GGPoker bans player, confiscates funds after discovering exploitation of client-side vulnerability

Published by: Haley Hintze
Posted on: December 29, 2023 1:04 pm EST

GGPoker today published a security update explaining to its players the circumstances under which a user was able to reverse-engineer and alter the site’s desktop client for Windows, then intercept and alter certain gaming-related data packets being sent between players and GGPoker’s game servers to identify profitable betting spots as they occurred.

The extracted data, which was derived from a “Thumbs Up/Thumbs Down” table-reaction feature first implemented in May 2022, was used by the client-cracking player, “MoneyTaker69”, to “deduce” his all-in equity during any given hand. Though the player could not “superuse” or otherwise see his opponents’ hole cards, the exploit allowed him to identify profitable betting situations with a high degree of certainty.

Armed with the indirect knowledge of the odds of winning, MoneyTaker69 was able to post extremely high cash-game win rates over a large data sample, far beyond what should occur in any iteration of an otherwise-fair game. MoneyTaker69 was also able to use the exploit to take down a major tournament with a first-place payday of almost $47,600, in addition to numerous other, smaller wins.

TwoPlusTwo poster shares details of cheater’s win rates

The matter exploded into the poker world’s collective awareness Thursday evening after a brand new TwoPlusTwo forum poster named “GGSuperUser” posted data displaying MoneyTaker69’s excessive win rates throughout December. The poster also declared that GGPoker had “acknowledged the situation privately” and was “preparing to address it,” which was borne out when GGPoker issued its security update on the situation earlier today.

According to GGPoker’s security update, the site confiscated $29,795 in unfair cash-game winnings from the MoneyTaker69 account while banning it from future play. GGPoker also noted that calculations (reconciliation) for MoneyTaker69’s tournament winnings, including the $47,000 score in a GGMasters event, were ongoing. It is likely that much of MoneyTaker69’s illicit winnings had already been taken off the site and that GGPoker will itself make affected tournament players whole.

“We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience,” wrote GGPoker. “We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever.”

GGPoker attempted to block exploit nearly two weeks ago

The exploit worked only on the Windows-powered desktop version of GGPoker’s downloadable client, which MoneyTaker69 reverse-engineered and customized to display the equity-based calculations. In that single way, the exploit was similar to the original “superuser” client as used in the UltimateBet scandal in the late ’00s. In that infamous scandal, programmers within UltimateBet maintained a parallel client including a testing module where all players’ hole cards were displayed, and that client was recompiled with every software update, then distributed to a small group of inside cheaters, including Russ Hamilton.

The exploit-based cheating on GGPoker involved no direct inclusion of hole-card information, according to GGPoker, but the information obtained from the Thumbs Up/Thumbs Down table-reaction feature still offered potent insight and a significantly unfair edge. The feature, little more than a social-gaming trifle, has since been disabled.

In its update, GGPoker stated that the site thought it had plugged the data leak with an emergency client patch pushed out on December 16. To its dismay, however, GGPoker discovered that MoneyTaker69 had also found a way to block the update, leaving his altered version of the client intact and able to be used for cheating. Why MoneyTaker69 wasn’t banned at that moment wasn’t discussed.

How the investigation started also isn’t crystal clear. In its statement, GGPoker declared that it had “recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’.” Whether MoneyTaker69’s excessive win rates were first brought to its attention by concerned players was left unaddressed.

GGPoker concluded its statement by thanking the poker community and players’ “hive minds” in helping bring focus to the issue. That passage sidestepped the ongoing debate over GGPoker’s ban of third-party results tracking, which, despite its other drawbacks, remains the most direct way to identify highly profitable and possibly-cheating accounts. Within hours, the MoneyTaker69 incident re-energized that debate across much of poker’s social-media landscape.