Tuesday, February 14, 2012

Just Conjecturin', Volume 41: The Episode in which I Discover I'd Moved to Afghanistan

I've been watching, with some interest, these recent developments regarding "Yukon" Brad Booth, amid the posting of links to a cryptic video by Booth on a prominent poker forum. What's Booth up to? I can't say for sure, though I am aware of tales from multiple channels that Booth had received one payment categorized as a "special refund" not too many months ago, and then a second payment didn't happen as promised. I've heard specific numbers in two instances, but both are lower than the $500,000 figure bandied about elsewhere. Nonetheless, all I've heard is hearsay, just secondhand stuff, and it might be true or might not.

I'd like to see Booth come out with whatever information he has. And shoot, Russ Hamilton can call me any time he wants to -- I'd be happy to talk with him. (Come to think of it, one of the Russ Hamilton records in the leaked UB records does have a phone number attached to it; I might have to check whether it's still good....)

Which brings us back, a bit more seriously, to the topic of those leaked UB files and a couple of the less useful fields included therein. These two fields are included only in records belonging to American UB players and contain misinformation designed to provide a false city/country combination to at least one third-party payment processor, among the several that were being used in the 2008-09 timeframe by parent company Absolute Poker. I'm revisiting this topic here just to put this little side tale to rest, since it doesn't have much to do with the cheating scandals, but is instead more an explanation of some of the corporate shenanigans poker sites had to do to keep the financial spigots open to and from their American players.

No one's yet confirmed the exact purpose for these two US-only fields, but the person most likely to be able to describe the fields' use is AP's Brent Beckley, and he's not talking much these days. We'll plow on ahead anyways. Deep in the records for each UB player, at some point in time after they'd been converted over to AP for Cereus Network use, two fields were added, showing this unlikely city/country combination. These did not appear on every US player's account among the records that were leaked late last year, but they were present on a majority of the roughly two million US records.

Sharp-eyed observers noticed that one of the Brent Beckley records I published last time out included two fields, "Sichuan" and "China", while two of the Russ Hamilton records in Vol. 39 carried similar field combinations of "Batna, Algeria" and "Obla, Ukraine". Here's how these fields appear when viewed in Excel:




In case you're wondering, that's my record that's highlighted. So when did I move to Afghanistan? As you can probably guess, I didn't. Filtering this data shows that there were 125 of these highly improbable city/country combinations repeated over and over again, pasted into these two extra fields for each American player.

The fields seem to have been designed to not cause confusion with real city-country combinations that might appear. In addition to places like Algeria and China and Afghanistan where Absolute Poker had no (or very few) real cash customers, a few Western locales were mocked up as well, though these were munged to show something like "British Columbia, Canada", "Southern Finland, Finland" or "See Also, Italy".

It's all garbage, and clearly the result of a batch programming process designed to dump a made-up city and country combo into these two extra fields. The above image shows how the file appeared after the processing was done, though a copy of each player's real-life state of residence was also included a couple of fields further to the right. That "IL" entry, for example, is correct.

There are really only two possible explanations: It was either done to fool a specific payment processor, or it was done hand-in-hand with a favorite processor to provide false city/country info, the purpose being to fool a bank nearer in the processing chain to the actual customers. Most likely, this would be a major American bank serving as a funnel for EFTs and other payments. I tend to favor the "working-hand-in-hand-with-a-processor" answer, since the processors themselves shouldn't have been reprogramming any information received from AP.

Is it important in the tale of the scandals? Not really. It's just an interesting little diversion. What it does do is demonstrate the lengths to which AP and other sites had to go to continue servicing US players, post-UIGEA.

Wednesday, February 08, 2012

Just Conjecturin', Volume 40: Three Records

For various reasons, I'm going to release three records culled from the roughly three million UB records accidentally leaked a couple of months ago by someone I believe to be an Israeli spammer. Before getting down to the records themselves, I'd like to reaffirm a few things about the more than 200 data files that were leaked.

1) The files were not Cereus Network databases specifically, but the working material for spammers who had data from many sites. It just so happened that the largest share of the data was from UB.

2) The vast majority of the Cereus Network files were UB records, not AP ones. Despite Todd Witteles' assertion that a couple of his AP accounts are present, I've been unable to pinpoint a single record elsewhere that I know to have originated as an AP account.

3) The records included both real- and play-money accounts, and my best estimate based on known populations of certain types of accounts is that roughly 60% of the US player records are present in one form or another, split across many files.

4) Despite these largely being UltimateBet records, they have been transformed with new AP account numbers, in a batch process that looks to have been done over several nights around Thanksgiving of 2008. The actual date of the databases is somewhat later, and buried in one of the many files are the first couple of "UB.com" test accounts. It's a strong indicator of when these databases were created.

Ok, that's out of the way. I continue to search and sift these files for records of interest, and while I've found several hundred records of interest, I'm choosing today to publish three, with a fourth on an unrelated matter coming soon. These three are Brent Beckley accounts, but these are Beckley accounts from the UB side of the operation, not the AP stuff. It's almost certain that Beckley had many more accounts over on the AP side.

Without further ado, Beckley account #1:


BRENT BECKLEY Canada BRENT@BRENTBECKLEY.COM 3329A YONGE STREET Male 6/3/1980 TORONTO ON M4N2L9 Canada 186.15.17.68 7/18/2010 17:39 1 200000 0 (Toronto cel-phone number) 0 0 7/18/2010 17:39 UltimateBet.Com Blacklist User 0 E362B3E8-4477-5D1E-87D7-7A534447B209 47:05.6 Other 47:05.6 Ontario Y N IN 0 0 0 ecs_hn

This account shows just a tiny bit of play in 2008 when one checks the various online tracking sites, evidence that Beckley just dabbled on the UB side. The brentbeckley.com domain once existed but is now defunct. The "Blacklist User" tag is interesting, as it's a code applied to many accounts where shenanigans of many types occurred, but one can find the same code on accounts used for credit-card fraud, collusion, and other offenses against the site.

Account #2:

Brent Beckley United States bbeckley@fiducix.com 91 Campus Drive PMB 1512 6/3/1980 Missoula MT 8331632 M0RNINGW00D 59801 196.40.37.120 7/23/2008 22:41 99000 25943 (Atlanta-area phone number) (Atlanta-area phone number) 421.25 0 7/23/2008 22:41 UltimateBet.Com 0 Test(ALL) 0 Male Other Sichuan China Y MT 0 0 0

"M0RNINGW00D" was a test account, probably used lightly in-house in connection with the transition to the unified Cereus Network and the creation of the new UB.com. It doesn't show up in any hand-tracking databases as far as I can tell. The "91 Campus Drive" comes from the boys' old SAE frat house, and fiducix.com is a known business entity associated with the corporate operations of AP. The account's just a jumble of marginally interesting info.

Then there's account #3:


BRENT BECKLEY Canada BRENT@CASCADEDEVELOPMENTS.COM (Boise ID street address) Male 6/3/1980 TORONTO ON M4N2L9 Canada 200.122.182.37 11/24/2008 17:58 Television 257000 5000 (same Toronto cel-number as above) 0 0 5/15/2009 17:10 UltimateBet.Com Bronze VIP 0 {65A4971C-F69D-4257-A446-FD6A401E1B8D} 45:55.2 26:29.1 Television 26:29.1 Ontario Y N PW 0 0 0 03:4

To me this is the most interesting record of the three, and its account name was deleted from these records. The Boise street address (Cascade St.) corresponds to a listing for Beckley's mom, Debbie, but it's the "CascadeDevelopments.com" entry that warrants further digging. I would characterize that as a lead as to where some small bit of money might have gone, as one can follow the domain link to various Beckley business-network entries, such as this info from Naymz:




It's no longer really a question of what happened to millions from the AP funds -- it's more a process of identifying all the possible channels that might have been used. Since Beckley's up for sentencing fairly soon, I'd be remiss in my civic duty if I didn't do my part to open up Cascade Developments as an operation worth investigating.