For people who operate online gambling sites, one of their worst nightmares is the thought of somebody being able to crack the site’s random number generator (RNG) and end up having knowledge of exactly what cards, spins, or dice are about to appear. It is bad enough if the hacker ends up cheating the house out of money, but the worst case scenario is if the hacker also takes money from other players. In a recent revelation, Bitcoin gaming site Primedice revealed that it was the victim of such a violation, losing about $1 million in the process.
The story was told on the website Medium.com by someone named Stunna who appears to be high up in the Primedice organization. Primedice is not an online poker room or elaborate online casino. It instead offers a simple random number game, allowing people to bet on what is essentially a virtual dice roll. After depositing Bitcoins, players can choose a bet amount and either the corresponding amount to win or the win probability (the latter two options are directly related – the higher the win probability, the lower the amount that can be won). Once that is set, the player clicks a button to start the “roll,” upon which the site’s RNG spits out a number from zero to 100, extended to several decimal places. If the number is below the selected win probability, the player wins (for example, if the probability is 90 percent, the number must be below 90). That’s it. The site gives the option to automatically re-roll after a win, a loss, or both, as well as the ability automatically change the bet amount on said re-roll.
In August 2014, Stunna said, Primedice had just launched its third version after a hasty closed beta. Immediately after launch, two players, named Kane and Nappa, aroused the suspicion of Primedice management. The former cashed out automatically, while the latter kept winning and winning. Nappa’s bets were reviewed, but no wrongdoing was found, so the site let him cash out.
In September 2014, the person controlling those two accounts returned under the name Hufflepuff (Primedice may not have realized all the accounts were linked at the time, but definitely figured it out eventually). Hufflepuff put all of Primedice’s other customers to shame, betting $8,000 worth of Bitcoins per second and actually winning. Primedice continually held Hufflepuff’s winnings in order to investigate, but still couldn’t find any evidence of wrongdoing, so it had to let him cash out.
Two days after Hufflepuff’s final cash out, Primedice figured out what happened. Primedice’s RNG combines an encrypted random value from its side (server seed) with one from the player’s side (client seed) to come up with the result of the “dice roll.” The system then shows the player the server seed as a way to prove that nothing was rigged. That seed is, of course, thrown out and a new one is created for the next roll. But Hufflepuff figured out how to break the game:
Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed. This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second. The result of this is that he knew all the information required to corroborate the outcomes of his bets. He knew whether if he would win or lose, and could wager accordingly.
By the time Primedice figured out what was going on, it was too late. Hufflepuff/Kane/Nappa had made off with over 2,400 Bitcoins, the equivalent of about $1 million at the time. The company was actually able to contact him via an internet message forum and demanded the money back, but he retaliated by creating another account and stealing more money; Primedice hadn’t fixed the hole properly. The hacker then sent a message to Primedice threatening to take even more money if the site didn’t leave him alone.
Primedice has published as much information as possible about the thief in hopes that anyone might be able to help track him down and recover the site’s money. Primedice has offered an unspecified reward for information that leads to the return of its Bitcoins.