
The one poker room where you can study bot detection from real busts, not rumours

Most claims about how poker rooms catch bots are guesswork. ACR Poker is the exception: the Winning Poker Network has publicly confiscated bot winnings, named the methods, and returned money to the players who lost it. That gives us actual case files to read. These notes reconstruct what the busts caught and how — starting with the 2015 ring that gave back roughly $1.4M.

By Raul Moriarty · Updated 28 May 2026

Case file at a glance

  • Network: ACR · WPN
  • Skins linked: ACR · BlackChip · TruePoker · YaPoker
  • Headline bust: 2015 "KhanZ" ring
  • Returned: ~$1.4M · ~30 accounts
  • Method on record: Hand-history forensics
Most ACR bot busts cluster in small and mid-stakes cash — the high-volume tables where a statistical fingerprint has room to accumulate.

Key points

  • ACR is the rare room where bot detection is studied from evidence, not theory: the Winning Poker Network has publicly busted bot rings, stated the methods, and refunded the victims.
  • The 2015 case is the best-documented takedown in online poker — a Russian-speaking ring (community-named "KhanZ"), roughly thirty linked accounts, about $1.4M confiscated and returned to affected opponents.
  • The trail on record reads as forensics: the accounts were identified by their hand histories first, then tied together through a shared account graph spanning ACR, BlackChip, TruePoker and YaPoker.
  • Persistent screen names are what made the reconstruction possible — on anonymous rooms there is no stable identity to accumulate evidence against.
  • This is the opposite of the UltimateBet 2007 superuser scandal: that was a genuine internal breach hidden for years; the ACR busts are detection working in the open and saying so.

Why this site studies ACR specifically

Ask how any other poker room catches bots and you get inference: people reverse-engineer bans, compare notes on forums, and guess at the signals from the outside. The room never confirms anything. ACR is the one place where that reticence breaks. The Winning Poker Network has gone on the record about catching bots — naming the scale, stating that hand histories drove the identification, and publicly returning the confiscated money to the opponents who lost it. That turns a guessing game into something closer to a case file you can actually read.

So the question these notes start from is not "what is a poker bot." It is narrower and more useful: when ACR catches a bot ring and tells us about it, what does the evidence actually show? A bot here is just software that plays one seat from the visible game state — its own cards, the board, the action, the stacks — and acts under a clock. It sees nothing a focused human cannot see. The interesting part is not what it is; it is what trace it leaves behind, and how WPN read that trace in the cases on record.


The 2015 KhanZ case file

The anchor case is a Russian-speaking bot ring that ran on ACR over an extended stretch in 2014–2015, named "KhanZ" in the community accounts that first surfaced it. The shape of the file, pieced together from forum investigation and WPN's own statements: roughly thirty accounts, identified through their hand histories, frozen, and rolled back over a multi-month investigation. Around $1.4 million in winnings was confiscated and distributed back to the players those accounts had taken it from.

What makes it a case file rather than a rumour is the sequence of evidence. The ring did not get caught by a packet sniffer or a leaked exploit. It got caught because thirty supposedly independent strangers were playing with the same statistical fingerprint — bet sizes clustered on identical pot fractions, fold-to-3bet curves that lined up too closely, frequency profiles sitting on solver mass with implausibly low variance for thirty different "humans." Once the play patterns pointed at a group, the shared deposit and device trail across the skins tied them into one entity. Every page on this site is, in one way or another, an attempt to read that sequence carefully.

The room behind the busts

To read the case you need the room. ACR Poker — Americas Cardroom — became the dominant US-facing room after Black Friday in April 2011, when the U.S. Department of Justice indicted PokerStars, Full Tilt and Absolute Poker and shut the prior generation out of the US market. ACR runs on the Winning Poker Network alongside three sibling skins — BlackChip Poker, TruePoker, YaPoker — that share one player pool, one security team, and crucially one account graph. The network holds a Curaçao licence and settles in crypto, which is part of why it stayed reachable from most US states through the federal grey zone.

Phil "OMGClayAiken" Galfond is the most visible name in ACR's modern history; he later moved on to his own Run It Once project, but the Venom MTT series he lent his nickname to survives as the headline weekly draw with a seven-figure guaranteed main event. The Venom field rarely turns up in bust files, and that itself is a clue: its variance is high enough that no operator lets one account grind the thousands of buy-ins it would take to even estimate an edge. The busts cluster where the volume is — small and mid-stakes cash, low-buy-in nightly tournaments.

Three structural facts make ACR readable in a way most rooms are not. Persistent screen names give every account a stable identity that evidence can accumulate against — there is no anonymity to hide a behavioural signature behind. Public statements mean the network's own words are part of the record; the 2015 figures (~$1.4M, ~30 accounts) came from WPN, not a leak. One account graph across four skins means a ring that spreads across ACR, BlackChip, TruePoker and YaPoker to look bigger is, evidentially, drawing the prosecutors a map.

Where the busts cluster — and where the record is empty
| Format | Bot volume | Hands per account | Forensic signal | In the bust record? |
|---|---|---|---|---|
| NLH 6-max cash | High | Very high | Strong — tight frequency profile | Yes — core of 2015 ring |
| NLH full-ring cash | Medium | High | Strong over volume | Yes — secondary |
| Jackpot Poker (3-max hyper) | Medium | Very high | Fast sample, clean read | Partly — later cleanups |
| PLO 6-max | Medium | High | Noisier, slower to confirm | Rarely surfaced |
| Low-buy-in MTTs | Medium-high | Moderate | ICM patterns, slower | Yes — quieter actions |
| Venom-tier MTTs | Low | Low | Sample too thin to convict | Almost never |

What the evidence trail shows

Reading the cases on record, four kinds of evidence keep appearing — and the order they appear in tells you how WPN actually builds a file. The play patterns come first and do the convicting; the account links come second and tie the ring together; the rest corroborates. This is reverse-engineered from the busts themselves, not handed to us by the network, so treat it as the best reconstruction available rather than gospel.

Hand-history evidence
The lead. Long-sample statistical traces: VPIP/PFR pairs clustered too tightly, bet-sizing histograms stacked on exact pot fractions, fold-to-3bet curves matching across accounts that should be strangers. The 2015 ring was identified here first — this is the layer that does the actual catching.
Account-graph evidence
The tie. Once the play patterns flag a cluster, shared IPs, device fingerprints, crypto wallets, KYC documents and table co-occurrence across ACR, BlackChip, TruePoker and YaPoker bind the accounts into one entity. A ring spread over four skins to look bigger only makes the link easier to draw.
Behavioural evidence
The corroboration. ACR's desktop client surfaces input timing, mouse paths, confirmation latency and idle behaviour between hands — telemetry that separates a person on a desk from a process in a rack, and supports the file the play patterns opened.
Human review
The decision. People read the whole file — hand histories, chat, withdrawal timing, KYC consistency — before money is touched. Which is why the documented gap from first quiet flag to the public 2015 confiscation ran several months, not days.
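The first two layers above, in the order the record gives them, as an added example written for these notes and not WPN's method: play profiles flag a cluster, then shared account attributes bind it. The Euclidean metric, the 0.03 threshold, the feature set and every account, device and wallet value are assumptions constructed for illustration; the actual distance metric has never been published.

```python
from itertools import combinations
from math import sqrt

# Constructed sample, not real data: per-account VPIP, PFR, fold-to-3bet,
# then the share of bets sized at 33% / 50% / 75% / other of pot.
ACCOUNTS = {
    "ring_a": (0.240, 0.190, 0.550, 0.40, 0.35, 0.24, 0.01),
    "ring_b": (0.242, 0.191, 0.548, 0.41, 0.34, 0.24, 0.01),
    "ring_c": (0.239, 0.189, 0.552, 0.40, 0.36, 0.23, 0.01),
    "human_1": (0.310, 0.220, 0.620, 0.20, 0.30, 0.25, 0.25),
    "human_2": (0.190, 0.150, 0.480, 0.15, 0.40, 0.20, 0.25),
    "human_3": (0.270, 0.120, 0.700, 0.30, 0.20, 0.15, 0.35),
}
# Constructed account-graph attributes (device fingerprint, wallet).
LINKS = {
    "ring_a": {"dev:1", "wallet:X"}, "ring_b": {"dev:1", "wallet:Y"},
    "ring_c": {"dev:2", "wallet:Y"}, "human_1": {"dev:7", "wallet:P"},
    "human_2": {"dev:8", "wallet:Q"}, "human_3": {"dev:9", "wallet:R"},
}

def distance(a, b):
    """Euclidean distance between two profiles (assumed metric)."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def components(nodes, edges):
    """Union-find: return groups of two or more nodes joined by edges."""
    parent = {n: n for n in nodes}
    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n
    for a, b in edges:
        parent[find(a)] = find(b)
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), set()).add(n)
    return [g for g in groups.values() if len(g) > 1]

def flag_by_play(accounts, threshold=0.03):
    """Stage 1: cluster accounts whose profiles sit closer than threshold."""
    edges = [(a, b) for a, b in combinations(accounts, 2)
             if distance(accounts[a], accounts[b]) < threshold]
    return components(accounts, edges)

def bind_by_graph(cluster, links):
    """Stage 2: inside a flagged cluster, join accounts sharing an attribute."""
    edges = [(a, b) for a, b in combinations(sorted(cluster), 2)
             if links[a] & links[b]]
    return components(cluster, edges)
```

In the sample, ring_a and ring_c share no attribute directly; they end up in one entity only because each links to ring_b, which is the transitive binding the account graph provides.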

Open forensic questions

The record is rich but incomplete. Five things the public busts gesture at but never fully resolve, where better evidence would actually move understanding:

  1. What exactly triggered the 2015 review? The accounts had been live for an extended period before action. Was it a withdrawal spike, a forum thread that prompted WPN to look, or a scheduled forensic sweep that finally crossed threshold? The public account is vague on the trigger, which is the most operationally interesting detail.
  2. How tight was the statistical match? "Shared fingerprint" is qualitative. Nobody outside WPN has published the actual distance metric — how far inside the population envelope a single account could have sat and still been caught as part of the ring versus standing alone.
  3. How much of the link was play-pattern vs. account-graph? The order matters. If the graph (shared wallets, devices) did most of the binding, the forensics story is overstated; if the play patterns alone clustered thirty strangers, that is a far stronger claim about hand-history evidence.
  4. Why so few public busts since? The 2019–2020 cleanups came without dollar figures. Is enforcement quieter, less frequent, or just less publicised — and does the absence of new case files mean detection improved or that transparency receded?
  5. Does cross-skin linking still work the same way? The four-skin account graph was central in 2015. With crypto rails and better operator-side wallet clustering, the evidentiary weight of an on-chain link has likely grown — but no case file confirms it.

If you have studied any of these from real data — a hand sample, a documented action, a WPN statement we have not seen — the chat is read by the team. The most useful contributions arrive as a specific finding with evidence attached, not a general claim.
