Between 27 April and 5 May, Americas Cardroom (ACR) informed its subscribers multiple times that it was undergoing a sustained series of Distributed Denial of Service (DDoS) attacks.
These attacks caused the site to cancel tournaments, refund entry fees, and divert resources toward addressing and mitigating the problem. These Americas Cardroom DDoS attacks date back to December 2014—and more frequently since December, 2017—and it appears that ACR has no solution to this recurring problem.
Americas Cardroom (ACR) is one of the oldest online poker sites in the U.S. Founded in 2001 as part of the Yatahay Poker Network, in 2012, the network rebranded itself as the Winning Poker Network (WPN), and ACR was subsequently relaunched. WPN has landed in the top-ten of online poker sites in terms of traffic per PokerScout, making it an attractive target.
While a single DDoS attack would wreak extreme havoc, imagine what a series of attacks would do. Take a look at the problems ACR has been facing.
Americas Cardroom DDoS attacks: What’s really happening?
A DDoS attack occurs when bad actors attempt to make an online service unavailable by flooding, overloading, and overwhelming it with traffic from various multiple sources. Consequently, the network becomes unavailable to its intended users, thus affecting business.
There are several motivations for DDoS attacks. Among the most common are revenge, activism, blackmail, and for financial gain. Oftentimes attackers will ask for a ransom—recently, Bitcoin is a popular ransom. In this case, ACR stated that it is their policy “to never pay ransom regardless of the cost, as [they] will never give in to cyber terrorism.”
Whereas ACR was initially deemed too small to be an attractive target, because it has recently filled a grey market space in the online poker industry, it has since become an attractive one. A grey market is a jurisdiction in which the legality of Internet gaming operations has not been definitively regulated, whereas a black market is one in which legislation exists to actively enforce laws that prohibit online gaming such as the Unlawful Internet Gambling Enforcement Act (UIGEA) and Illegal Gambling Business Act (IGBA.)
Whether extortion is the driving force behind these Americas Cardroom DDoS attacks is yet to be seen. WPN CEO Phil Nagy believes that a rival site may be behind the ACR attacks; however, his allegations remain unproven. Back in September 2017, ACR sustained 26 separate DDoS attacks over a three-day period that severely crippled the network. At that time, Nagy stated that he was told that a rival poker room was responsible for the attacks but wouldn’t offer any insight as to who that might be. If you’ve got 20 minutes to kill—and the desire to watch—here is Nagy discussing the DDoS attacks.
What is ACR saying about it?
During the most recent series of Americas Cardroom DDoS attacks, ACR took to Twitter to inform followers that it was under another sustained DDOS attacks that forced the site to cancel several scheduled tournaments—including its wildly popular Million Dollar Sunday scheduled for 29 April—and refund players their entry fees.
We are experiencing a new DDOS attack, our techs are working to mitigate it however we have paused all running tournaments
— Americas Cardroom (@ACR_POKER) April 29, 2018
We are having a DDoS attack, out techs are working in order to mitigate. All tournaments have been paused
— Americas Cardroom (@ACR_POKER) May 3, 2018
Due to DDoS attacks, we have suspended some of our regular scheduled events to avoid players from having to go through issues. However, we have prepared the new on demands schedule for the On Demand- In Demand promo. Full details here: https://t.co/dW5OCZUHA6 pic.twitter.com/lITfGD9oDu
— Americas Cardroom (@ACR_POKER) May 5, 2018
We are experiencing a new DDoS attack, all tournaments have been paused. The techs are working on it. Apologies for the inconvenience
— Americas Cardroom (@ACR_POKER) May 5, 2018
Particularly worrisome is that WPN seems to have accepted—and resigned itself to the fact—that DDoS attacks will remain a regular occurrence. In fact, on an ACR blog dated 27 April, the writer stated:
This isn’t the first time we’ve experienced these attacks, and we’re sure it won’t be the last.
Conspiracy theories from the depths of social media
There are many on Twitter who have expressed their own disgust with ACR’s seeming ineptitude to protect its site against repeated attacks and have notated that said attacks tend to occur at the same time as certain high-stakes tournaments—far more than could be a coincidence.
Many players have legitimate concerns.
@ACR_POKER I really want to re-deposit and start playing the summer schedule, but have real concerns for my funds safety, and your ability to prevent all your “ddos” attacks. What is the status of having all this under control?
— Jason Meadows (@TallFatKid) May 24, 2018
I read this tweet by ACR again and the more ticked off it makes me. " For those of you that dont know " That is some condescending unproffesional CRAP to say. A multi million dollar business that cant stop DDOS attacks over DAYS that businesses 1/50th their size stop in a snap
— Jonathan Wilson (@fedayken_) April 29, 2018
Anybody with half a brain and the resources this site has should be able to mitigate DDos attacks, DOS attacks, and friggin BATMAN hacking the site if need be. This garbage is a week long and other smaller sites have dealt with this 10000% better than you guys. GET. IT. TOGETHER,
— Kyle Hilfiker (@KraaazyKyle) April 29, 2018
ACR: If the bots and colluders don't get you, the monthly DDoS attacks will! https://t.co/278y1HlpRr
— Todd Witteles (@ToddWitteles) April 24, 2018
Here is a particularly scathing dig.
In light of all the recent DDOS attacks and cancellations, what is your best new acronym for @ACR_POKER? I'll start: Another Contest Refunded.
— jsmith84poker (@jsmith84poker) May 8, 2018
So @ACR_POKER is over, right? I mean, bots, collusion, DDOS attacks… who would want their money in the hands of such a proprietor?
— Casey J (@dishempire) April 28, 2018
ACR’s support appears to be waning.
Nobody likes these ifs just the only option. Why hasn’t anybody replied once to any of my tweets regarding your MTT schedule, the DDoS attacks, or anything. Don’t you think as players we deserve the right to know? Is it secure yet? WhTs up with MDS? R player funds even safe?
— Charlie C (@_CharlesJoseph_) May 21, 2018
One Reddit user expressed his skepticism with Americas Cardroom DDoS attacks given that the site apparently had a scheduled maintenance for the morning of 29 April when the attacks commenced.
And, of course, the Twittersphere chimed in.
It's not a server issue, it have been numerous DDOS attacks. Apologies for the inconvenience
— Americas Cardroom (@ACR_POKER) April 30, 2018
Strange how all these attacks happen after a server maintenance. I gave your site a second chance and it looks like I regret it. It sucks because I’ve been playing on your site for 7+ years.
— Charles Sears (@fear_these_) April 30, 2018
So, Now What?
These are, indeed, legitimate concerns. Many companies have faced DDoS attacks and have mitigated the dangers accordingly. Why ACR suffers so many—and their timing—raises serious questions to address.
In addition to frequent DDoS attacks, ACR has faced other accusations. Poker personality Joe Ingram expressed his own suspicions about possible cheating at ACR, levying accusations regarding bots and superusers, as well as suspicious activity and win rates among certain screen names.
I will be putting up a video tomorrow discussing what I believe to be wide-spread cheating on multiple different fronts on the Winning Poker Network/America's Card Room cash games and tournaments
— Joey Ingram (@Joeingram1) February 3, 2018
At that time ACR did admit it closed a “tournament registration loophole” and banned those who exploited it.
When one adds these frequent DDoS attacks among the cheating and bot allegations, ACR certainly has some explaining to do.
What are your thoughts on the Americas Cardroom DDoS attacks? Please chime in below.
Until next time.