
Topic: Hufflepuff Making 2k BTC On PrimeDice Nov 2014. March 2015 Update: He Cheated - page 5. (Read 49971 times)

legendary
Activity: 2604
Merit: 1036
I think his wallet linked by Stunna shows around 7000 bitcoins so it's possible his net worth is maybe what approx. 10 000 bitcoins out of all the different wallets and stuff lol. I don't think he will be hacking any sites any time soon lol.
legendary
Activity: 812
Merit: 1000
Just read the article. Can't the same exploits be made on almost all the sites ?

Maybe, but I would assume Hufflepuff should have also checked the other sites after PD fixed the problem completely and launched the same attack if it is feasible. Until now, I haven't heard of any comparably amazing win on the other sites.

If he is exploiting it on other sites, maybe he is now trying to be more subtle, so they don't notice and fix the flaw?

I agree, I think that in total our dear hufflepuff withdrew far more than 2037 btc from primedice, maybe he has exploited other sites...

It's possible huff could have taken very large percentages out of the whole bitcoin gambling economy if he managed $8000 per second at primedice. He's probably sat on a beach somewhere earning 20% working out how to hack the next bitcoin site.
sr. member
Activity: 322
Merit: 250
I ❤ www.LuckyB.it!
Just read the article. Can't the same exploits be made on almost all the sites ?

Maybe, but I would assume Hufflepuff should have also checked the other sites after PD fixed the problem completely and launched the same attack if it is feasible. Until now, I haven't heard of any comparably amazing win on the other sites.

If he is exploiting it on other sites, maybe he is now trying to be more subtle, so they don't notice and fix the flaw?

I agree, I think that in total our dear hufflepuff withdrew far more than 2037 btc from primedice, maybe he has exploited other sites...
sr. member
Activity: 668
Merit: 393
Crypto-Games.net: Multiple Games, Multiple Coins
Just read the article. Can't the same exploits be made on almost all the sites ?

Maybe, but I would assume Hufflepuff should have also checked the other sites after PD fixed the problem completely and launched the same attack if it is feasible. Until now, I haven't heard of any comparably amazing win on the other sites.

If he is exploiting it on other sites, maybe he is now trying to be more subtle, so they don't notice and fix the flaw?
hero member
Activity: 882
Merit: 1000
Just read the article. Can't the same exploits be made on almost all the sites ?

Maybe, but I would assume Hufflepuff should have also checked the other sites after PD fixed the problem completely and launched the same attack if it is feasible. Until now, I haven't heard of any comparably amazing win on the other sites.
hero member
Activity: 910
Merit: 1000
Just read the article. Can't the same exploits be made on almost all the sites ?

Thank you for posting this great read and the Ocean's 11 picture is just so on point lol. Primedice has been exploited on multiple occasions which is quite shocking....

I think most of the exploits were back in the starting years. It definitely has helped a lot of other sites as well, to learn from their mistakes.
legendary
Activity: 2604
Merit: 1036
Thank you for posting this great read and the Ocean's 11 picture is just so on point lol. Primedice has been exploited on multiple occasions which is quite shocking....
legendary
Activity: 812
Merit: 1000
Edited out for now, will edit in with the full details later. It would be preferable for people to be presented the full story rather than vague details here and there.

I just stumbled upon this post, claiming to be from Stunna:

Stunna has also posted that link in https://bitcointalksearch.org/topic/m.11740956, so yup it is the real official report.

Yeah interesting, i have updated the OP and put this link https://medium.com/@Stunna/breaking-the-house-63f1021a3e6d and quoted the story for historical archive.
hero member
Activity: 882
Merit: 1000
Edited out for now, will edit in with the full details later. It would be preferable for people to be presented the full story rather than vague details here and there.

I just stumbled upon this post, claiming to be from Stunna:

Stunna has also posted that link in https://bitcointalksearch.org/topic/m.11740956, so yup it is the real official report.
legendary
Activity: 2940
Merit: 1330
Edited out for now, will edit in with the full details later. It would be preferable for people to be presented the full story rather than vague details here and there.

I just stumbled upon this post, claiming to be from Stunna:

Quote
Breaking the house

How Primedice was exploited for $1M in Bitcoin


This is the story of how we lost around $1 million worth of bitcoin to a hacker who exploited our online casino’s RNG system. This happened last year, but we’ve decided to share our experience for transparency and so that others can learn from our mistakes.

August 2014

Shortly after the launch of the third version of Primedice, our team faced an adversary that challenged the existence of our website. Our team had nearly two years of experience building bitcoin gaming sites, however I personally had pretty limited coding experience. We were under heavy pressure to avoid further delays and released after a short week of closed beta testing.

The heist began immediately after launch with two unusual players, Nappa & Kane. We noticed unusual betting patterns from both those accounts. Kane was automatically cashed out, we reviewed Nappa’s bets and thought they were highly unusual but could find no wrong-doing and cashed him out after a delay and a brief email exchange.

September 2014

After getting spooked by his delayed cashout on Nappa, the exploiter waited a few weeks and created a new account named “Hufflepuff”. Hufflepuff was the largest bettor Primedice had ever seen, he was often seen betting upwards of $8000 worth of bitcoin every second for hours on end. Our entire team was shocked that Hufflepuff continued to beat the house edge (1%) and stack up more and more profit over time.

We were highly skeptical of his winnings and were forced to hold his cashouts time and time again to investigate and each time our developers could not find any wrong-doing. We couldn’t justify greatly delaying his withdrawals when there was no evidence he was cheating. There was also strong incentive for us to promptly pay him, so he’d keep playing. We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky.

The Discovery

About two days after sending his final withdrawal placing him above 2037 profit on the Hufflepuff account alone, our main developer detected the exploit after we found a handful of accounts sharing the same server seed.

To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works. A user is shown an encrypted random value (the server seed) before they bet and they must also submit their own random value (the client seed). These two random values are combined and used to determine win or lose. The random encrypted random value used for the bet then is shown to the user after the bet so that they can be guaranteed that their bet is not rigged. You can find the detailed and in-depth explanations of provably fair here:

https://primedice.com/verify and http://dicesites.com/provably-fair

Part of the functionality of our site is that we have to give out decrypted server seeds (to assure users no bet manipulation has occurred) and put a new random seed in place, essentially trashing the old revealed seed. Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed. This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second. The result of this is that he knew all the information required to corroborate the outcomes of his bets. He knew whether he would win or lose, and could wager accordingly.

We figured this out after frantically checking our servers after a eureka moment. We suspected something could have been going on and eventually realized the possibility of a timing attack described above. Our database had seeds that were both inactive and in use at the same time all connected to Hufflepuff. Along these “Schrödinger” seeds existed many seemingly unused seeds connected to the same accounts, indicative of the rapid fire of requests needed to obtain these.

Déjà vu

Unfortunately we detected this exploit after cashing out Hufflepuff and his handful of accounts 2400+ coins (roughly $1M at the time). Given the nature of Bitcoin there wasn’t much we could do but take it on the chin. We reached out to Hufflepuff via his bitcointalk forum account and demanded the return of the coins, however this backfired unbelievably hard. It turned out that our developer had improperly patched the glitch. In response to our message, Hufflepuff created a new account named Robbinhood and proceeded to rapidly win 2000+ additional bitcoins using a work-around to the patch. He was unable to cashout more than 50 or 60 coins this time around as our site hot-wallet was drained.

Shortly after he privately sent us this message which was preceded with the dox of a primedice employee:

“Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move.
Oh, and by the way, there are some pending withdrawals that you need to process.”
And that was the day the house didn’t win…

Evidence for transparency and investigative purposes
Hufflepuff’s deposit address: https://blockchain.info/address/1BiPXmDrHm7VXZnWy6NnW1ZbPc4dcpfkH5

His primary withdrawal address: https://blockchain.info/address/14iS2UvcLK33xkC1K1qL1dhEbp49aiNfNp

Email: [email protected]

RobbinHood withdrawals:

https://blockchain.info/address/14HQ67ZhmATviHi9RdYhbUriAGSFmJpYoB

— Note — : Nappa/Kane were two other usernames used early on, amongst many others.

Kane’s Withdrawal address: https://blockchain.info/address/18dMBap634aESPTeD3FGcAgJ2S9n4qtBTZ

Nappa Deposit address: https://blockchain.info/address/16h9ggSzUWdvagEJdNvWVYiUkytw6SJgiB

Nappa email: [email protected]

Some IP’s used between accounts: 184.75.221.106, 184.75.223.34 , 151.224.50.156 , 76.179.22.16

Any information that leads to the return of the coins from this incident will be greatly rewarded. We invite you to analyze the above bitcoin addresses and find out where the bulk of the coins ended up if you have the skills.

It’s also important to note that this incident is proof of the strength of our integrity and provably fair system. If at any point we attempted to rig Hufflepuff’s bets (skip nonces etc) we would have instantly realized he was cheating and we would have 2400+ more bitcoins. Hufflepuff only took a brief break from playing after we halved our max bet, I believe he would have cleaned us had we never discovered what was going on. We fund our own bankroll so no users were negatively impacted as a result of this.

Sorry for the long read,

Stunna & Primedice



Contact: [email protected]
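
An added example, not part of the thread and not Primedice's code: a sketch of the defence and the audit the report implies, with seed reveal and rotation in one critical section, plus a check for seeds bet on after disclosure or shared between accounts. `SeedStore`, `audit`, the HMAC roll mapping and the in-process lock (standing in for a database transaction) are assumptions made for illustration.

```python
import hashlib, hmac, secrets, threading

class SeedStore:
    """Hypothetical per-user seed store: reveal and rotation are one atomic step."""

    def __init__(self):
        self._lock = threading.Lock()
        self._active = {}   # user -> secret active server seed
        self._clock = 0     # logical time, advanced under the lock
        self.reveals = {}   # seed -> logical time it was disclosed
        self.bets = []      # (logical time, user, seed, roll) audit rows

    def _seed(self, user):
        return self._active.setdefault(user, secrets.token_hex(32))

    def commitment(self, user):
        # Shown before betting: a hash of the seed, never the seed itself.
        with self._lock:
            return hashlib.sha256(self._seed(user).encode()).hexdigest()

    def bet(self, user, client_seed, nonce):
        with self._lock:
            self._clock += 1
            seed = self._seed(user)
            msg = f"{client_seed}:{nonce}".encode()
            mac = hmac.new(seed.encode(), msg, hashlib.sha256)
            roll = int(mac.hexdigest(), 16) % 10000 / 100  # assumed mapping, 0.00-99.99
            self.bets.append((self._clock, user, seed, roll))
            return roll

    def reveal_and_rotate(self, user):
        # Replace the seed before disclosing it, inside the same critical section,
        # so no request can observe a seed that is both revealed and active.
        with self._lock:
            self._clock += 1
            old = self._seed(user)
            self._active[user] = secrets.token_hex(32)
            self.reveals[old] = self._clock
            return old

def audit(bets, reveals):
    """Flag seeds bet on after disclosure, and seeds used by more than one account."""
    late = {seed for t, _, seed, _ in bets if seed in reveals and t > reveals[seed]}
    users = {}
    for _, user, seed, _ in bets:
        users.setdefault(seed, set()).add(user)
    shared = {seed for seed, who in users.items() if len(who) > 1}
    return late, shared
```

Running `audit` periodically over the bet and reveal tables is the same cross-check that exposed the accounts in the report, done before cashout rather than after.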
legendary
Activity: 2464
Merit: 1037
CEO @ Stake.com and Primedice.com
between did you say "unproven!"? yes that is indeed our typical dooglus, confused as usual

I'm not confused. I made some guesses about what the exploit may have been. There's no way to know for sure without inside knowledge of the Prime Dice code.



looking back. was weird all of us watching someone steal $50,000 ***my edit, it was 750000$ at that time*** right in front of our eyes and didn't even notice.



stunna must have been busy hottubbing with the famous


Actually he was closely monitored but at that time Stunna did not have any proof of him exploiting so even if they actually knew he is cheating somehow, without proof it would look rly bad for primedice to hold somebody's money on an assumption of him cheating without any actual proof.

And as u can guess it was hard to prove it coz he had server seed so him betting with revealed server seed and betting while making it look like just pure luck.

So i understand them paying him out and proving once more that pd is the most trustworthy and most reliable dice site.

They would lose some respect if they did not pay him out without strong proof of him cheating.

legendary
Activity: 2520
Merit: 1403
So is stunna going to update us or nah?

He should have given us an update regarding it, he posted about his intention for this about a week ago

For example, another hufflepuff type scenario[I'll publish the post this week]

Well, unfortunately since it is Stunna who stated this, it seems we would need to wait a few days more since Stunna got a different "time" than most of us (a week period could be two weeks). Also that this is not an important thing for him to do because it serves him no benefit at all by updating us about what happened with it since it was all his BTC that was "stolen"
member
Activity: 84
Merit: 10
So is stunna going to update us or nah?
hero member
Activity: 868
Merit: 1000
between did you say "unproven!"? yes that is indeed our typical dooglus, confused as usual

I'm not confused. I made some guesses about what the exploit may have been. There's no way to know for sure without inside knowledge of the Prime Dice code.



looking back. was weird all of us watching someone steal $50,000 right in front of our eyes and didn't even notice.



stunna must have been busy hottubbing with the famous




legendary
Activity: 812
Merit: 1000
I think Hufflepuff now owned moon on another galaxy, maybe dan bilzerian is Hufflepuff.. who knows.


Huffle was able to make about $600-700k, it sounds like much, but it's really not.

It's not huge money that's going to change anything more than his own life but it still would change anyone's life dramatically who didn't have that kinda amount before.
full member
Activity: 224
Merit: 100
All I want is a new CLEAN page for just to live!
I think Hufflepuff now owned moon on another galaxy, maybe dan bilzerian is Hufflepuff.. who knows.


Huffle was able to make about $600-700k, it sounds like much, but it's really not.

Yeah ofc, it was a joke.
sr. member
Activity: 441
Merit: 251
I think Hufflepuff now owned moon on another galaxy, maybe dan bilzerian is Hufflepuff.. who knows.


Huffle was able to make about $600-700k, it sounds like much, but it's really not.
full member
Activity: 224
Merit: 100
All I want is a new CLEAN page for just to live!
I think Hufflepuff now owned moon on another galaxy, maybe dan bilzerian is Hufflepuff.. who knows.
member
Activity: 75
Merit: 10
i saw this guy win all this btc, winning on 3x some straight wins some streaks he did a good job of making it non-suspicious.
big lesson for pd, i think their system is all fixed now though
legendary
Activity: 2464
Merit: 1037
CEO @ Stake.com and Primedice.com
between did you say "unproven!"? yes that is indeed our typical dooglus, confused as usual

I'm not confused. I made some guesses about what the exploit may have been. There's no way to know for sure without inside knowledge of the Prime Dice code.
I think your guess is true about knowing server seed.
AFAIK hufflepuff was a mod of primedice; so he can easily know his server seeds etc. Also it was obvious to gain attention to primedice...

Lol. He was never mod on pd. And also mods don't have any way of knowing server seeds or anything of pd code. We are just regular users with /m and /um commands, that's all.

I was even in testing for pd3 months before launch and i never knew server seeds or how they are generated.