Schneier on Security
Hacking Slot Machines by Reverse-Engineering the Random Number Generators
The venture is built on Alex’s talent for reverse engineering the algorithms — known as pseudorandom number generators, or PRNGs — that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out money — insight that he shares with a legion of field agents who do the organization’s grunt work.
These agents roam casinos from Poland to Macau to Peru in search of slots whose PRNGs have been deciphered by Alex. They use phones to record video of a vulnerable machine in action, then transmit the footage to an office in St. Petersburg. There, Alex and his assistants analyze the video to determine when the games’ odds will briefly tilt against the house. They then send timing data to a custom app on an agent’s phone; this data causes the phones to vibrate a split second before the agent should press the “Spin” button. By using these cues to beat slots in multiple casinos, a four-person team can earn more than $250,000 a week.
It’s an interesting article; I have no idea how much of it is true.
The sad part is that the slot-machine vulnerability is so easy to fix. Although the article says that “writing such algorithms requires tremendous mathematical skill,” it’s really only true that designing the algorithms requires that skill. Using any secure encryption algorithm or hash function as a PRNG is trivially easy. And there’s no reason why the system can’t be designed with a real RNG. There is some randomness in the system somewhere, and it can be added into the mix as well. The programmers can use a well-designed algorithm, like my own Fortuna, but even something less well-thought-out is likely to foil this attack.
I’m just wildly speculating here, but I would imagine that the PRNG algorithms in use are very heavily vetted to ensure that they are random enough, but also predictable enough that the machine is going to pay out at a very precisely determined rate. It’s likely that this engineered imbalance in the algorithm is also what leads to the weakness that’s being exploited.
True randomness could have the machine paying out at above its stated range – the companies making these machines and the companies deploying them don’t want them to be properly random, they want it to be very predictable and in their favour.
One reason I can think of for not using a TRNG is that it won’t allow the casinos to earn profit. The current algorithms are designed so that the casinos always end up earning profit (in the long term).
Microsoft and a lot of other free libraries and SDKs used simple linear congruential generators for many years, even in cryptography. Not to mention that some of them might have been backdoored.
Developers had no idea about strong random generator algorithms and used default rand() functions provided by such libraries in all kinds of applications, gambling included. I have personally seen such an implementation.
I bet that a lot of developers today have no idea that numbers generated with a lcng repeat after a while.
@Lagod – the linked article is a follow on from the previous article
…My own dialogue with Alex began in February of this year, after he read a story I’d written about his agents’ exploits in the US. (“I keep an eye on what becomes public regarding my business,” he explained via email.) His name had already come up twice in the course of my reporting—once from someone close to the fraud investigation in the Eastern District of Missouri and once in conversation with Willy Allison, a casino security consultant who has been tracking the St. Petersburg organization for years.
TRNG or PRNG don’t have a direct influence on the odds of earning profits. (as long as they are not fixed themselves)
A TRNG that comes with a real random string of numbers between 1 and 100 will still make sure that the house wins – if the rules say that the player wins if the number is between 70 and 100. And THAT is how the advantage of the house is created.
My guess is that PRNG have to be used for regulatory reasons as they are easier to check by the authorities.
Having a failure of a PRNG in a one armed bandit allows for even better money laundering, this could be where some of the 100 dollar bills come from that feed the commonwealth banks smart ATMs, that then send the money overseas without any audit.
This article reads like someone is trying to exploit the PRNG, and also extort the company at the same time.
Maybe they could use the random numbers from quantum vacuum, a QRNG:
Actually the story is pretty much a non story as of course those “prngs” are badly tainted. There have also been other cases where attackers didn’t just have a quite good guess but actually knew almost exactly when the next round would win, due to really bad pseudo random which was basically a cycle of some hundred elements and the “random” only changed the order slightly.
Maybe worth mentioning: It’s not just for the evil casinos that the machines are badly tainted. At least in some countries it’s also the state demanding it, usually to close down opportunities for money laundering and similar reasons. I know of at least 1 case/country where (at least officially) the reason is to make sure that the customers have a fair chance to win.
If there’s requirement for win ratio, and PRNG is bad. I would use it fill fixed roll sequence instead of using independent time based results from it. Allocate slot of 100 rolls, place in 30 small wins and 10 medium and one big. This will guarantee that win ratio will be fixed on next 100 rolls to come. Remaining 59 rolls will lose. Even if the PRNG is total disaster, the win ratio won’t change. If there’s possibility to set “bid” then just consume several slots at once and if required, make pre-allocated the batch larger. You can still ‘cheat’ but it’s much harder, and house won’t be the loser.
What Kai said. Casinos need to vet the payout. There is an old saying in the casino industry that if something is unlikely to be true it is untrue. If the odds were truly random there would be no way to vet the results because there would be no way to verify the payouts. In this sense a slot machine is different than a public lottery. A public lottery only cares if the results are truly random because the lottery can never pay out more than what was put in. But the casino can pay out more than what was put in, and thereby go bankrupt, if the payouts aren’t managed properly.
This leads to an interesting question. Should the casinos actually care that their slots are being gamed? Only if it costs them profit. Otherwise they should be indifferent to who the pool of winners and losers is among their customers.
Many sweepstakes add a trivial step so they can claim to be “games of skill” rather than “games of chance”. This is to sidestep anti-gambling laws. Here we have the gamblers turning a “game of chance” into a “game of skill” and we’re supposed to care.
Apparently it’s only wrong if you don’t own the lawmakers and judges.
When I were a lad, the RNG in a slot machine looked a lot like the mechanism you can see at about 1:08 in the video https://www.youtube.com/watch?v=b81VafxxcHo — The “Puskin Automaton”, sort of the logical descendant of Christopher Strachey’s Poetry program ( https://en.wikipedia.org/wiki/Strachey_Love_Letter_algorithm ) and the Jaquet Droz Writer automaton ( https://www.youtube.com/watch?v=bY_wfKVjuJM ).
Anyway, back in the day there were several people who claimed (or were claimed) to be skilled at “feeling” the state of these mechanical RNGs, although in many cases they were found to be relying more on small holes drilled in the front of the machine (with a palm-held drill, or by an accomplice in the casino’s employ), through which they could insert a stiff wire to “bias the odds”.
Allocate slot of 100 rolls, place in 30 small wins and 10 medium and one big. This will guarantee that win ratio will be fixed on next 100 rolls to come. Remaining 59 rolls will lose.
You’ve just added a vulnerability to the machine. If it’s possible to reverse engineer when the block of 100 rolls starts you can watch and count as rubes play the machine. If a rube gives up on the machine when there are – say – 20 pulls left in the block of 100 and the big win hasn’t come up, take over and play until it does.
The casino still makes its profit, this scheme gives non-counters slightly worse odds and the counter slightly better odds.
“I’m just wildly speculating here, but I would imagine that the PRNG algorithms in use are very heavily vetted to ensure that they are random enough…”
- I worked for about 5 years in the gambling industry writing code for slot-type machines for state entities. I can say that when I was working there, our machines had their PRNGs (code and output) checked by either the regulator itself, or by a company hired to do that task. The main company we dealt with (GLI – link above) used a variety of statistical tests and would look for known defects in PRNGs. One of the incidents I dealt with was that we were poorly seeding our PRNG and we weren’t adding enough bits of randomness frequently enough, which under certain circumstances could make the numbers perfectly, easily predictable. In response, we killed that release, and improved both significantly.
While I cannot guarantee that the wider (less-regulated) slot industry were careful about their PRNGs, the major actors appeared to be. In other words, it was the game design, not the PRNG that determined how swingy the wins were (barring code defects). I can tell you from the data I had that there were weeks where some of our most popular games lost money (due to large progressive payouts occurring on those weeks). When averaged over a year, though, those numbers looked very close to what you’d expect from the payout table.
I cannot speak to grey market machines; the times when they actually got to a regulator, they rarely even passed the initial “will this behave well when shocked with electricity” tests. It’s possible that their PRNGs were also bad, or even favored certain results.
Comments on the article:
“Writing such algorithms requires tremendous mathematical skill…” – writing the original may. The reality for people writing code for slot machines is that we use one of the small number of approved algorithms. If we don’t, we’re unlikely to get it past the regulators.
“Equipped with Alex’s information and software, both obtained online for free, anyone with a smartphone will be able to turn a vulnerable slot machine into a gaudily decorated ATM” – this is silly. The response to a broken game is to shut it down. Even when the casino/lottery doesn’t know why, they’ll shut it down within a few days or less just because the payouts seem unusually high. For most casinos, that would just mean more play on other machines (ones that aren’t broken). In a case like he’s describing, I suspect that nearly the entire industry would be aware within a few hours.
While I can’t comment on if Alex reverse engineered the PRNG, I’ll note that when I was working for a slot machine company, that was one of our biggest fears. Even though the resources needed to reverse engineer against it seemed implausible (at the time), we attempted to guard against this, urged on by our customers and regulators. I have no reason to think that most or all of our competitors didn’t have this in mind. The easiest way to guard against this is to increase the injection of entropy (ideally, it should be greater than or equal to the information leakage).
@SL – “I would use it fill fixed roll sequence” – that’s a different kind of game – it’s pretty much how scratch-off lotteries work. As PRNG implementations tend to be decoupled from the games (Why? because your game isn’t on every machine you sell, but your PRNG is), it wouldn’t make much sense for the larger slot machine companies. Also, as a game design note, a 1% chance of a big win would be far higher (and likely result in far lower play) than any game we implemented, I don’t recall any of our competitors using anything close to a 1% chance of a high win, either. My recollection is that one of our most popular games was a 10 of 10 keno. The top prize was something like a 1 in 8,911,711 event. We also had slot games with similar odds for the top prize.
@Humdee “If the odds were truly random there would be no way to vet the results because there would be no way to verify the payouts.” – at least in the jurisdictions where we worked, the ability to verify recent payouts was a requirement tested both by the regulator (or the company they hired) and the end client (in one case these were the same legal entity). In theory, you needed a physical key to access that feature, among several others (none of which could impact the payout amounts or the payout percentage). That said, other than in a dispute situation, the casino/lottery doesn’t care about the individual pays – they care about the collective ones, over a day, a week, a month, or even a year. If a 92% payout game is paying out at, say, 101% (with a large number of plays) over a week, they’re going to ask why. If it keeps doing so, or no good explanation comes up, they’ll shut that game down.
I would imagine that the PRNG algorithms in use are very heavily vetted to ensure that they are random enough, but also predictable enough that the machine is going to pay out at a very precisely determined rate.
Err no, you are over assuming.
Just assume the RNG is in fact a TRNG and really does provide a not just truly random output but one that is unbiased as well. Thus it has a flat distribution no matter what test you throw at it.
Let us assume it chucks out a 10bit unsigned int, but you want it to only give a range between 10 and 990 and still be both truly random and unbiased. All you have to do is throw away any numbers outside the required range. Thus nothing clever. The potential downside is it generates a long sequence of out of range numbers thus it takes an uncertain length of time to output an in-range number.
Thus you have the TRNG running without modification followed by your range filter. There is no reason why the range cannot be changed at any time, it does not affect the randomness of the numbers in the chosen range.
You can thus change the range to affect the size of payout to ensure you meet the payout requirements.
I have encountered stupid security many times, specifically in gambling systems, that made errors which would be unthinkable in other computer security regimes.
You can do a back-of-the-envelope calculation and discover that there are 240 bits of information in a shuffled deck of cards. Guess what size seed a random number generator used for shuffling cards is usually initialized with? Guess what size state it has? Did you guess less than 256 bits? Did you guess a lot less? I’ve encountered 32, more than once. Meaning that if you can see seven cards you know the sequence of the entire deck.
The more teams like Alex’s make these mistakes expensive, the more they’re getting fixed. But in the gambling industry, it seems that the ratio of expense incurred to fixes implemented is much higher than seen anywhere else. Casinos literally spend years losing millions of dollars before anybody updates a product, whether software or hardware, to fix even the simplest problems. I don’t know whether the issue is a smaller, more specialized market where the same level of expense to justify some effort has a smaller number of victims to get spread over, or a failure of expertise to cross over from other venues, or simply a cultural question of how security is valued. But there is really a serious problem with security in gambling systems.
And yes, a better RNG would be dead simple to implement from a computer security perspective. But, until the expense mounts high enough, across enough casinos, to justify the replacement of every last slot with a slot where the RNG is actually better, casinos will continue to make more money by having the vulnerable slots on the floor accepting money from the millions of people who aren’t Alex’s team, than they lose to Alex’s team. The fix is a matter of how efficiently they win, not a matter of whether they’re winning or losing.
I think everyone is missing the point. Slot machine payouts are not designed to be random.
They are designed to be addictive. Use your google-fu on “intermittent reinforcement”.
The idea is to pay out just enough, and just often enough, to keep the player at the machine – the longer the better for casino profits.
Those occasional payouts give the gambler a nice but too-brief spike in dopamine. Just the thing to foster an addiction. The susceptible gambler wants more … and more … and chases a dopamine-mediated high with more and more losses.
The payouts are deliberately non-random in order to milk the gambling herd. A truly random payout would result in less addictive behavior and lower profits.
But because the payouts are non-random, they are exploitable in theory. A slot machine gang could try to hack the algorithm responsible for the intermittent, addictive reinforcement, by trying to predict when the machine is due to reinforce the player.
This has little to do with the design of any underlying RNG in the slot machine h/w or s/w.
I think everyone is missing the point. Slot machine payouts are not designed to be random.
I don’t think every one is, but there is a second point some are missing,
If you exploit the payout sequence of the PRNG rather than change the PRNG sequence to make more payouts the casino is not really going to notice.
That is when exploiting the sequence, you are not changing the behaviour of the machine, therefore from that point of view the payout behaviour is as the casino expects.
It’s a bit like knowing which scratch card to buy. The retailer does not see any change in payouts over all, all that happens is you get all the winners whilst other players get all the losers.
Slot machines and other casino devices are NOT random nor even pseudo random, their number generators are specifically designed to rook money from the rubes, marks, and suckers such that a pre-determined percentage of the money that the marks insert into the machines goes toward the House, and gambling oversight agencies set upper limits on the percentage that gambling houses take from the marks.
The pseudo-random numbers for such machines determine the output display which the marks see, they do NOT determine when the machine will pay out, not over time, that’s hard-set in the devices.
Decades ago I lived in Blue Diamond, a township outside of North Las Vegas, and all of the locals laughed at the tourists who think they’re gambling when in reality all they’re doing is handing over a percentage of their money to organized crime.
“Slot machine payouts are not designed to be random.
They are designed to be addictive.”
- We were trying for both. That said, they’re two separate problems. The first is implementing a PRNG well. The second is game design.
Well, yes – from the casino’s perspective, they’re getting x% of every dollar on average, which (with enough plays) tends to come out nearly exactly. That said, from the perspective of an individual player playing a small number of games, it appears random.
That said, back when I worked on slot machines, we had a test bed of 32 slot machines, which we had set up to automatically hit the correct buttons. We’d put in hundreds or thousands of “dollars” into them and let them rip. With rare exceptions, they’d all be out of money in a few hours. New people would be excited to do this at first with the “money” they “won”… but within a few hours, when they had to re-fill some machines multiple times, that stopped.
@Bear “I’ve encountered 32, more than once.” Excellent point. I think this was very common, roughly 20 years ago in VLTs (I can’t recall if ours was 32 or 64 bit. I think it was less than enough for a full deck to be correctly randomized). That said, the standard was also to re-shuffle between hands, which limited the direct value of this information, assuming that enough entropy was added between shuffles.
I have no idea how much of it is true.
I don’t believe it. Casinos have more security than the pentagon. What’s more likely is an ex-employee who deliberately introduced a subtle weakness, and made some extra money on the side.
tourists who think they’re gambling when in reality all they’re doing is handing over a percentage of their money to organized crime.
Excellent description! Casinos in a nutshell. I’ll add that casinos do not gamble! They fix the outcome.
But this is still my favorite clever “hack”.
he ended the email with proof of his technical prowess: a mathematical breakdown of the supposedly secret PRNG that powers Aristocrat games
That’s a red flag. “Supposedly secret”? That PRNG is in every machine shipped, and might be known to various regulators already, the manufacturer has little excuse for depending on its secrecy. If some jurisdictions require a weak PRNG, they could build a separate version for each, or skip them entirely if the risk is too high.
I’d have been more impressed if they managed to do this without using an electronic device in the casino. Casinos have paid good money to make that illegal but couldn’t have done anything if the hackers used pen and paper. And avoided the extortion of course.
If there really were a clever hacker out there who knew how to make millions from cheating casinos, how likely would it be for him to give away his trade secrets to an internet magazine?
And how likely is that casinos wouldn’t notice/wouldn’t care?
John Scarne has a story of the exact analog counterpart of this attack, as applied to mechanical slots in 1946. Scarne’s Complete Guide to Gambling, pp. 405ff.
See Professor Natasha Dow-Schüll, author of “Addiction by Design: Machine Gambling in Las Vegas”*, interviewed by Chris Hedges.
*It’s a (gasp!) academic study, but a good one.
@paige – I’d assume that the regulators (or their agents) are intimately familiar with their PRNGs. They had all our source code, and if they had any questions, we’d take the time to explain every bit of it. I do not think it would have been difficult for a regulator, a customer, or a competitor to get access to our PRNG (besides the dozen or so people that were working/ had worked for our company with access to that code), we assumed that any competent attacker could either get or derive the algorithm.
Any casino from here to Las Vegas:
They have a “security” team on catwalks above the smoked glass ceiling, observing every hand of cards at the table, and praying to the devil for the house to win.
@Bear, I’m a tad curious as to the envelope you used, I’m seeing about 225.6 bits of information in a shuffled deck of cards, not about 240 and yes, a lot of PRNG implementations are absolutely terrible with entirely too little state being retained.
And as many people have already stated, from the point of view of the casinos it really doesn’t matter how good or bad the PRNG really is. They make the same amount of money regardless. What a poor implementation means (and only if an exploit of it gets publicly known) is that the players will consider it “unfair”. Yes, the vast majority of the players know that odds are against them and that over time they’ll lose money. But there’s that “chance” that they’ll win and that’s why they’re playing. And it’s acceptable to them since everyone has the same chance of winning or losing. But if someone has special knowledge so that they know in advance how to significantly increase their odds of winning at the expense of those who don’t know, then it’s no longer “fair” and they’re going to complain quite loudly. And from the point of view of the casinos, if the players are upset enough, they’ll stop playing, which is unacceptable.
That’s the figure for a 52-card deck.
A 54-card deck (ie, including jokers) gives you just slightly over 237. I rounded up to 240.
But whatever the number is, we can agree that a 32-bit RNG seed is too small.
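The figures in this exchange can be checked directly. The following is an added example, not part of the original comments: it computes the information content of a shuffled deck and, using a constructed 14-bit seed space with Python's `random.Random` standing in for a small-state shuffler, shows how quickly a few dealt cards narrow down the seed. The function names and the 14-bit toy size are assumptions made for the illustration.

```python
import math
import random


def deck_bits(cards: int) -> float:
    """Bits needed to index every ordering of a deck: log2(cards!)."""
    return math.lgamma(cards + 1) / math.log(2)


def expected_other_seeds(seed_bits: int, cards: int, seen: int) -> float:
    """Expected number of *other* seeds whose shuffle starts with the same
    `seen` cards, treating each seed's shuffle as an independent uniform
    ordering. Values well below 1 mean the visible cards identify the seed."""
    return (2 ** seed_bits - 1) / math.perm(cards, seen)


def deal(seed: int, seen: int, cards: int = 52) -> tuple:
    """Shuffle a deck with a generator initialised from `seed` only.
    random.Random is a stand-in (assumption) for any deterministic shuffler:
    whatever its internal state size, it can produce at most one ordering
    per distinct seed."""
    deck = list(range(cards))
    random.Random(seed).shuffle(deck)
    return tuple(deck[:seen])


def seeds_matching_prefix(seed_bits: int, secret_seed: int, seen: int) -> list:
    """Audit a toy seed space: which seeds reproduce the first `seen` cards
    dealt from `secret_seed`? Constructed data, small enough to enumerate."""
    target = deal(secret_seed, seen)
    return [s for s in range(2 ** seed_bits) if deal(s, seen) == target]


if __name__ == "__main__":
    for n in (52, 54):
        print(f"{n}-card deck: {deck_bits(n):.2f} bits")
    for k in range(4, 9):
        print(f"32-bit seed, {k} cards seen: "
              f"{expected_other_seeds(32, 52, k):.4g} other seeds expected")
    for k in (1, 2, 4):
        left = seeds_matching_prefix(14, 1234, k)
        print(f"14-bit toy seed, {k} cards seen: {len(left)} seed(s) remain")
```

A generator seeded with fewer bits than `deck_bits(52)` cannot reach every ordering of the deck, however good its output statistics look.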
Interesting. So far I’ve heard about machines being hacked by modifying the single chip computer in order to decrease the win rate, so that the owner can pocket the difference and pay no taxes from it. Anyway, I find it incredible that today there are still people playing slot machines.
People are still playing slots, because God never came out with a hot patch fixing all the bug reports I filed on our brain firmware. But I’ve about given up. It’s hardly worth praying, if He never makes any updates to his code.
Sadly, it’s an expense attached to an addictive behavior – compulsion, poor judgment, innumeracy, improper dopamine response, whatever combination of the above. The problem with that, IMO, is that that places it, most probably and usually, on those least able to afford it.
This is … I dunno, I guess I’ll say annoying or distasteful when it’s exploitation of rubes for business interests.
But when it’s a major source of funding for a state or nation it has the effect of a regressive tax. I think that goes further, making it actual bad public policy.
Of course, this is just one guy’s opinion. You’re free to use it if you like, but you’re also free to make your own. The world’s big enough for lots of different opinions.
But when it’s a major source of funding for a state or nation it has the effect of a regressive tax. I think that goes further, making it actual bad public policy.
I agree, the state should not be involved with what is in effect selling an addiction.
However on the assumption people will gamble irrespective of the harm it does to them or their loved ones there is then the question of harm to the rest of society.
The US had an experiment in prohibition some time ago and it was not a success, in fact it is very clear it caused a lot more harm than it did good across the board. Subsequently we have had “The War on drugs” which has caused at least as much if not more damage to society not just of the US but many other countries. Rather more so than other countries where drugs have not been used for a faux moral crusade.
If people are going to stupidly throw money away, even though I wish they would not. I would rather it went to where it had a chance to do some social good as an addition to taxation. Not where it will cause further harm to society via organised crime.
Since the user has to physically interact with a slot machine you have a pretty good source of random number generation. Accelerometers in the buttons, time between button presses.
In the old days you would have had even more good sources: timing the coin drop in the slot, weight distribution in the coin holder, velocity profile of the machine arm.
But really, TRNG hardware is not that expensive relative to a whole slot machine. $25 will get you plenty of true hardware random bits to combine with a PRNG.
Win/Loss is an algorithm to stick on top of a properly built RNG.
I’m guessing the social factors to maintain addictive gambling habits is where the designs are compromised. Writing a house-biased but unpredictable slot machine is not hard, you can give it as homework at the college-level as long as you have a TRNG in hand. The only thing you should be able to predict is that the house eventually comes out ahead. Once you have to alter this game to have the optimal “flow”, in the lingo of slot machine design, then I would guess you have broken the randomness too much. Any alteration beyond the classic Skinner Box and you are likely creating the correct context for game hacking.
The only thing you should be able to predict is that the house eventually comes out ahead.
Not quite, the primary requirement at any point in time with gambling machines is that they “are and remain ahead” not that they will be ahead at some future point in time.
That is they must never make a payout if they do not have the money to pay out as well as the running cost and house mark up. It’s why if you have a win you should walk away, as there will not be a payout until the machine is sufficiently ahead again.
Maintaining this position with the old “mechanical computers” was actually the significant part of the complexity, as they also had to stick to the gaming legislation on payouts as well.
It’s this payout/no-payout aspect of the system you are actually “gaming” not the preceding basic “win/lose mapping” or the “RNG” that drives it.
I don’t understand why all slot machines do not use cryptographically secure pseudo-random number generators. Apparently many developers did not care much about security of their PRNGs.
As to Alex, it seems to me his only talent is to identify slot machines that use a weak PRNG (most likely by reverse-engineering software of those machines). It certainly takes time and effort to reverse-engineer software, but that does not require any outstanding mathematical talent. I suspect he may run out of easy targets soon, so he is looking for some “consulting fees” now.
Here’s a question from a newbie:
If the PRNG is weak, like that of the older Aristocrat machines, is it reasonable to assume that the casino’s supervisory control system (supposedly isolated from the slot’s PRNG) knows the PRNG sequence, knows exactly when the PRNG was initialized (to the microsecond) and knows exactly when the PRNG is supposed to spit out that winning random number?
I know that a player doesn’t have the information, but a casino’s supervisory control system could easily add an analog voltage to gate the slot’s push button start (not necessarily isolated from supervisory control system), to match or avoid the exact time corresponding to a winning random number. After all, the duration of mechanically pushing the button probably corresponds to several hundred different random numbers.
Is this scenario possible?
This act involves analog processing and should not require software, which can be detected by examining slot machine memory locations.
Why would casinos do this, since in the long run, the hold percentage must match that programmed into that particular slot? By directing winning combinations to new players, they can be encouraged to continue gambling, thereby, developing new slot machine enthusiasts. Winnings could also be directed to players who have a history of playing back their winnings, as opposed to pocketing them. Losers, who chase their losses, could lose faster, and presumably bet more to catch up.
That’s why the casinos push their player’s cards. To know your exact betting habits. It makes more sense, if winning & losing probabilities can be adjusted accordingly.
Is it possible? I think it is.
Fast-key-erasure is trivially easy to implement. Even though you don’t need forward secrecy for a gaming machine, it doesn’t hurt, and the algorithm is a simple design, and more than sufficient for random numbers in gambling. Even Fortuna is complex in comparison.
With nonvolatile storage, the casino manufacturer only needs to initially seed the RNG from some external source. On boot, it reads the seed, and goes. On shutdown, save the seed to disk for the next boot read.
It’s amazing how simple this is, and yet very rarely implemented.
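The post's suggestion (a hash function as the PRNG, with system randomness mixed in), the range filter described in an earlier comment, and the fast-key-erasure and seed-file idea just above fit together in a few dozen lines. This is an added example, not code from the post, the commenters or any gaming product; the class and function names, the choice of HMAC-SHA256 as the primitive, and rewriting the seed file at boot (so a crash before shutdown cannot replay a seed) are assumptions of this sketch.

```python
import hashlib
import hmac
import os


class KeyErasureRNG:
    """Hash-based generator with fast key erasure (HMAC-SHA256 as the PRF)."""

    def __init__(self, seed: bytes):
        if len(seed) < 32:
            raise ValueError("seed must carry at least 256 bits")
        self._key = hashlib.sha256(b"seed" + seed).digest()

    def _prf(self, label: bytes) -> bytes:
        return hmac.new(self._key, label, hashlib.sha256).digest()

    def random_bytes(self, n: int) -> bytes:
        # Block 0 becomes the next key; blocks 1.. are handed to the caller.
        next_key = self._prf(b"blk" + (0).to_bytes(8, "big"))
        blocks = -(-n // 32)  # ceiling division
        out = b"".join(self._prf(b"blk" + i.to_bytes(8, "big"))
                       for i in range(1, blocks + 1))
        # Erase the old key: state captured later cannot be run backwards
        # to recover the bytes returned here.
        self._key = next_key
        return out[:n]

    def reseed(self, entropy: bytes) -> None:
        """Mix fresh entropy (button timing, a hardware RNG, ...) into the key."""
        self._key = self._prf(b"rsd" + entropy)

    def randbelow(self, n: int) -> int:
        """Uniform integer in [0, n) by rejection: out-of-range draws are
        thrown away rather than folded back in, so no value is favoured."""
        if n <= 0:
            raise ValueError("n must be positive")
        bits = (n - 1).bit_length()
        nbytes = (bits + 7) // 8
        while True:
            v = int.from_bytes(self.random_bytes(nbytes), "big") >> (nbytes * 8 - bits)
            if v < n:
                return v

    def randint(self, lo: int, hi: int) -> int:
        """Uniform integer in [lo, hi], e.g. the 10..990 range filter."""
        return lo + self.randbelow(hi - lo + 1)


def save_seed(rng: KeyErasureRNG, path: str) -> None:
    """Write a fresh seed derived from the generator, atomically. The key has
    already advanced past the bytes written, so the file does not expose it."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(rng.random_bytes(32))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def boot_from_seed_file(path: str, extra_entropy: bytes = b"") -> KeyErasureRNG:
    """Read the stored seed, mix in whatever entropy is available, and replace
    the seed file immediately so the same seed is never used for two boots."""
    with open(path, "rb") as f:
        rng = KeyErasureRNG(f.read())
    if extra_entropy:
        rng.reseed(extra_entropy)
    save_seed(rng, path)
    return rng


if __name__ == "__main__":
    rng = KeyErasureRNG(os.urandom(32))
    rng.reseed(b"constructed sample: button press at t=1712.004913s")
    print([rng.randint(10, 990) for _ in range(8)])
```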
Really quick, which I hope doesn’t come back to haunt me…
All casinos use a backend program called slotmaster to tighten the machine on the fly while a player is playing. I had it done to me, where it simply wouldn’t pay out despite having inside info on the total needed to cause it to, as determined by the tech who serviced it and had the reports. Ironically, after I left someone put in 3000.00 more and hit the jackpot of 800k which I had supplied. They are all dishonest mediums manipulated by the execs. Then I got a 1099 for 10 million, which is fraudulent as they conspired and plotted this action to embezzle funds. I am still trying to get this taken to court, which I hope happens.
It’s not the putz patrons who are fooled by the machines, but rather the career con men and techniques which these snake oil salesmen silver-tongued bastards have a lifetime to perfect, and if that doesn’t get you then the back end changes in slot behavior, which everyone says is not possible, will. While I was taken advantage of and targeted during a time of loss, as I had a family member pass away and wanted to just disconnect for a weekend (never been to a casino before), there should have been a duty of care enacted, which enough of the staff were pissed at the management to where they have given statements to the effect of the illicit dishonest objectives done to fleece me… I will stop there with this story…
PS: if you think they pay out 85% or anything which is mandated or regulated in an honest manner, then stop drinking the Kool-Aid… The casino industry should only reside in Vegas; at least there are patron rights and an oversight body to complain to.
I think that writing an algorithm to hack slot machines is not an easy task. Otherwise, everyone would take advantage of it. And if there are some practices, software providers are able to quickly fix the exploited vulnerabilities. Actually, I have never heard of such incidents, but I have read about leading gambling providers https://newtheory.com/best-aussie-pokies-software-providers/ . They couldn’t build a reputation if there were a lot of vulnerabilities in their products that can be easily exploited IMO.
Sidebar photo of Bruce Schneier by Joe MacInnis.
About Bruce Schneier
I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc. This personal website expresses the opinions of none of those organizations.