Miami-Dade County

Russian hackers beat system for big payouts. And casinos can’t do a thing about it.

Aristocrat slot machines at the Magic City Casino in Miami. These, however, are not the models targeted by Russian hackers.

If you see a guy wandering the aisles of South Florida’s casinos, pointing his cellphone at the slot machines, don’t bother offering to help him snap a selfie. Rather than a hopelessly inept tourist, he’s more likely a cheater, using his phone to exploit a security gap that, by some estimates, has cost American casinos millions of dollars in slot-machine losses.

The scheme to rip off the slot machines was devised by everybody’s favorite villain of the moment, Russian hackers — including, allegedly, one from Hallandale — who obtained a used machine and reverse-engineered it to figure out the mathematics behind its computerized jackpots.

Then they sent players into American casinos and used cellphones to alert them to the exact instant they should hit the “spin” button on the slot machine to win.

The result: What security experts say is the most lucrative cheating scheme ever devised against the $70 billion-plus slot machine industry, and one that may prove very difficult to stop.

“This is a major concern,” said John Grochowski, author of seven books on gambling, including one on slot machines. “The tradition of cheating on slots goes way, way back. The manufacturers and casino owners do all they can to promote security, and the computer machines are not as vulnerable as the old mechanical machines.

“But if people get hold of a slot machine’s internal workings, stuff happens.”

Though the slot-machine hacking ring was uncovered in 2014, when the FBI arrested four Russians and charged them with cheating at casinos in Missouri, California and Illinois, details of their scheme only began leaking out this spring, at gambling industry security conferences around the country.

Paradoxically, the cheating had its roots in Vladimir Putin’s 2009 decision to eradicate casinos in Russia. That left the owners with thousands of useless slot machines, which they began peddling dirt-cheap to anybody who asked. Inevitably, some of them fell into the hands of gangsters who pulled them open to see if there was a way to beat them.

Computer chips and video monitors have replaced the mechanical gears and little glass windows of old, but slot machines still play much the way they always have: A gambler hits the spin button, then watches an array of numbers and symbols spin across the screen. Where they come to rest — just like the row of three cherries in the old days — determines a jackpot, and how much.

The big difference is that the cherries and oranges are no longer printed on little wooden reels. They’re video images generated randomly by computer chips — or almost randomly, which is the catch.

“Computers are not really random,” said John Robison, author of “The Slot Expert's Guide to Playing Slots.” “When you ask a computer to add two plus two, you want the answer to always be four, not three or five. Computers don’t do ‘random’ at all.”

Instead, they use something called a pseudorandom number generator that starts with a small collection of digits — in the early days of computers, it was often something as simple as the time and the date — and manipulates them into seemingly endless sequences of numbers so long that they appear to be random, but aren’t.

“The reason we call them ‘pseudo’ is that if you look at the stream of numbers they generate, they satisfy many of the qualities of randomness,” explained Robison. “But in the end, there are always patterns. It may be two billion times before the pattern repeats, but it’s going to repeat.”
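The properties Robison describes, shown as an added example that is not part of the original article: a seeded generator replays the same stream, its stream eventually repeats, and a generator backed by operating-system entropy has no seed to replay. The 16-bit generator and its constants are toy assumptions chosen so the period can be counted, not the algorithm of any slot machine.

```python
import secrets

# Toy 16-bit linear congruential generator. The constants are illustrative
# assumptions, not the algorithm of any real slot machine.
M = 2 ** 16
A = 25173
C = 13849

def lcg_next(state):
    """Advance the generator one step; the output is the new state."""
    return (A * state + C) % M

def stream(seed, n):
    """Return the first n outputs produced from a given seed."""
    out, state = [], seed % M
    for _ in range(n):
        state = lcg_next(state)
        out.append(state)
    return out

def period(seed):
    """Count steps until the state returns to the seed (the stream then repeats)."""
    start = seed % M
    state, steps = lcg_next(start), 1
    while state != start:
        state, steps = lcg_next(state), steps + 1
    return steps

def seed_from_clock(timestamp):
    """Old-style seeding: whole seconds of wall-clock time."""
    return int(timestamp) % M

def csprng_stream(n):
    """Draw from the OS entropy pool; there is no seed to replay."""
    return [secrets.randbelow(M) for _ in range(n)]

if __name__ == "__main__":
    print("same seed, same stream:", stream(42, 5) == stream(42, 5))
    print("period:", period(42))
    # Constructed timestamps: two power-ons within the same second.
    print("shared clock seed:",
          seed_from_clock(1493596800.2) == seed_from_clock(1493596800.9))
    print("CSPRNG sample:", csprng_stream(5))
```

The design lesson for anything where outputs carry value is to draw from a cryptographically secure source such as `secrets` rather than a small-state seeded generator.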

After crunching a lot of numbers, the Russians came up with a computer program to spot those patterns and break into them at the most favorable spots. (The slot machines’ computer chips continuously generate their stream of numbers, whether or not the reels are spinning, so the key to success is to spin just before a winning combination is on the way.) And they devised an ingenious system to link their computers in St. Petersburg with their foot soldiers in American casinos. A Russian gambler would play a slot machine about two dozen times, transmitting the results back to St. Petersburg for analysis. Soon St. Petersburg would start replying via a specially designed phone app that would buzz the gambler’s cellphone a quarter of a second before he should hit the slot machine’s spin button.

“It’s as if the gambler had a little genie sitting on his shoulder saying, ‘Not yet... not yet... not yet... NOW!’” said Robison. “It didn’t always work. The gambler might hit the button an instant too quickly, or not quickly enough. If you’re off just a little bit, you could miss the opportunity. But it worked often enough to make them a lot of money.”

In hopes of staying under the casinos’ security radar, the Russian gamblers generally limited themselves to winnings of around $1,000 before moving on to another machine. Even so, casinos know exactly what percentage of the money that goes into slot machines is supposed to be paid back out (in the United States, it’s usually about 95 percent) and eventually their bookkeepers smelled a financial rat.

The first apparent examples of cheating were reported in 2011 in Europe, where some slot machines made by the Austrian manufacturer Novomatic started dispensing jackpots with suspicious regularity. But nobody understood exactly why it was happening until 2014, when Missouri’s state Gaming Commission noticed a similarly generous series of payouts by a line of slot machines called the Mark VI manufactured by the Australian company Aristocrat.

Reviewing security tapes, Missouri casinos soon spotted an odd phenomenon: Men playing the Mark VI slots while holding their cellphones close to the machines. The FBI was able to identify one of them and follow him, leading to more conspirators. On Dec. 10, 2014, the bureau arrested three men from Moscow: Murat Bliev, then 36; Igor Lavrenov, 28, and Ivan Gudalov, 32.

The fourth man arrested, Yevgeniy Nazarov, 38, lived in Hallandale with his wife and two children. Born in Kazakhstan, according to court papers, he became a legal U.S. resident in 2012 but had been in Russia less than a month before his arrest. Nazarov’s wife told the FBI he was a driver for a South Florida tour-guide service and had traveled to Russia to firm up plans for opening his own tourist company. (Two of the other men, Gudalov and Lavrenov, had flown from Moscow to Miami at about the same time Nazarov did, according to the FBI.)

The three Moscow men eventually agreed to plea bargains of two years in prison apiece. The charges against Nazarov, however, were dismissed, and even before that, his bail was set at $25,000, a startlingly low amount for a defendant who just weeks before his arrest had visited a country that has no extradition treaty with the United States.

Nazarov’s whereabouts these days are a mystery. Broward County court records show that his landlord filed suit to evict him from his rental unit in a high-rise South Ocean Drive condo building in Hallandale in December. The building’s managers say he left “a couple of months ago” and they don’t know where he went. The Justice Department declines to answer questions about Nazarov, but a spokesman for Aristocrat said that he turned informant on the cheating ring and "continues to assist the FBI with their investigations."

The investigation continues because the cheating does, too. Recent arrests of Russian slot-machine hackers in Singapore and Peru seem to confirm the suspicion of industry security experts that the FBI took down only a tiny part of the operation.

Update, May 1, 2017: 

A spokesman for Aristocrat who contacted the Miami Herald after this story was published said the company's slot machines were built to legal specifications and are no more vulnerable to cheating than anybody else's.

"All Aristocrat products are built to and approved against rigid regulatory technical standards," the spokesman said. "These standards include strict adherence to all aspects affecting the security and integrity of our games. There is no suggestion that our products fail to meet these standards in any way.

"In fact, despite extensive testing and investigation, neither Aristocrat nor the relevant authorities have been able to identify defects in the targeted games, or any of our software or hardware, that would make them more susceptible to unlawful activity or would make this type of security breach more possible than any other products."

The apparent participation of a South Florida man in a massive international gambling conspiracy raises an obvious question: Did the cheaters hit Florida’s casinos? The answer is, if so, they weren’t caught.

“We have not seen slot machines being hacked or electronically manipulated in Florida, going back to when the first slots were up and running,” said Stephen Lawson, a spokesman for the state Department of Business and Professional Regulation, which regulates casinos. “We haven’t recorded a single case of that.”

But it may also be true that nobody in Florida has been watching for the Russian hackers. Lawson said he hadn’t heard about the case until a Miami Herald reporter asked him about it. Neither had Alex Havenick, co-founder and vice president of Miami’s Magic City Casino. “That’s a little surprising, because we always have our ear to the ground for that sort of thing,” Havenick said. “And we have slot machines made by Aristocrat — all Florida casinos do.”

Havenick nonetheless doubts the Russians did any of their dirty work against his 800 or so slots, which are the heavy financial hitters of a place that can’t offer table games like blackjack because of Florida law on racetrack casinos.

“Everyone is out to protect their slots,” Havenick said. “If we saw a guy taking pictures of a slot machine with his phone, we’d probably have said, ‘That’s weird,’ and asked him to leave. It’s actually not that hypothetical. We’ve had competitors come and look around at what we’re doing — one had his phone out and was taking pictures, and we asked him to go.

“When stuff happens that’s out of place, we usually go and investigate what’s going on.”

Still, the chink in the security armor of slot machines — that pseudorandom number generator — remains vulnerable to attack by anybody with the patience and computing power to attack it. “Aristocrat is a major slot manufacturer — the third largest in America — and there are thousands and thousands of its machines out in the field,” said Grochowski. “Almost every casino has them. What percentage are vulnerable I’m not sure, but even if it’s small, you’re potentially talking about a lot of money.”

Attempts by the Miami Herald to reach Aristocrat and Novomatic, the two manufacturers whose slots have so far been affected by the Russian cheating, were greeted with silence. Perhaps that’s because there may not be much the manufacturers can do about it. “There’s no way to really fix it,” said Robison. “We can’t put randomness into computers.

“The most effective way to combat the cheating may be for the casinos to increase their vigilance. The behavior you have to exhibit to use this method is very unusual. Sitting there for long periods of time, pointing your cellphone at the machine, waiting to hit the spin button, this is just not the way people play slot machines. It’s pretty easy to spot if you’re looking for it.”

Others, however, note that slot-machine technology has successfully evolved many times over the years. Slots have been under siege by cheaters since about two minutes after they were invented, yet they’ve survived. Shadily inclined gamblers have attached coins to threads so they could be yanked back after triggering the machine’s play. They used a claw-like device known as the monkey’s paw to, well, monkey with the slots’ coin counters, making them overpay. They manipulated the reels with magnets.

The most brazen of all may have been the early 1990s gang-attack on so-called Big Bertha slots — the huge machines usually placed near a casino entrance that play for $1 or more. A crowd would form around the machine while one of the cheaters played. Then a very small woman would pry open the little door at the Big Bertha’s base, climb into the cleaning and inspection space inside, and shut herself in for a couple of hours to physically grab the machine’s reels and stop them in winning combinations.

“The manufacturers are just going to have to find a way to build new security into the games,” said Grochowski. “They had to figure out a way to make the machines not so vulnerable to coins on string, Monkey’s Paws and magnets. And they’ll have to do it for cellphones, too.”

But what might seem like the easiest solution — banning cellphones from casinos — is about as likely as banning wallets.

“These days, if a place — not just a casino, but anyplace — won’t let people have their phones, they’re just not going to go in,” said Havenick. “And that includes me.”
