Epic bet fails due to its KYC verification

I am requesting a refund of CLP$2,300,000. A minor gained access to the platform and managed to compromise the Know Your Customer (KYC) verification system using financial and residency documents modified with artificial intelligence.

Epicbet's security system failed to detect the digital manipulation of documents, allowing massive deposits. I have presented evidence of this technical flaw to the casino, but their support simply cites password confidentiality clauses, ignoring their objective responsibility for identity verification and the protection of minors under their Anjouan license. A formal complaint has already been filed with the regulator (Anjouan Gaming Board).

Hello, if you have already informed Anjoan, I guess this request serves more as a word on sharing.

Well, from another perspective, deposits are usually not in direct relation with the KYC; withdrawals usually are. Therefore, falsifying documents could potentially hinder successful withdrawals, but it might not resolve the deposit problem, if I'm not misunderstood. In any case, I understand that this minor broke the rules and I also understand that the situation is very unpleasant. Feel free to add more if that is okay with you.

"Thank you for your response. I would like to add crucial information so that this case is not seen as a simple password oversight, but as a systemic security failure:

1. Account validation before deposits: In this specific case, the minor not only made a deposit, but the Epicbet system also requested and accepted document verification (KYC) while the transactions were being processed. The fact that the casino's biometric software accepted AI-modified documents to validate the account is what allowed the deposit flow to continue.

2. Failure to fulfill the 'Duty of Care': If a casino accepts AI-generated forged documents, it demonstrates that its security protocols are vulnerable to identity fraud. This not only affects the minor but also jeopardizes the integrity of Anjouan's license, as the operator is processing funds from a synthetic identity.

3. Contract invalidity: Since the user who 'signed' the contract is a minor and their identity was incorrectly validated by the casino's technology, the contract is void ab initio. The casino cannot profit from funds obtained through a breach in its own technical security.

4. Case Law: In cases of 'Social Responsibility Breach', when the operator fails to detect a vulnerable or underage player due to deficient verification systems, the regulator usually demands the full restitution of deposits (Net Losses).

I request that Casino Guru keep the complaint open and ask Epicbet for a technical explanation as to why their Liveness Detection system did not flag the AI ​​documents as fraudulent.

"I am providing the official response received from Epicbet's Support Team Lead (Andres). In their email, they explicitly refuse the refund by citing the following Terms and Conditions:

• T&C 3.9.2: Regarding the user's responsibility to keep login credentials confidential.

• T&C 3.1.3: Regarding the user's obligation to provide truthful information during registration.

My technical rebuttal to this response is as follows:

1. Irrelevance of Section 3.9.2: The operator is attempting to treat a KYC bypass as a simple 'lost password' or 'shared account' issue. This is not about credentials being leaked; it is about the fact that their security system validated and approved an identity that was synthetically created by a minor using AI.

2. Failure of Duty of Care (3.1.3): While 3.1.3 requires users to be truthful, international gambling regulations (including Anjouan's) require the operator to have competent forensic systems to verify that truth. If an operator’s 'Liveness Detection' and document analysis fail to flag AI-manipulated IDs, the operator is in breach of its AML and Social Responsibility obligations.

3. Invalidity of Contract: A contract with a minor is void from the beginning (void ab initio). The operator cannot claim a violation of T&Cs to retain funds when the contract itself was never legally valid due to the age of the participant and the failure of the casino's verification engine.

4. Bad Faith Communication: I have also attached evidence (Error 550 5.1.1) showing that Epicbet’s official compliance and management email addresses do not exist, leaving players with no path for escalation other than this mediation."

Well, this makes sense, but it still lacks the other perspective. Do you think the individual who intentionally planned to impersonate someone else falls outside the scope of this issue? Is the casino solely responsible for someone else's plan to fake his identity?

If someone breaks those specific rules, the money will be voided in 99% of cases because it is common knowledge that minors are not allowed to register, and forging documents to pretend not to be a minor is against all rules.

Hence, I believe this is quite a one-sided communication. But as I said, I understand this must be challenging to deal with. Best of luck to you.

"I completely understand the perspective that the minor acted in bad faith. However, this mediation should not focus on the moral behavior of a minor, but on the technical liability of a licensed operator.

1. The Casino as a 'Gatekeeper': The common knowledge that minors are prohibited from gambling is exactly why regulators mandate that casinos invest in sophisticated forensic verification software. If a minor can bypass these rules using AI, it reveals a critical security breach in the operator's infrastructure.

2. Technical Failure: The minor's plan only succeeded because the casino's software validated and approved the documents. Had the casino's system fulfilled its technical duty to detect digital tampering, the account would have been flagged immediately, and no deposits would have occurred.

3. Duty of Care: Responsible gambling laws dictate that the burden of prevention lies with the professional operator. By accepting a synthetic identity, the casino acted as an inadvertent facilitator.

The contract is void ab initio because the verification engine failed to perform its core function. I am asking for the casino to be held accountable for its technological negligence, which is a requirement of their Anjouan license."

Well, I understand why this situation raises strong reactions, but it’s important to separate technical expectations from actual regulatory practice.

First, the fact that a minor was involved does not automatically shift full responsibility to the casino. Online gambling rules are built on shared responsibility. Operators must implement age verification and KYC checks, but users are also required to provide truthful information. When an account is created using falsified or AI-manipulated documents, this is considered deliberate circumvention of safeguards, not a standard verification failure.

Second, while contracts with minors are generally considered void, this does not automatically create a right to a refund of losses. Regulators are careful about setting precedents that could encourage abuse, such as using a minor’s identity to gamble and then requesting refunds after losses. In most jurisdictions, the typical outcome in such cases is account closure and forfeiture of funds, not reimbursement.

Third, KYC and liveness detection systems are risk-based controls, not guarantees of perfect detection. The existence of increasingly sophisticated document manipulation does not by itself establish operator negligence. What regulators usually assess is whether the operator had reasonable verification measures in place and whether they acted appropriately once the issue was identified.

Finally, licensing authorities do not mediate disputes in the sense of negotiating outcomes. Their role is to determine whether the operator complied with applicable rules. A failure to detect a sophisticated fake identity does not automatically mean the operator breached its obligations or becomes liable for losses incurred through deliberate misrepresentation.

Protecting minors is a critical goal, but presenting intentional rule-bypassing as operator liability risks creating misleading expectations and potentially encouraging further misuse of the system.

"I appreciate the mediator's perspective on shared responsibility. However, I must clarify a fundamental distinction in this case that moves it from 'user fraud' to 'operator negligence':

1. Active Validation vs. Passive Failure: This was not a case of a minor simply typing a false birthdate. The casino's system actively requested, processed, and officially approved the uploaded documents. When a licensed operator’s software flags a document as 'Verified,' it grants the user a legal expectation of security. If their 'Reasonable Measures' cannot distinguish an AI-altered ID, the measure is, by definition, not reasonable for a high-risk financial industry.

2. The 'Incentive' Argument: I understand the concern about creating incentives for refund abuse. However, there is an even more dangerous precedent: allowing operators to profit from unverified and illegal deposits. If an operator can keep $2,300,000 CLP deposited by a minor because their own security failed to catch it, the operator has no financial incentive to improve their KYC technology.

3. The 'Void ab Initio' Principle: Under international contract law, a contract with a minor is not just 'voidable,' it is void from the beginning. Therefore, the casino has no legal title to these funds. Confiscating the funds (as the mediator suggests) would be appropriate if the money were 'winnings,' but these are original deposits that should never have been accepted.

4. Regulatory Non-Compliance: The Anjouan Gaming Board’s standards require operators to prevent underage gambling. If the software 'Approved' the minor, the operator failed the regulator’s primary objective.

I request that Casino Guru asks the operator to provide the Audit Trail of the KYC process for this account. We need to see why their system gave an 'Approved' status to a fraudulent document."

"I appreciate the mediator's perspective, but we must address a critical technical fact: the casino’s system provided an 'APPROVED' status to the documents. This was not a passive entry; it was an active validation by their forensic software. If a licensed operator cannot distinguish AI-generated documents, they are operating with a critical vulnerability that compromises the integrity of their Anjouan license. I am not requesting a refund of 'winnings,' but the return of deposits made under a contract that is legally void."

Hello, I get that right from the start. However, Casino Guru does not ask casinos to do Audit trails.

As I was trying to explain to you, Casino Guru resolves issues in line with our Fair Gambling Codex 👈. You have not submitted a complaint, so no mediator has spoken to you yet. You are welcome to submit your request; my colleagues will then explain the rest to you.

As far as I concluded, you already contacted the licensing authority. is that so? In that scenario, you are in an official position, and it makes sense to defer to the authority's decision.