Roobet Casino - Player’s active balance has disappeared.

On May 29, 2021 at 15:35:36 Pacific Time I won an $81,000 jackpot on the RooBonanza game. I continued to play at high stakes with my account balance varying between $54,000 and $145,968.

At 16:09 Pacific Time I received an email apparently from Roobet asking me to participate in verification steps.

I am familiar with offshore casinos and it is fairly customary for them to engage in verification following large payouts or withdrawals. In addition, I never allow anyone to know I am playing and winning. Despite Roobet displaying names of players and wagers, I have always disabled this feature and played anonymously. Thus I had no cause for concern when I received the email asking for verification.

Unfortunately after an email exchange over the next few hours, my account was locked. My balance at the time, to the best of my record-keeping ability, was about $87,000.

After I was unable to access my account, I checked and found that the emails I received were not from the official Roobet account and I had confirmed my credentials to someone else.

Concerned that someone would drain my account, I contacted Roobet via email (as their live chat does not work unless you are logged in) to advise them my account had been compromised.

I sent several variations of this email to several Roobet accounts with subject lines like URGENT: Account hacked. I sent an email to the "VIP" address I had been previously invited to use. I DMed Roobet on Twitter. I did everything in my power to get attention to this issue.

Unfortunately, Roobet took nearly a whole day to stop the unauthorized activity on my account. They waited so long that my daily rakeback of $8,244.27, issued on the following day (May 30 at 15:06) was allowed to be redeemed.

My balance was not withdrawn, but rather *played to zero.* I do not think there is a scam hacker alive who would get into an $87,000 account and play it down to zero rather than withdraw.

Minutes after my rakeback was disbursed and lost back to them, on May 30 at 15:56, Roobet decided to finally reply to my email and help me regain access to my account. My balance was zero. Again, not a penny was withdrawn. It had all gone back to Roobet.

If this were purely an issue of recklessness, I would take responsibility. However it is abundantly clear to me that someone at Roobet, having the information that I had won a large amount of money, having hacked my account shortly after and playing the balance down, was complicit in this.

The case is only clearer because they waited until just after my $8200 rakeback was awarded and blown away to give me any response at all.

I have requested reimbursement and the casino has refused. I am claiming an amount of $95,244, to represent the amount seized back by the casino in both account balance and rakeback.

I cannot be more clear about this. Roobet waited nearly a whole day to address this, and lost ZERO funds to hackers. They simply played down the balance. There was no reason for anyone but Roobet to know my account was well funded and they sent the email within minutes of my $81k win. They also waited until minutes after disbursing and losing my $8k rakeback to themselves.

I do not know if the executives at Roobet are aware of the corruption that exists here, but they absolutely should be. If Roobet chooses to do the honorable thing and reverse this, I will be happy to advise them and help them determine how to stop this in the future.

Thank you for your cooperation.

Dear Benjamin,

Thank you very much for submitting your complaint and forwarding the relevant screenshots. I’m sorry to hear about your problem. Could you please forward your entire game history in Excel format along with the original emails to petronela.k@casino.guru? Please confirm that you haven’t provided access to your account to anyone else.

Looking forward to hearing from you. Thank you in advance for your understanding.

Best regards,

Petronela

Dear Benjamin,

We are extending the timer by 7 days. Please, be aware that in case you fail to provide the required information in the given time frame, we will reject your complaint.

Hello,

My apologies for the delay. I thought I had to get this history from their limited GUI and was having trouble with it. I am waiting for support to email me a history now. I will email you personally with more information. Thank you!

Hello,

I have sent you all of the relevant emails and history. I am waiting to see if the casino can supply better records. Thank you.

Thank you very much, Benjamin, for the forwarded emails. Could you please advise if, by any chance, you have saved any screenshots of your active balance before your account got compromised? Do I understand correctly that you have requested a game history from the casino?

Yes I will send screenshots now and yes I have requested a complete history. Thank you

Thank you very much, Benjamin, for all the relevant screenshots. I will be waiting for your game history patiently.

Dear Benjamin,

We are extending the timer by 7 days. Please, be aware that in case you fail to provide the required information in the given time frame, we will reject your complaint.

Thank you very much, Benjamin, for providing all the necessary information. I will now transfer your complaint to my colleague Matej who will be at your assistance. I wish you best of luck and hope to see your problem being resolved to your satisfaction in the near future.

Hello Benjamin.

I am sorry to hear about your troubles.

Cases like yours are very complex, and I would like to invite the casino representative to explain what exactly happened.

Thank you for the response.

I do not believe 12 hours is an acceptable response time in the case of emails to multiple support lines to the effect of "my account with $95,000 in it has been compromised." I understand why the casino would say this is acceptable in this reply, but truthfully I think they should be troubled by that standard.

This is the third time the casino has put up a "data breach" as evidence that they are not responsible for this. Respectfully, data breaches have nothing to do with this and are an attempt to make the customer look reckless. Everyone’s email shows up in a data breach search. My complaint is not that someone randomly got my credentials and used them, but rather that someone knew when to contact me to deplete my account.

Again, thank you for your response, but my suggestion to the casino is that it take the occurrence of these situations more seriously. There are numerous issues with the casino’s communication, password reset, and 2FA systems that could be resolved in minutes and prevent this situation from occurring, and I’d be happy to work with them on that from a user’s perspective.

If the casino truly believes this did not happen from inside, I suggest that they re-examine that. And regardless, it seems they should be more concerned with safeguarding than with blaming their customer. That’s puzzling and concerning.

I would like to ask Roobet casino to provide us with more details about the incident.

I am sure you have information about IP addresses and betting patterns from the time when Benjamin has reported the issue.

Please provide me with the details to matej@casino.guru

The requested information has been emailed to the address provided above.

Thanks, Roobet Casino and Benjamin, for the patience.

After a deep analysis of all files sent from both parties, it is clear that:

Approximately 30 minutes after Ben got a big win of $81650, he received a fake email asking him to cooperate for account verification. The email came from a Gmail address, and Roobet Casino is warning players about these types of scams + information that they never ask players about passwords etc.

However, Benjamin was cooperating with this attacker(s), and it took approximately 5 hours till the attacker got full access to Ben's account. Ben was playing during this time using an aggressive gaming strategy, and his balance was changing quickly.

When the attacker(s) finally got the last information from Ben, he lost control over his account. At that time, there was an $84147.95 balance left on his account. The attacker(s) probably tried to withdraw the money (there was no activity for about an hour); however, when they probably realise that they can't do it, they started to play.

With the similar strategy that Ben had, the attacker(s) multiple times got an account balance over $100k and the highest amount, $163k.

From the attacker's behaviour of the attacker(s), it does not indicate that their goal was to spend money as quickly as possible but more likely have some fun. 

After 3 hours, however, an attacker(s) lost all the monies.

If we consider that Ben gave the attackers full access to his account and sent the 2-factor authorization codes necessary to disable/set another device to access his account, and the fact that the attack took approximately 3 hours, we can't blame the casino.

However, 16hours after the attacker(s) got control over Ben's account they were able to log in again, took roowards and lost these monies again. At this point, we believe that the casino should prevent this. Disabling the possibility of withdrawing isn't a sufficient solution for a situation where the player loses control over his account.

It is very unfortunate what happened to Benjamin however he has no right to a refund of $84147.95

However, Roobet Casino should consider compensating somehow the loss of rooward ($8244.27) it was in their power to stop this.

I would like to mention that because Ben was using VPN's and frequently changing the IP's it was extremely hard to detect the security breach and the attacker (s) had full access to Ben's account which Ben gave them.

Thank you.

Roobet casino representative, could you please react to my last post.

Specifically about the rooward part.

Thanks

I apologize for the delay on our end in regards to this case. After some discussion we are unable to return the lost Roowards for this case. What has happened to the customer is very regrettable, and we apologize again that this occurred.

I am not saying that you should reward him back this rooward. But the player informed the casino that his account was compromised and asked the casino to secure his account again. The attack happened at the night during a working day. He was desperately writing to every casino email address that he found and didn't contact the live chat just because it is not possible without logging into the website. You wrote that it took 12h for your support to reply but after 16h still, attackers were able to take this rooward bonus and lost it.

Something like this shouldn't happen in a good casino. (that's my advice) 

Please consider making live chat available for unregistered players or find a way how players can let you know that they need help very quickly. 

I believe that Benjamin should be somehow compensated for this situation. So please consider again if you can offer him some bonus or at least something.

I understand, and these are awful circumstances, but we would not be able to compensate anything close to the affected amount. This is also addressed in our ToS which is agreed to upon sign up:

"You are responsible for safeguarding the password that you use to access the website, your account and for any activities or actions from your account. You are responsible for all actions, activities, and consumed services made from your account, disregarding if you or a third person made them. Any Roobidos lost during bets in games of chance, games of skill, or games of risk made by other people than yourself are your personal loss"

We will certainly take your advice regarding live chat availability into consideration and explore our options in that regard.

Benjamin, we talked a lot about your case, and we conclude that we can't blame a casino in this case.

1. Your nickname is the same as your Gmail address, so the suspicion that the casino used somehow the information about your win is not provable.
2. There is not a standard time frame on how quick should casino react. We suggested the casino to give you at least something, but if they don't want it, we can't blame them. Same as the banks have no responsibility in cases like this. We shouldn't blame the casino in this one.

I am very sorry for what happened to you, and I strongly suggest you read more about security on the internet.

I am sorry, but we must reject your complaint.

I am very sorry, but we must reject this complaint. All the facts are written above.