- Alex, the guy who deciphered the PRNG used by slots and made millions
- Slot machine frauds, HW manipulation, and special tools
- Slots and software glitches
- Appendix: How Alex’s algorithm might work
Properly designed slots that work with true random number generators are theoretically unbeatable. But in reality, there are many documented cases of players who managed to trick slots into paying out much more than the casino owners had hoped.
Many of these tricks are blatant theft. These usually include tools to manipulate a slot machine’s hardware, namely its coin dispenser or note acceptor. Some cases involved a casino insider who helped to manipulate the slot machine.
In another group of cases, players were just unusually lucky. They managed to find a software glitch and used it in their favor.
However, by far the most interesting case is the story from the very recent past (2009-2017) of a Russian guy from St. Petersburg, who managed to successfully predict the spin outcome on certain models of slot machines and used this to his advantage to milk millions from casinos around the world.
This story is so mind-blowing that I have decided to spend some time with it, and delve in for a deeper analysis of the techniques he used.
The credit for publishing the details of this story goes to wired.com and Brendan Koerner.
Alex, the guy who deciphered the PRNG used by slots and made millions
Alex was working as a freelance programmer and hacker when a Russian casino hired him to manipulate the RTP of some Novomatic slot machines. To do the job, Alex had to learn in detail how these machines work internally. He also learned about PRNGs (pseudo random number generators): how they work and how they are used in slot machines. The breakthrough came when he spotted that the slot machines were using an insecure PRNG algorithm that might be predictable.
A true RNG uses physical noise (for example electromagnetic noise) to generate completely random and completely unpredictable values. A PRNG works differently: it starts with a predefined value (the seed) and then mixes it with some other inputs to generate an endless series of values. At first glance the output of a PRNG looks completely random and impossible to predict. However, if the PRNG uses a weak algorithm and you know exactly which one, then you may be able to predict the next random number.
Alex had apparently noticed that the algorithms used by some slot machines were weak, and decided to use this to his advantage.
Over the next few years, he managed to lay the groundwork, preparing for what would become a much more sophisticated operation:
- He reverse-engineered several popular slot games.
- He developed an algorithm which can figure out the current PRNG parameters and predict outcomes of future spins based on two dozen spins of a slot.
- He developed an iPhone application which used the predicted outcomes to tell the player when exactly to press the spin button to win.
- He hired dozens of on-floor agents, who were tasked with milking casinos around the world for the following 6-7 years.
Alex claims that during the time he and his team managed to make millions of dollars.
Was Alex’s system legal and morally acceptable?
The technique he developed doesn’t involve any prohibited manipulation of slot machines. That stands in stark contrast with many of the theft techniques described later in this article, which fool slot machine hardware into dispensing more money than intended. Alex’s strategy is based on pure math and his own observations, and thus can be considered a valid and clean "how to beat slots" strategy.
Many gambling experts (including me) consider Alex’s actions to be entirely clean and morally acceptable. I would compare it to card counting in blackjack, bonus hunting or advantage betting. Casinos put these slot machines on the floor voluntarily, and it’s their problem if someone smart can predict the outcomes and take advantage of that.
This strategy wasn’t technically illegal in many jurisdictions. So even if casino security guards managed to catch one of his agents, they only confiscated his winnings and banned him from further access to the casino.
But casinos (especially land-based ones) are huge companies with a lot of money and strong connections to the local authorities. When casinos spotted that there was an organized group using their slot machines as ATMs, they no doubt pulled some strings. Authorities and casino lawyers eventually managed to find a crime that corresponded to what this group was doing, namely "conspiracy to commit fraud". This resulted in the arrest of 4 of Alex’s agents in Missouri in 2015 (who were later charged and sentenced to 2 years in federal prison).
That was the breaking point of the story, and some agents started to talk more openly about the details of their milking system. The group had very likely become known to most casino security officers around the world, and another arrest followed in Singapore.
Alex’s attempt to work with slot manufacturers
Alex, recognizing that it was becoming too risky for his agents to continue using this system, decided to make a last attempt to turn his know-how into money. He contacted Aristocrat, the manufacturer of the slot machines he had managed to compromise, directly. Hoping for an 8-digit reward, he offered his services in improving the PRNG algorithms and fixing all of the security issues. At the same time he threatened that if Aristocrat didn’t accept his offer, he would sell this sensitive information to their competitors. However, Aristocrat refused to play his game, despite the fact that he had provided them with all the mathematical details of their vulnerability.
When Aristocrat refused Alex’s offer, he decided to give it one more chance, and push a little further by publishing the details of his story. He contacted Brendan Koerner - a man who had already covered known facts about his story in this article.
Brendan agreed to continue with the story, and published another article with a lot of new details directly from Alex. If that hadn’t happened, you wouldn’t be reading about them in my article.
In any case, for me, this is the biggest gambling story of the 21st century. I definitely look forward to the next chapter and also for the movie. I hope that Hollywood will do it justice. Popcorn prepared.
How big was it and what are the consequences?
There is quite a lot of evidence that Alex managed to successfully apply his strategy to the outdated Aristocrat MK IV slot machine. Aristocrat itself now recommends that its customers replace these machines. Despite that, there are still thousands of these machines in many casinos around the world. However, most casinos shouldn’t have any problem replacing them when necessary.
Alex claims (and there are some signals supporting his claim) that in 2009 he started to decipher the PRNGs of some older Novomatic cabinets. However, it is very likely that Novomatic managed to remove this vulnerability with a security update in 2011. Maybe this Novomatic patent for System and Method of Centralized Random Number Generator Processing from 2013 also had something to do with that.
He also claims that he managed to do the same with some machines made by Atronic.
By far the strongest claim from Alex is that he found a similar vulnerability for the Aristocrat Helix cabinet. Helix is one of their current models, so if Alex wasn’t bluffing, then Aristocrat may have an even bigger problem - especially if it is not possible to fix with a security update or minor chip replacement. But on the other hand, Aristocrat is a huge company with $2 billion annual revenues and $500 million yearly profit. So they will very likely survive it (with major internal HW replacement and damage to their reputation, in the worst case scenario).
Anyway, don’t expect too much fun. Even if Alex decides to publish more details about his algorithms, casinos will very likely turn off all affected slot machines before ordinary people have a chance to use this to their own advantage.
If you want to have fun, get your own Aristocrat cabinet and do your own reverse-engineering. I bet that with one of my friends who is a specialist in microelectronics we would be able to do it if we wanted to. ;-)
A true story, or an urban legend?
There is a lot of indirect evidence that the story as described by Alex is true. Authorities wouldn’t have arrested and sentenced his agents in 2 countries if it wasn’t true. Novomatic wouldn’t have investigated slot machine manipulation, and wouldn’t have released security updates if it wasn’t true.
But don’t slot manufacturers have dedicated security specialists? How could these huge companies overlook such a vulnerability?
I can explain that quite easily.
I have worked as a software developer for 10 years and I can say that security threats can easily be overlooked. This is even more likely for new and unknown types of attack like this one. Even if there was a security manager in charge at the time, he was trained to mitigate only the threats known to him at the time (monkey paw etc.). If the development team didn’t have a true expert on board who was able to anticipate new vulnerabilities and raise his hand, then this PRNG threat could easily have been overlooked.
Regulators only required the PRNG to produce a uniform distribution of numbers. Even simple PRNGs do this. Unpredictability (cryptographic security) didn’t have to be tested at all.
The PRNG concept sounds like something alien to most "business people". They only care about a few things. They are satisfied when a slot machine:
- doesn’t crash,
- is liked by players,
- makes money.
Also, the software in slot machines often survives several generations of cabinets with just minor updates. And why change something that has worked without problems for the last 15 years, right? Therefore, it is quite possible that even many modern machines use parts of code from the early 90’s.
My technical analysis of Alex’s system
I know that many of you are eager to learn in detail how Alex’s system worked.
That’s why I took all the published details and decided to demonstrate how reverse engineering can be used to predict the future outcomes of a PRNG slot. Check out my technical analysis at the end of the article.
Slot machine frauds, HW manipulation, and special tools
As I previously stated, I believe that Alex’s system was morally acceptable and even legal in some jurisdictions. However, not all the ways that have been used to "beat" slots are like that. There are numerous illegal ways in which slots have been cheated in the past.
Most of the recorded slot machine frauds have something to do with hardware manipulation and/or special tools used to "fool" the slot machine and make money.
It’s important to point out that hardware manipulations and the usage of any tools to change the way slot machines work are illegal. That means that you might as well take an axe and smash the cabinet to get to the money storage area. From a legal standpoint, you would be doing pretty much the same thing.
Some of these frauds occurred repeatedly, while others were one-time operations. What all of them have in common is that they only work on the physical slot machines found in land-based casinos. Online casinos are protected, as players need to be physically near a slot machine to manipulate it.
Also, as casinos were being continuously defrauded, they started to implement further security measures and hardware updates that have made most of the frauds I will talk about impossible to pull off today.
Okay, let’s get to it. Here are some of the ways slot machines have been cheated in the past.
Fake coins or tokens
The first slot fraud I will mention is very simple. It includes fake coins or anything else slot machines register as a form of payment. If you are able to manufacture something that the machine "thinks" is a coin, you can use it to make money.
Of course, you must be able to manufacture the coins for less than their nominal value. Otherwise, you wouldn’t be very profitable.
There is one famous example of a man who managed to use this technique very successfully. Louis Colavecchio is an American casino counterfeiter also known as "The Coin". He and his gang managed to fabricate considerable amounts of fake coins and casino tokens and use them to make money in the casinos of Atlantic City and Connecticut. He was caught and later became quite famous, thanks to The History Channel, which made a documentary about him.
Coins on a string (Yo-Yo)
If you ever played with a Yo-Yo, you know that it goes down and up when handled correctly. And that’s exactly what a coin on a string does. First, it’s inserted into the slot machine and allowed to go far enough for the machine to register it and start a game. Then it is pulled back out and used again and again.
This technique is very similar to fake coins, but it eliminates the need for large-scale fake coin production. With a coin on a string, pretty much everybody could try to defraud a casino. Of course, not everyone did, and not everyone who did was successful.
The technology used to judge the coins’ validity kept getting better and better, which made tricks like fake coins obsolete, or at least much harder to pull off. Slot machines started using a light sensor to register payments and figure out whether the coins were fake or real.
A shaved coin was registered as a valid form of payment, but fell through the physical comparator that was used to measure the size of the entering coins. The coin was therefore returned to the player and ready to be used again.
If the slot machine required the coin to match the size requirements, another object was inserted into the machine with the shaved coin itself. This object matched the size of the coin perfectly and stayed in the machine, while the shaved coin "fooled" the optical sensor and fell out of it.
The previously described ways to beat slots had something to do with how money was inserted into the machine. The next slot cheat, as well as a lot of the following ones, are different. They affect the ways slots pay out money, more specifically coins.
Picture the old type of slots that simply paid out coins directly every time a player won something. They had a mechanical coin counter that counted the coins leaving the machine, so that the payout matched what the player had won.
In this cheat, a coat hanger (or something similar in shape and form) was pushed into the area alongside the coin counter, which affected its precision. That meant that the slot kept paying out more than it was supposed to, which made playing more profitable in the long run.
A top-bottom joint was a tool that consisted of two parts… you guessed it – the top and the bottom, more specifically a metal rod bent to form a circle (the top) and a long guitar string or some other thin wire (the bottom).
The top-bottom joint is one of the most well-known tools used to defraud casinos. It was very popular in the 70s and 80s. It took the term "emptying out a slot machine" to an entirely new level.
The bottom part was inserted into the bottom of the machine, where it came into contact with the machine’s internal electrics, drawing a small charge from it. The top part was then inserted into the coin slot, which completed the circuit and forced the machine to pay out all the coins it had inside.
Monkey paw was created by a legend of the art of cheating slot machines and casinos – Tommy Glenn Carmichael. But to get to the monkey paw, we first have to go back to the top-bottom joint. Carmichael owned a TV repair shop that wasn’t doing very well. So, when his friend Ray Ming introduced the top-bottom joint to him, he decided to try it out.
He had some success with it, but was later caught and sentenced to 5 years in prison, not only because of his cheating, but also because of his previous convictions. Then he realized that the tool he had been using (the top-bottom joint) was already pretty well-known. He realized he had to figure out something new to succeed in the field of defrauding casinos.
That’s why he invented the monkey paw. He got himself a video poker machine and began experimenting. Carmichael managed to create a very simple yet functioning contraption. He attached a metal string to a bent metal rod, which he later inserted into a slot machine’s vent and moved it around until he found the switch for the machine’s coin hopper. He pulled it and got everything that was inside the machine.
As slot machines became more technologically advanced and secure, they stopped using mechanical systems to count money. They started using optical sensors, which made the majority of the aforementioned cheats obsolete. But Carmichael adapted to the change, and figured out a way to fool the new systems.
He made a small device that could "blind" the optical sensor, making it unable to detect how much money was inserted into the machine and how much was being paid out. Since the machine thought the correct amount hadn’t been paid out yet, it kept paying out more and more money, making the cheaters richer and richer.
The piano wire method of cheating slots has nothing to do with inserting or paying out money. The piano wire was used to change the outcome of the game, which makes it a unique form of cheating.
It dates back to 1982, when slot machine reels were still mechanically operated. The piano wire was inserted into the slot machine’s rotating insides. The wire was used to jam the clock used to measure the wheel rotation, which meant that players could manipulate the spin’s outcome.
The group of people who tried to pull this operation off managed to hit a $50,000 win. However, they were being filmed during the entire process, and were arrested later on. Their success was short-lived, but they really managed to change the outcome of the game using only a piano wire.
Dennis Nikrasch did things differently. He also bought a slot machine to "play" with at home. He figured out that the machine’s chip could be reprogrammed to manipulate the outcome of the game. The reprogrammed chips could then be installed into the casinos’ slot machines and used to make a lot of money.
And he didn’t keep this information to himself. He ordered a load of these chips, reprogrammed them, got his hands on slot machine keys and replaced their chips. And "just" like that, he managed to run a successful operation that made him rich. He was, of course, later arrested in 2004, and died in 2010.
Slots and software glitches
Although this way of beating slots is not technically a cheat or a fraud, I decided to make it a part of this article. Slots are programmed by people. And people make mistakes. A programming mistake can lead to a software glitch that can later (knowingly or unknowingly) be exploited by players.
There are many documented instances of software glitches that have resulted in huge wins:
- In 2015, a 90-year-old woman from Illinois won $41 million while playing a Miss Kitty slot machine. The casino refused to pay her.
- A man in Austria won a €43 million jackpot. However, the casino insisted that he only hit 4 of the 5 symbols needed to trigger the jackpot. Therefore, his win wasn’t paid out and he was offered 100 bucks and a free meal instead.
- A woman in New York managed to hit an amazing $42.9 million jackpot. The machine had a maximum payout of $6,500 and the huge win was just a glitch. The casino insisted that she was only entitled to the $2.25 from her spin.
And I could keep going. The point is that huge wins that happen due to a software glitch are pretty much never paid out. And what’s even worse, some shady casinos might actually be using this to not pay out real wins by blaming them on a glitch.
However, a software glitch doesn’t always have to result in hitting a jackpot. It might instead provide a player with a stream of smaller wins, or misinterpret the money inserted into the machine in a way that favors the player. Instances of this kind can stay under the radar, and can be exploited by crafty players.
You have to be extremely lucky to find this type of bug though. And even if you managed to do it, you can never be sure that you will actually get to see the money.
But remember, fortune favors the prepared mind. :)
Appendix: How Alex’s algorithm might work
Let’s start by summarizing everything we know about his strategy:
- Alex required results of about 24 spins to predict future outcomes.
- Agents waited for the right time to press the spin button.
- Brendan Koerner managed to track the origins of the PRNG algorithm (from the mathematical evidence provided by Alex) to the book The Art of Computer Programming.
Disclaimer: the following technical analysis is just my speculation as to what engineers at Aristocrat could have done wrong, and how Alex could have exploited it. Despite the fact that I took all information available at the time into account, the real exploit could have differed in minor or major details.
The PRNG that might have been used in Aristocrat cabinets
The simplest PRNG algorithm described in The Art of Computer Programming that still gives satisfactory results is:
RNG = (a * PreviousRNG + c) mod m
This algorithm, known as Linear Congruential Generator (LCG), is still used as a default PRNG algorithm in many programming languages (e.g. Java).
Could Aristocrat slot machine developers simply have used the default RNG algorithm provided by the programming language they used? Or could they have used the simplest PRNG which meets the requirement of uniformity?
I think that’s a plausible scenario. This default algorithm works and meets the criterion of uniformity of the generated random numbers. It might have met all the criteria the programmers were working to in the requirements specification.
How to crack a simple PRNG
Now let’s speculate on how bold Alex could have exploited this algorithm.
1. Finding the algorithm parameters
The first step is to learn the exact parameters of the algorithm (a, c and m). This is the easy part, as these parameters are stored in every slot machine. Alex just had to read the binary code from the cabinet memory and decompile it. This is a task that any specialist in microelectronics can do if equipped with the proper tools.
But knowing just the a, c and m parameters alone isn’t enough. With the decompilation, you can actually read the parameters of all PRNG algorithms – even the cryptographically secure ones. To be able to predict and exploit the RNG sequence in a real slot machine placed in a casino, you’ll also need to know something else – the current RNG seed value.
2. Finding the current RNG value
The LCG PRNG algorithm is generally characterized as easily predictable. This means that just by knowing 3 random numbers you are able to calculate a, c, m parameters and easily predict the next numbers in the sequence.
Don’t be confused by that, as this wasn’t the exact task Alex was facing. Alex already knew the a, c and m parameters from the decompilation, but he didn’t know the current RNG state value. He was only able to observe the produced random numbers indirectly, by watching the positions where the reels stopped in recorded spins.
The key point is that the logic of a slot game is deterministic and programmed inside the cabinet. So it can be decompiled, reverse-engineered and simulated somewhere else. The game logic usually takes a random number and uses some mathematical operations to determine where each reel should stop.
Slot machine reels usually have around 50 to 100 symbols, three of which are displayed on the screen at a time. The combinations may sometimes repeat, and reels can have different lengths, but let’s assume that there are 50 unique combinations on each reel. The random number selects one of these 50 combinations, so just by looking at the first reel in the first spin you can eliminate 49/50 (98%) of the potential random numbers.
If the game has 5 reels, then on average just one of 312 million random numbers gives exactly the same result as the one observed by the player.
If you know the outcome of many consecutive random (*) numbers, then you’ll very soon end up with just 1 initial random number which gives the desired outcome for all spins. In fact, the number of spins you need is proportional to the length of the initial random number.
So you just need to simulate all the possible random numbers and voilà… well, not that fast.
If a slot machine used random numbers which are 64 bits long, then simulating all of them would require too much computational power (544 years on my laptop). Alex still needed to get a little unintentional help from Aristocrat’s developers. I found 2 things they could have done to help Alex:
- Use a RNG state that is too short (32-bit).
- Use the random number in a way that it can be used to help find the current RNG state.
1. Too short (32 bit) RNG key
Aristocrat MK IV cabinets were developed on a 32-bit ARM 250 processor. If the slot developers decided to also use a 32-bit random number seed, then there are just 4,294,967,296 possible RNG states. It may look like a lot, but current computers are very fast and this number of options can easily be examined by brute force (takes 4 seconds on my laptop).
However, I consider this option less likely. Moreover, a 32-bit random number is too short to cover all possible results in some games (5 reels * 90 symbols).
2. Using a random number in "an easy to exploit" way
Let’s now assume that there was a 64-bit RNG state in use. How do you use a 64-bit number to deterministically stop 5 reels by 50 symbols each? The easiest approach which preserves uniformity would be the following:
Pos1 = RND modulo 50
Pos2 = (RND / 50) modulo 50
Pos3 = (RND / (50*50)) modulo 50
Pos4 = (RND / (50*50*50)) modulo 50
Pos5 = (RND / (50*50*50*50)) modulo 50
Each reel now uses its part of a random number, and there are no correlations among the individual reels. Provided the random numbers are uniform, then there is a uniform chance of any possible game outcome (**). Regulator approves.
Now the exploit:
If you know the reel positions, you can easily calculate the end of a random number (RND mod 50^5):
RndEnd = pos1 + pos2*50 + pos3*50*50 + pos4*50*50*50 + pos5*50*50*50*50
Will this help you to guess the current RNG state? It will, actually. It will help you a lot.
Now you don’t need to simulate all possible random numbers, but just those that end in RndEnd. Or, to be more specific, all random numbers which match the pattern RndEnd + X * 50^5:
- 1 * 312500000 + RndEnd
- 2 * 312500000 + RndEnd
- 3 * 312500000 + RndEnd
Now out of 2^64 possible values (18446744073709551616), you’ll need to try just 59029581035. Both are huge numbers of possible values, but while on my laptop the simulation of the first would take 544 years, the simulation of the second would be completed in 60 seconds. That’s a huge difference.
And that’s it. Now you know the random number and you can predict future spins.
The real RNG exploit Alex used could be different, but I bet it has a lot in common with the process I have described here.
(*) In reality Alex didn’t know the outcomes of consecutive random numbers, but he knew the outcomes of random numbers which were quite close in the sequence.
Alex’s agents had to wait for a certain moment to press the spin button. This indicates that the Aristocrat MK IV cabinet continuously generates random numbers at some frequency (in some jurisdictions it’s a legislative requirement). When a player presses the spin button, the current random number is used to determine the spin outcome.
Note that the frequency of generating random numbers must be also programmed inside a slot machine. Therefore, it can also be easily read and predicted after code decompilation.
Let’s assume that the random numbers in a slot machine are generated at a frequency of 100 per second. Playing 24 rounds might take around 60 seconds, so there are about 6000 random numbers involved, of which 24 have been used to calculate spin outcomes. The task then is to find the random number which gives the outcome of the first spin and also, when cycled further within the following 6000 cycles, the outcomes of the remaining 23 spins. This simulation is also easy to do; it just takes a few times longer (with proper optimizations).
(**) To get perfect uniformity, you would have to throw away numbers which are greater than 2^64 – 2^64 mod (50^5).
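As an added illustration of the reasoning in this appendix (not code from the original article, from Alex, or from any manufacturer), here is a toy model in Python: a 32-bit LCG with constructed constants stops 3 reels of 50 symbols exactly the way the Pos1..Pos5 formulas above do, the "cabinet" advances the generator every tick, and the press times in ticks are assumed known (the text assumes the tick rate is read from the decompiled code). The recovery enumerates only the RndEnd + X * 50^n candidates and keeps those that also reproduce the later spins.

```python
"""Added toy model of the appendix's state-recovery argument. An LCG whose raw
state is split into base-50 digits to stop the reels leaks enough of that state
to recover it from a handful of observed spins. Every value here is constructed."""
from typing import List, Tuple

# Constructed toy LCG with a 32-bit state (Numerical Recipes constants): X_{n+1} = (A*X_n + C) mod M.
A, C, M = 1664525, 1013904223, 2 ** 32
# Scaled down from the text's 5 reels x 50 symbols to 3 x 50 so the search finishes in seconds;
# the 64-bit, 5-reel case in the text is the same computation over ~5.9e10 candidates.
REELS, SYMBOLS = 3, 50
SPACE = SYMBOLS ** REELS  # 125,000 distinct reel outcomes


def lcg_next(state: int) -> int:
    return (A * state + C) % M


def affine_power(k: int) -> Tuple[int, int]:
    """Coefficients (A_k, C_k) of the k-fold step, lcg^k(x) = (A_k*x + C_k) mod M, by
    square-and-multiply, so skipping thousands of RNG ticks costs about 32 operations."""
    ra, rc = 1, 0  # identity map
    ba, bc = A, C  # one LCG step
    while k:
        if k & 1:
            ra, rc = (ba * ra) % M, (ba * rc + bc) % M
        ba, bc = (ba * ba) % M, (ba * bc + bc) % M
        k >>= 1
    return ra, rc


def reel_positions(rnd: int) -> Tuple[int, ...]:
    """The text's mapping: Pos_i = (RND / 50^i) mod 50, i.e. one base-50 digit per reel."""
    return tuple((rnd // SYMBOLS ** i) % SYMBOLS for i in range(REELS))


def rnd_end(positions: Tuple[int, ...]) -> int:
    """Invert reel_positions: the displayed reels reveal RND mod 50^REELS (the text's RndEnd)."""
    return sum(p * SYMBOLS ** i for i, p in enumerate(positions))


def positions_at(state_at_first_spin: int, ticks_ahead: int) -> Tuple[int, ...]:
    """Reels shown if the button is pressed ticks_ahead RNG ticks after the first spin."""
    ak, ck = affine_power(ticks_ahead)
    return reel_positions((ak * state_at_first_spin + ck) % M)


def recover_state(observations: List[Tuple[int, Tuple[int, ...]]]) -> List[int]:
    """observations = [(ticks since the first spin, reel positions), ...], first tick 0.
    Returns every RNG value at the first spin that reproduces all observed spins."""
    first_tick, first_pos = observations[0]
    assert first_tick == 0
    later = observations[1:]
    # One affine map per press offset, so testing a candidate is one multiply-add per spin.
    maps = [affine_power(t) for t, _ in later]
    survivors = []
    # Only values whose low base-50 digits match the first spin need testing: RndEnd + X*50^REELS.
    for s in range(rnd_end(first_pos), M, SPACE):
        if all(reel_positions((ak * s + ck) % M) == pos for (ak, ck), (_, pos) in zip(maps, later)):
            survivors.append(s)
    return survivors


def simulate_machine(hidden_state: int, press_ticks: List[int]) -> List[Tuple[int, Tuple[int, ...]]]:
    """Constructed cabinet: the LCG advances every tick and the current value decides the spin."""
    return [(t, positions_at(hidden_state, t)) for t in press_ticks]


def demo() -> Tuple[int, List[int], bool]:
    hidden = 0x9E3779B9  # constructed secret RNG value at the moment of the first spin
    presses = [0, 137, 290, 415]  # constructed press times in ticks; the tick rate is assumed known
    found = recover_state(simulate_machine(hidden, presses))
    # Once the state is known, the reels for any future press time can be computed in advance.
    future_ok = len(found) == 1 and positions_at(found[0], 1000) == positions_at(hidden, 1000)
    return hidden, found, future_ok


if __name__ == "__main__":
    hidden, found, future_ok = demo()
    print(f"hidden={hidden:#x} survivors={[hex(s) for s in found]} future_spin_predicted={future_ok}")
```

The leak exists only because the reel mapping exposes the generator’s raw state digit by digit; a generator whose outputs do not reveal its internal state gives no candidate set to enumerate, which is the property the uniformity test in the regulations never checked.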