Missing Poker Funds, Fraudsters, and Callous Corporates

It’s the story that just keeps going and getting more absurd at each turn. A poker player notices $10,000 missing, posts about it, and many other poker players begin to chime in with similar stories which all occurred within the span of a few months. Within the next few weeks, sports betting accounts across many states are being hit and operators are scrambling to contain the damage. Perhaps the worst part is that this should have been easily prevented by either the payment processor or the sportsbook/poker site.

It is important to note that before all of this, offshore online poker site ACR was hit by a ‘credential stuffing’ attack early this year. This is where fraudsters buy/obtain a large list of email/password combos and other personal info, often from previous breaches elsewhere, and use them to gain access to accounts en masse. This is the same strategy that was used against the sportsbooks.

Whether or not it is the same fraud ring is still unclear, but it would be quite a large coincidence if it were not. The tactics are very similar and not much time has passed since ACR was hit, back in the spring of this year. But unless the fraud ring is identified (and hopefully brought to justice), it is nearly impossible to be certain that it is the same group in both incidents.

In the case of the poker players though, it was even easier for the fraudsters to exploit a severe vulnerability in a major payment processor, Global Payments. Global Payments handles certain kinds of payments for many of the regulated online gambling sites. A crucial detail is that once a user verifies their banking information, Global Payments stores the info, presumably to make future payments easier.

Global Payments required only a few pieces of personal info to access this stored information, so the fraudsters created accounts at other sportsbooks and made the largest deposit possible from the user’s bank account. They then withdrew it to a Venmo account under their control and then off of Venmo. From there the trail seems to grow cold, which isn’t too surprising given all of the potential directions and hops the money could take on its way to the fraudsters’ wallets.

Global Payments was slow in gaining control of the situation and seemed to try to sweep things under the rug until the situation exploded across social media and then to major media outlets. What was even more absurd was that many users reported that Global Payments was trying to collect the money from them, even though all signs point to Global Payments being at fault. Much of the blame could be placed on the regulators and operators though, as they rushed the whole process in order to get betting up and running as soon as possible in many states. It is absolutely terrible optics for regulated sites to have worse security than their unregulated offshore counterparts.

Regardless of where the blame ends up, users need to be proactive in protecting themselves and ensuring they are not low-hanging fruit for the fraudsters. The main lesson from this incident is to avoid using the same passwords across different sites. Also avoid clicking links/files in suspicious emails and pay close attention to web and email addresses. In many cases, users were tipped off in time by noticing the payment requests or strange 2FA requests. There are many other tips and resources out there to help users protect themselves, and it can be well worth the time to read up on them. As the old saying goes – “An ounce of prevention is worth a pound of cure”.
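On the operator side, the credential-stuffing pattern described above (one source trying many different accounts, mostly failing) can be spotted in login logs. The following is an added example, not code from any of the sites or processors mentioned; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-11-01T10:00:00 203.0.113.7 alice@example.com FAIL
2023-11-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-11-01T10:00:04 203.0.113.7 carol@example.com OK
2023-11-01T10:00:06 203.0.113.7 dave@example.com FAIL
2023-11-01T10:00:08 203.0.113.7 erin@example.com FAIL
2023-11-01T10:01:00 198.51.100.9 frank@example.com FAIL
2023-11-01T10:01:20 198.51.100.9 frank@example.com FAIL
2023-11-01T10:01:45 198.51.100.9 frank@example.com OK
"""

def parse(log_text):
    """Yield (time, ip, account, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of crashing
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2].lower(), parts[3] == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: accounts that logged in successfully} for sources that tried
    many distinct accounts with mostly failures inside one time window."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            accounts = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                # Any success from this source is a likely takeover: lock and review.
                flagged.setdefault(ip, set()).update(e[2] for e in span if e[3])
    return flagged
```

A user who mistypes their own password a few times (the second source in the sample) is not flagged, because only one account is involved.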
