Former Security Director For Lottery Charged With Tampering Equipment Before Secretly Buying $14.3 Million Winning Ticket
from the security-director? dept
If someone hasn’t already sold the movie rights to the story of Eddie Raymond Tipton, expect it to happen soon. Tipton, an Iowa-based former “security director” for the Multi-State Lottery Association (MUSL), is accused of trying to pull off the perfect plot to allow himself to win the lottery. It didn’t work, but not for the lack of effort. MUSL runs a bunch of the big name lotteries in the US, including Mega Millions and Powerball. It also runs the somewhat smaller Hot Lotto offering, which was what Tipton apparently targeted. When he was arrested back in January, the claims were that it had to do with him just playing and winning the lottery and then trying to hide the winnings. Lottery employees are (for obvious reasons) not allowed to play. However, late last week, prosecutors in Iowa revealed that it was now accusing Tipton of not just that, but also tampering with the lottery equipment right before supposedly winning $14.3 million. Because of these new revelations, Tipton’s trial has been pushed back until July. However, the details of the plot and how it unraveled feel like they come straight out of a Hollywood plot.
First, there’s the story of how Tipton was discovered winning the lottery in the first place. The ticket was purchased in late December 2010 in a QuickTrip off of Highway 80 in Iowa. The winning $14.3 million went unclaimed for nearly a year, but right before it was set to expire, a New York lawyer named Crawford Shaw showed up with paperwork to claim it. However, Shaw refused to reveal the necessary details about who actually won the money, as Shaw was merely representing Hexham Investments Trust, which was a shell company set up in Belize. Belize, as you already know, is a popular place to setup offshore companies if you want the true ownership to be anonymous. The problem, however, is that Iowa doesn’t allow for anonymous lottery winners. That resulted in Iowa officials investigating who was really behind the winning ticket.
The resulting investigation took them from the NY lawyer Shaw to some (unnamed) guy in Quebec City, Canada, who was listed as Hexham Investments Trust’s trustor and president. That guy eventually pointed investigators to two other guys in the Houston area: Robert Rhodes and an unnamed Houston attorney — who had also known the NY attorney, Shaw, for many years. The attorney in Houston insisted that he represented the winner of the ticket who wished to remain anonymous. Somewhat stumped, investigators released a video and screenshots of the guy at the QuickTrip who bought the ticket:
And that’s where the story stood until just recently. In March, Rhodes was also arrested for fraud and then prosecutors revealed that Tipton was in the draw room in November, a month before the winning ticket was purchased and that they believe he tampered with the equipment:
Prosecutors also argued in their reply that Tipton was in the draw room on Nov. 20, 2010, “ostensibly to change the time on the computers.” The prosecution alleged the cameras in the room on that date recorded about one second per minute instead of how they normally operate, recording every second a person is in the room.
“Four of the five individuals who have access to control the camera’s settings will testify they did not change the cameras’ recording instructions; the fifth person is Defendant,” the prosecution wrote.
It is a reasonable deduction to infer that Defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG tower without detection.”
Of course, some of the additional evidence seems purely speculative. For example, prosecutors quote Tipton’s co-workers talking about his “obsession” with rootkits:
In their reply to the defense’s motion, prosecutors argued that Tipton’s co-workers said he “was ‘obsessed’ with root kits, a type of computer program that can be installed quickly, set to do just about anything, and then self-destruct without a trace.” The prosecution claimed a witness will testify that Tipton told him before December 2010 that he had a self-destructing root kit.
Honestly, that part of it feels pretty weak, and one would hope they have more extensive evidence to support that claim. However, given all of the other evidence in the case, and the timing of all of the events, it certainly does raise reasonable questions about just what Tipton was up to in that room.
Filed Under: eddie raymond tipton, fraud, hot lotto, iowa, lottery, rootkits, scam
Companies: multi-state lottery association, musl
Comments on “Former Security Director For Lottery Charged With Tampering Equipment Before Secretly Buying $14.3 Million Winning Ticket”
"given all of the other evidence" -- Yet can't connect Kim Dotcom to contributory infringement?
Petabytes of infringing content stored for anyone to download, but that’s only circumstantial, eh?
Your analytic abilities are highly selective.
Re: "given all of the other evidence" -- Yet can't connect Kim Dotcom to contributory infringement?
If that’s true, why did the FBI and DOJ permit the damning evidence to be destroyed by refusing to pay for the servers — or to let Dotcom pay for them himself?
Your analytic abilities are highly selective.
Winning and attempting to be anonymous isn’t going to work. The fine print on tickets grants the companies or states that run the lottery the use of name & likeness of the winner. Kind of like sports tickets.
Also, MUSL isn’t directly involved with the lottery equipment (at least, not in IL.) If he gained access to a machine, he likely had inside help. However, different states have different companies managing the machines so MUSL might have a little knowledge (as it pertains to their games) but I still think he’d need help.
Use to work for one of those companies.
"given all of the other evidence"
Yet you can’t connect Kim Dotcom to contributory infringement?
Petabytes of infringing content stored for anyone to download, but that’s only circumstantial, eh?
Your analytic abilities are highly selective.
Re: "given all of the other evidence"
Kim Dotcom uploaded petabytes of infringing content??!
His calendar must have been odd.
“Upload, upload, upload, upload, upload, upload, upload, upload, upload, pee, upload, upload, upload, upload, upload, upload, upload, upload, brush teeth, upload, upload, upload, upload, upload, upload, upload, upload, upload, upload, upload, upload, drink coffee.”
Re: "given all of the other evidence"
Kim Dotcom is not involved in any infringement activities. Some of his end users may be.
By your logic, maybe the guy at the KickTwip who sold Tipton the lottery ticket should also be charged. Be raided by black helicopters, etc. After all, this is a real crime for millions of dollars. And that KickTwip store definitely enables and facilitates committing fraud on lottery systems just as digital storage lockers, ethernet cables and electric utilities contribute to copyright infringement.
Re: Re: "given all of the other evidence"
Actually they should go after the owner(s) of KwikTrip.
Re: Re: Re: "given all of the other evidence"
…KwikTrip…
There are 2 chains in the US that call themselves that.
One spells it KwikTrip.
The other spells it QuikTrip.
Presently both are in different markets. I can only imagine the confusion that would result – like what already exists in this article – if they both entered the same market.
Re: Re: Re:2 "given all of the other evidence"
The fictional one I mentioned, KickTwip, is neither of those.
Re: "given all of the other evidence"
The Kim Dotcom case has international border and privacy complications. From the CBC News yesterday:
Kim Dotcom Megaupload case falters over sharing Canadian data
Another highlight: The crown attorney acting on behalf of the U.S., arguing that all the data should be handed over to the US, privacy be damned, because “this data pales in comparison to other information shared easily with the U.S., such as wiretaps.” “What’s being proposed here looks very, very minor in terms of what we’re exposing foreign officials to.”
Americans should remember that that information flow goes both ways.
Re: "given all of the other evidence"
We are talking active tampering by MUSL, while Dotcom was a third party. Might as well send the parents to a criminal underage kid to prison.
Your analysis is what seems selective here.
Re: "given all of the other evidence"
kim dotcom has never stepped foot in the USA and is therefore someone else’s problem.
Re: "given all of the other evidence"
“Yet you can’t connect Kim Dotcom to contributory infringement?”
Nobody can, it seems.
“Petabytes of infringing content stored for anyone to download, but that’s only circumstantial, eh?”
That’s not, by itself, evidence of contributory infringement, circumstantial or otherwise. Also, petabytes? Evidence, please.
Re: "given all of the other evidence"
The kim.com case does more to connect copy protection law, those that push for it (RIAA/MPAA), politicians, and the government with corruption than anything. It shows the true motive is not to stop infringement but to stop competition altogether. For example it was the government, working for the RIAA/MPAA (not the people), that was responsible for destroying all that evidence. Kim wanted to keep it. Why would he be willing to keep evidence that the government acted to destroy if he was so guilty. Kim dot com also went above and beyond when he complied with takedown notices. His servers were mostly used for legitimate purposes. Sure, some users may have attempted to use it for infringement but that’s no different than someone using the USPS for illegal activity. The USPS can’t be blamed for the actions of others.
Thanks for bringing this up. By bringing this up you allow us to keep reminding everyone how corrupt the government and industry is in their attempt to stifle competition for personal gain.
Re: Re: "given all of the other evidence"
Perhaps another part of the reason the U.S. government went after Megaupload is because it was a foreign service that competed with U.S. services (ie: google/youtube). The U.S. doesn’t want American dollars directed overseas. Of course New Zealand should probably consider this an attempt by the U.S. to harm their economic growth internationally and they should allow Kim.com to continue making their country wealthier. From this perspective this gives me a lot less sympathy for the U.S. when the EU attempts to pass laws against Google. A taste of their own medicine if you will.
The prosecution claimed a witness will testify that Tipton told him before December 2010 that he had a self-destructing root kit
He had a Sony DVD?
Re: Re:
Hardly – the Sony rootkits weren’t even nice enough to self-destruct after they performed their function – they just stayed there and provided a nice security hole for anyone who wanted to use them again.
Re: Re:
The Sony disks rootkits do not self destruct. They merely destroy your computer’s security, and effectively require you to get your OS re-installed from scratch to remove Sony’s malware.
Re: Re:
of death +3
How dumb do you have to be?
He really couldn’t find anyone else to buy the ticket for him and claim it? Wow.
Re: How dumb do you have to be?
More than likely, he just got cocky and figured he would deal with the issue of claiming it at a later date.
He probably didn’t count on the store still having video of him purchasing the ticket 😉
I’m guessing he realized at some point later that he couldn’t use any direct friends or family – he couldn’t trust some random stranger on the street, and choosing an old school buddy was his best bet.
Too bad it still tied back to him 😀
Re: Re: How dumb do you have to be?
My guess is that security cameras along with compliance with a corresponding policy to prevent and investigate possible fraud are likely required for any place that wishes to sell lottery tickets and part of that policy is likely that when a matching ticket is found, the footage is automatically reviewed and archived. This guy was also the “SECURITY DIRECTOR” for the lottery. If anyone should know what those policies and procedures are you would think that it would be him. Next question:
How does a guy this inept get hired to that position in the first place?
Re: Re: Re: How dumb do you have to be?
you sir have to much faith in humanity. likely someone bought a crappy 2tb dvr and set-it to only record motion events at very crappy quality.
Re: Re: Re: How dumb do you have to be?
Security directors for an IT-reliant company. His tampering was likely what he got focused on.
After that seemingly flawless execution of the hack, he didn’t plan ahead enough to get an accomplish for the actual heist. When he found out he had blundered, he tried covering it up. While his setup wasn’t bad – an old friends friend trying to hide him in a taxshelter – nobody wants hackers to get a payday for their deeds and the policework has been pretty good.
The question you should ask yourself is: “Would the company have noticed the tampering and made the connection before he could have disappeared if he didn’t buy the ticket?” Given how the case has unraveled, it seems likely he actually did well enough on the IT-technical stuff, while he done goofed in the legal understanding part of the plan.
Re: Re: Re:2 How dumb do you have to be?
The fact is lotteries don’t allow anonymous winners for 2 reasons and fraud prevention is only one of them. The other is whenever there is a big jackpot winner they want to use the presentation of that jackpot to the individual in a very public way to promote further interest in playing the lottery. It’s fundamental to the business plan for the way lotteries work. There is never going to be a winner that is going to be able to collect without exposing their identity. The concept of someone tampering with the lottery to generate a winning ticket for themselves but never collecting wouldn’t cause them to lose any money so until someone tries to claim it they really have no incentive to vet the process to make sure that the process was legitimate. If the ticket expires unclaimed, they still haven’t lost anything and don’t have to waste resources doing an investigation that in their mind is unnecessary.
Re: How dumb do you have to be?
And dumb enough to talk about his self destructing rootkit.
Dumb enough to not research and discover that Iowa doesn’t allow anonymous winners.
Dumb enough to think that an offshore and lawyer would keep him anonymous.
Dumb enough not to realize that winning would bring lots of instant scrutiny to ensure the win wasn’t fraudulent.
I think this guy should have found gainful employment with his talents, by applying for a job at Righthaven, Prenda, Rightscorp, or even the RIAA / MPAA.
Why not just...
…get a friend to buy the ticket and have him deposit the winnings in the offshore account? Seems both easier and less suspicious.
Re: Why not just...
$14.3 million cuts a lot of ties.
Re: Why not just...
Have him deposit HALF the winnings in the offshore account. If you are lucky.
Re: Why not just...
plus if anyone realized a friend of an employee won then I am sure both would be investigated for potential fraud. It would have to be an obscure friend that you can still trust enough to deposit at least some of the money into the account.
In the end playing the lottery is stupid and you could better spend your time and money on other pursuits.
Re: Why not just...
Ohai AC @ 11:44am. Please can you go pick up a ticket whose number I will specify when you’ve answered my post with your full name, address, date of birth, and bank account details including any security information I may need to access it so I can get my share of the multiple millions you’re going to have in there when you’ve bought it and cashed it in. Not bad for a couple bucks, huh?
Thanks in advance.
I'm surprised they use computers for the drawing
Like with voting machines rather than paper ballots, you don’t really have convincing methods checking for tampering.
Re: I'm surprised they use computers for the drawing
You cite the very reason why they would use computers (because tampering can be done), while being surprised that they would choose that.
Put the two together and it should bring you to a conclusion about why someone might choose to use something that can be tampered with. And it’s the exact same reason why some would push so hard for voting machines designed to invite tampering.
Q. Why would anyone choose something that can be tampered with and have no verification?
A. Because it allows the results to be tampered with and have no verification.
Re: I'm surprised they use computers for the drawing
I thought all the big lotteries used ping pong balls in the selection process to ensure a random result?
Re: Re: I'm surprised they use computers for the drawing
Some like powerball do. But our State drawings use computers to do the “draw”.
Re: I'm surprised they use computers for the drawing
So be fair, mechanical lottery devices and paper ballots allow for plenty of tampering and questionable results.
Look at Florida 2000 and everybody’s new friend, Dangling Chad.
In the meantime, open source code run by a monitored neutral party would be able to keep the game honest.
Re: Re: I'm surprised they use computers for the drawing
if heartbleed taught us anything its that open source projects translate into 1-3 guys that actually know the code and the rest of the internet using the code.
Re: Re: Re: I'm surprised they use computers for the drawing
You learned the wrong lesson from heartbleed, then. Some OSS projects are maintained by tiny teams, and some are maintained by huge ones. It all depends on the project.
Re: Re: Re: I'm surprised they use computers for the drawing
It also taught us that if people want to actually look for the weaknesses and flaws, they can – while closed source software is much more opaque to the masses (while remaining easy for the hackers and crackers to exploit at will).
You clearly picked up the wrong message.
Re: Re: Re:2 I'm surprised they use computers for the drawing
It also taught us that if people want to actually look for the weaknesses and flaws, they can
It also taught us that people actually don’t want to look for weaknesses and flaws.
I agree that it’s better to be able to than not to be able to… but for most of the world it’s an academic distinction.
Notwitstanding, it seems that black box hacking is at least as common as source code inspection, which suggests that it’s just as easy to find weaknesses and flaws in proprietary code as OSS code. The only benefit is that OSS code allows the possibility (but not the certainty) of a fork if the current developers aren’t interested in working on a fix for any found weaknesses and flaws.
Then again, patch and pray is a bit of a broken system to start with. The gordian knot needs to be cut.
Re: Re: Re: Open source doesn't determine the size of the support team or that they're volunteers
Only that the code is available to public scrutiny. Though, yes, that usually goes hand-in-hand with a free license to use and modify.
But that is what keeps our still robust encryption options like AES intact, and why we suspected the vulnerability of the elliptic curve RNG seed generator long before it was revealed to be an NSA backdoor.
With an open source secure lottery number picker, white hats and black hats alike would be all over it like anteaters looking for exploits.
Re: Re: I'm surprised they use computers for the drawing
There is no question about mechanical devices (or paper ballots) lending themselves to tampering. But they also lend themselves to monitoring and verification by independent parties.
Re: Re: Re: Monitoring and verification
I don’t see how mechanical devices lend themselves to monitoring and verification in a way that computers don’t. Granted, most of us schlubs think we know how mechanical devices work, but that makes them more exploitable, when a means to game the system we didn’t expect is employed.
So why are they not using a USB port blocker to lock all of the open ports? Require 2 or more people to get the key out of a safe and this would have been harder to pull off.
Can we give a funniest comment to...
the prosecutor?
“”Four of the five individuals who have access to control the camera’s settings will testify they did not change the cameras’ recording instructions; the fifth person is Defendant,” the prosecution wrote. “
I am pretty sure all 5 f them will testify they did not change the camera’s settings. Unless the accused just really wants to go to prison.
Re: Can we give a funniest comment to...
I am pretty sure all 5 [of] them will testify they did not change the camera’s settings.
Exactly. That sentence structure is prosecutor-speak to make people appear guilty using mere suggestion, and it works on many people.
I’ll posit a scenario: this guy came up with a way to rig the number-choosing side of the lottery, probably with a rootkit. He immediately wanted to see if it would work, so he bought a ticket, changed the security video frame record rate, and installed the rootkit.
Only after he does this, does he realize it’s not a “dry run”. He has already committed the crime. He left evidence. Rather than having time to complete the plan for the perfect crime, he is halfway in with no way to back out and no good endgame.
So he spends the next few months coming up with an approach to cash in the ticket. But it’s a lot more difficult than he expected. There are plenty of ways to launder money if you have a big operation and a legitimate flow of money to hide under. But no good way to do a last-minute one-off.
He probably didn’t have the contacts, but his best bet would probably have been someone looking to launder money. They would be willing to buy a winning lottery ticket in order to turn unexplainable piles of cash into legitimate income.
Re: "Dry Run"
There would have been a very easy way to back out after the fact. All he had to do was tear up the ticket and forget about it.
If nobody had ever tried to claim the prize the lottery almost certainly never would have conducted any investigation at all. Unless they were already aware of the improper video recording of the drawing computer they would have had nothing to be suspicious about. Since it took so long to make an arrest and the original charge didn’t include anything about the equipment tampering it seems unlikely that the video problem had already been discovered by any routine check.
The one thing that’s absolutely certain about this case is that the lottery’s security protocols were incredibly deficient.
Light Bulb Just Went On.
The best way to “Win The Lottery” is to “Sue The Lottery.” AS if it wasn’t already impossible to win if you don’t play, now we find out its impossible to win if you do play. That’s not a Lottery.