CrazyMarco, a well-known online tourney player, played in a 1K AP tournament on 9/12/07. The tournament was won by a player named POTRIPPER who made a crazy call with T high against Marco’s 9 high flush draw. In the following days, Marco emailed with AP support and asked for a hand history so he could review POTRIPPER’s play at the final table. There were rumors that POTRIPPER could see hole cards and he wanted to follow up because of the possibility that he was cheated. On Friday Sept 21st, AP sent Marco a huge excel file (10 mb and a full 65,536 rows, the excel limit for most versions being used currently). He didn’t think much of it and it was too scambled and complicated to analyze, so he put it on the backburner for the time being.
Fast forward a few weeks. Marco, along with his roommate Jared “TheWacoKidd” Hamby, decided to take a look at the file. This happened sometime around October 12th or 13th as I understand it. They realized soon after that AP had send Marco ALL of the hole cards in the hand history. This, of course, allowed them to watch how POTRIPPER played and to examine what hands were at the table when POTRIPPER was/was not playing hands. It quickly became apparent to all who saw the history that POTRIPPER was cheating and, somehow, knew peoples’ hole cards. You can view the hand history on PokerXFactor here. One thing to note is that the spreadsheet only had the first 2 hours and 20 minutes of the tournament because of the Excel line limit, so the hole card access somewhat cuts off around hand 94.
Anyway, I noticed posts talking about this Excel file. On Saturday, MrTimCaum sent me a copy of the spreadsheet. I started to play around with it and noticed that there was random IP/email/user id data interspersed with the player actions. It wasn’t clear at first exactly what the info meant. It didn’t seem like the info pointed to people at tables for the following reason (click image for full size):
The IP info looked something like that. It told me when someone “entered” a table, what their email was, what their IP was, what their user id was, etc. Note that I changed all of the info in this line to protect the privacy of the real data. I put in my email address for the hell of it. Anyway, there were 845 lines with either “TABLE_ENTER” or “TABLE_LEAVE” and through some analysis, I realized that there were tons of players in the event who I knew and they never appeared in the “TABLE_ENTER” or “TABLE_LEAVE” lines. Eventually, we figured out that Enter and Leave lines were recorded for people who were logged into the software and opening or closing the table, but not seated at the table.
Next, I analyzed the lines related to table 13, where POTRIPPER was seated. 2+2er snagglepuss, who I forwarded the spreadsheet to, had already pointed out to me two sketchy observers, one of whom opened up table 13. And when I looked at the data, I noticed something a little weird. One of the sketchy observers opened up table 13 and he was user number 363! This number is incredibly low and I instantly knew that the account had been created by AP or someone who was associated in some way with AP. It had to be a test account of some kind to be made that early in the system. Here’s a screenshot (click image for full size):
I am still hiding some of the sensitive info, but this line in the spreadsheet was probably the key to cracking the case in my opinion. It showed a number of things:
- A Costa Rican IP address (and this IP address becomes more important)
- An observer entering the table and never leaving the table until at least 11:20 PM (or over two hours later when the spreadsheet cuts off)
- A very very low user number that indicates AP involvement in some way — not that the company as a whole knows, but that SOMEONE on the inside was involved.
The next step was to cross reference the IP address within the file. When I did that, some info on the other “sketchy” guy came up (click image for full size):
Once again I blacked out some of the info, but the important thing is that SCOTT@RIVIERALTD.COM had the same IP address as user 363. He stopped by table 9 for whatever reason for about 20 seconds. The only real significance of table 9, as far as I know, was that Mark Seif, an AP sponsored player and AP co-owner (I think?) was playing on it. That doesn’t mean that Mark was involved, but it is a relevant fact with regards to table 9.
The next step, which I think I did the next day, was to figure out some info on rivieraltd.com. I pinged the domain and found the IP to be 126.96.36.199. Note that someone has since changed this, but the IP can still be connected to the mail server as of this writing. Then upon doing further research on that IP address, I traced it to what I believed to be the Kahnawake gaming commission. I posted my findings on 2+2 and P5s. Then a poster on P5s named JackBileDuct pointed out the following:
188.8.131.52 is mail.riveraltd.com telneting to it on port 25 gets a greeting from a mail server. It *IS* a mail server.
Also that IP is NOT the Kahnawake Gaming Commission. Are you ready for this… It is AP.
Mohawk Internet Technologies MIT-BLK-01 (NET-66-212-224-0-1)
184.108.40.206 – 220.127.116.11
Absolute Entertainment S.A. MIT-ABPOK-02 (NET-66-212-244-128-1)
18.104.22.168 – 22.214.171.124
Go to http://www.arin.net and enter the IP address in a whois search. That connection is from one of their own IP’s….
CustName: Absolute Entertainment S.A.
Address: Plaza Mayor 2nd building 2nd floor
City: San Jose
That might be kind of technical, but the general idea is that the email address was hosted by Kahnawake but actually belong to AP! So this SCOTT@RIVIERALTD.COM fellow was actually connected to AP. This was overwhelming evidence in my mind… remember:
- There was a low numbered user watching the table (and probably sharing hole card info) with the suspicious player POTRIPPER
- The low numbered user was connecting from Costa Rica
- An AP-associated person was on the same IP address and even though he wasn’t watching table 13, he revealed himself nonetheless
My head was spinning. I kept posting more and more of these revelations online. One issue was that I didn’t know who Scott was. So I sent out a feeler email (PM in some cases) asking various places to check on the IP address that was used by the two sketchy accounts.
Sure enough, I woke up Tuesday morning to find a rash of evidence sitting in front of me. 2+2 moderator Adanthar found that the IP address was used by a 2+2 account with the login name scotttom. P5s admin Adam Small told me that he knew one of the AP owners was named Scott (although he didn’t say the last name). A few other sources who do not want to be named told me that Scott Tom was associated with that IP address. It was also pointed out to me that there was an online blog post where some girl said that Scott and Phil Tom (brothers I think, although only Scott seems to have been implicated) were AP owners and executives. Adanthar posted his findings on 2+2 and revealed that he’d connected the somewhat mysterious IP address to an actual person. Also, other sources that do not want to be named confirmed that the IP address was a residential cable modem tied specifically to the Tom family.
So that’s how everything was tied together on as simple a level as I can make it. I am not including a ton of various leads that I’ve followed or some of the inside info that I received, but this is the general gist of it. I’ll post more as time goes on, especially on things like the media, AP and community reactions to this stuff.