A coordinated scheme in which an as-yet-unidentified identity thief and fraudster was able to access and steal up to $10,000 each from numerous American poker pros' checking accounts has come to light in recent days.
Todd Witteles, the owner of PokerFraudAlert and perhaps the scheme's first victim, has published an extensive thread on the thefts after gathering information for several weeks.
One of Witteles's banking accounts was hit on October 20 for $10,000, which was quickly cashed through a casino payment system to a phony Venmo account. Witteles has researched the issue over the past week, and he points the finger at loose controls at both Venmo and Global Payments Gaming Solutions, a popular corporate payment processor used by BetMGM, WSOP.com, and many other companies who implement eCheck services and other forms of bank-account transfers for their users.
Witteles went public with his research late Tuesday after learning that other well-known poker players had been similarly robbed in recent days, including Joseph Cheong:
Indeed, Cheong and Witteles aren't the only victims. Kyna England quickly added her name to the list:
Speaking to Poker.org, Witteles also confirmed David Bach, Sam Panzica, and Clayton Maguire as having publicly confirmed that they were among the fraudster's victims. Brock Wilson also acknowledged being another victim in a response to Cheong's Twitter post. Witteles also stated that at least four other players told him they were victimized but didn't want to be publicly identified, including one player who he described as a "big name". Witteles believes as many as 20 other players may already be victims of the scheme.
Witteles theorizes likely mechanics of fraud
In his series of posts at PokerFraudAlert, Witteles detailed what he believes is the likeliest explanation behind the string of thefts. None of his claims have been verified independently, and some of the casinos who were utilized by the fraudster(s) for cashing out the stolen funds are just becoming aware of the situation. BetMGM, for instance, immediately contacted Cheong when it became aware of the stolen money being funneled through its online site.
Witteles believes that the core flaw enabling the string of thefts is the ease with which repeat transactions can be done through Global Payments Gaming Solutions. He asserts that only the initial transaction done through Global Payments is thoroughly vetted for authenticity of a user's identity, and after that, similar transactions using that person's name and the same bank-account number pass through Global Payment's system with little or no recurring checks.
If the thief was able to steal a player's identity and bank account number from any casino's system, he could then attempt to use that same information to attempt fraudulent deposits to any other U.S.-based casino, online or live, that uses the Global Payments network. From there, as Witteles theorizes, it's another simple jump to creating a couple of fraudulent Venmo accounts to offload the stolen money. One of the Venmo accounts would be in the victim's name, using the stolen identity, while the second account would be used in a Venmo-only transaction as the real destination of the stolen funds.
Witteles attributed the theft in his circumstance to an eCheck deposit he made on WSOP.com in June 2022. He then suggested eChecks are also be a core element of the situation, writing, "If you have deposited to any real money, legalized US gambling site in the past, using eChecks, you are vulnerable to this exact same theft. It is more likely you will be victimized if you are a known name in poker."
Witteles added in a separate post, "Every single person victimized, to my knowledge, had the money stolen from the bank account they used for past eCheck deposits on legalized gambling sites. This is very significant. If you never did eCheck deposits (where the money is directly drawn from your bank account) via legalized online gambling sites, there is a high chance you will not be affected by this. To my knowledge, there have been no victims who exclusively used credit cards, PayPal, or cash-at-the-cage deposit methods. Again, as I talk to more people, this might change, but this is what I am seeing so far, and it remains consistent with my theory regarding how all of this occurred."
BetMGM link common to several of the known thefts
The identity theft and bank fraud appears to have been done entirely online through remote deposit/cashout options made available by many casinos as a convenience to their gaming customers. As Witteles note and as Cheong experienced first-hand, the fraudster likely exploited a systematic flaw, in that deposits can be quickly withdrawn without any actual gaming taking place.
From the information Witteles has gathered, the fraudster has made use of online deposit/withdrawal frameworks offered by BetMGM, Borgata New Jersey, and California's Viejas Casino. All may be using the Global Payments Gaming Solutions services as a front-end solution providing these banking services.
Witteles also detailed several steps players can take as possible safeguards against similar thefts in the future, first and foremost being to not use any eChecks framework. He also recommended safeguards closing any checking account used to fund online-gambling accounts (perhaps even switching to a different bank), and temporarily freezing your credit line. He reiterated that Global Payments appears to be the common denominator behind all of the known thefts to date.
Where the liability lands for the thefts remains uncertain, with the casinos and payment-processing firms barely aware of the situation at the present time. Should Witteles' theories on the thefts pan out, the affected players would have grievances against the casinos, who in turn would likely be able to recoup the thefts from Global Payments, the provider of the white-label banking services. The immediate needs, however, are for the corporate entities involved to plug the security hole and to begin tracking down the chain of money transfers to any identifiable perpetrators. Such an investigation will take some time to reach a resolution, and as often happens, the stolen funds may be unrecoverable from the thief or thieves involved.