” he explained in lightly accented English, without informing Elkerton that he was secretly recording the call. (Alex let WIRED listen to the recording.) “He is a guy from Russia that you had an email exchange with? He hired me as an interpreter and he’s currently on the other line with me. Can you speak for a few minutes with him?” (Alex knows some English, but he prefers to use a translator when handling sensitive business matters.)
On the recording, Elkerton sounds initially flustered by the situation and appears to try to nip the conversation in the bud by saying that she has a meeting to attend. But Peter cajoles her into remaining on the line so he can relay Alex’s message, and the veteran Aristocrat executive gradually becomes more assertive as the half-hour conversation wears on. “He is talking of a deal with you where he can help you neutralize the exploit and stop the occurrences in the casinos,” Peter says on Alex’s behalf. “Like, he wants to be paid for it. So his question is whether you are willing to negotiate on that issue.”
Elkerton sounds skeptical. “It is very unlikely that Aristocrat will pay for information,” she replies. “It’s simply not how we operate. We have developed a solution for our products moving forward and we’re comfortable with that solution.”
Peter counters by expressing Alex’s doubt that Aristocrat realized just how many of its machines are at risk. He then makes a startling new claim: Alex has cracked the PRNGs for games that run on Aristocrat’s latest slot-machine cabinet, known as the Helix, which is two generations more advanced than the Mark VI.
Elkerton does not dismiss the possibility outright. In fact, she says that it does at least seem plausible. The Helixes that Aristocrat had been shipping, she says, “do not yet contain the solution that we have implemented.” (An Aristocrat spokesperson stresses that “Ms. Elkerton’s comment in response to the extortionist’s cheat allegation against unspecified games on Helix cabinets simply acknowledged a theoretical potential.”)
Sensing that he now has the advantage, Alex instructs Peter to demand that his proposal be passed along to Aristocrat’s most senior decision-makers, whom he believes would accept his offer if they knew their Helixes were in peril. But Elkerton counters by citing not only Aristocrat’s commitment to being “truly ethical” in its dealings but also her fear that Alex might not be a man of his word: “I have no guarantee that Alex shuts down this crew slash syndicate if we were to pay him a fee, a consulting fee, whatever we want to call it.”
Before ending the call, Elkerton poses a question to Alex: Why, after many years of earning millions with his milking system, is he now eager to cut a deal with Aristocrat? Why is he no longer content to continue making a small fortune by sending his agents around the globe? “He does know that in some countries [his system] is illegal, and that does concern him because he does not want to be criminal,” Peter answers. “He decided it would be better for him to get out of the illegal field and just shut it down and get a certain payment from the company for consultation and the patch.”
Upon hearing that Alex’s fondest wish is to be a straight arrow, Elkerton bursts into grim laughter.
Alex waited three weeks for Aristocrat to have a change of heart, then sent Elkerton a lengthy email in which he detailed the specific services he could provide in exchange for a sum that ran into eight figures. He also outlined some of the steps he might take if Aristocrat continued to dawdle, such as sharing his vulnerability information with the company’s competitors so that they could secure their own machines as well as poach Aristocrat’s customers.
As in his earlier email, he offered mathematical evidence of his bona fides—in this instance a breakdown of how the PRNG works for a game called 50 Dragons that runs on Helix machines. The proof also included a photograph of a Helix machine that Alex’s organization had allegedly targeted at the Sands Macau Casino; Alex urged Elkerton to have one of the company’s engineers check the machine’s logs to verify his claims.
Aristocrat parsed its words carefully in response to my inquiry as to whether Alex has cracked a Helix game’s PRNG. “Aristocrat received information from the extortionist alleging to be proof of a cheat,” the company informed me in a written statement. “However we could not verify any cheat based on the information provided. Aristocrat reiterates that it has no evidence of any actual or potential cheat of any title other than the handful of Mark VI vintage titles previously reported.” (Aristocrat has informed its customers that the thousands of compromised Mark VI games “are no longer supportable” and urges them “to replace this old, end of life technology with new, more modern products.”)
It seems improbable, however, that Alex could send Aristocrat a proof that the company’s engineers would instantly recognize as fiction. Were he to do so, Aristocrat would have good reason to dismiss him as a charlatan whose threats are idle. But based on its reaction to my various inquiries, the company seems far from nonchalant about the Alex situation. (In response to a specific question about whether Alex’s email contained the 50 Dragons proof, a company spokesman said: “Aristocrat has confirmed this extortion attempt, the fact that it has been referred to the relevant authorities, and managed in compliance with all relevant protocols. It would be inappropriate to comment further.”)
After Alex shared his most recent Aristocrat PRNG proof with me, I showed it to David Ackley, a computer science professor at the University of New Mexico. Ackley discovered that the algorithm had a peculiar backstory. On a hunch, he took some of the equation’s values that were expressed in hexadecimal format and converted them to decimal format. When he did, he noticed that the resulting numbers were familiar: One was an approximation of pi (31415926), one was an abbreviation of the mathematical constant e (271828), and one was a slightly ribald jest (69069).
By tracing those jokey references back, Ackley found that those exact numbers had also been used in a PRNG featured in SpaceOut, a 1988 program for the X Window System that simulated travel through a star field. When I contacted the author of SpaceOut, he recalled that he had cribbed his PRNG from the second volume of Donald Knuth’s The Art of Computer Programming, a classic of the discipline. I was able to locate that PRNG in the edition of the book that was published in 1981, though it may also appear in the original edition from a dozen years earlier.
This coincidence raises at least two possibilities. The first is that Alex sent Aristocrat a fake proof full of mathematical in-jokes and wagered that the company’s engineers would be too dense to realize that he was putting them on. The second is that Aristocrat has been basing some of its PRNGs, at least in part, on an algorithm that is at least 36 years old and which has long been in the public domain.
If the latter is the case, then Aristocrat—like all slot machine manufacturers—has a ready defense against any suggestion that its PRNGs are too feeble. Because government regulators must vet and approve all PRNGs before they’re used in casinos, those regulators are easy to blame when hackers like Alex find flaws in the code. “Every single Aristocrat game that is on a venue floor—regardless of where it is—has been approved by the relevant regulators and complies fully with the standards required at the time it was placed,” a company spokesperson told me.
Aristocrat has held fast to its refusal to negotiate with Alex, a decision that not all of its corporate peers have made when dealing with similar crises. In fact, plenty of companies confronted by hackers with damaging information have opted to play ball and transmit the requested bitcoins to their tormentor. “You might be able to live with the cost of paying off the lawsuits and that sort of stuff, but the potential reputational damage might be too much to bear,” says Steve Stone, a leader of IBM’s X-Force Incident Response and Intelligence Services division, which advises client on how to handle cyberextortion. But he adds that those companies often rue their decision in the long run, since—as Tracey Elkerton implied in her phone call with Alex—black-hat hackers aren’t known for being merciful: “It’s not all that unusual to pay and then they come back and say, ‘Oh, now we have two things.’ And then it’s ‘Now we have three things.’”
Having failed to persuade Aristocrat to strike a deal, Alex is now toying with the idea of approaching IGT, another slot machine manufacturer; Alex claims to have recently deciphered the PRNGs for games that run on machines made by Atronic, an Austrian company that is now an IGT subsidiary. “I have to say they are a bit more robust [than Aristocrat’s] and some machines did give me the pleasure of a challenge, but they are still generally weak,” he boasts. “An engineer’s mind is just too linear. They don’t understand the psychology of dismantling, they just don’t know where and how a hacker is going to strike. So they leave a number of doors open for me to enter.”
Alex also claims to be engaged in selling his milking system to interested parties. One of his customers, he says, was a New York-based crew of alleged Russian and Georgian mafiosi, 33 of whom were indicted in June for racketeering, fraud, and other crimes. According to confidential government informants, this crew, known as the Shulaya Enterprise, brought an Aristocrat Mark VI slot machine to a Brooklyn aparment in September 2016; four months later, the group began fleecing casinos in Pennsylvania by using “electronic devices and software designed to predict the behavior of particular models of electronic slot machines.”
When he inevitably tires of the slot-machine racket altogether, Alex is prepared to exit the industry in a blaze of mischief. “Sometimes I fantasize about just putting my tech out there for everyone to use,” he says. This would result in what he terms his “zombie apocalypse” scenario: Equipped with Alex’s information and software, both obtained online for free, anyone with a smartphone will be able to turn a vulnerable slot machine into a gaudily decorated ATM.
“Can you imagine something like that?” Alex asks. “It could uproot the entire slot machine industry. And the world just might become a slightly better place. Well, for most people at least.” Should that future come to pass, the losers will only have their mathematical sloppiness to blame.
The Raven Group offers unsurpassed Defensive Intelligence Collection & Analysis services that are unsurpassed. Raven also offered AI solutions for video and audio streaming / recordings. Utilizing cutting edge the technology and decades of experience, Raven offers clients a means to greatly enhance their security posture and knowledge. The best defense is a good offense!
The Raven Group is a Corporate Counterintelligence (CCI) and Cybersecurity consulting firm that helps companies protect their company, customers, employees, and reputation. Raven’s consultants of former CIA Intelligence Officer and Federal Law Enforcement Special Agents have spent a lifetime protecting our nation from threats of every kind and are second to none. Let us bring that expertise to your company.