ACR Bot Busts: Case-File FAQ
By Raul Moriarty · Updated 28 May 2026
Twenty direct questions about the only poker bot record you can actually study — what the 2015 KhanZ bust caught, how WPN's account-graph linking ties a ring together, why ACR's transparency is unusual, what the UltimateBet 2007 breach teaches by contrast, and the gaps the public record still leaves.
What this FAQ covers
- The 2015 case file — what it caught, which evidence came first, why it took months, and what the refund tells us.
- Method — how cross-skin account-graph linking works, why hand histories convict, and the timing tell that betrayed the ring.
- The myth side — why no "ACR hack" exists, and what UltimateBet 2007 shows about a breach that was genuinely real.
- The gaps — what the public record still hides: ring size, engine sophistication, post-2015 enforcement, whether anyone evaded.
Automated play, not an exploit. A Russian-speaking ring (community-named "KhanZ") ran roughly thirty ACR accounts over an extended period. They were caught because thirty supposed strangers shared one statistical fingerprint — bet-sizing histograms stacked on identical pot fractions, near-identical fold-to-3bet curves, VPIP/PFR pairs sitting on solver mass with implausibly low variance. The hand histories did the convicting; the account graph then tied the accounts into one entity. Roughly $1.4M was confiscated and returned to affected opponents over a multi-month investigation. There was no stolen card data, no broken deck, no server breach — just consistent automated play that read too clean across too many "independent" players.
It joins supposedly separate accounts on shared features: IP address, device fingerprint (OS, screen geometry, font and audio fingerprint, hardware concurrency), deposit method including crypto wallet address, KYC document, table co-occurrence across skins, and action correlations within shared hands. The graph spans all four WPN skins — ACR, BlackChip, TruePoker, YaPoker — as one pool. In the 2015 case the play patterns flagged the cluster first; the graph then bound the accounts together on shared deposit and device trails. Crypto wallet clustering on the public chain is increasingly central: one wallet feeding an ACR account and a BlackChip account is a near-deterministic edge.
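The linking step described above can be sketched as connected components over shared identifiers. This is an added example, not WPN's code: the record fields, account ids and values are constructed, and every shared feature is treated as an equal edge, which is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample records (not real accounts); field names are assumptions.
ACCOUNTS = [
    {"id": "acr_01", "skin": "ACR", "ip": "203.0.113.10", "device": "dev-A", "wallet": "wallet-1"},
    {"id": "bcp_07", "skin": "BlackChip", "ip": "198.51.100.4", "device": "dev-B", "wallet": "wallet-1"},
    {"id": "tru_03", "skin": "TruePoker", "ip": "198.51.100.4", "device": "dev-C", "wallet": "wallet-2"},
    {"id": "yap_11", "skin": "YaPoker", "ip": "192.0.2.77", "device": "dev-D", "wallet": "wallet-3"},
    {"id": "acr_02", "skin": "ACR", "ip": "192.0.2.90", "device": "dev-C", "wallet": "wallet-4"},
]
LINK_FEATURES = ("ip", "device", "wallet")


def link_accounts(accounts, features=LINK_FEATURES):
    """Group accounts across all skins that are joined, directly or
    transitively, by a shared feature value. Returns (clusters, evidence)."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    # Index every (feature, value) pair to the accounts that carry it.
    index = defaultdict(list)
    for a in accounts:
        for f in features:
            if a.get(f):
                index[(f, a[f])].append(a["id"])

    # Each value seen on two or more accounts becomes an edge; keep the
    # edge as evidence so a reviewer can see why the accounts were bound.
    evidence = []
    for (f, v), ids in index.items():
        for other in ids[1:]:
            evidence.append((ids[0], other, f, v))
            parent[find(other)] = find(ids[0])

    clusters = defaultdict(set)
    for a in accounts:
        clusters[find(a["id"])].add(a["id"])
    linked = sorted(sorted(c) for c in clusters.values() if len(c) > 1)
    return linked, evidence
```

In the sample, acr_01 and acr_02 share no feature directly yet land in one cluster through the wallet, IP and device chain. A shared IP is weaker evidence than a shared wallet, so a real graph would weight edges rather than treat them equally.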
Yes, markedly. Almost every operator treats enforcement as a black box — bans happen, nothing is confirmed, and the outside world reverse-engineers the rest. WPN broke that pattern by stating outcomes publicly, sometimes with dollar figures (the 2015 ~$1.4M refund), and by actually returning confiscated funds to identifiable victims. That is rare enough that it is the reason this site exists: ACR is the one room where you can study detection from a real case file instead of forum guesswork. The 2019–2020 cleanups were quieter and figure-free, so the transparency is not unlimited — but relative to the industry it is exceptional.
Because anonymity destroys the evidence trail in both directions. Ignition runs anonymous tables with no fixed screen names, so there is no stable identity for hand-history evidence to accumulate against — and no public bust record to read either. ACR's persistent screen names give every account a durable identity that statistics build up against, which is exactly what made the 2015 reconstruction possible. The same property that lets a player profile opponents lets WPN profile a ring. Net effect: ACR is the studyable room precisely because it is not anonymous.
The play, on the public account. The hand-history layer clustered thirty "strangers" into one suspect group by their shared statistical signature before the account graph confirmed the link through deposits and devices. This order matters: if the graph (shared wallets, one machine) had done most of the binding, the forensics story would be overstated. The fact that distributional play patterns alone flagged the cluster is the stronger claim — and it is the claim WPN's statements support. How tight that statistical match had to be is one of the things the public record does not quantify.
No working hole-card hack exists on ACR, and UltimateBet 2007 is exactly why people think one might. UB was the one genuine breach in poker history: insiders with administrative access used a "godmode" view of live hole cards for an extended period. But it was internal software abused by employees, not an external tool sold to players — and it was caught by the same kind of hand-history forensics that later caught the 2015 ACR ring, when analysts noticed impossible long-sample winrates. The lesson cuts against the seller's pitch: even a real godmode got caught by reading the data, and no operator survives maintaining that surface today.
Because the bottleneck is human review, not detection. The statistical signal was present for weeks before anything visible happened — a high suspicion score queues an account for people, it does not freeze it. WPN cannot afford to confiscate from legitimate winning players, so every case is read by hand: full hand histories, chat, session timing, withdrawal patterns, KYC consistency. Reviewer capacity is finite and the queue is prioritised by suspicion, money at stake, and recent withdrawal activity. The 2015 ring sat in that pipeline for an extended period before it surfaced publicly.
The public account points to a withdrawal pattern across the accounts, not the play itself. The play patterns opened the file, but what pushed it up the review queue was money preparing to leave — and with crypto cashouts, WPN wanted to act before funds left the platform. A quiet grind followed by a large cashout is the recurring accelerant in the record: it converts a slow-burning statistical case into an urgent one. This is also why a "big-bang first withdrawal" reads as such a strong tell.
Two reasons, and the economics of the second are genuinely open. First, with crypto cashouts the confiscated balances were still recoverable and identifiable opponents could be located, which most banking-rail operators cannot do as cleanly. Second, the refund is a deliberately public act — distributing ~$1.4M back to affected players is enforcement-marketing, with deterrent value across the whole bot population that plausibly exceeds the cost of pursuing one ring. Whether the refund was a net cost or an investment that paid for itself in reputation is a question the record cannot settle.
Unknowable from the record, by construction. We only have data on the rings that got caught — there is no public file on an operation that stayed inside the population envelope and was never flagged. The 2015 ring was caught because thirty accounts shared one rhythm and one deposit trail; a single account playing with population-matched variance and an isolated fingerprint is a far harder case. But the bust record structurally cannot tell us whether such an operation exists, because success in this domain is invisible. That is the central blind spot in studying detection from busts alone.
Genuinely unknown. The roughly thirty accounts and ~$1.4M are the only hard figures in the public record. The 2019–2020 cleanups came without numbers, so we cannot say whether 2015 was an unusually large catch that warranted a public statement, or a representative one among many quieter actions. The size of the 2015 case may itself be why it was announced — a $1.4M refund is a more compelling deterrent story than a routine handful of bans.
The public account just says "bots." It does not establish whether the KhanZ accounts ran modern solver-anchored baselines or something cruder that simply played consistently enough to flag. The tell that caught them — low-variance frequency profiles shared across accounts — would be produced by a fairly basic shared engine just as much as a sophisticated one. So the record proves the ring was automated and shared, but the actual capability bar that got convicted is one of the unanswered questions.
Ambiguous, and worth being honest about. The 2019–2020 cleanups happened without dollar figures, and nothing comparable has been announced since. Three readings fit the evidence equally: enforcement got quieter (fewer statements, same activity), detection improved enough that rings die before they grow announceable, or transparency itself receded. The absence of new case files is not reassuring — it could mean the room got better at catching bots or simply stopped telling anyone.
Probably stronger now, though no recent case confirms it. The four-skin account graph was central in 2015, binding accounts on shared deposits and devices. Since then crypto rails have become the dominant cashout path, and operator-side wallet clustering on public blockchains has matured — so the evidentiary weight of an on-chain link between an ACR account and a BlackChip account has likely grown. But "likely" is the honest word: there is no post-2015 public file detailing how the graph binding works today.
Cleanliness, paradoxically. A line that follows solver output too faithfully produces frequency distributions with lower variance than any human sustains — the bet sizes never wander off canonical fractions, the fold-to-3bet curve never drifts, the VPIP/PFR pair sits exactly on theoretical mass. A strong human is noisier: they misclick, tilt slightly, deviate, get tired. The 2015 ring's fatal signature was thirty accounts that were all clean in the same way. Against the population baseline, identical-and-perfect is far more suspicious than good-and-human.
Because the shape of human decision time is hard to fake and easy to measure. Real timing is log-normal with a long right tail, conditioned on the decision: a snap-fold takes 600–1200ms, a boundary river call 5–30 seconds, a routine continuation-bet 1.5–4 seconds. There is also a state-independent "distraction tail" — roughly 3% of actions spike into the 8–25 second range regardless of difficulty, because humans look away from the table. A process in a rack does not look away. A bot emitting actions on a clock, or with uniform noise, has the wrong distributional shape before its mean is even examined.
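The shape check described above, as an added example rather than any operator's detector: it compares a constructed human-like sample (log-normal body plus a 3% distraction tail) against a constructed clock-with-uniform-noise sample for one decision type, the routine continuation-bet. The thresholds, sample generators and function names are assumptions chosen for illustration.

```python
import math
import random
import statistics


def timing_shape(times_s):
    """Return (skewness, tail_fraction) for decision times in seconds."""
    mean = statistics.fmean(times_s)
    sd = statistics.pstdev(times_s)
    tail = sum(1 for t in times_s if t >= 8.0) / len(times_s)
    if sd == 0:  # perfectly constant timing has no shape at all
        return 0.0, tail
    skew = sum(((t - mean) / sd) ** 3 for t in times_s) / len(times_s)
    return skew, tail


def looks_machine_timed(times_s, min_skew=0.5, min_tail=0.005):
    """Flag a sample whose shape lacks the long right tail: either the
    distribution is near-symmetric or almost nothing reaches 8 s.
    Both thresholds are illustrative assumptions, not published values."""
    skew, tail = timing_shape(times_s)
    return skew < min_skew or tail < min_tail


def sample_human(n, rng):
    # Constructed: log-normal body with a 2.5 s median, and about 3% of
    # actions spiking into 8-25 s regardless of decision difficulty.
    out = []
    for _ in range(n):
        if rng.random() < 0.03:
            out.append(rng.uniform(8.0, 25.0))
        else:
            out.append(rng.lognormvariate(math.log(2.5), 0.4))
    return out


def sample_clock_bot(n, rng):
    # Constructed: the right range (1.5-4 s) but uniform noise.
    return [rng.uniform(1.5, 4.0) for _ in range(n)]


rng = random.Random(2015)  # fixed seed so the samples are reproducible
HUMAN = sample_human(2000, rng)
BOT = sample_clock_bot(2000, rng)
```

The bot sample has a plausible mean and range and is still flagged, because the test looks at shape (skewness and tail mass) before it looks at the average.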
According to the pattern, yes — in the small human things a bot omits. Human review weighs more than play: chat behaviour (a human eventually types "nh"; a ring of silent accounts over thousands of hands stands out), session start/stop relative to a stated time zone, and the absence of misclicks or mid-hand pauses. None of these convict on their own, but they corroborate a file the hand histories already opened. The decisive layer in 2015 was people reading the whole picture, not a single automated trigger.
Almost, but not quite — and the gap is deliberate. The hand-history layer is what flags and clusters; it is the lead investigator. But WPN does not freeze accounts on a statistical score alone, because a false confiscation is far more expensive than a missed bot: it means a regulatory complaint, a chargeback, a forum thread, a lost customer. So the forensics open the case and humans close it. In 2015 the play patterns were the conviction, but the account-graph link and human review were what made it safe to act on.
It defines the two opposite failure modes of an operator. UltimateBet hid a real internal breach for years and lied about it until forensics forced the truth out. WPN catches ordinary external bots and announces the outcome, dollar figures and all. UB is what a genuine "hack" looks like — internal, hidden, devastating — and the fact that no ACR case resembles it is the strongest evidence that the "ACR hack" listings are fantasy. The contrast is the whole thesis of this site: one operator concealed; the other publishes.
Read the two long-form files — the step-by-step reconstruction of the 2015 bust and what the record proves vs. what's myth, plus the open forensic questions on the overview. The chat is read by the team. The most useful contributions are specific and evidenced: a hand sample, a documented WPN action we have not seen, a forum thread from the original KhanZ investigation, or a measurement that sharpens one of the open questions. Sales messages are auto-archived.
Question we didn't cover?
Ask the team in the chat. The FAQ is updated when a new question gets asked twice.