Dude Finds Flaw in World’s Biggest Gambling Site, Steals $1M in Bitcoin

An online gaming/gambling site lost $1 million in bitcoin to an attacker who exploited its random number generation (RNG) system.

Primedice, a leading and apparently the biggest online bitcoin gambling website, has suffered a $1 million loss after one of its members (players) discovered a way to game the system.

The user, who went by the alias “Hufflepuff”, devised a method to hack the site’s dice-roll game, through which people win bitcoin.


Primedice’s CEO says that they are announcing a reward for anyone who can provide leads to recover the lost amount.

Although the company discovered that “Hufflepuff” was gaming the site’s system, the user rejected its request to return the funds.

In August 2014, the third version of Primedice was released, and shortly after its launch the team identified unusual patterns from two of its members/players. One of the players won bets while the other cashed out automatically.

However, the team couldn’t detect any wrongdoing.

After almost a month, a delayed cashout occurred, and the winning player made a new account from which the largest bets in the history of Primedice were made. Hufflepuff, the bettor, was betting more than $8,000 in bitcoin per second for hours.

However, once again the team couldn’t identify wrongdoing and kept on paying Hufflepuff his winnings.

Eventually, they identified that some accounts were sharing the same server seed. Before each bet, the game shows the player an encrypted, randomly generated value, which is called the server seed. The player pairs this seed with a client seed, and the system combines the two random values to evaluate a win or a loss.


Because Primedice sends out the decrypted seed, it appeared that manipulation could not happen. Nevertheless, Hufflepuff identified a way to make the server give out a decrypted server seed that was, at the same time, still an active seed. This is how he was able to corroborate the results of his bets.
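The invariant that failed here is that a server seed must never be both disclosed and active. The sketch below is an added example, not Primedice's code: it retires a seed before revealing it and flags accounts that share an active seed. The SHA-256 commitment (standing in for the "encrypted" value), the HMAC-SHA512 roll derivation and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def commitment(server_seed):
    """Value shown to the player before betting (assumed: SHA-256 of the seed)."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def roll(server_seed, client_seed, nonce):
    """Assumed derivation: HMAC-SHA512 keyed by the server seed, mapped to 0.00-99.99."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    for i in range(0, len(digest) - 4, 5):       # rejection sampling avoids modulo bias
        value = int(digest[i:i + 5], 16)
        if value < 1_000_000:
            return (value % 10_000) / 100
    return 99.99                                  # practically unreachable fallback


class SeedStore:
    """Hypothetical per-account store: a seed is either active or revealed, never both."""

    def __init__(self):
        self._active = {}                         # account -> [server_seed, next_nonce]

    def commit(self, account):
        seed = secrets.token_hex(32)              # fresh secret seed per account
        self._active[account] = [seed, 0]
        return commitment(seed)

    def bet(self, account, client_seed):
        entry = self._active[account]
        entry[1] += 1                             # each bet consumes one nonce
        return roll(entry[0], client_seed, entry[1] - 1)

    def reveal(self, account):
        """Retire the seed first, then disclose it with the next commitment."""
        old_seed, _ = self._active.pop(account)
        return old_seed, self.commit(account)

    def shared_seed_accounts(self):
        """Detection check: groups of accounts whose active seed is identical."""
        groups = defaultdict(list)
        for account, (seed, _) in self._active.items():
            groups[commitment(seed)].append(account)
        return [sorted(g) for g in groups.values() if len(g) > 1]
```

After `reveal`, the player can recompute `commitment` and `roll` from the disclosed seed to audit past bets, while every future bet uses a seed that has not been disclosed.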

Primedice’s house edge is just 1%, which is why it was difficult to pinpoint that a member had figured out its system. Although the gaming site’s team noticed that “Hufflepuff” was winning big, they couldn’t understand how or why.

Because bitcoin transactions remain anonymous and irreversible, Primedice is facing a tough challenge in tracking “Hufflepuff” and in forcing him to return the funds.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.