In one of the most intriguing and entertaining TwoPlusTwo forums threads in recent memory, an anonymous Americas Cardroom (ACR, part of the Winning Poker Network, or WPN) user, going by “Themadbotter,” announced earlier this week that he had been using an AI bot on the site for the past six months, but had decided to stop. According to Themadbotter, his bot had earned a total of $30,000 over this period, but required constant attention and tweaking to remain profitable and undetected, and that this overhead had caused him to decide to scrap the project, take his winnings and retire.

The botting arms race

The possibility that one’s opponents are not humans at all, but rather computer programs has been a source of both irrational paranoia and legitimate concern since online poker was first invented. For some, the fear is that the players making bad plays and catching lucky aren’t simply bad players, but AIs operated by the house, with the deck rigged in their favour. That is probably rarely, if ever, the case, but that doesn’t mean the bot problem isn’t real. Free money is a fantasy held by many, so anywhere profits are to be made online, it’s guaranteed that people are out there attempting to figure out a way to automate the process.

In the early days of online poker, it wasn’t too much of a problem, simply because poker AI was not yet at the point where it could consistently beat even marginally competent human players. Bots running on multiple accounts could still profit by sharing hole card information, of course, but human players could cheat the same way, and sites have ways of detecting such collusion via statistical analysis.

The days when the weakness of the AIs themselves was enough to protect online players are long gone, however. Limit Hold’em has already been solved for heads-up play, resulting in the unbeatable bot, Cepheus. No-Limit is much more difficult to actually solve, and non-heads up formats don’t actually have a solution in the strict sense, and yet the best bots out there, such as Claudico, the Tartanian series and SlumBot, are already at the point that they pose a tough challenge for top pros. For simpler, shallower-stacked formats, where the same types of situations are repeated often, it’s no longer particularly difficult to create an AI which can grind out a small profit in a fairly systematic way; indeed, even the real human winners in those formats tend to be playing in a highly formulaic manner.

How serious is your site about security?

The nature of AI research is that its acceleration is always greater than that of human progress. Computers take longer to catch up with us in some things than they do in others, but once they’ve passed humans, it’s exceedingly rare that we turn the tide; rather, the gap tends to widen at an alarming and ever-increasing rate. This spring, we may very well have witnessed the last game of Go won by a top human over a top AI, and one suspects that we may reach a similar threshold in poker soon.

If the human brain itself is no longer adequate defence against exploitation by poker bots, that leaves site security as the last line of defence. Unfortunately, that battle is likely a losing one as well, as botting communities come up with increasingly sophisticated ways to elude detection. In any case, whatever methods are used, the magic bullet for bot-users is simply to have the AI running on a separate machine and displaying moves to a human middleman. PokerStars has attempted to address that possibility at the high stakes by demanding that suspect users record video of themselves playing, showing their entire setup, but this is self-evidently not a scalable solution outside of the high-stakes community, with its relatively tiny user base.

That said, the free money fantasy is rooted in laziness, so as long as some sites’ security is stronger than others, those which take it more seriously will enjoy at least a partial deterrent, as most botters will focus on those sites where the odds of getting caught are the lowest, and the effort involved in avoiding security is lowest. This was a point made repeatedly by Themadbotter in describing his exploits: that ACR was the site he chose to run his bots on precisely because their security was lax, even tolerant. His claim was that the security team there will make no particular effort to catch a bot-user unless so long as other users don’t notice and complain, since bots are low-maintenance, high-raking users. By contrast, he described PokerStars as “off-limits” to all but the most sophisticated and experienced bot-designers, due to the multitude of automated, black-box security features designed to detect the characteristic behaviours of non-human players and bring them to the attention of the security team.

Accusations of trolling and shilling

It was for this reason, in part, that many in the thread were dubious about Themadbotter’s claims. Although he displayed a reasonable knowledge of the botting community and the technological challenges involved, he refused to provide any concrete evidence that he had written his own bot profile, withdrawn the amount of money he claimed, or even owned an account on ACR. The reason, he said, was that he could not afford to supply any details that could assist internet sleuths in establishing his identity, for fear of reprisal.

That makes sense, of course, but without any evidence his claims were true, it was a clear possibility that he was making the whole thing up, either simply to get a rise out of the ever-irritable TwoPlusTwo community, or for some ulterior purpose. One possibility that was pointed out was that he could be someone with a personal or professional reason to smear ACR’s reputation, or bolster that of PokerStars.

A sudden about-face

If there was any doubt that Themadbotter was for real, however, that was dispelled early this morning. Out of nowhere, he returned to the thread with two quick posts explaining that it was all just trolling and apologize for any panic caused or damage to ACR/WPN’s reputation. To say that his apology was unconvincing would be a massive understatement. Here is the full text of his second apology post:

I see from the FAQ that [my inability to delete previous posts] is likely due to the way this particular sub was set up. Well, I’m sorry to disappoint you all, I was just bored and wanted to troll. This is why I could not post any proof. I hope that admin can delete this thread so as to not cause undue panic in the players or to unnecessarily slander WPN’s reputation. ACR should ask to have this thread deleted since there is no reason why my unfortunate misstep, with no proof or evidence to support any of the allegations in this thread, should unnecessarily cause them financial harm or bring negative publicity.

The reason for this panicky about-face is equally easy to deduce; partway through the thread, a newly-registered user going by “NovaCaine” jumped in to say that he suspected he knew Themadbotter’s ACR username, and would be reporting him to security. Sure enough, the ACR Twitter account announced that it was launching a security investigation, just a short time after Themadbotter’s decision to recant his confession. It seems likely, then, that he was not as careful in covering his tracks as he’d believed, and with their attention and ire thus attracted, NovaCaine and the ACR security team were in fact able to determine his screen name. Unfortunately for him, the fact that WPN plays loose with the rules in general may work against him when it comes to privacy; sites in general tend to extend their privacy policies even to cheating users, but unregulated sites are more or less the Wild West, so I wouldn’t feel confident in Themadbotter’s shoes that my name wouldn’t get out one way or another.

But… why?

As much as we all enjoy a good tale of hubris, I suspect that for many readers, there will be a lingering question about why he would confess publicly in the first place, as it seems like a risky move with little upside. Surely the rational thing for him to have done, upon calling it quits, would be to pocket the money and never speak hide or hair of it to anyone for the rest of his life.

I believe the answer for that lies between the lines of his various posts. In explaining his decision to call it quits, he says that it was never really about the money for him, but the challenge. He says that he targeted 6-Max No-Limit cash games precisely because they were regarded as the hardest thing for bots to beat, compared to, say, hyper-turbo Sit-and-Go’s. To me, this smacks of narcissism, and narcissism is in fact at least a partial motive in a lot of crimes. Whether we’re talking about bank robbers, white-collar fraudsters, or murderers, a lot of the pleasure often comes from the sense of outsmarting one’s victims and the law, and victimizing others without consequence.

The trouble for these types is always the same: Once they’ve actually pulled off their crime, they find themselves in a paradox. They’ve proven themselves superior to themselves, but what the narcissist wants is being recognized as superior by others. What good is pulling off the heist of the century, when no one will ever know it was you? Thus, the anonymous public confession, often filled with subtle hints which are intended to tease, but which quite often result in the perpetrator getting caught in the fashion of the villain in most Hollywood psycho-thrillers. Once upon a time, pay phones and letters to the local newspaper were the media of choice for developing this infamy, but these days, pseudonymous internet forums provide an even better options.

In fact, Themadbotter’s behavior is nearly identical to a blog I came across while doing background research for my interview with Eric Jackson, early on in my time with PartTimePoker. The blog is by a guy named Matt Mazur, and the posts in question date back to early 2011, shortly before Black Friday. In it, he admits to having been caught botting and banned from both PokerStars and Full Tilt, and describes his experiences and techniques. Like Themadbotter, he says that it was always about the challenge, not the money and, although he didn’t step away voluntarily, he does a fair bit of mental contortion to convince himself and the reader that getting banned was kind of his goal all along. Furthermore, he went so far as to reach out to the security team at PokerStars to share his research, claiming that he hoped some good would come of it in helping them improve their defences.

All of that, too, is characteristic of a narcissist attempting to spin his misdeeds in the best possible light. It’s even possible, I suppose, that Mazur and Themadbotter are one and the same, though more likely, given that the blog is still up, is that they’re simply two people with similar personalities. Either way, assuming that WPN’s security investigation bears fruit, we may find out soon enough.

Alex Weldon (@benefactumgames) is a freelance writer, game designer and semipro poker player from Montreal, Quebec, Canada.