[sophos.com] 14 JUL 2017 Law & order, Malware, Security threats by Lisa Vaas
Eddie Raymond Tipton, the former Hot Lotto security director who was convicted of running a malware-generating luck factory to scam his own lottery for $14.3m, is looking at up to 25 years in jail.
On June 29, the Iowa attorney-general’s office announced that Tipton had pleaded guilty to the felony charge of ongoing criminal conduct for his role in a multimillion-dollar lottery rigging scheme involving seven winning lottery tickets in five states.
Others in his ring of lottery ripper-offers have also been netted. Eddie’s brother, Tommy Tipton, pleaded guilty to conspiracy to commit theft, a Class D felony, and agreed to a state-recommended two-and-a-half month jail sentence on a serious misdemeanor theft charge.
Robert Clark Rhodes II, 46, of Sugarland, Texas, was previously arrested on charges of conspiring to influence the winnings of the Hot Lotto prize with the intent to defraud, falsely utter, pass or redeem a lottery ticket. The multistate lottery association itself is also in the hot seat: it’s facing multiple lawsuits filed by aggrieved lottery players who say their chances of hitting the jackpot were squelched by the association’s feeble security.
As we reported in April 2015, some people are born lucky. Some people make their own luck.
Some people insert their luck via self-deleting malware on a thumb drive, thereby ensuring that the state Hot Lotto lottery will spit out a number that wins them a sweet jackpot.
That’s how Eddie Tipton did it: he slipped his luck-generating thumb drive into the highly locked-down lottery number generating computer at the Multi-State Lottery Association (MUSL).
He had been the security director for the MUSL, a nonprofit organization made up of lottery departments in 37 states. The association is responsible for the software, equipment and technological wizardry behind multimillion-dollar jackpots.
As MUSL security director, Tipton designed, programmed and maintained software for computerized random number generators used to select winning lottery numbers in many states. Tipton’s position gave him access to the electronic brains behind the 16-state Hot Lotto game: two computers housed in what the HoustonPress describes as “the glass-walled chamber of an otherwise bland, beige-brick shoebox of a building next door to a giant Goodwill store in Urbandale, Iowa”.
Bland it may have been, but it’s the scene of quite the crime. A crime that the HoustonPress called…
…the most ballsy, brazen and ultimately ridiculous lottery-rigging mystery ever – a convoluted mess involving shady offshore tax shelters, the Royal Canadian Mounted Police, a bigfoot hunter and, ultimately, a best friend’s betrayal.
Court documents have described the glass-enclosed nerve center of the operation as a room that could only be entered by at least two people at a time, and which was monitored by a video camera. Evidence pointed to a surveillance camera having been tampered with so that it only recorded one second of footage per minute. Investigators suspect that would have given Tipton the time he needed to insert a USB thumb drive into MUSL’s computer and upload a malicious DLL file.
According to Bleeping Computer, investigators said that the DLL was almost identical to the original – except that it had been tweaked with two code blocks that enabled Tipton to hijack the standard random number generator (RNG) algorithm and produce predictable winning numbers if the lottery draw took place on three days of the year (May 27, November 22, and December 29), on two particular days of the week (Wednesdays or Saturdays), and after a certain time of day (after 20:00).
The DLL also contained code that would trigger self-delete after a certain period of time. Investigators lucked out when they found that one of those files had failed to self-delete.
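A black-box check a defender could run against a draw routine with this kind of clock-gated behaviour, added here as an example (not code from the investigation or from MUSL): it sweeps a simulated clock and flags timestamps at which repeated draws never vary. `rng_under_test` is a constructed stand-in that uses the trigger conditions reported above; the function names, the 5-of-47 game shape and the date-only seed are assumptions.

```python
import random
from datetime import datetime, timedelta

# Trigger dates as reported in the article; everything else here is constructed.
TRIGGER_DAYS = {(5, 27), (11, 22), (12, 29)}


def rng_under_test(now, pool=47, picks=5):
    """Constructed stand-in for a tampered draw routine (not the real DLL)."""
    gated = ((now.month, now.day) in TRIGGER_DAYS
             and now.weekday() in (2, 5)   # Wednesday or Saturday
             and now.hour >= 20)           # after 20:00
    # Assumption: once gated, the output depends only on the calendar date.
    rng = random.Random(now.strftime("%Y%m%d")) if gated else random.SystemRandom()
    return tuple(sorted(rng.sample(range(1, pool + 1), picks)))


def clean_rng(now, pool=47, picks=5):
    """Reference routine that ignores the clock entirely."""
    return tuple(sorted(random.SystemRandom().sample(range(1, pool + 1), picks)))


def clock_sweep(draw, start, end, repeats=5, step=timedelta(hours=1)):
    """Return simulated timestamps at which repeated draws never differ.

    A sound generator repeating a 5-of-47 result five times in a row is
    astronomically unlikely, so any hit means the output is tied to the clock.
    """
    flagged = []
    t = start
    while t < end:
        if len({draw(t) for _ in range(repeats)}) == 1:
            flagged.append(t)
        t += step
    return flagged


if __name__ == "__main__":
    for ts in clock_sweep(rng_under_test, datetime(2010, 1, 1), datetime(2011, 1, 1)):
        print("repeatable output at simulated time", ts.isoformat(" "), ts.strftime("%A"))
```

Testing a generator at a single date and time would not exercise a date-gated branch, which is why the sweep covers a full calendar year at hourly steps.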
Tipton’s tinkering with the random number generator spanned the states of Iowa, Wisconsin, Colorado, Oklahoma, Texas and Kansas. In June, he pleaded guilty in Wisconsin to theft by fraud and a computer crime charge for defrauding the Wisconsin Lottery in 2007, when he and an accomplice pocketed more than $783,000 for a Wisconsin Megabucks jackpot.
But it was the $14.3m Iowa win that brought his winning streak to a screeching halt. In December 2011, Crawford Shaw, a New York attorney, showed up a year after the lottery ticket purchase, mere hours before it was set to expire, and tried to redeem it on behalf of a mysterious company incorporated in Belize.
But given that Iowa state rules stipulate that lottery winners be made public, the winnings were never released, and authorities’ suspicions were aroused.
Shaw would turn out to be only one of a string of men who tried to cash the $14.3m ticket on behalf of an anonymous party.
Tipton was nailed by a surveillance video taken in a QuickTrip near Interstate 80: after police released it, an employee of the MUSL recognized Tipton, who was in fact banned by his employer from buying lottery tickets, in the footage.
A judge has ordered Tipton to pay $1.4m in restitution, while his brother is facing a payment of $800,000. This is the amount authorities have managed to prove the two were able to cash in from fraudulently winning lottery tickets.