Reports began surfacing Monday that players at the offshore online poker site Americas Cardroom (ACR) had thousands of dollars removed from their accounts.
Initial reports came from Poker Fraud Alert, with one player reporting an incident on March 13. He said someone breached his account and took out almost $9,000. The player reported receiving an email notifying him of a withdrawal that he never authorized.
After attempts at getting help from ACR security were fruitless, the player took to Twitter to detail the situation.
“There may be some potential very shady things (going) on within the site,” the user alleged. “I know anyone I’m tagging in this post doesn’t have anything to do with this situation. I’m just trying to spread the word so this doesn’t happen to others. I personally know that I’m not the only person this has happened to on ACR within the last several months.”
ACR is an offshore site based in Costa Rica that offers online poker and other forms of online gaming to players in the US. However, the site is not regulated in any legal US market.
The player who initially brought the situation to light said he received an email just two to three minutes before the withdrawal. However, the user would have had to click on links in that email to authorize the withdrawal, something he says he didn’t do.
The player reported no one else had logged into his email account and he’d not reset or changed his ACR password.
6) exploitable and easy to override for any knowledgeable hacker.
Support emailed me back and locked my account for a few days for security purposes in order to update my email and then reopened it and had me change my password. (cont)
— GambleGamble (@_WasAllADream) March 22, 2022
The player was frustrated that ACR security only locked his account and had him reset his password. Poker Fraud Alert owner Todd Witteles later reported the player’s account had been credited the $9,000 after the site publicized the breach.
Witteles speculated that the breach may come from someone inside the company.
“I find it highly unlikely that ACR would have credited this guy over $8,800 out of their own pockets if the ‘breach’ had been due to his own inability to keep his account or computer secure!” he noted on the site’s forums. “This looks like security discovered that indeed this was an inside job (‘breaching incident’), so they kicked the guy back his money.”
Others report similar incidents
It isn’t known, however, whether the incident is a result of someone inside the company. After the first incident, Witteles reported receiving reports from other players offering similar tales.
“All of them involve amounts $9,000 to $20,000, with the exception of one bizarre situation where a guy deposited $247 and it was promptly withdrawn and stolen,” he noted. “Oddly they didn’t touch the original $68 he had in the account prior to the deposit.
“All of them have very similar circumstances – no password change, no breach in email, and no sign anything’s wrong. Suddenly a withdrawal is made via Bitcoin, and they’re out the money.”
In some of those cases, the site reimbursed the funds to players’ accounts. Others had yet to receive the funds returned. Witteles posted his concerns to Twitter to let others know about the issues.
I continue to receive multiple reports of ACR accounts being breached, and money withdrawn via Bitcoin. This appears to be an inside job, and is hitting people for mostly $9k-$20k each. Some have been refunded, others not. Get large $ off now to be safe.
RT for awareness
— Todd Witteles (@ToddWitteles) April 5, 2022
Some players responded to Witteles that they’d experienced similar issues. Others reported they’d withdrawn their funds when the accusations surfaced. Some users questioned why the company doesn’t use two-factor authentication for withdrawals.
No comment yet from ACR
ACR emailed USPoker on Wednesday with an update on the situation and stressed that no funds were lost.
“We recently had a handful of accounts that were susceptible to breach due to a credential stuffing attack,” a company representative said. “We’ve patched this vulnerability and zero player balances were lost.”
The company didn’t note whether the breach came from inside or outside the company.
“Something is going on here,” Witteles noted of the site’s latest incident at Poker Fraud Alert. “I don’t believe management is involved. My theory is that one or more rogue employees have a way to get into accounts without having to know the password – or, alternately, can see the passwords somehow.”
This isn’t the first time players have complained of security or game play issues at ACR. In 2020, several players complained of various technical glitches with the cards on the site.
Some couldn’t see river cards while other players weren’t ever dealt cards while in a tournament. Other complaints included:
- Receiving only one card in Texas Hold’em.
- A hand labeled a “misdeal” – a rarity in online poker.
- Incorrect pot splits awarding a losing player in Seven Card Stud Hi/Lo.
- Bots and players with no screen names.
- Tournament suspensions at random.
Legalized online poker in the US
In the US, legalized online poker is currently running in five states including:
- New Jersey
West Virginia and Connecticut have also legalized online poker, but have yet to see any companies enter the market. Many players are hoping that 2022 is the year interstate compacts allow states to join forces for shared liquidity. That would lead to larger player and prize pools.