Casino exploits


This coincidence raises at least two possibilities. The first is that Alex sent Aristocrat a fake proof full of mathematical in-jokes and wagered that the company’s engineers would be too dense to realize that he was putting them on. The second is that Aristocrat has been basing some of its PRNGs, at least in part, on an algorithm that is at least 36 years old and which has long been in the public domain.

If the latter is the case, then Aristocrat—like all slot machine manufacturers—has a ready defense against any suggestion that its PRNGs are too feeble. Because government regulators must vet and approve all PRNGs before they’re used in casinos, those regulators are easy to blame when hackers like Alex find flaws in the code. “Every single Aristocrat game that is on a venue floor—regardless of where it is—has been approved by the relevant regulators and complies fully with the standards required at the time it was placed,” a company spokesperson told me.


Aristocrat has held fast to its refusal to negotiate with Alex, a decision that not all of its corporate peers have made when dealing with similar crises. In fact, plenty of companies confronted by hackers with damaging information have opted to play ball and transmit the requested bitcoins to their tormentor. “You might be able to live with the cost of paying off the lawsuits and that sort of stuff, but the potential reputational damage might be too much to bear,” says Steve Stone, a leader of IBM's X-Force Incident Response and Intelligence Services division, which advises clients on how to handle cyberextortion. But he adds that those companies often rue their decision in the long run, since—as Tracey Elkerton implied in her phone call with Alex—black-hat hackers aren’t known for being merciful: “It’s not all that unusual to pay and then they come back and say, ‘Oh, now we have two things.’ And then it’s ‘Now we have three things.’”

Having failed to persuade Aristocrat to strike a deal, Alex is now toying with the idea of approaching IGT, another slot machine manufacturer; Alex claims to have recently deciphered the PRNGs for games that run on machines made by Atronic, an Austrian company that is now an IGT subsidiary. “I have to say they are a bit more robust [than Aristocrat’s] and some machines did give me the pleasure of a challenge, but they are still generally weak,” he boasts. “An engineer’s mind is just too linear. They don't understand the psychology of dismantling, they just don’t know where and how a hacker is going to strike. So they leave a number of doors open for me to enter.”

Alex also claims to be engaged in selling his milking system to interested parties. One of his customers, he says, was a New York-based crew of alleged Russian and Georgian mafiosi, 33 of whom were indicted in June for racketeering, fraud, and other crimes. According to confidential government informants, this crew, known as the Shulaya Enterprise, brought an Aristocrat Mark VI slot machine to a Brooklyn apartment in September ; four months later, the group began fleecing casinos in Pennsylvania by using “electronic devices and software designed to predict the behavior of particular models of electronic slot machines.”

When he inevitably tires of the slot-machine racket altogether, Alex is prepared to exit the industry in a blaze of mischief. “Sometimes I fantasize about just putting my tech out there for everyone to use,” he says. This would result in what he terms his “zombie apocalypse” scenario: Equipped with Alex’s information and software, both obtained online for free, anyone with a smartphone will be able to turn a vulnerable slot machine into a gaudily decorated ATM.

“Can you imagine something like that?” Alex asks. “It could uproot the entire slot machine industry. And the world just might become a slightly better place. Well, for most people at least.” Should that future come to pass, the losers will only have their mathematical sloppiness to blame.


Brendan I. Koerner (@brendankoerner) is a WIRED contributing editor and the author, most recently, of The Skies Belong to Us: Love and Terror in the Golden Age of Hijacking.

Source: thisisnl.nl