Casinos have always been targets for those looking to make money quickly. However, not all these people are players. For a long time, hackers have tried to access casino systems and cash in on stealing data, freezing systems, or locking casinos out and demanding a ransom.
Alongside the boom of iGaming sites in recent years, some hackers have successfully managed to get around continuously upgraded casino technology and network integrations. These criminals have ramped up their relentless attacks, which have been particularly abundant in 2023.
These infiltrations into casino security systems have rocked the industry and made all key players more acutely aware of the importance of security. Read on as we outline the most significant hacks that made gambling institutions re-evaluate their cyber security protocols.
Stake.com (2023)
Stake.com is a bookmaker and international online casino with tons of new slots and features enjoyed by millions of players worldwide. It is also one of the few online gambling providers that accepts player deposits in both fiat currency and crypto.
In early September 2023, the site fell victim to a hack on its “hot wallets,” in which it stored a large reserve of crypto. This crypto store is funded from deposits into players’ accounts and via profits from the casino.
The hackers, who remain unidentified and are known only by the name their crypto wallet was registered under—Stake.com Hacker—gained access to these hot wallets owned by the site. It is believed that access was acquired using a stolen private key used to authenticate users logging into the wallets.
After gaining access to the wallets, the hackers initiated payouts to their private wallet to the tune of $41 million. This was taken in the form of Ethereum ($15.7 million), Polygon ($7.8 million), and BSC ($17.8 million). The site quickly confirmed the hack and assured players their affected wallet balances would be restored shortly.
Marina Bay Sands Singapore (2023)
Owned and operated by American casino operator Las Vegas Sands, Marina Bay Sands in Singapore is an integrated resort (IR) featuring a luxurious hotel and casino and over 300 retail outlets. The IR was also the target of a cyberattack in October 2023.
Luckily for the casino, it was not the data of its gambling customers that was hacked into and stolen—it was the information of over 665,000 Sands Lifestyle Reward members. Members of this program enjoy special discounts on retail shopping and other lifestyle benefits from the casino group.
Las Vegas Sands quickly responded to the attack, informing clients affected by the breach that their names, contact information, membership numbers, and country of residence had been stolen. It also quickly assured all members that it was working with external cyber security specialists to protect its servers and other internal systems.
Gateway Casinos and Entertainment (2023)
Gateway Casinos and Entertainment is one of Ontario’s largest and most successful gambling brands. The Burnaby-based company operates numerous casinos, including Casino Rama—one of the premier casinos in the province.
After experiencing a cyberattack, the group was willing to share few details other than it had detected the attack, was working alongside a third-party service provider to restore its IT systems, and had immediately closed all operations in Ontario. It is unknown what financial cost the attack had on the operator.
When probed as to whether any personal information of players or staff was compromised, the group replied there was no such indication. The incident was reported to the relevant authorities and governing bodies, which also set industry standards for responsible gambling through strict regulations.
DraftKings (2022)
As one of the largest sportsbook and daily fantasy sports operators worldwide, DraftKings is home to millions of players and is one of the top fantasy sports operators. In 2022, third-party websites attacked the popular operator and were able to get in.
In a short space of time, the hackers were able to make multiple withdrawals from players’ accounts. Before being shut out, the hackers transferred over $300,000. The operator quickly restored all affected player accounts and stated its security systems had not been breached.
An investigation into the incident uncovered the hackers likely had access to usernames and passwords and used these to access accounts and withdraw funds. These are claimed to have come from other websites where this information was compromised and not from DraftKings servers.
Hong Kong (2017)
In 2017, more than 29 Hong Kong-based online gambling websites fell prey to an attack that industry experts report came from Mainland China. The sites, all of which offered various gambling opportunities, were subjected to almost two weeks of distributed denial of service (DDOS) attacks starting in early April.
DDOS attacks flood a web server with multiple incoming connections and slow down bandwidth and internet traffic, making the sites almost entirely inaccessible. Considering online casinos rely on customers being able to access their websites, this was detrimental to every site affected.
The attack was so great that cyber security firms in the USA were the first to notice it. While the US is commonly at the top of the list of countries experiencing attacks, Hong Kong took the top spot during these two weeks. During this time, an estimated 39% of the world’s internet traffic was concentrated on this handful of websites.
MGM Resorts International and Caesars Entertainment (2023)
One of the most significant security breaches in casino history occurred in September 2023. Although the news about the breach only surfaced after MGM Resorts announced it, Caesars Entertainment was the first to be affected.
Almost a week before the infamous attack on MGM Resorts, Caesars stated that its systems were locked out with ransomware and was ordered to pay a $30 million ransom. After negotiations, the group paid $15 million to restore its systems, which appeared to happen without incident.
The same group then targeted MGM Resorts, locking out systems controlling everything from online reservations, hotel key card systems, casino floor management systems, and even the company’s emails. The company did not immediately respond but eventually confirmed it was experiencing a cyberattack and was working alongside the FBI to resolve it.
The group behind both attacks, known by many names, including UNC3944, Roasted 0ktapus, ALPHV, and Scattered Spider, was found to have also infiltrated the security systems of three other companies: Cloudflare, Okta, and Twilio.
Although no money was stolen, this attack is estimated to have cost MGM Resorts almost $100 million. Caesars has yet to release a statement about the estimated cost of the attack it suffered on top of the $15 million ransom it paid.
