I posted a summary of how things went down, along with screenshots, on my blog: http://www.natarem.com

Here is a x-post of what I put on my blog, but I had to remove the screenshots because they are too wide.

Hopefully this will explain it clearly for people.

---------

Okay, so, anyone who follows 2p2 or P5s or a lot of other forums has probably noticed all of the Absolute Poker uproar. If you don’t know about it, here’s the basic idea…

CrazyMarco, a well-known online tourney player, played in a 1K AP tournament on 9/12/07. The tournament was won by a player named POTRIPPER who made a crazy call with T high against Marco’s 9 high flush draw. In the following days, Marco emailed with AP support and asked for a hand history so he could review POTRIPPER’s play at the final table. There were rumors that POTRIPPER could see hole cards and he wanted to follow up because of the possibility that he was cheated. On Friday Sept 21st, AP sent Marco a huge excel file (10 mb and a full 65,536 rows, the excel limit for most versions being used currently). He didn’t think much of it and it was too scambled and complicated to analyze, so he put it on the backburner for the time being.

Fast forward a few weeks. Marco, along with his roommate Jared “TheWacoKidd” Hamby, decided to take a look at the file. This happened sometime around October 12th or 13th as I understand it. They realized soon after that AP had send Marco ALL of the hole cards in the hand history. This, of course, allowed them to watch how POTRIPPER played and to examine what hands were at the table when POTRIPPER was/was not playing hands. It quickly became apparent to all who saw the history that POTRIPPER was cheating and, somehow, knew peoples’ hole cards. You can view the hand history on PokerXFactor here. One thing to note is that the spreadsheet only had the first 2 hours and 20 minutes of the tournament because of the Excel line limit, so the hole card access somewhat cuts off around hand 94.

Anyway, I noticed posts talking about this Excel file. On Saturday, MrTimCaum sent me a copy of the spreadsheet. I started to play around with it and noticed that there was random IP/email/user id numbers interspersed with the player actions. It wasn’t clear at first exactly what the info meant. It didn’t seem like the info pointed to people at tables for the following reason:

[SCREENSHOT REMOVED]

The IP info looked something like that. It told me when someone “entered” a table, what their email was, what their IP was, what their user id was, etc. Note that I changed all of the info in this line to protect the privacy of the real data. I put in my email address for the hell of it. Anyway, there were 845 lines with either “TABLE_ENTER” or “TABLE_LEAVE” and through some analysis, I realized that there were tons of players in the event who I knew and they never appeared in the “TABLE_ENTER” or “TABLE_LEAVE” lines. Eventually, we figured out that Enter and Leave lines were recorded for people who were logged into the software and opening or closing the table, but not seated at the table.

Next, I analyzed the lines related to table 13, where POTRIPPER was seated. 2+2er snagglepuss, who I forwarded the spreadsheet to, had already pointed out to me two sketchy observers, one of whom opened up table 13. And when I looked at the data, I noticed something a little weird. One of the sketchy observers opened up table 13 and he was user number 363! This number is incredibly low and I instantly knew that the account had been created by AP or someone who was associated in some way with AP. It had to be a test account of some kind to be made that early in the system.

[SCREENSHOT REMOVED]

I am still hiding some of the sensitive info, but this line in the spreadsheet was probably the key to cracking the case in my opinion. It showed a number of things:

• A Costa Rican IP address (and this IP address becomes more important)
• An observer entering the table and never leaving the table until at least 11:20 PM (or over two hours later when the spreadsheet cuts off)
• A very very low user number that indicates AP involvement in some way — not that the company as a whole knows, but that SOMEONE on the inside was involved.

The next step was to cross reference the IP address within the file. When I did that, some info on the other “sketchy” guy came up.

[SCREENSHOT REMOVED]

Once again I blacked out some of the info, but the important thing is that SCOTT@RIVIERALTD.COM had the same IP address as user 363. He stopped by table 9 for whatever reason for about 20 seconds. The only real significance of table 9, as far as I know, was that Mark Seif, an AP sponsored player and AP co-owner (I think?) was playing on it. That doesn’t mean that Mark was involved, but it is a relevant fact with regards to table 9.

The next step, which I think I did the next day, was to figure out some info on rivieraltd.com. I pinged the domain and found the IP to be 66.212.244.147. Note that someone has since changed this, but the IP can still be connected to the mail server as of this writing. Then upon doing further research on that IP address, I traced it to what I believed to be the Kahnawake gaming commission. I posted my findings on 2+2 and P5s. Then a poster on P5s named JackBileDuct pointed out the following:
<blockquote>
66.212.244.147 is mail.riveraltd.com telneting to it on port 25 gets a greeting from a mail server. It *IS* a mail server.

Also that IP is NOT the Kahnawake Gaming Commission. Are you ready for this… It is AP.

Mohawk Internet Technologies MIT-BLK-01 (NET-66-212-224-0-1)
66.212.224.0 - 66.212.255.255
Absolute Entertainment S.A. MIT-ABPOK-02 (NET-66-212-244-128-1)
66.212.244.128 - 66.212.244.255

Go to http://www.arin.net and enter the IP address in a whois search. That connection is from one of their own IP’s….

CustName: Absolute Entertainment S.A.
Address: Plaza Mayor 2nd building 2nd floor
City: San Jose
StateProv:
PostalCode:
Country: CR
RegDate: 2006-08-16
Updated: 2006-09-26
</blockquote>
That might be kind of technical, but the general idea is that the email address was hosted by Kahnawake but actually belong to AP! So this SCOTT@RIVIERALTD.COM fellow was actually connected to AP. This was overwhelming evidence in my mind… remember:

1. There was a low numbered user watching the table (and probably sharing hole card info) with the suspicious player POTRIPPER
2. The low numbered user was connecting from Costa Rica
3. An AP-associated person was on the same IP address and even though he wasn’t watching table 13, he revealed himself nonetheless

My head was spinning. I kept posting more and more of these revelations online. One issue was that I didn’t know who Scott was. So I sent out a feeler email (PM in some cases) asking various places to check on the IP address that was used by the two sketchy accounts.

Sure enough, I woke up Tuesday morning to find a rash of evidence sitting in front of me. 2+2 moderator Adanthar found that the IP address was used by a 2+2 account with the login name scotttom. P5s admin Adam Small told me that he knew one of the AP owners was named Scott (although he didn’t say the last name). A few other sources who do not want to be named told me that Scott Tom was associated with that IP address. It was also pointed out to me that there was an online blog post where some girl said that Scott and Phil Tom (brothers I think, although only Scott seems to have been implicated) were AP owners and executives. Adanthar posted his findings on 2+2 and revealed that he’d connected the somewhat mysterious IP address to an actual person. Also, other sources that do not want to be named confirmed that the IP address was a residential cable modem tied specifically to the Tom family.

So that’s how everything was tied together on as simple a level as I can make it. I am not including a ton of various leads that I’ve followed or some of the inside info that I received, but this is the general gist of it. I’ll post more as time goes on, especially on things like the media, AP and community reactions to this stuff.

You and Adanthar do some amazing work. Keep it up and bust these mofo's.

pu_s

Amazing work. Although I love reading this and find it intriguing, I think nothing more should be posted on this. The community has by far more than enough information to know that this has happened. I think it's pretty easy to conclude that the criminals behind this are reading P5's and 2+2. Posting anything more on this is only going to help them. I would be very careful, you never know who you are dealing with, this could have the potential to get very ugly. Im sure you have already taken precautions but please have multiple copies of the factual evidence stored at several safe places. I would even advocate removing this post and and others with this much evidence.

Again, simply amazing and take care!

I'm guessing you didn't read the other posts.

I guess I've resigned myself to the fact that I might be at risk here. The evidence I posted has already been posted on 2p2 and elsewhere online.

Also, it should be noted that I wasn't the person who posted that it was Scott Tom who is apparently the owner of the IP used by #363 that day. Adanthar did.

On top of the fact that snagglepuss, Josem, Adanthar and a number of others helped along the way. I gave myself way more credit in that blog entry than I deserved.

how do you know the internet so well

This tom guy is apparently the CEO of AP. My question is why would a CEO of a billion dollar industry need to steal this money? , And in such a sloppy manor. Makes me think it may have been someone close to him.

note to self: never do anything to piss nat off.

amazing work nat, much apprecciated

thats definitely the sickest part of the story - why would he need to risk his steady million dollar rake income for a few extra thousand in such a blatant way

Why do people keep saying this is why we need it regulated? With people like Nat, Dandruff, and many others, who needs regulation? We already have it. We have scatter plots that show infinite aggression on the river and unusually high win rates, internet detectives, etc. The players are smarter and have a lot more to lose than some government agency in charge of oversight. Self regulation makes much more sense. I actually feel like online poker is even safer now. Thanks to all involved!

Nat,

I've been trying to follow this with my technical enquiring mind. I'm not an IP nut but I'm trying to understand this statement:

Once again I blacked out some of the info, but the important thing is that SCOTT@RIVIERALTD.COM had the same IP address as user 363.

In the screenshots you show user 363 with IP address 200.122.xxxxx.62374 and scott@rivieraltd.com with IP address 200.122.xxxxx.63146

In another part of your post you talk about scott@rivieraltd.com having the IP address 66.212.244.147 and that this IP address belongs to AP as the subset 66.212.244.128 - 66.212.244.255 of the range 66.212.244.0 - 66.212.244.255 that belongs to Mohawk Internet Technologies.

Given that the last 4 digits of the 363/scott IP addresses are different why do you say they have the same IP address, when you make this distinction for the Mohawk/AP IP addresses?

What is the practical implication of the file showing these two distinct observers (363 and scott) connecting from a similar, but not exactly the same, IP in Costa Rica? Are they two different computers on the same LAN?

I'm just trying to understand why user 363 and scott are the same person and, if so, why would one user be permanently observing table 13 and never observing another table (i.e. why wouldn't user 363 just have opened-up Table 9 for 20s instead of the other user account)?

Great work btw.. but im a lil confused on this one point here:

1. <LI>There was a low numbered user watching the table (and probably sharing hole card info) with the suspicious player POTRIPPER <LI>The low numbered user was connecting from Costa Rica <LI>An AP-associated person was on the same IP address and even though he wasn’t watching table 13, he revealed himself nonetheless << I was under the impression that this was user 383 and was there the whole time.. SO in addition to Pot RIpper (not on said IP) user 383 and another AP Ip were watching the game? this part confused me</LI>

Z,

The mail server that handles @rivieraltd.com email addresses is at the IP 66.212.244.147. That IP comes from the Mohawk datacenter and is subdelegated directly to AP. So that mail server lives within the AP network. The user with the @rivieraltd.com address with a user ID of 363 had the same IP as pottripper which was an IP fom Costa Rica and linked to Tom's home cable modem.

What I find wierd, is why would the CEO of a company, who is obvouisly making millions and millions of dollars, want to cheat so blatantly that it will obviously ring some bells, when the money he makes playing online even cheating probably doesn't even come close to his salary?

Jack,

Sorry, but now i'm really confused. Nat says in his blog that the two observers, user 363 at Table 13 and scott@rivieraltd.com at Table 9, had the same IP address. He didn't say anything about POTRIPPER's IP address also being the same.

All I'm asking is that as the two observer IP addresses in the screenshots look different to me (the last four digits), why does Nat say they are the same?

Where is the info about POTRIPPER's IP address also being the same, I don't recall seeing that anywhere?

Thx,

Z