How to Detect a Poker Bot Farm

How to detect a poker bot farm article cover image. A robot arm holds four poker cards.

Worried a poker bot farm is hiding on your iGaming site? Use these tools to protect your business and players

Summer 2020 will make history in the iGaming community, as a data leak exposed one of the biggest poker bot rings ever found. And the numbers are staggering, even when the dump only looked at a fraction of the bots’ operations:

  • 60,000 sessions played
  • 50 poker sites targeted
  • $675,000 earned in rakeback
  • $3M earned in winnings 

It was a remarkably sophisticated attack, and understandably, players were furious. Had they been losing money to organized criminals? Were those company’s security too lax? 

And how should you deal with poker bot farms before they create a PR crisis for your igaming platform? All the answers below.

The Attraction of Online Poker Tables

iGaming attracts all kinds of fraudsters for bonus abuse, account takeover, credential stuffing, and transaction fraud, to name but a few. The quick access to money makes them a high target, as they essentially act as online wallets. 

But poker tables are the most frequently targeted games, and for two good reasons. Firstly, fraudsters can increasingly deploy software, or bots, that automate online play. These still require some oversight, which is why all the sessions logged in the data dump were from bots who operated between 9-5. They were probably monitored by fraudsters who took it as a job.

Secondly, the fact that poker is a multiplayer game adds another layer of complexity in the form of player collusion. 

Put simply, it’s a coordinated effort between players to consolidate a win by having other players lose on purpose, and it’s a huge problem for a variety of reasons. In fact, it’s such a huge problem that online casinos won’t even offer signup bonuses for their poker games.

The Rise of AI-Driven Poker Software

Everybody is familiar with the high stake games between human chess players and machines, but advances in artificial intelligence and machine learning mean that researchers are increasingly turning towards more complex games like poker.

As poker combines mathematical skills with human traits like psychology and deception, it was previously thought impossible to learn for computers.

But the University of Alberta Computer Research Group in Canada, for instance, is at the forefront of AI-driven software that can replicate poker player behaviour. As of 2020, the group has released five open-source programs which attempt to “solve” different poker games, and make them unbeatable. 

The problem? The code is fully open source. The program Polaris, for instance, designed to play texas hold’em poker, is extremely popular for deploying poker bots. 

While these bots tend to play on the lowest limits, even tournament players cannot rule out that they are playing against bots, especially during the middle and late phases, which are strongly influenced by a player’s mathematical skills.

And as technology continues to evolve, it will become harder than ever to differentiate between human players and machines. 

When Fraudsters Organize

In a normal poker tournament, players are unable to communicate with each other. The practice is called Ghosting, and it is not only hard to pull off, but also prohibited.

However, in the online world, it’s nearly impossible to enforce a policy that prevents players from sharing advice. 

And if the players had planned to work together beforehand, in the form of collusion, it becomes even more challenging to spot connections between the players, which creates all kinds of risks:

  • Loss of player confidence: The poker economy is a pyramid, where the money rises up to the top 1% and the rest is eaten up by rake or goes to the house. Operators recognise this and do what they can to protect the middle and bottom of the pyramid in feeling safe and that they have a chance to win. But when bots are involved, that trust is eroded and players will move to other operators’ tables.
  • Negative PR: as we’ve seen from the backlash against operators whose tables had been infiltrated by bots, players will turn on the company for not doing enough. 
  • Money laundering risk: organized crime syndicates can use poker tables on iGaming sites to launder their money – incurring potential huge AML fines for your company.
  • Expensive damage control: not only will your players migrate to other sites with better reputations, you will also be flooded with a request for refunds. Whether you return the lost funds or not, the damage has already been done as your support team will be overwhelmed, and your reputation hurt.

How SEON Can Detect a Poker Bot Farm

We’ve written extensively about how the SEON anti fraud platform can help spot hidden customer connections, and leverage device fingerprinting to get a good idea of who your users are. 

But today, we’ll look specifically at the data found in that huge 44GB data dump, and demonstrate how SEON could have helped expose the bots.

But first, let’s examine exactly how the poker bot farm ring worked in that particular scenario. 

  1. The fraudsters somehow found players willing to sell their accounts and personal information. These included passport photos, address verification ad bank statements. It’s worth noting that these were real people, not synthetic IDs.
  2. Virtual Machines were created, and IP and device information were faked so that the connections looked like they were from areas near each player. You can read more about the kind of tools fraudsters use for device spoofing here.
  3. Each virtual machine was loaded with all the necessary information including ID data, poker software, payment processor details. They then create a new account for each identity.
  4. A fraudster “employee” comes into work every day and launches the program. They create screenshots, and manually oversee any issues with the bot. 

The steps that are of particular interest for us here are number #2 and #3, both of which relate to the onboarding or registration stage. Here are the verification checks we should apply:

IP Analysis

The fraudsters have used proxies designed to spoof local IP addresses. A basic IP check wouldn’t have done much, but running it continuously might have helped uncover suspicious logins. 

Device Fingerprinting

Similarly, this particular group of fraudsters had access to spoofing technology designed to trick analysis tools. Once again, a sophisticated desktop emulation might not give results immediately. 

Email Analysis

This is most certainly where SEON would have alerted your company of the risk. Most of these players had similar email addresses, such as firstnamelastname@yahoo.com, with a few numbers thrown in for good measure. 

SEON’s string analysis feature, for instance, can examine an email handle to ensure it’s not too generic. We also check what kind of domain is used, and involvement in a data breach actually lowers the risk score, as it is a sign that you’re dealing with a mature address.

Screenshot of our email analysis tool. Presenting an example where below the given fraud score, our product provides a written reason why the address got the particular score.

And it’s worth noting that the risk scores and alerts are customizable based on your industry needs. While some businesses might tolerate throwaway emails, users who give disposable contact details along with their real IDs should certainly increase suspicions.

Phone Analysis

Had the fraudsters created virtual phone numbers, SEON would have immediately increased the fraud risk after performing a reverse phone lookup.

Social Media Lookup

A key part of digital footprint analysis. If we’re detecting bots, we can clearly see that few of the fraudsters had linked social media accounts, which increases the risk score. 

Screenshot of our Social Media Lookup, showing several social media icons, and highlighting the ones on which the user has a profile.

Custom and Velocity Rules

More of a theoretical solution, as velocity rules attempt to understand player behaviour. You would have needed to keep the system running until our Machine Learning engine spotted suspicious patterns, or an afraid manager could have deployed and tested these rules.

For instance:

  • Time frame between first and last game: the bots ran from 9-5 Monday to Friday
  • Risky countries rules: in this particular case, Ukraine, Russia, etc…
  • Betting strategies: most of the bot accounts were found on tables with stakes between 10NL and 200NL. Other technical statistics such as post-flop Agg% and comparing stats with banned bots. 

It’s worth noting at this stage that SEON lets you create custom fields specifically to analyze this kind of data, which wouldn’t be taken into account by a standard transaction fraud solution.

Don’t Let Poker Bots Hurt Your Reputation

A poker bot farm by itself doesn’t necessarily hurt your operations. In fact, shadier iGaming companies have been known to populate their games with bots along with real players. Similarly, the best poker players have no problem playing against them.

The issue, however, is that the majority of your players will feel cheated if a poker bot farm operates on your platform. And as the leaks in 2015 and 2020 show, they will take matters into their own hands to find suspicious behaviour, and will complain to you directly.

Luckily, even the most sophisticated bot rings can be spotted with a combination of digital footprint analysis at the point of registration, and powerful custom rules created by your fraud managers. 

These are just two of the many tools SEON delivers so that you may keep players safe, and your business reputation intact.

Learn more about our products!
Products

Sign up to our newsletter

Newsletter