Russian Team Targets U.S. Slot Machines

In a long-running but publicly unknown scam, a team of Russian criminals have been swindling slot machines around the world in a con worthy of Ocean’s 11. Rather than the online casino scams you might expect from expert Russian hackers, this organization has spent years reverse engineering the algorithms of physical slot machines.

Wired explains how organized slot crimes like these got off the ground when Russia outlawed most gambling in 2009. Casino owners were forced to sell their inventory, including slot machines, to any buyers who would take them, in some cases counterfeiters or other criminals. One organization, based in St. Petersburg, has apparently spent years playing on these old machines and deconstructing their hardware in order to study their algorithms.

While slots do depend on highly complex algorithms that are, at least in the U.S., subject to serious vetting by gaming officials, these algorithms are not truly random. Authentic random number generation can only be created by natural phenomena; instead slot machines rely on PRNG or pseudorandom number generators. These codes work by running a “seed” number through a mill of inputs pulled from things like a machine’s internal clock. This generates a random sequence that’s complex enough to place in casinos worldwide, but not totally impossible to solve.

The St. Petersburg team was able to reverse engineer these PRNG algorithms. However, they would still need to observe the game play of the real machines they were planning to swindle before they would be able to predict wins. While knowing the underlying algorithm is a necessary step, the seed patterns don’t run the same way at the same time in all places. The hackers would need a way to observe the machine’s game play and analyze it against the known algorithm in order to accurately predict wins.

Perhaps unsurprisingly for a team dedicated enough to spend years reverse engineering code, the Russians found a workaround for this problem. They would send three or four team members into a casino and have them play a few rounds of slots on various machines that matched the model of their own hacked machine (an older but not uncommon Aristocrat make called Mark VI). The on-the-ground team members would record video clips of the game play with their smart phones, then upload the footage to an analysis team back in St. Petersburg. Once the analysts cracked the code, the on-the-ground team member would return to the machine and, by receiving specially timed phone vibrations, be able to hit spin at just the right moment to garner a large payout.

It isn’t a foolproof system—not every spin is a win, and the system isn’t designed for capturing jackpots. It’s very imperfection is part of what makes this kind of scam hard to catch, though. Team members would walk away from a machine after winning a cool thousand or so, diverting overt suspicion. Played out over multiple machines by multiple players over several days, however, the team could get away with upwards of $250,000 per week.

Only a few members of the St. Petersburg team have been arrested thus far. Because the scam depends on the player’s’ ability to game a complex algorithm rather than an inherent bug in the software, slots vendors and casino owners have no real recourse to stop the con. Their only option is to replace the affected games with new models, but at such a high cost that most casinos have accepted taking the loss from the scammers instead.