Yes, it's possible to win money from an online casino. You just need to know where to look.

In 2005, my brother noticed some odd behavior while playing Blackjack on the gambling site ParadisePoker.com. They had just released a new version of their software that allowed players to play Blackjack in addition to their poker offerings, so the new game had just been exposed to the public for a few days.

The Bug

My brother said that whenever the software asked you if you wanted Insurance, there was a noticeable delay before the window popped up when they had a Ten in the hole. When their hole card was not a Ten, there was no delay.

This was a HUGE boon to the player!

If this were true, that means that you could make a perfect Insurance bet every time and basically turn a loss into a push whenever the dealer had an Ace showing with a 10 in the hole. In a hand like this, you would usually lose your initial bet. A bug like this would save a player one full bet every 42 hands or so.

What is the Insurance Bet?

Insurance is offered in the game of Blackjack when the dealer has an Ace as their initial upcard. The player is offered "insurance" to "protect" them against the dealer having a Blackjack, and the insurance bet can be (up to) half of their initial bet. If the dealer has a Ten in the hole, then their insurance bet wins 2:1, essentially resulting in a push, since the initial bet would have lost.

The Insurance bet is usually a horrible proposition for the player, with a house advantage ranging from 5.9% (single deck) to 7.7% (infinite deck).

Insurance Bet
You can make an Insurance bet when the dealer has an Ace showing. If they have a 10 in the hole, you win your Insurance bet, which pays 2:1. This is usually a losing proposition.

I couldn't believe that something like this could be released to the public unnoticed by their testers, so I opened up their program and played a few rounds to see for myself. After winning several Insurance bets, I was able to confirm that my brother was correct!

The Edge

The normal overall house advantage for the game of Blackjack is about 0.5%. The bug allowed you to tip the edge in the player's favor by much more than that!

There was one case where the bug didn't telegraph the hole card. If the player had a Blackjack and the dealer had an Ace up, the unnatural pause would be present, regardless of what the dealer's hole card was.

So to estimate the change in Expected Value (EV, the predicted value of an unknown outcome, calculated as the sum of all possible values each multiplied by the probability of its occurrence) due to this bug, you can use the following formula:

\begin{align} \Delta_{EV} & \approx P_{Dlr\,Ace\,upcd} \times P_{Dlr\,10\,holecd} \times (1 - P_{Plr\,BJ}) \times Win\,amt\\ \\ & \approx \frac{1}{13} \times \frac{4}{13} \times (1 - \frac{8}{169}) \times 1 \, unit \\ \\ & \approx 2.255\% \\ \end{align}

The estimates above are based on an infinite deck.

This turns a game with a ~0.5% house advantage into a game with a 1.755% PLAYER ADVANTAGE!

This is amazingly high, considering that highly skilled card counters typically have an overall advantage of around 1.5% to 2% over the house! With this bug, you could have all the gains of card counting by playing (mostly) basic strategy! And the variance would be a lot lower, too, since you'd mainly be betting the same amount!

The Win

I only had a few hundred dollars in my Paradise Poker account, and I actually lost it all before I was able to get any traction. Even with a 1.8% player advantage, you can easily lose money due to variance, especially with such a small amount relative to your bet size (I was betting $25 per hand).

To supplement my funds, I initiated a $1000 deposit, which took another day to process before I was able to use it.

After the deposit was cleared I was able to comfortably bet $25 per hand until my bankroll doubled to $2000. It doubled again to $4000 and I eventually got to the point where I was betting the table max of $300 per hand and steadily winning.

Chip Stacking
How I looked when I was stacking Paradise Poker's chips.

I stayed up all night playing until I couldn't keep my eyes open. I was almost up $10,000 and I decided to call it a night and went to bed. In addition to not being able to stay awake, I didn't want to cross any significant thresholds that might set off alarm bells with Paradise Poker's team. I also wasn't sure whether online casinos were required to issue Currency Transaction Reports (CTR) for wins over $10,000 (brick and mortar casinos will issue these on large cash winnings), so I stayed shy of winning that amount.

The bug was already "in the wild" for over a week and there was no reason to believe it would be fixed soon. I didn't want to win too much in a single session in an effort to stay under the radar.

The next day before I could start playing, my brother informed me that the bug had been fixed. Logging in, I quickly verified that he was right. The gravy train had come to its final destination.

The End of the Line

I quickly made a withdrawal request for half of my winnings. The next day, I requested the other half. I didn't want to be accused of cheating or any other punishable acts, so I wanted to make sure I was able to get my money off the site before they could accuse me of any wrongdoing.

Thankfully, the withdrawal requests were honored without any issues.

Is this Cheating?

Let me be clear. This was NOT cheating.

If you're not using anything but your brain to beat a game offered by a casino and you're playing by their rules, I don't see how anyone could view this as cheating. No servers were compromised. No accounts were hacked. No funds were transferred from other players. We were just able to recognize a pattern that made optimal play profitable for the player.

What Caused this Bug?

I haven't been able to confirm, but I would guess that the bug was a result of additional processing happening when the dealer has an Ace with a Ten in the hole. When the dealer has a 2 through 9 as their upcard, I would doubt that the hole card was even "dealt". There is no need to deal the hole card while the player is still making hit/stand decisions, and doing so might even be a security risk for the site.

In many computerized gambling systems, random decisions are not decided until they are needed. A big reason is that it reduces the likelihood of being exploited by hackers.

If the value of the card is stored in a database or even in memory, it could be subject to compromise. If their systems were breached or if a rogue employee wanted to cheat the system, it could be possible to access the value of the dealt card and make decisions based on it, making massive amounts of money off this added information.

Video Poker Screen
In most computerized gambling systems, your fate isn't sealed until you commit your decision. For example, in Video Poker, the computer doesn't know what cards you will draw until you tap the DRAW button. You will get different cards depending on when you tap the button.

For example, if the dealer has a 9 as their upcard and you could determine that the hole card was a 7, then you'd know the dealer had a 16 total, which is the worst possible starting hand for a dealer. Knowing this, you might stand on a 15 when you would normally hit. This would be a huge flaw that a bad actor could exploit and gain an advantage of around 10%!

So when the dealer had an Ace showing, their servers would likely have to go through the extra steps of actually dealing a card (or just eliminating the Ten as a possibility). When the card was determined to be a Ten, then many aspects of the hand could be finalized as the system would know that no additional cards would be dealt. This could also explain why the delay was present when the player also had a natural 21 (a starting hand of 21 in Blackjack, also called a "Natural Blackjack" or just "Blackjack").

And their fix was very likely to just add the delay there artificially. At least that's how I would have first approached the solution, as it would be easy to implement and would have masked the solution sufficiently. The other option would have been to only check for a Ten after the player decides whether he wants insurance.
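The leaky flow and the two fixes described above, as an added example (not Paradise Poker's code, which this post does not show). Latencies are simulated in milliseconds; the function names, the cost constants and the jitter are assumptions chosen for illustration.

```python
import random
import statistics

RANKS = ["A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K"]
TEN_RANKS = {"10", "J", "Q", "K"}
BASE_MS = 50      # assumed cost of building the Insurance prompt
SETTLE_MS = 400   # assumed extra work when the hand can already be finalized
BUDGET_MS = 500   # fixed reply time for the padded variant (must exceed worst case)

def offer_leaky(hole):
    """Server resolves the hole card before sending the prompt."""
    return BASE_MS + (SETTLE_MS if hole in TEN_RANKS else 0)

def offer_padded(hole):
    """Same early check, but every reply is held until a fixed budget."""
    return max(offer_leaky(hole), BUDGET_MS)

def offer_deferred(hole):
    """Hole card is not examined until the player has answered."""
    return BASE_MS

def timing_gap(offer, hands=2000, seed=1):
    """Mean prompt latency for Ten hole cards minus the mean for all others."""
    rng = random.Random(seed)
    ten, other = [], []
    for _ in range(hands):
        hole = rng.choice(RANKS)                    # infinite-deck draw
        latency = offer(hole) + rng.uniform(0, 20)  # simulated network jitter
        (ten if hole in TEN_RANKS else other).append(latency)
    return statistics.mean(ten) - statistics.mean(other)

def leaks(offer, threshold_ms=10):
    """Regression check: True if latency separates Ten from non-Ten holes."""
    return abs(timing_gap(offer)) > threshold_ms

if __name__ == "__main__":
    for fn in (offer_leaky, offer_padded, offer_deferred):
        print(f"{fn.__name__:15s} gap={timing_gap(fn):7.1f} ms  leaks={leaks(fn)}")
```

The padded variant only holds while `BUDGET_MS` stays above the slowest real code path; the deferred variant removes the dependency on the hole card altogether.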

Epilogue

I eventually wrote about this exploit and the story was published by 2600: The Hacker Quarterly in their Summer 2005 issue. The article was also re-published in their hardcover book The Best of 2600: A Hacker Odyssey.

2600: The Hacker Quarterly - Summer 2005 issue.

This blog post is a little more detailed than that original 2600 article, where a lot of details were cut out in the interest of brevity.

ParadisePoker.com has since been taken over by SportingBet.com (not because of this bug!). Later in my career, I coincidentally happened to work with Paradise Poker's former head of payments, security and fraud, who worked there at the time of the exploit. He told me the company was well aware of the bug as it was being exploited. They were considering pulling the plug on the game while they re-tooled the software, but the amazing thing was they were still making significant money on the game! There were a few whale players (a whale is a gambler who likes to bet large sums of money; they are generally welcomed by casino staff) who were down 6 figures, so they decided to keep the feature up while they fixed it.

Even with a handful of guys like me and my brother exploiting this flaw, the amount of money being lost by losing players was eclipsing the 2% house edge the keen-eyed players were enjoying.
