Poker is a game of incomplete information. Some things are known, some are unknown, and decisions are made by combining what players know with the suppositions they make about the things they can’t know.
In the long run, it’s the players who arrive at sharper suppositions and make better decisions who win the money.
Provided, that is, that the amount of known information is the same for everyone.
As 2023 wound down, GGPoker, an online poker site that is not regulated in any U.S. state but that is offered in more than 50 countries — and as near to the U.S. as the Canadian province of Ontario — found itself embroiled in controversy because of an information imbalance. GGPoker was home to a “superuser” scandal.
On Dec. 28, a poster on the TwoPlusTwo poker forum laid out the details of highly suspicious play by someone using the screen name “Moneytaker69.” The next day, GGPoker released a statement acknowledging that its software had indeed been hacked and that Moneytaker69 was playing with a distinct information advantage.
“GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69,’” the statement read. “Our technical security team investigated the issue, identified a client-side vulnerability, and fixed what caused these unusual circumstances. We have banned the user and confiscated the unfair winnings, equating to $29,795.”
Not quite the hole picture
Based on the information GGPoker has shared, Moneytaker69 did not have access to opponents’ hole cards — the Holy Grail of balance-tipping information for a cheater in peer-to-peer online poker. Rather, the account appears to have gained access to win probabilities at each stage of a hand — percentages that can tell a player whether they’re far ahead, far behind, slightly ahead against a drawing hand, etc.
“Under a specific set of circumstances related to the ‘Thumbs Up/Down Table Reaction’ feature,” GGPoker’s statement explained, “which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector.”
GGPoker learned about the breach nearly two weeks before the poker community caught wind of it, and the site acted — unsuccessfully.
“Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance.
“We have since issued security patches to prevent further client-side data leaks of this kind and have added solutions that will detect and prevent players from customizing the game client to their benefit. We will refund $29,795 to the affected players and also reconcile the payout for the impacted tournaments in the next 24 hours.”
Jack-high strikes again
Here’s one example of a hand played by Moneytaker69 that only makes strategic sense if the player has unfair information access: On a flop of Q-A-7 with two clubs, Moneytaker69 held J-2 offsuit, bet into 5-4 of clubs (a flush draw), and called the opponent’s raise. An offsuit 6 on the turn gave the opponent an open-ended straight draw to go with the flush draw; Moneytaker69 bet, the opponent raised all-in, and Moneytaker69 called.
Moneytaker69 had jack-high, and against any pair — actually, against anything other than a small drawing hand or a pure bluff with small cards — would be a huge underdog and should certainly fold in this spot given the range of realistic possibilities.
It’s only mathematically correct to call here if you have illicit information telling you that you’re a 52/48 favorite to have the best hand after the river card comes out.
(What is it these days with shady-looking “hero calls” with jack-high against drawing hands?)
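An added worked check of the 52/48 figure above (not from the original article or from GGPoker): it enumerates every possible river card for the hand described and counts who wins. The suits are constructed, since the article gives only ranks, and Moneytaker69's J-2 is assumed to contain no club.

```python
from collections import Counter
from itertools import combinations

RANKS = "23456789TJQKA"
# Hand category for each rank-multiplicity pattern (straights/flushes set below).
SHAPE_CAT = {(4, 1): 7, (3, 2): 6, (3, 1, 1): 3, (2, 2, 1): 2,
             (2, 1, 1, 1): 1, (1, 1, 1, 1, 1): 0}

def rank5(cards):
    """Score five cards as (category, tiebreak ranks); larger is stronger."""
    vals = sorted((RANKS.index(c[0]) for c in cards), reverse=True)
    counts = Counter(vals)
    # Ranks ordered by multiplicity, then height, so kickers compare correctly.
    order = sorted(counts, key=lambda v: (counts[v], v), reverse=True)
    shape = tuple(sorted(counts.values(), reverse=True))
    flush = len({c[1] for c in cards}) == 1
    straight = len(counts) == 5 and vals[0] - vals[4] == 4
    if vals == [12, 3, 2, 1, 0]:  # wheel: A-2-3-4-5 plays as five-high
        straight, order = True, [3, 2, 1, 0, -1]
    cat = 8 if straight and flush else 5 if flush else 4 if straight \
        else SHAPE_CAT[shape]
    return cat, order

def best7(cards):
    """Best five-card hand that can be made from seven cards."""
    return max(rank5(c) for c in combinations(cards, 5))

def river_outcomes(hero, villain, board):
    """Count (hero wins, ties, villain wins) over every unseen river card."""
    seen = set(hero + villain + board)
    deck = [r + s for r in RANKS for s in "cdhs" if r + s not in seen]
    tally = [0, 0, 0]
    for river in deck:
        h, v = best7(hero + board + [river]), best7(villain + board + [river])
        tally[0 if h > v else 1 if h == v else 2] += 1
    return tuple(tally)

# Constructed suits: the article gives ranks, "two clubs" on the flop, an
# offsuit 6, and 5-4 of clubs; the J-2 is assumed to contain no club.
HERO, VILLAIN = ["Js", "2d"], ["5c", "4c"]
BOARD = ["Qc", "Ac", "7d", "6h"]
WINS, TIES, LOSSES = river_outcomes(HERO, VILLAIN, BOARD)
HERO_EQUITY = (WINS + TIES / 2) / (WINS + TIES + LOSSES)
```

Under these assumptions jack-high wins on 23 of the 44 possible rivers and loses on 21 (nine clubs, six non-club straight cards, six non-club fives and fours), which is about 52.3%.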
Further breakdowns of Moneytaker69’s play showed the account entering more than half of all hands (53% VPIP, an extraordinarily high number at a full table) but rarely three-betting pre-flop. So Moneytaker69 was seeing lots of flops without committing much money — precisely what any good poker player would do if they were expecting to know where they stand after the flop and turn.
Not the first, not the worst
While this appears to be the most noteworthy “superuser” scandal in online poker since legalization began in the U.S. in 2013 — although, to reiterate, this did not occur on a regulated U.S. site — it’s far from the most notorious case the online poker world has ever seen.
For those who’ve followed poker long enough, the Moneytaker69 news immediately brought back a rush of memories of the scandals at AbsolutePoker and UltimateBet — two unregulated sites on the Cereus Poker Network — during the 2000s online poker boom era.
It is believed that more than 30 people were involved, but the biggest name accused was 1994 World Series of Poker Main Event champion Russ Hamilton — the only Main Event champ whose banner no longer hangs at the WSOP.
Playing under an assortment of screen names on the two sites, the perpetrators were able to play from approximately May 2004 to January 2008 in what was known as “god mode,” having received access to other players’ hole cards in real time.
Whereas Moneytaker69 is alleged to have made off with tens of thousands of dollars of other players’ money, the Cereus Poker Network scam is said to have siphoned in excess of $50 million.
In a relative sense, the GGPoker incident appears to have been smaller scale, for a shorter period of time, with a marginally less invasive information hack. But it is no less troubling to a poker community that cares about the growth and the integrity of the game.
Could the same thing happen at a regulated site?
The GGPoker statement issued last week concluded, “We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience. We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever.
“We would also like to thank the poker community. This incident further proves the power of our community and the poker players’ hive minds, as constructive community feedback gave us great confidence in resolving the issue. We will continue to take community feedback seriously and open our ears to all comments and suggestions. Let’s build a safe future together.”
The apology and forward-thinking ambitions appear well-intentioned, but there remain questions about whether all of the taken money has been or will be returned to the wronged players and why public acknowledgement came on Dec. 29 — after the TwoPlusTwo reveal — rather than around Dec. 16, when GGPoker first acted.
There is also the ongoing question of how common this sort of cheating is at any online poker site. After all, if someone had access to hole cards or win probabilities and used it more judiciously and wasn’t so greedy, they could keep going and never get caught.
Maybe there are people out there right now doing just that.
As far as the poker community knows, nothing like this has been perpetrated at any regulated U.S. site. Maybe there are sophisticated hackers staying under the radar; maybe careful, diligent regulation has prevented such vulnerabilities.
The expansion of online poker legalization has been alarmingly slow — from 2013 through 2023, only New Jersey, Delaware, Nevada, Pennsylvania, and Michigan have legalized and launched, while West Virginia did the former in 2019 and is expected to do the latter in the near future.
Online poker apps will never earn operators and states as much money as online casino apps or even mobile sports betting, but few would have envisioned back in 2013 this level of indifference a decade later.
Certainly, any ongoing perception that online poker games aren’t on the level doesn’t help. Players need to have trust in the software and the sites, and state governments and regulators need to believe they aren’t setting themselves up for scandal.
The unearthing of the GGPoker violation is a reminder of how things can go wrong. Regulated sites in the U.S. can ill afford such a failure.