
Thread: Fraudster stole up to $10,000 each from poker pros, likely due to a legalized betting payment processor breach. I was one of the victims.

  1. #1
    Owner Dan Druff

    Fraudster stole up to $10,000 each from poker pros, likely due to a legalized betting payment processor breach. I was one of the victims.

    (Updated 11/16/22 at 12:40am)

    On October 20, an account was quietly created in my name on legalized sportsbook BetMGM West Virginia. I never had an account on any BetMGM site, and in fact I have never set foot in West Virginia in my life.

    The fraudster creating my account had a lot of information about me. He had my full name, my address, and at least the last 4 of my social security number. Using this information, he deposited $10,000, which came right out of my bank account.

    The perpetrator was likely not in West Virginia. He could not place any bets, but that didn't matter. Gambling wasn't his plan. On the same day he created my account and deposited, he hit the cashout button. He did a cashout of $7500, to a Venmo Debit Mastercard, created specifically for this purchase. The debit card was connected to a phony Venmo account, also made in my name. I already had an existing Venmo account, but this wasn't affected. This was a brand new Venmo, also in my name, created just for the purpose of getting the stolen money out.

    Once processed, the fraudster then transferred the money out to another Venmo account in another name, which is how he made off with the money.

    But what happened here? How did the scammer get all of my information, why was I targeted, and how did he know I had $10,000 in that particular bank account to steal? And how did he do all of this so quickly -- all on October 20th? (The last $2500 was withdrawn in similar fashion, on November 4.)

    It turned out I wasn't the only victim. And it turns out that known poker pros are the ones being targeted.

    Read on...

     
    Comments
      
      Crowe Diddly: instant classic thread rep

  2. #2
    Master of Props Daly
    I'll say this…. Of all the poker pros in the world he could have targeted….. he picked the wrong one.

     
    Comments
      
      Sheesfaced: lol!
      
      Entropy: Note to Venmo: Be thankful if you can settle for 50k w Druff. The other institutions better look the fuck out.

  3. #3
    Owner Dan Druff
    I have been quietly investigating this behind the scenes. Until today, I did not make it public, because I hadn't seen any information on Twitter that this had occurred to other poker pros, and I wasn't sure if it was aimed solely at me, or if it was part of a pattern victimizing multiple people.

    That all changed today when Joseph Cheong, a prominent Vegas poker pro, tweeted the following:

    https://twitter.com/subiime/status/1592597068484587521


    Since then, various poker pros have come forward that they have been hit by this exact same theft. In addition to myself and Joseph, other victims include Kyna England, Sam Panzsica, David Bach, and several others. It is likely there are a lot more victims who have not come forward yet. I am still collecting names of victims and attempting to get in contact with them. If you were a victim, please DM me on Twitter @ToddWitteles, or text me at (775) 372-8355.




    How Does the Perpetrator Steal the Money?

    This is a deposit/cashout scam, which is a combination of bank account fraud and identity theft. The perpetrator has extensive knowledge of electronic payment systems, and has engineered a way to impersonate poker pros, set up phony accounts in their name, and utilize those accounts to steal money.

    The scammer has access to certain items of personal information of the victim: Full name, address, last 4 digits of the social security number, and date of birth. The scammer might also have access to a history of that bank account being used on other legalized online gambling platforms, so they might know who to target and for how much. More on that later.

    The scammer then sets up a new account on a legalized betting service, usually in a jurisdiction where the player is unlikely to have an account. Since my address is in California, he set up fake accounts for me at three east coast online sports books, starting with BetMGM West Virginia. For some people outside of California, he set up accounts on the cashless casino system at Viejas Casino, which is located near San Diego.

    The fraudster then makes a deposit from the victim's bank account. He does not need the victim's bank account number. A payment service called "VIP Preferred", offered by Global Payments Gaming Solutions, allows the scammer to access previously used bank account information, provided the victim has used eChecks in the past on one of many legalized gambling sites. He uses the bank account which was used previously to deposit to these sites, which was saved and held by the payment processor. The deposit is usually correlated to the limits on the account, which are set by the payment processor. If the person has high limits, the fraudster hits them for $10,000 or thereabouts. If the account has lower limits, he hits it for less. Sometimes a "test" transaction is made, in order to see if the account works at all. The bank account theft is done via an eCheck system, which is available on nearly all legalized gambling platforms.

    On the same day, the fraudster creates a new Venmo account in the victim's name, and establishes a Venmo Debit Mastercard with that account. If the victim already has a Venmo account, that existing account is not affected. This is a brand new account which is created specifically to receive the stolen money. The fraudster then initiates a withdrawal from the gambling account, and enters the debit card's account number to receive the funds. When the funds transfer to the debit card, the fraudster then has it in the fake Venmo account. He then sends the funds to other Venmo accounts (not in the victim's name), in order to get the money off.

    Sometimes multiple gambling accounts are created by the fraudster, for each victim. This is done to circumvent deposit/withdrawal limits. For example, I had two BetMGM accounts and one other sportsbetting account created in my name, in three different east coast states. However, I was able to shut down the latter two before any further damage could be done.




    But how does this work? How does the scammer get all of this done so quickly, and why aren't sites like BetMGM doing more to ensure that the person making these large transactions is legitimate? And how is the scammer getting all of this sensitive personal info?

    Read on...

  4. #4
    Plutonium Sanlmar
    You fucked with the wrong Marine

     
    Comments
      
      Sheesfaced:

  5. #5
    Owner Dan Druff
    A Treasure Trove of Identity Info

    Online gamblers want to deposit and bet quickly, but how do they do this? How can legalized online gambling sites allow large deposits for new accounts, and be sure that the person creating the account is really who they claim to be? How can they be sure that the new gambler has the funds to cover their large eCheck deposits?

    The gambling sites themselves do not get involved in such matters. Instead, they farm it out to a payment processor, which takes the burden upon themselves to perform such verifications.

    When you want to deposit for the first time to a legalized online gambling account, the processor asks for a LOT of personal information, which they use to quickly look into your background. This includes a possible credit check. They will also sometimes ask you identity-establishing questions, such as requiring you to take a multiple choice "test" regarding past addresses you were associated with, people who have lived with you, places you've worked, etc. Once you pass the identity test, they will use the information they researched about you to determine the highest amount of money you are allowed to deposit via eCheck, and you are good to go. Sometimes this is done by a human being, and sometimes it's done by an automated system. The processor also might quietly enlist the help of third party companies specializing in fraud prevention.

    Once all of this is established for the first time, depositing is a lot more painless. They've already done all of the vetting, so the eCheck deposit goes through quickly and without any further concern. You will see it draw from your bank account a few days later. You're essentially given a certain level of trust, based upon your credit and history.

    While all of this sounds fine on the surface, unfortunately it opens the door for a lot of potential fraud. That appears to be what has happened here.

    Remember, since the stringent verification is only done the first time around, this opens the door for scammers to impersonate you and use the fact that you already passed verification in order to steal from you.

    Read on...

  6. #6
    Owner Dan Druff
    Introducing Global Payments Gaming Solutions

    You may not have heard of Global Payments Gaming Solutions before, but if you have deposited to a legalized online gambling site before, you have likely used them without realizing it.

    Global Payments does the processing for most legalized online gambling sites in the US. When you deposit to WSOP.com online, it might feel like WSOP is processing the payment, but they're not. It's being done by Global Payments. Same with BetMGM. Same with many other US online gambling entities. It is made to feel seamless, as if you're depositing with BetMGM or Caesars, but in reality it is Global Payments doing the work. In fact, your bank statement shows the name of the gambling site/app, not Global Payments.

    The fact that Global Payments is used so widely is actually a huge problem. This allows anyone who has successfully deposited large money processed by Global Payments to easily deposit again, without the same level of identity checking as done the first time!

    For example, let's say you have deposited $4,000 in the past to WSOP.com, via eCheck, and it was processed by Global Payments. If you make a new account on BetMGM, which is not related to WSOP.com, Global Payments will again process your deposit there. Rather than having to go through a rigorous check when you deposit on BetMGM, Global Payments will see you already passed that check, and if your personal information (name, social security number, date of birth, address) matches their records, they process the payment quickly without further scrutiny!

    This allows a fraudster with access to such personal information to create new accounts on other legalized gambling systems which utilize Global Payments, and easily steal directly from your bank account you previously used with them!


    This is exactly what happened to me. I last deposited to WSOP.com back in June 2022, while I was in Vegas for the WSOP. Since I am a middle-high stakes player, I deposited a few thousand dollars. I used an eCheck.

    The fraudster created a phony account on BetMGM West Virginia on October 20, using my personal information he obtained (likely from Global Payments somehow), and used it to deposit $10,000 into the fake account. Note that the scammer only needed my name, address, date of birth, and last four digits of my social security number in order to commit this theft! The bank information was already stored at Global Payments, and made fully accessible to the scammer with his fairly basic information! The deposit went through quickly because I had a good history through Global Payments in the past, and they trusted me to be good for the $10k. This also allowed the scammer to make a same-day withdrawal to a different account (the Venmo debit card), without Global Payments finding it was suspicious.

    If you have deposited to any real money, legalized US gambling site in the past, using eChecks, you are vulnerable to this exact same theft. It is more likely you will be victimized if you are a known name in poker.

    This is a huge problem, and Global Payments has a lot to answer here. I do not have proof of their system being at the center of this, but all known breaches have Global Payments as the common denominator, and indeed the bank accounts victimized were the ones Global Payments processed in the past, from what I've seen.

    It appears that the fraudster has been using BetMGM, Borgata New Jersey (related to BetMGM), and Viejas Casino cashless gambling in San Diego, as vehicles to commit this fraud. There may be others. I am still looking into it. It appears that the fraudster is doing this all from the comfort of his own home, without having to travel to these locations.

    But what can you do to see if you're a victim? And how can you avoid this occurring if it hasn't happened yet? And do BetMGM and the others have any culpability here in their failure to prevent their system being used this way? And how is the scammer traversing so many states around the country to do this?

    Read on...
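
The deposit/cashout pattern described in the posts above (new account, eCheck deposit, no betting, same-day withdrawal to a different instrument, account in a state other than the customer's address), written as a review rule a processor or operator could run. This is an added example, not part of the original posts; the event layout, the 24-hour window and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. Tuple layout (hypothetical):
# (account, identity, kind, timestamp, amount, instrument, account_state, home_state)
EVENTS = [
    ("A1", "id-1", "created",    "2022-10-20T09:00", 0,     None,            "WV", "CA"),
    ("A1", "id-1", "deposit",    "2022-10-20T09:05", 10000, "echeck:bank-1", "WV", "CA"),
    ("A1", "id-1", "withdrawal", "2022-10-20T15:30", 7500,  "debit:card-9",  "WV", "CA"),
    ("A3", "id-1", "created",    "2022-10-21T08:00", 0,     None,            "NJ", "CA"),
    ("A2", "id-2", "created",    "2022-06-01T10:00", 0,     None,            "NV", "NV"),
    ("A2", "id-2", "deposit",    "2022-06-01T10:10", 4000,  "echeck:bank-2", "NV", "NV"),
    ("A2", "id-2", "wager",      "2022-06-01T11:00", 500,   None,            "NV", "NV"),
    ("A2", "id-2", "withdrawal", "2022-06-05T12:00", 3000,  "echeck:bank-2", "NV", "NV"),
]

WINDOW = timedelta(hours=24)  # assumed threshold for "same day"


def review_reasons(events, window=WINDOW):
    """Map account -> reasons, for accounts matching the deposit/cashout pattern."""
    by_acct, states = defaultdict(list), defaultdict(set)
    for acct, ident, kind, ts, amount, instr, acct_state, home_state in events:
        by_acct[acct].append({"ident": ident, "kind": kind, "amount": amount,
                              "ts": datetime.fromisoformat(ts), "instr": instr,
                              "acct_state": acct_state, "home_state": home_state})
        states[ident].add(acct_state)  # jurisdictions seen per identity

    flagged = {}
    for acct, rows in by_acct.items():
        created = min((r["ts"] for r in rows if r["kind"] == "created"), default=None)
        deposits = [r for r in rows
                    if r["kind"] == "deposit" and r["instr"].startswith("echeck:")]
        wagers = [r["ts"] for r in rows if r["kind"] == "wager"]
        for wd in (r for r in rows if r["kind"] == "withdrawal"):
            for dep in deposits:
                in_window = timedelta(0) <= wd["ts"] - dep["ts"] <= window
                played = any(dep["ts"] <= w <= wd["ts"] for w in wagers)
                # Core rule: quick cashout, no play, money leaves by a new route.
                if not in_window or played or wd["instr"] == dep["instr"]:
                    continue
                reasons = ["eCheck deposit withdrawn within window to a "
                           "different instrument with no wagers"]
                # Supporting signals taken from the thread's description.
                if created is not None and dep["ts"] - created <= window:
                    reasons.append("deposit on a newly created account")
                if dep["acct_state"] != dep["home_state"]:
                    reasons.append("account state differs from address state")
                if len(states[dep["ident"]]) > 1:
                    reasons.append("identity has accounts in multiple states")
                flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for account, why in review_reasons(EVENTS).items():
        print(account, why)
```
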

  7. #7
    Diamond Sloppy Joe
    (Sorry for the hassle, hope it's resolved soon)
    PokerFraudAlert...will never censor your claims, even if they're against one of our sponsors. In addition to providing you an open forum to report fraud within the poker community, we will also analyze your claims with a clear head and unbiased point of view. And, of course, the accused will always have the floor to defend themselves. -Dan Druff

  8. #8
    Owner Dan Druff
    Are You Vulnerable?

    Before I go on with more details regarding the scam, I'm sure you're wondering if you might be vulnerable here. After all, you're probably a poker player or gambler yourself, and you might have gambled on a legalized online betting platform over the last several years.

    It appears that this scam is being primarily targeted against known poker pros. If you are not at least a semi-known poker player, the chance of you being a victim is much smaller. It appears that the fraudster was specifically looking for names to target -- ones he assumed had previously utilized deposits processed by Global Payments -- and went from there. I have concluded this because one of the known poker pros was only targeted for $50, and this was after they had only deposited $250 back in 2020. Clearly they were not targeted for a past $250 deposit, so it is likely they were targeted by name, and the $50 was probably some sort of test. I have not yet received any reports from complete unknowns in poker being victims. However, that might change, and I will update you over time.

    Interestingly, it appears I might have been one of the first victims -- or perhaps the first. All victims I've spoken to were hit in November, many in the past week. The $10k stolen from me occurred on October 20th, predating all other known victims by almost two weeks. Unfortunately, this might mean the perpetrator is someone who reads my site or listens to my radio show, and figured I would be a good first target. If you were victimized before October 20th, please let me know, as that might be a clue.

    Every single person victimized, to my knowledge, had the money stolen from the bank account they used for past eCheck deposits on legalized gambling sites. This is very significant. If you never did eCheck deposits (where the money is directly drawn from your bank account) via legalized online gambling sites, there is a high chance you will not be affected by this.

    To my knowledge, there have been no victims who exclusively used credit cards, PayPal, or cash-at-the-cage deposit methods. Again, as I talk to more people, this might change, but this is what I am seeing so far, and it remains consistent with my theory regarding how all of this occurred.




    Prevention of Future Fraud

    Here is what you can do to keep from being a future victim of this scammer, even if you haven't been hit yet.

    1) For now, do not use eChecks or bank accounts to deposit to any online gambling site.

    2) Identify the bank accounts you used in the past to deposit to WSOP.com or other legalized online gambling sites. Close them, and start a new bank account instead, with a new number. You might want to do this, even if not victimized yet, especially if you are a known name in poker. Do NOT link the two accounts in any way, and do NOT attach the closure to the new account. For example, you should NOT tell the bank, "I'm afraid this was compromised, I want to close the account and open a new one", or they might forward future fraud transactions to the new account! Instead, simply open a new account, then transfer the money over, then close the other one. Do not worry about other accounts at banks not previously used for these eChecks, and do not worry about other accounts at the same bank. It is likely only the specific account(s) used for past eChecks are vulnerable!

    3) If you were victimized, go online to the three credit bureaus and put a hold on new accounts being created in your name. This will protect you from the fraudster creating new bank accounts or new credit cards with the information he has. If you were not victimized yet, it's not as important to do this, but you might want to anyway. Here is an article regarding how to accomplish these credit locks.

    4) If you were victimized, contact Venmo, and ask if a phony account was created in your name. If so, have them close it. This account would have been created in October or November of 2022. Venmo's phone number is (855) 812-4430. Do not worry about your existing Venmo account, if you have one, as this was unlikely to have been affected. It is possible some of your stolen money might still be there, as Venmo's bot has auto-locked some of these fraudulent accounts for suspicious activity.

    5) If you were victimized, contact your bank, and ask for the money back. After an investigation which might run as long as 3-4 weeks, you will probably get the money returned. Also call local law enforcement and make a report. Do not bother with the FBI's IC3 site, as it is unlikely they will take action, since they will lump it in with Nigerian type scams they see all the time.

    You probably do not need to bother to change your passwords anywhere. This does not appear to be a breach of any existing online banking accounts you hold at financial institutions. If you will feel better changing your passwords, go right ahead, but I don't see it necessary at this point.




    But how was this scammer signing up so many accounts in so many different states? And why was BetMGM's security so lax to allow this to happen? I'll explain this in the upcoming posts.

    Read on...

  9. #9
    Diamond BCR
    Who was the scammer from WV way back in the old days? I want to say Stevebets?

    Edit-stevebets was another dude. I just remember a prolific poker scammer from way back who, I think, occasionally would pop up on NWP
    Last edited by BCR; 11-15-2022 at 05:41 PM.
