The 2015 ACR Bot Bust, Reconstructed
By Raul Moriarty · Updated 28 May 2026
In 2015 the Winning Poker Network froze a bot ring on ACR, confiscated its winnings, and handed roughly $1.4M back to the players it had been taking from. It is the most documented bot takedown in online poker. This is a forensic reconstruction of how it was caught — which evidence pointed at the ring first, how thirty accounts were tied into one entity, and why it took months from first suspicion to public action.
The case in five lines
- The ring — community-named "KhanZ" — ran roughly thirty ACR accounts over an extended stretch in 2014–2015 before WPN moved on it.
- The accounts were caught by their hand histories first: thirty supposed strangers playing with one statistical fingerprint. The play patterns opened the file.
- The cross-skin account graph — shared IPs, devices, deposit trails across ACR, BlackChip, TruePoker and YaPoker — then bound them into a single entity.
- Roughly $1.4M was confiscated and distributed back to affected opponents, a refund step that is itself unusually public.
- The lag from first quiet flag to confiscation ran several months — the evidence was there long before anything visible happened, which tells you how the pipeline is tuned.
The case file, in brief
What we have is not a leak; it is the network's own account, corroborated by the community forensics that first surfaced the ring. WPN's then-CEO confirmed the broad strokes: roughly thirty accounts, identified through hand-history analysis, frozen and rolled back over a multi-month investigation, with around $1.4 million returned. Everything below is built from that public record plus the structure of how such a case has to work — flagged where it is reconstruction rather than confirmed fact.
The reason ACR yields a readable file at all is the room's structure. Persistent screen names give thirty accounts thirty stable identities to accumulate statistics against. One shared account graph across four skins means a ring that spreads out to look like independent players instead draws its own membership diagram. And WPN's willingness to state outcomes — sometimes with dollar figures — turns what would elsewhere be forum speculation into something you can actually cite.
The order of the evidence matters
The single most useful thing the 2015 case teaches is sequence. There are four kinds of evidence in play, and the order they enter the file is not arbitrary — it is what separates a real reconstruction from a just-so story. The play patterns convict; the account graph binds; the rest corroborates; people decide.
- First — hand-history evidence. The lead investigator. Per-account distributions on VPIP, PFR, 3-bet by position, fold-to-cbet by board texture, bet-sizing histograms, river aggression, showdown equity. Heavy to compute, run offline on a cadence, and the layer that actually clustered thirty "strangers" into one suspect group in 2015.
- Then — account-graph evidence. The binder. Once a cluster is flagged, shared IPs, device fingerprints, crypto wallets, KYC documents and table co-occurrence across ACR, BlackChip, TruePoker and YaPoker tie the accounts into one entity. This is what converts "these play alike" into "these are the same operator."
- Alongside — behavioural evidence. The corroboration. Input timing, mouse-path geometry, confirmation latency and idle behaviour between hands. ACR's desktop client gives a wide telemetry surface that distinguishes a person on a desk from a process in a rack — and supports the file the play patterns opened.
- Last — human review. The decision. Reviewers read the whole file before money is touched: hand histories in detail, chat behaviour, session timing against stated time zone, withdrawal patterns, the small human errors a bot does not make. This is the bottleneck, and it is why the 2015 timeline runs in months.
These do not fire simultaneously. Hand-history evidence builds slowly and can mature for weeks. Behavioural telemetry is continuous but mostly stays quiet. Graph evidence is event-driven — a new shared wallet, a co-occurrence at a table. Human review is scarce, which is why the queue gets prioritised by combined suspicion, money at stake, and recent withdrawal activity. The 2015 ring sat inside that pipeline for a while before it surfaced.
Reconstructing the KhanZ ring, step by step
The investigation surfaced first in community forum analysis of suspect accounts — players noticing winrates and patterns that did not add up — and was then confirmed by WPN. Reconstructing the likely sequence from the public account and the structure above:
The accounts did not get caught by a packet sniffer or a stolen exploit. They got caught because thirty supposedly independent humans shared one statistical signature: bet sizings clustered on identical pot fractions, VPIP/PFR pairs sitting on solver mass with implausibly low variance, fold-to-3bet response curves near-identical across accounts that should have been thirty different strangers. That is the hand-history layer doing the conviction. Once the cluster existed, shared deposit and device features pulled the accounts together into one entity, and reviewers signed it off.
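One way to express "thirty strangers, one statistical signature" as a check, added here as an illustration (it is not WPN's method, which is not public). For each pair of accounts it sums squared two-proportion z-scores across the stats, then flags accounts that have several peers they cannot be told apart from at large sample sizes. The account names, counts and thresholds are constructed assumptions.

```python
import math
from itertools import combinations

# Constructed sample: per account, (opportunities, times taken) for each stat.
# Account names and counts are invented for illustration.
STATS = ("vpip", "pfr", "fold_to_3bet")
ACCOUNTS = {
    "ring_1": {"vpip": (20000, 4620), "pfr": (20000, 3780), "fold_to_3bet": (1500, 840)},
    "ring_2": {"vpip": (20000, 4580), "pfr": (20000, 3820), "fold_to_3bet": (1500, 852)},
    "ring_3": {"vpip": (20000, 4650), "pfr": (20000, 3790), "fold_to_3bet": (1500, 828)},
    "ring_4": {"vpip": (20000, 4600), "pfr": (20000, 3805), "fold_to_3bet": (1500, 845)},
    "hum_1":  {"vpip": (20000, 5400), "pfr": (20000, 4000), "fold_to_3bet": (1500, 900)},
    "hum_2":  {"vpip": (20000, 3800), "pfr": (20000, 3000), "fold_to_3bet": (1500, 1020)},
    "hum_3":  {"vpip": (20000, 4700), "pfr": (20000, 3300), "fold_to_3bet": (1500, 720)},
    "hum_4":  {"vpip": (1200, 276),   "pfr": (1200, 228),   "fold_to_3bet": (90, 50)},  # small sample
}

def pair_score(a, b):
    """Sum of squared two-proportion z-scores across STATS (chi-square-like)."""
    total = 0.0
    for s in STATS:
        (n1, k1), (n2, k2) = a[s], b[s]
        p = (k1 + k2) / (n1 + n2)                       # pooled frequency
        se = math.sqrt(p * (1 - p) * (1 / n1 + 1 / n2))  # sampling noise of the gap
        total += ((k1 / n1 - k2 / n2) / se) ** 2
    return total

def same_engine_suspects(accounts, max_score=7.81, min_peers=2, min_hands=5000):
    """Accounts with at least min_peers statistically indistinguishable peers.

    max_score is the 95% chi-square quantile for 3 degrees of freedom (one per
    stat). min_hands drops small samples, which are compatible with anything.
    """
    eligible = {k: v for k, v in accounts.items() if v["vpip"][0] >= min_hands}
    peers = {k: set() for k in eligible}
    for x, y in combinations(sorted(eligible), 2):
        if pair_score(eligible[x], eligible[y]) <= max_score:
            peers[x].add(y)
            peers[y].add(x)
    return sorted(k for k, v in peers.items() if len(v) >= min_peers)
```

Lowering `min_hands` to 1000 pulls `hum_4` into the flagged set purely because its sample is too small to separate from anyone, which is why the heavy layer needs volume before it can open a file.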
Three things in the file are worth holding onto. First, the lag — the mathematical signal was present for weeks before anything visible happened, because the bottleneck is human review, not detection. Second, the accelerant — the public account points to a withdrawal pattern across the accounts as what moved the case up the queue, not the play itself; WPN wanted to act before crypto left the platform. Third, the refund — distributing ~$1.4M back to identifiable opponents is an unusual, deliberately visible move, and the same playbook reappeared in the quieter 2019–2020 cleanups, this time without dollar figures attached.
The tells that actually convicted
The exact weights WPN assigns are confidential. But the relative weight of each tell can be inferred from the order accounts get caught and what trips the catch — and the 2015 file is consistent with the ranking below.
| Tell | Evidence type | Weight | What gives it away |
|---|---|---|---|
| VPIP/PFR at population mass, low variance | Hand-history | Very High | A solver baseline with no human noise sits too clean |
| Bet sizing on exact pot fractions | Hand-history | High | Sizes never wander off the canonical fractions |
| Fold-to-3bet curve identical across accounts | Hand-history | Very High | The 2015 signature — one engine behind many "players" |
| Winrate outside skill-pool envelope | Hand-history | Very High | A run no human in that pool plausibly sustains |
| Action-timing variance below population | Behavioural | High | Decisions land on a clock, not a human rhythm |
| Mouse clustering on click targets | Behavioural | Medium | Pixel-perfect clicks on the button centroid |
| Idle behaviour too uniform | Behavioural | Medium | No tab-switch, no chat, no pause, ever |
| Shared device fingerprint across skins | Account-graph | Very High | The ring runs from one machine across four skins |
| Crypto wallet clustering on chain | Account-graph | High | One wallet feeds, or drains, many accounts |
| Big-bang first withdrawal | Graph + review | High | Quiet grind, then a large cashout — the 2015 accelerant |
| Zero chat over 5k+ hands | Review | Medium | A human eventually types "nh"; a bot never does |
The pattern is consistent with the file: the cheap, continuous evidence (behavioural telemetry, graph events) flags careless operators fast, while the heavy evidence (hand-history forensics, human review) catches the capable ones after a long lag. That is exactly why the KhanZ ring ran for an extended period before the axe fell — the evidence accumulated faster than reviewers could process it. The documented interval from first deployment to confirmed action runs months, not days.
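The account-graph rows in the table above (shared device fingerprint, wallet clustering) amount to finding connected components over shared attributes. The sketch below is an added example, not code from the article or from WPN; the skin names come from the article, while the accounts, attribute values and the `max_fanout` cutoff are constructed assumptions. The cutoff keeps a widely shared value, such as a common VPN exit IP, from binding unrelated players on its own.

```python
from collections import defaultdict

# Constructed sample events: (skin, screen_name, attribute_kind, value).
# Skin names are from the article; accounts and values are invented.
EVENTS = [
    ("ACR",       "alpha", "device", "fp-1111"),
    ("BlackChip", "bravo", "device", "fp-1111"),
    ("BlackChip", "bravo", "wallet", "w-aaaa"),
    ("TruePoker", "carol", "wallet", "w-aaaa"),
    ("YaPoker",   "delta", "ip",     "203.0.113.7"),
    ("ACR",       "erin",  "ip",     "203.0.113.7"),
    ("ACR",       "frank", "ip",     "203.0.113.7"),
    ("ACR",       "alpha", "ip",     "203.0.113.7"),
    ("ACR",       "gina",  "device", "fp-2222"),
]

def bind_entities(events, max_fanout=3):
    """Union accounts that share an attribute value; skip values shared too widely."""
    holders = defaultdict(set)
    for skin, name, kind, value in events:
        holders[(kind, value)].add((skin, name))

    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for accts in holders.values():
        for a in accts:
            find(a)                          # register every account seen
        if len(accts) > max_fanout:
            continue                         # too common to bind on its own
        first, *rest = sorted(accts)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    # Only multi-account entities are interesting; largest first.
    return sorted((sorted(g) for g in groups.values() if len(g) > 1),
                  key=len, reverse=True)
```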
The timing fingerprint that betrayed the bots
One tell deserves its own section because it is the most reliable and the most botched. A bot that emits actions at fixed intervals, or with uniform noise around a centroid, is convicted before its mean and variance are even examined — the distributional shape is wrong. Real human timing is log-normal with a long right tail, conditioned on the decision: a snap-fold of garbage takes 600–1200ms; a boundary river call takes 5–30 seconds; a routine flop continuation-bet takes 1.5–4 seconds. And there is a state-independent "distraction tail" — roughly 3% of actions spike into the 8–25 second range regardless of difficulty, because humans look away from the table. A process in a rack does not look away.
```python
# Schematic: behaviourally-shaped action timing
import math
import random

def sample_action_delay(decision_difficulty, action_type):
    # Log of the typical delay in seconds for each decision type
    mu_base = {
        'fold_trivial':    math.log(0.9),
        'cbet_routine':    math.log(2.4),
        'river_boundary':  math.log(8.5),
        'all_in_decision': math.log(12.0),
    }[action_type]
    # Difficulty shifts the centre up and widens the spread
    mu = mu_base + 0.7 * decision_difficulty
    sigma = 0.35 + 0.55 * decision_difficulty
    delay = random.lognormvariate(mu, sigma)
    if random.random() < 0.03:       # ~3% distraction tail
        delay += random.uniform(8, 25)
    return max(0.25, delay)          # humans cannot react < 250ms
```

This is precisely the kind of distribution mismatch the 2015 hand-history layer keys on, extended into the timing domain. The correct framing is not "add noise" but "draw from a distribution whose shape matches the population, conditioned on state" — and it is exactly the discipline the KhanZ accounts lacked when thirty of them shared one rhythm.
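The detector's side of the same point, as an added example that is not from the original article: a shape check on one decision type's delays that separates fixed-interval and symmetric-noise timing from a right-skewed distribution. The thresholds, the 8-second tail cutoff and the sample data are constructed assumptions; the check is run per decision type because pooling fast and slow decision types manufactures a long tail on its own.

```python
import math
import random
import statistics

def shape_features(delays):
    """Coefficient of variation, skewness, and share of delays over 8 s."""
    n, mean = len(delays), statistics.fmean(delays)
    sd = statistics.pstdev(delays)
    tail = sum(d > 8.0 for d in delays) / n
    skew = 0.0 if sd == 0 else sum(((d - mean) / sd) ** 3 for d in delays) / n
    return {"cv": sd / mean, "skew": skew, "tail": tail}

def classify_timing(delays, min_actions=200):
    """Label the shape of one decision type's delays (thresholds are illustrative)."""
    if len(delays) < min_actions:
        return "insufficient-data"
    f = shape_features(delays)
    if f["cv"] < 0.05:
        return "fixed-interval"       # actions land on a clock
    if f["skew"] < 0.5 and f["tail"] == 0.0:
        return "symmetric-noise"      # jitter around a centroid, no long tail
    return "right-skewed"             # the shape the article attributes to people

def classify_by_decision(delays_by_type):
    """Classify each decision type separately instead of pooling them."""
    return {kind: classify_timing(d) for kind, d in delays_by_type.items()}

# Constructed samples in seconds; seeded so the run is repeatable.
rng = random.Random(2015)
FIXED = [2.0] * 500
UNIFORM = [rng.uniform(1.5, 2.5) for _ in range(2000)]
SKEWED = [rng.lognormvariate(math.log(2.4), 0.6) for _ in range(2000)]
# Two fixed speeds: pooled they look long-tailed, per type they do not.
TWO_SPEED = {"fold_trivial": [1.0] * 900, "river_boundary": [9.0] * 300}
```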
From first flag to a $1.4M confiscation
The thing that turns detection into a case is the pipeline, and its dominant constraint is the cost of a false accusation. WPN cannot freeze legitimate winning players in volume — every false positive is a regulatory complaint, a chargeback, a forum thread, a lost customer. So a high suspicion score does not freeze an account; it queues it for people. The 2015 file moved through the stages below, and the lag at each is what stretched the case to months:
- Quiet flag. The account drops into a higher-scrutiny bucket. Nothing visible changes; telemetry continues, sometimes with extra instrumentation. The KhanZ accounts sat here while the statistical case built.
- Soft restriction. Withdrawal limits tighten, KYC re-verification is requested, bonus and rakeback quietly normalise. The first friction a careful operator notices.
- Structured interview. Support asks for "clarifying information" about play style, schedule and software; the answers are checked against the play-pattern model that flagged the account.
- Confiscation and refund. Winnings voided, balances held, accounts closed — and, in the crypto case, the confiscated funds distributed back to identifiable affected opponents. That last step is what made 2015 a public event rather than a quiet ban.
The documented cycle ran several months, anchored on review capacity and triggering events. The single biggest accelerant in the file was a large withdrawal — WPN wanted to act before the money left the platform.
Why one case generalises
A single bust is an anecdote unless it points at a method, and the 2015 file does. The reason the same patterns keep surfacing is that detection is not a fixed checklist — it is an adversarial classifier. WPN builds a model that separates ring behaviour from the player population, and the only way to evade it is to produce a behaviour distribution the model cannot tell apart from the population's. The formal idea dates to Dalvi, Domingos, Mausam, Sanghai & Verma (2004) and Lowd & Meek (2005). Three consequences fall out of treating the KhanZ case as a data point rather than a one-off:
- The boundary keeps moving. Site operators retrain as new behaviour appears. The exact KhanZ fingerprint would be caught far faster today than it was in 2015 — which is why the absence of recent public busts is ambiguous, not reassuring.
- The reference is the population. The classifier separates the suspect distribution from the real player pool, not from an abstract "human" ideal. Thirty accounts were caught not because they looked inhuman, but because they looked identical to each other and unlike the pool.
- Clean play is a tell. A pure-solver line maximises money per hand but sits too cleanly in the data — exactly the low-variance signature the 2015 forensics keyed on. The capable evader trades some edge per hand for many more hands before the file ever opens.
That last point is the paradox the case demonstrates: the most theoretically perfect play is the easiest to convict. The KhanZ ring won a lot per hand and got caught; a noisier strategy wins less per hand but survives longer. What matters is total realised winnings over the account's life — and the bust shows where the line sits when you get the trade-off wrong.
Sources and related work
- WPN public statement, 2015. Bot-ring takedown account (~$1.4M returned, ~30 accounts) — the primary source for this reconstruction.
- Community forensic threads, 2014–2015. The forum analysis that first surfaced the KhanZ accounts before WPN confirmed.
- Dalvi, Domingos et al., 2004. Adversarial Classification. KDD — the framing for why one case generalises.
- Lowd & Meek, 2005. Adversarial Learning. KDD.
- Brown & Sandholm, 2019. Superhuman AI for multiplayer poker. Science 365 (Pluribus) — context on the engines behind modern rings.