Nine Win Casino - Player’s winnings are delayed due to account security issues.

I won over 500,000 half was paid then they advised the other money had been played , they advised someone had logged in using password and 2FA wich is impossoble. I asked for audit logs (they wouldn't provide) I am currently working with a lawyer in curacao who is going through our emails etc. The bottom line is the site are responsible for the money until they let me withdraw , IF an unauthorised session took place and the money lost when password or 2fa had not been used - they are responsible.

Dear ALAZ,

Thank you very much for submitting your complaint. I’m sorry to hear about your negative experience with Nine Win Casino.

Please allow me to ask you a few questions, so I can better understand the situation.

• Could you please share any evidence supporting your claims?
• Could you please explain when did the incident take place?
• Share more information regarding the timeline of events and your communication with the casino regarding the issue with me at [email protected]

I hope we will be able to help you to resolve this issue as soon as possible. Thank you very much in advance for your reply.

Best regards,

Tomas

Dear ALAZ,

We are extending the timer by 7 days. Please, be aware that in case you fail to respond in the given time frame or don’t require any further assistance, we will reject the complaint.

Good Afternoon,

Apologies for the delay - I have emailed you the timeline.

Regards,

Alex

Thanks for your patience.

Let me cite from the document you provided:

The casino claims that:

During the new sessions starting from the 2024-10-15 02:43:06 UTC + 0 and over the time the balance was gambled away (until your login on 2024-10-16 10:55:15 UTC + 0) only one IP address was used to access the account;

This IP address belongs to you as you confirm the session opened on 2024-09-16 21:38:41 UTC +0 with your Iphone from the same IP address;

The gambling pattern during these sessions is extremely similar to what we can see in your account before the alleged takeover.

Have you received the IP log from this period from the casino?

Were the games played during this period those you were usually playing?

Thanks in advance for your reply.

No they have refused to provide the logs after multiple requests. They eventually (after changing multiple times) advised that someone accessed this from an old device (this hadn't accessed the site for OVER 6 months) this would have been also, AFTER the password had been changed and 2FA added to the account. At the time they say the account was accessed the ONLY phone (The IPHONE) with the 2FA generator/ access to the account was in a different country! (This IP address belongs to you as you confirm the session opened on 2024-09-16 21:38:41 UTC +0 with your iPhone from the same IP address). By there own admission no one would have been able to access without the relevant password OR the 2FA code. In this instance if someone HAS it is a security flaw on there part as aforementioned the only phone that can generate this code was abroad & I can assure you it was not transmitted in any way

It is impossible 2FA and password were used IF the account was even accessed at all.

As for the pattern I would not know - they asked me to clear all cookies etc then blocked account while they investigated , I have not accessed since as they have made it require a password change and I do not want to jeopardise my case if this were to alter some level of audit log forensic information I may need to rely on. But historically I played "top trending games". As outlined to them when they said this I am sure they are "Top trending" for a reason.

Again the Curacao based legal representative has advised they are operating with a unknown legal entity I have requested this information as well as licence information from them also and they have refused to give it to me.

Further to this it is important to note - they had been advised on numerous occasions as they were trying to get me to return and spend the balance (I have provided you the messages & texts) that this account WOULD NOT be used until the full amount had been withdrawn so to stop texting me. I find it highly irregular after telling them this the balance *(after 6 months) is lost in a session but they refuse to provide information on the log in audit to prove a password and 2FA were used.

Thank you very much, ALAZ, for providing the necessary information. I will now transfer your complaint to my colleague Matej ([email protected]), who will be at your service. I wish you the best of luck and hope the problem will be resolved to your satisfaction in the near future.

Dear ALAZ,

I'm sorry to hear about your account troubles. Resolving account security issues can be challenging, but we will do our best to assist you.

To gather more information, I'd like to invite a casino representative to participate in this case.

In the meantime, ALAZ, please create a timeline of the events that occurred.

Also, please confirm that when your friend set a password and your fiancé enabled 2FA, you were unable to access the account independently (requiring their cooperation).

Hello!

We want to assure you that your account has been secured to the highest standard on our end. No signs of hacking activity or unusual logins have been detected.

For your peace of mind, we recommend that you change your game account password. Once updated, your account will be reopened.

Additionally, please keep in mind that according to our Terms and Conditions:

"It is your exclusive responsibility to ensure that your login details are kept securely. You must not disclose your login details to anyone. The Casino is not responsible for any abuse of your account by third parties due to your disclosure, whether intentional or accidental, whether active or passive, of your login details to any third party."

Best regards,

Nine Win Casino

Dear casino representative,

Could you please confirm that?: (during the mentioned time period)

1. All access to the casino was from the same IP address.
2. All access from the casino was from the same device.
3. All access to the casino was with 2FA.

Thanks.

Good Afternoon Matej,

Have you received the timeline including all images / emails & correspondence I had sent privately to Tomas. If no I can forward to you. The time line in short;

Device A (Desktop)

Device B (Phone) 

Device C (Tablet)

Device D (Phone) 

Device E (Laptop)

On the night of the win let's assume the above devices had access (As I used different devices). The Same day

as the win, all devices were logged out of and a password change took place. On the

27th to ensure safety of funds while I started the withdrawal procedure ALL sessions

were logged out of , 27th the password was then changed on Device F and 2FA

added . At this point Device A,B,C,D,E couldn't access they didn't have new

passwords inputted and all sessions logged out not only this but 2FA had been

added to the account authenticated through ONLY Device F. Withdrawals start

taking place from device F and you will see this is the only device that is accessed

(again Using 2FA).

Then on the 9th/10th I set up 2FA on a different device device G (Iphone and my

only device with access) device F was logged out of , this would have meant at this

time no sessions on A,B,C,D,E,F no current passwords entered and furthermore 2

FA authenticated ONLY to device G.

Since then I have ONLY used device G to access the site. At no point have devices

A,B,C,D,E,F logged in or had up to date passwords / 2FA codes used for one off

access etc. This is how I know this session has taken place with no correct password

entered and no 2FA even though it was active on the account!

After seeking advice, whichever way you look at this if ANY device apart from device

G has accessed this site whether used before or not - it is a clear security flaw.

As per Nine Wins admission (In response) ;

Secondly, we totally agree that the sessions should be closed as soon as the user

changes the password. However, in the case we are investigating now the potentially

fraudulent session was started after the 2FA was set to your account and after the

password change occurred on 2024-07-27 21:47:06 UTC + 0 . Based on these facts

we can conduct that whoever started this session, was in possession of your login

credentials and correct 2fa code.

They also confirm ;

By the time of the next active session 2FA was set up and no other active sessions

were authorized. That makes us believe that normally 2fa should have been

requested during the next login, because this is the procedure of handling the

authorisation (which was confirmed by a test in the course of our internal

investigation).

---

I have since requested the log authentication as this will show the access method (Token, Password, 2FA) used but they refused to send;

"This decision is final and we have all proof

of this fact. For our own security purposes, any documentation, reports and other

such information will not be shared, it is confidential."

Nine win have confirmed ANY device has accessed without having to input a 2FA or current password then it would be a security flaw and the site liable for any loss as a result of an unauthorised session. The burden of proof is with the site to show the "log in" that took place and resulted in a loss of the balance as they confirm 2FA was set up and no sessions active they need to show 2FA was used , they can show this with log audits - the reason they are not is it will show no 2FA was used. It couldn't have been. Even the language used "That makes us believe that normally 2fa should have been requested during the next login" "Believe" / "Normally". Its not right , they have a responsibility to protect the funds , especially after reducing the amounts people can withdraw. If 2FA is on the account (witch it was) and they refuse to prove it was used (Witch it wasn't) that in my mind says it all.

Furthermore - while we have a representative please could I ask them to provide the legal entity that owns/operates NineWin as they have refused to provide me this information also.

Regards,

Hello!

Thank you for your patience. Please be assured that our team is actively working on the case and will provide the required information at the earliest opportunity. We apologize for the delay and thank you for your understanding.

Kind regards,

Nine Win Casino

Hello!

Thank you once again for your continued patience.

We would like to inform you that we are still in the process of gathering the necessary information from the logs, which is taking longer than anticipated. Please accept our sincere apologies for the unwanted delay.

Rest assured that our team is actively working on this, and we will provide the required information as soon as it becomes available.

Best regards,

Nine Win Casino

Hello!

We have gathered the requested information to answer the questions as follows:

1. All access to the casino was from the same IP address: Yes, all access was made from the same IP address.
2. All access to the casino was from the same device: The player has generally used several devices; however, these are the same devices that were used by the player prior to the period in question.
3. All access to the casino was with 2FA: Two-Factor Authentication (2FA) was used to initiate the new session.

Best regards,

Nine Win Casino

Good Afternoon,

Unfortunately, typing yes in a response does not constitute the truth - I have requested proof numerous times and you have refused to send (These emails have been shared with Casino Guru and text and extracted / quoted earlier on. I know this not to be true as only ONE device had access to 2FA. This would mean for ANY session EVEN on a previously used device to be started a 2FA code would have had to have been generated / inputted neither of witch could have been done! Furthermore the only device with access was in a different country at the time of the unauthorised session (this can be confirmed from the IP the messages were sent to Nine win the day after the unauthorised session). Am I correct in assuming The burden of proof lies with Nine win to show it was, yet they refuse to do so?

Matej with my doubts of the integrity of this platform , even more so as I know the response to be untrue , could you please advise the best next steps? Do I have the opportunity to take legal action? Also any company information on Ninewin would be of assistance. I have been advised the original Licence was through Cyberluck (Now bankrupt) and faced legal action / lost due to none-payment of players (coincidently also in October). They are now operating with no licence until they get a new one BUT as far as I'm aware are allowed to continue licenced activity until the new application is accepted or rejected.

I have asked them for the company information but they have failed to provide. Could you assist?

Regards,

Alex

Dear Casino Representative,

Could you please send the supporting evidence to [email protected] so that we can validate your response?

Dear ALAZ,

If the casino does not provide us with the evidence, or if you are dissatisfied with the progress of the complaint, you can always submit your case to the official ADR for GCB-licensed casinos (https://cadre.online/). Please note that the GCB does not handle complaints directly and only responds to reports related to serious violations or unethical practices.

Hello!

The requested evidence has been sent via email. We kindly ask that you review the documents at your earliest convenience.

Best regards,

Nine Win Casino

Good Afternoon,

Could I ask directly & publicly , why this information can be sent to  [email protected] but when I requested this information numerous times I was advised , even in a final response yo would not be able to provide this evidence as it broke data protection?

Matej , please if you could also forward the evidence provided to my email address.

Regards,

Alex

Dear Alex,

Based on the casino's evidence, all the suspicious activity was made from device G. The IP address is a perfect match, and the gameplay aligns as well. The session was created with 2FA (although I'm unsure how the session duration works—it seems unusually long to me).

The activity from my perspective, it looks normal.

I cannot share the evidence provided to me, but I believe that if you contact the casino directly, they should be able to provide you with the evidence you've requested. Based on the data from the casino, I'm not sure how we can assist further in this situation.

Good Afternoon,

I have requested the information from Nine win again. Despite there numerous, previous refusal's to share with me . At the time "Device G" would have been in a different country. So the IP couldn't have matched , this can be proved - furthermore, even if someone has accessed the site of a previously used device this would have HAD to have triggered 2fa otherwise this is a security failure on the websites part weather it be bypassed , poor session management or poor security implementation as this is the whole point of password changes and even more so implementation of 2FA they would be liable for any loss incurred. The fact in this case the salient point of 2fa seems suspicious or "unusually long" is enough for me to request you hold out until I have had chance to examine the evidence they have provided you ,but they refuse to show/send to me (which again is highly suspicious)

I can also confirm since last posting I advised Nine win I would complete a pass word reset to check session logs etc myself - only to have the account closed and told I would be no longer be able to access. I have all transcripts/emails of this - again highly suspicious. I also believe there were still funds in this account (I have been unable to check since I queried the "session" with them) they have advised there wasn't but I know they are already being dishonest.

Regards,

Alex

Hello Alex,

In this situation, I believe the best course of action would be to contact the relevant regulator.

We can only make decisions based on available evidence, and the casino has already provided data showing that the bets were placed from the same IP address, using Device G, with two-factor authentication (2FA) enabled.

You’ve stated that the device was in a different location, but so far no supporting evidence has been provided. Hypothetically speaking, even if someone claimed the device was elsewhere, proving it is extremely difficult. For example, IP addresses can be easily masked using a VPN to simulate a different location. Photos of devices wouldn't be sufficient either, as there's no way to verify the device in the image is yours. Even if you could prove your own physical location, it’s still possible that the device remained at home and someone with access to the 2FA credentials placed the bets.

The core of your complaint is that you were not the person playing. However, the session data aligns with your usual habits, and both the IP and device match your typical use. In these cases, identifying who actually played is critical, but without concrete counter-evidence, we can only rely on the casino’s data.

If you have any suggestions on how to proceed or if you can provide some relevant evidence, I’d be happy to review it. Otherwise, if we are unable to make further progress, contacting the regulator may be your best option.

Dear ALAZ,

We are extending the timer by 7 days. Please, be aware that in case you fail to respond in the given time frame or don’t require any further assistance, we will reject the complaint.

We regret to inform you that, due to the lack of response from the player to our messages, inquiries, and reminder, we are unable to proceed with further investigation or provide potential solutions at this time. As a result, we must close this complaint for the moment.
However, please note that the player retains the option to reopen this complaint at any time in the future should they choose to resume communication. We remain open and ready to assist in resolving the matter should the player decide to reach out again.

Thank you for your understanding.

Best regards,
Matej
Casino.Guru

We’ve reopened this complaint at the request of ALAZ. We would like to allow this case one more chance to be resolved and help both parties involved to reach a satisfactory conclusion.

Dear ALAZ,

When we previously closed this complaint, we did so based on the evidence provided by the casino.

To my knowledge, there has only been several cases where a player successfully proved that the session in question did not originate from their device. In one case, the player was working as a driver at the time and was able to support their claim with CCTV footage, a letter from colleagues, and GPS tracking data that clearly showed their route.

In your case, the casino has presented us with evidence that left us with no other option but to close the complaint.

I understand that you believe the data provided by the casino is forged. If that is the case, I recommend you escalate the matter to the regulator. The GCB has recently issued guidelines requiring all licensed casinos to handle complaints and also to provide access to an ADR (Alternative Dispute Resolution) service. According to these guidelines, casinos must make their ADR provider available by 31 July.

Therefore, you may consider waiting for the casino to announce their ADR and then contact them directly. However, please be aware that you are currently making accusations against the casino without providing any evidence. When you requested the case to be reopened, you assured me that you had additional evidence, but nothing has been submitted so far.

Good Afternoon Matej,

Given the likelihood of legal action needing to be taken I have emailed you direct. This email contains further information.

Regards,

Alex

Dear ALAZ,

I went through all the evidence provided by the casino once again and also reviewed our email communication. I’m reopening this complaint because you had promised to provide new evidence; however, we are still in the same situation.

The casino has shown that your logins perfectly match your previous login patterns. The game history also aligns with your past activity. Additionally, they confirmed that the device used matches your previous sessions and that 2FA (two-factor authentication) was enabled.

Whether 2FA is triggered with every login or not is not something that can be used as a decisive factor in this case. I have also consulted this matter with my colleagues.

As I mentioned before, the GCB has announced that all casinos must appoint an ADR (Alternative Dispute Resolution body) by the end of July. You will be able to submit your complaint there.

I’m truly sorry, but based on the evidence provided by the casino, we must reject this complaint. I regret the negative outcome. Please contact us once you receive a response from the ADR, and we will be happy to reclassify the case based on their decision. In the meantime, feel free to keep me updated via email.

Best regards,

Matej