The Superusual Subjects

It was a busy weekend for celebrating, but while you were all thoughtfully appreciating international women and mothers, I was busy marking a workiversary. It has now been a year since I left a job at GGPoker.

I’ve talked about that chafening experience before (here), so today is about their recent superuser scandal. I don’t have any hard facts to add, but as I glimpsed behind the curtain just 12 months ago I can add some insightful colour commentary.

My stint at the company only lasted nine months, and during that time I was within muffled earshot of noteworthy conversations and some fascinating tantrums, so I got a good feel for the culture.

Based on my experience, I’ll share with you why I think it happened, and whether I think it could happen again. First though, here’s a summary of how we got here and what I’m talking about. 

A superuser is poker’s equivalent to a supervillain. They are players that have somehow gained a powerful unfair advantage over their opponents. Essentially it’s a cheat-mode.

Imagine being able to make your opponent fold against their will with a sly wink, or having the ability to summon the nuts by muttering a magic word. It’s like that, but much less fun or sexy.

By my count there have been two and a half notable incidents in a quarter century of online pokering, so this really doesn’t happen very often. 

The first sniff of the potential for superpowers came in the late nineties, when industry front-runner PlanetPoker published their shuffle algorithm to allay concerns over its robustness. 

An ingenious cyber security firm subsequently cracked the code and could tell you what cards were going to be dealt next. The site limped on for years, but eventually succumbed to strong competition and shame. 

I tried to do deeper research into the incident, but the details are either long forgotten or poorly SEO’d. The free version of ChatGPT had no idea what I was talking about and instead I was treated to a mash-up of details from a variety of later poker scandals.

As far as I can tell, these were white hat hackers that didn’t use their god-like powers to enrich themselves, which is why I’m only counting this as a half-incident. Presumably they derived more satisfaction from the professional challenge than crushing $3/$6 Limit Hold’em (this incident pre-dates the luxury of game selection). 

While there were no known victims in the case, the door for high-tech cheating had been cracked ajar for the world’s great cryptographers and hacking masterminds. Or, in the case of our next culprit, a horrible greedy moron. 

Fast forward ten years, for the first proper superuser scandal at UltimateBet and AbsolutePoker. I’ll treat them as a single incident, because despite the different brand names, it was the same company and perpetrator. 

In this case, the site developers made the error of allowing high-level company insiders to see what cards players were holding in real-time. This was probably intended as a non-malicious, titillating feature, but turned into a catastrophic vulnerability.

Unfortunately, one of those with the magic access was Russ Hamilton, 1994 WSOP Main Event champion and pre-existing millionaire. He used the special access for years to cheat players out of millions of dollars across both sites. 

It’s hard to express how big and shocking this news story was at the time. I suppose it’s like finding out Andre Agassi was winning tennis Grand Slam tournaments because of an enchanted wig. That is to say, there are several layers of WTF. 

Anyway, he (Russ, not Andre) became increasingly brazen about using his secret advantage and was ultimately brought down by the increasingly watchful and suspicious poker community. 

It was a fascinating and messy debacle, which contributed to the demise of the sites. Although it is important to note that they were also a Ponzi scheme.

That brings us to the most recent superuser skullduggery at GGPoker, which for me combines the juiciest bits of what came before. There’s the technical wizardry of the 90s, the gluttonous stupidity of the 00s, and the heroics of a poker player that brought justice.

This time, a clever crook figured out a way to hijack a feature that shows the percentage likelihood of winning when players are all-in. This is only supposed to be visible when no more betting is possible, but the player managed to switch it on early.

As far as advantages go, it isn’t as prescient as knowing what cards are going to come next, it isn’t as potent as knowing precisely what your opponent holds and it’s nowhere near as saucy as that wink-fold thing I invented earlier. 

But the simplicity almost makes up for the lack of omniscience. Knowing how likely you are to win during a hand is still a colossal head start. We’re into enchanted wig territory.

GGPoker became aware of the flaw and quickly released a security patch, but the All-in Bandit was a step ahead. He had ring-fenced his client, blocking the software updates and thus keeping the nefarious edge.

Luckily, that’s where the indubitable intelligence of the perpetrator ran out. Like his predecessor Rigged Russ, the scoundrel was playing ugly smash-and-grab poker, and it became obvious something was amiss. A single suspicious player raised the alarm and had the cheat stopped before he had amassed $30K in winnings.

So were GGPoker horribly at fault here, or were they simply the victims of a clever criminal cretin? Oxymoron intentional.

To me, it’s a bit of both. I don’t think they displayed outright incompetence, but they were sloppy and complacent. There really wasn’t any glaring internal error or deliberate malice on their part. They were simply bested by a(n) (initially) very smart hacker. 

That’s not to say they are blameless though. Earlier on I mentioned company culture, and that is where I point the trembling finger of fault. This was a failure of corporate behaviour and attitude. 

GGPoker develops fast. When a passable idea makes it onto their Slack workspace and they decide to pursue it, then they slam their foot on the development accelerator. It doesn’t really matter what direction the company vehicle was facing at the time – it’s full swervy, screechy steam ahead. 

This is mostly because of the irascible billionaire owner. I chose that word not just to sound clever, but because it’s a good fit for the man behind GGPoker. He can move quickly from civilised to spiky, and over small and unpredictable things (don’t mention Sit & Go’s). 

So, when he decides he wants something done with his software, the developers leap into action. They’re clearly a talented and hard-working team, because I was amazed at how quickly they could deliver complex tasks. After ten years working at PokerStars, I was accustomed to slow, careful software progress – at GG I was getting product whiplash.

That isn’t wholly a bad thing. Slightly scary impatient billionaire tyrant businessmen like Jobs, Musk and Bezos have delivered incredible products and progress. But here it’s part of the problem. 

Rapid pace means ideas are not always fully fledged, and you’re often sacrificing on quality. For example, while I was there they introduced a special game type for the World Cup in Qatar with just a few weeks’ notice. It was a weird poker/sports-betting hybrid tournament that even the staff barely understood.

It began as a throwaway idea to cash in on the football, and somehow morphed into a playable product while it was being built. There were glitches and problems, and players only really got involved because they were force-fed free $10 tickets. 

That was fairly typical for a development cycle. Things would always be getting broken and patched, smashed and fixed, dislodged and gaffer-taped, usually in the name of adding bells and whistles.

Perhaps part of the reason they move so quickly is that they have become efficient at fixing things. It’s a great capability to have, but I think it has bred complacency over the development choices they make.

I’ll give credit where it’s due – they are innovating and investing to make the game more enjoyable for recreational players (thus forcing others to do the same). However, these advances should not come at the expense of core game functionality. 

The feature that displays all-in percentages (that the superuser bent to their advantage) doesn’t need to be there. It’s a nice educational thing to have, but it’s dressing. 

If you are tasked with building a high security prison for a supervillain, then you shouldn’t waste time fussing over the curtains because you’d be an idiot to put in windows. You need to take the time to make good decisions and then execute them well.  

The problems don’t stop at maniacal hastiness. Transparency and accountability were also suspect whilst I was part of their UK operation.

I had regular trouble with data that I needed to do my role well. I was repeatedly assured by technical teams that there were no issues, or that monitoring mechanisms were in place to prevent problems, but it simply wasn’t the case. They were poor at acknowledging fault and opaque with explanations. 

It’s for those reasons that I can’t say I’m surprised that they were hit by a superuser. Unless they tighten up their approach to product improvement, then it’s likely to happen again. There is no place for complacency or world’s-biggest-poker-room arrogance.

This scandal won’t be the death of GGPoker, and nor should it be, but people ought to know a bit more about what it’s like at the industry’s leading site. One failure is forgivable, but anyone playing there should be vigilant.

As for every other operator, I hope they see this as a warning shot, and not simply a chance for schadenfreude and a market share grab.

The poker environment literally conditions its denizens to identify and exploit weakness, so know that clever, unscrupulous people will always be probing at the cracks. In a world of increasingly democratised and rapidly improving AI, that is only going to get worse.

For operators, it is impossible to know that your software is always secure, so every site should be monitoring their players’ win rates (and associated play) in real time. That is a big data and policing challenge, but in a world of increasingly democratised and rapidly improving AI, not an insurmountable one. 

That is how both known superusers have been caught so far, and it’s almost certainly how the next one will be discovered. That burden belongs to the sites, not the players.
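One way to implement the win-rate monitoring described above, as an added example (not GGPoker's or any operator's code): a z-score test on each player's per-hand results. The break-even baseline, the 200-hand minimum, the 4.0 threshold and the sample data are assumptions made for this illustration.

```python
import math
from statistics import mean, stdev

def winrate_z(results_bb, baseline=0.0):
    """z-score of the mean per-hand result (in big blinds) against `baseline`."""
    n = len(results_bb)
    se = stdev(results_bb) / math.sqrt(n)      # standard error of the mean
    if se == 0:                                # identical result every hand
        return math.inf if mean(results_bb) > baseline else 0.0
    return (mean(results_bb) - baseline) / se

def flag_players(hands, min_hands=200, z_threshold=4.0):
    """Return {player: (bb_per_100, z)} for statistically implausible winners."""
    flagged = {}
    for player, results in hands.items():
        if len(results) < min_hands:           # too few hands: variance dominates
            continue
        z = winrate_z(results)
        if z >= z_threshold:
            flagged[player] = (round(100 * mean(results), 1), round(z, 1))
    return flagged

# Constructed sample: per-hand net results in big blinds, not real player data.
SAMPLE = {
    "player_a": [6, -5, -1, 2, -3, 1] * 100,   # 600 hands, break-even
    "player_b": [20, 15, 30] * 10,             # 30 hot hands, sample too small
    "player_c": [8, 3, -1, 12, 5, -2] * 100,   # 600 hands, wins far more than it loses
}

if __name__ == "__main__":
    for player, (bb100, z) in flag_players(SAMPLE).items():
        print(f"review {player}: {bb100} bb/100, z={z}")
```

A flag here is a prompt for human review of the associated hand histories, not proof of cheating; the minimum-hands guard keeps a short lucky run such as player_b from raising an alert.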

4 thoughts on “The Superusual Subjects”

    1. Great link, cheers Mick! I remember the name, and it did come up in my search, but so did others and it wasn’t clear which one was correct. I’m glad I got the key details right, but I didn’t realise how fundamentally poor the PlanetPoker algorithm was in the first place. I don’t want to denigrate Cigital’s achievement, but their accomplishment wasn’t as impressive as I thought.


  1. FWIW (not that it has any impact on your conclusions) my memory of the Planet Poker scandal is that once the flop had already been dealt, the flaw could be exploited to see the other cards previously dealt, i.e. all the opponents’ hole cards. They could not see the future cards (turn and river). And yes, it was a white-hat operation that nobody initially exploited. It was reported to Planet management who shut down the site and fixed it. But the reputational damage was done.

    There is a story of another site that licensed the Planet software, Highlands Poker, which was endorsed by Doyle Brunson. Doyle thought something was fishy, and he and Chip Reese sussed it out.

    https://www.stevebadger.com/poker-boom/cheater/

    Interesting post, as usual.


    1. Hi Scott, Josem’s link explains the flaw(s) in some detail. Basically PP only had a very limited number of shuffles, and you could work out what they were because the RNG inputs were predictable. From just a few cards you could triangulate which shuffle was in play, then work out the position of every other card. It was a staggeringly poor piece of coding!

      I wasn’t aware of the Highlands Poker superuser, that counts as a full three incidents!
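The flaw described in this thread, reduced to a toy and shown beside the hardened shuffle; this is an added example, not code from the post, its commenters or PlanetPoker. Python's Mersenne Twister, the millisecond-clock seed, the 10-second window and the heads-up deal positions are all assumptions standing in for the "predictable RNG inputs" mentioned above.

```python
import random
import secrets

RANKS, SUITS = "23456789TJQKA", "cdhs"
DECK = [r + s for s in SUITS for r in RANKS]       # 52 cards

def weak_shuffle(seed):
    """Deck order is a pure function of a small, guessable seed (toy model)."""
    deck = DECK.copy()
    random.Random(seed).shuffle(deck)
    return deck

def secure_shuffle():
    """Hardened form: shuffle driven by the OS CSPRNG, with no reusable seed."""
    deck = DECK.copy()
    secrets.SystemRandom().shuffle(deck)
    return deck

def seeds_consistent_with(seen, window):
    """Audit check: which seeds in `window` reproduce the cards seen so far?
    `seen` maps deck position -> card (own hole cards plus the flop)."""
    hits = []
    for seed in window:
        deck = weak_shuffle(seed)
        if all(deck[pos] == card for pos, card in seen.items()):
            hits.append(seed)
    return hits

def demo():
    true_seed = 43_200_123                         # constructed: server clock in ms
    deck = weak_shuffle(true_seed)
    seen = {p: deck[p] for p in (0, 1, 4, 5, 6)}   # heads-up: own hole cards + flop
    window = range(true_seed - 5_000, true_seed + 5_000)  # clock known to ~5 s
    return seeds_consistent_with(seen, window), deck

if __name__ == "__main__":
    hits, deck = demo()
    print(f"{len(hits)} candidate seed(s) of 10,000 match five visible cards")
    print("unseen cards fixed by that seed:", weak_shuffle(hits[0])[2:4])
```

Five visible cards are enough to single out one seed in the window because the seed space is tiny next to the 52! possible deck orders; the CSPRNG version leaves nothing to enumerate.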
