Exploiting a blackjack edge on the largest online casino

How I exploited a software bug on Bovada for a 30% player edge on the blackjack tables and how you can too.

Casino games are tailored to give the house an edge. It has always been this way. I’ve always had an interest in the stories of players who have found ways to beat the house.

Players have always been searching for hacks and statistical advantages. Casinos have lost their edge to players using dice control techniques, slot machine algorithms, roulette wheel bias, and, the most common form of advantage play, card counting in blackjack. I remember reading Wired’s 2014 story on John Kane, a gambling addict who took casinos for over a half million dollars after discovering a glitch in the most popular video slot in Las Vegas. And then there’s the recent debacle surrounding Phil Ivey, the professional poker player who took advantage of a manufacturer error that created unsymmetrical card backs to take $9.6 million from the Borgata through Baccarat card sorting.

I certainly haven’t stumbled onto something as profitable as John Kane’s find or any of these other advantage play techniques, but I’ve discovered a profitable vulnerability that gives players an edge against Bovada, one of the largest online casinos. If used properly, the exploit ensures that a player never risks real money without an advantage against the house. I stumbled upon this vulnerability while exploring a hunch, and it doesn’t require any kind of special programming or computer knowledge. I sat on this information for a few weeks trying to decide what to do: exploit it for maximum profit? Share it with the company executives so the vulnerability could be patched? Publish the details on medium for the public to discover at the same time? To your favor, I’ve decided on the latter.

The vulnerability, which is detailed below, requires a fairly large bankroll (not just to account for variance, but also due to the nature of the exploit). I won’t tell you how much money I’ve personally made using this exploit, but I have ensured that it is technically and mathematically verifiable in giving a player a strong advantage against the house.

The basic premise of my exploit is best understood by someone with knowledge of how blackjack is played and also an understanding of Bovada’s nature and interface. The exploit depends upon Bovada’s availability of bonus funds, allowing for a player who is playing blackjack with promotional funds to double down using real money. This allows players to search for advantage scenarios before betting any real money.

Let me give you an example: if a player is dealt an 8 and a 3 (11 total) against a dealer’s 6, there is only a 29.8% chance of losing money if the player doubles down. 63.5 % of the time a player who doubles in this scenario will win the bet. The remaining 6.7% results in a push. The exploit detailed below allows a player to search for this optimal scenario using promotional balance before betting real money. This allows players to freely search for profitable situations with which to double down using real money. In this instance, the most profitable scenario for doubling down, the player has a 33.7% advantage over the house.

Now, let’s take a closer look at how this plays out. I have been utilizing the Table Games Welcome Bonus, a deposit bonus that is regularly available to all accounts once per week. When a player deposits and uses this bonus (code: BCBCASINO), Bovada will match the deposit amount in 40x rollover funds for the blackjack table. This means that the player must spend 40x the amount on the table games before the promotional balance becomes withdrawable funds. Usually, the bonus is worthless because a player is very rarely up after playing 40x his deposit amount and this money very rarely becomes withdrawable cash.

So if I deposit $100 and use this bonus, I am given $100 in promotional balance. Depositing the real money onto an empty poker table will then allow me to sit at a table game with only this promotional balance. Now I can use the worthless promotional balance to search for optimal situations with which to double down using the real money that I have offset onto an empty poker table. The software vulnerability results from the program allowing you to distinguish between real money and promotional balance when you are midhand. That is, the program allows the deposit of real money onto the blackjack table before the player has completed the hand.

I’ve posted the blackjack double down probabilities from blackjackinfo.com into this spreadsheet with the optimal situations highlighted for easy reference. There are 550 initial scenarios dealt in blackjack and 147 of these scenarios give the player an edge against the house. From these 147 scenarios, the average player edge for doubling is greater than 16%. This edge increase to ~24% if the player doubles on only the best 75 scenarios. If this doesn’t sound like a lot, remember that card counting gives a player an advantage of only ~1% against the house.

In analyzing this exploit, I found the math to be way over my head. I’m working on calculating the optimal betting pattern designed to give the player the highest returns while maintaining the bankroll through risk of ruin reduction. Already basic strategy on the 6 deck blackjack table on Bovada gives the house only a .56% edge. This means that the right bankroll management of the limited promotional funds will allow for a strong return on initial deposit.

Here’s some screenshots so we can take a closer look at how it works:

After your initial deposit (don’t forget to redeem the bonus), put your entire account balance onto an empty poker table cash game. Uncheck “Auto-post blind” This ensures that your real money is safe while you use bonus funds at the blackjack table.

You can see in the upper left hand corner here that my account’s cash balance shows $0 when I have the money on a an empty poker table.

Now I load up blackjack and I’m gambling with promotional funds using basic strategy until I find a situation that provides a player edge to double down on, such as this soft 15 vs dealer’s 5. In this situation, I have a 51.2 % of winning and only a 44.5% chance of losing.

Now it is very important that before I double down, I click back to the poker table where I am sitting out and I leave the table. This will redeposit these funds back into my account, and Bovada will allow me to use real money when I double down on my soft 15%.

Success! When I refresh my account balance, I will have $30.72 total, $5 more in cash funds. (Note: the interface shows us winning $10, but half of this, our initial bet, is promotional funds.)

Of course the largest limitation here is the dependency on a bankroll of promotional funds. My understanding is that the promotion I’ve been using matches funds for only $150 maximum/week. I’ve also discovered that some promotions treat bonus funds differently and can block this vulnerability due to the contingency that promotional funds are used up before betting real money (this is the case with Blackjack Weekend bonuses). The real strength in this exploit is in Bovada’s $3000 Casino Welcome Bonus.

Of course, the publication of this exploit is likely to garner quite a bit of attention and I fully expect the Bodog corporation to patch the vulnerability relatively quickly. Use this information at your own risk as I recently discovered that the Bovada Terms of Service address software vulnerabilities:

Abuse of System Vulnerability. If, in our reasonable discretion, we determine that an Account sought to or actually did exploit any hardware or software error, malfunction, “bug” or other vulnerability, we shall immediately close such Account and all Account balances, including both deposits and any winnings, shall be immediately forfeited. If, in our reasonable discretion, we determine that such activity is occurring, the Account(s) may, in our sole and absolute discretion, be disabled and all Account balances (including both deposits and any winnings) shall be forfeited. In such event, we expressly reserve the right to initiate civil legal proceedings and report such activities to authorities in support of criminal investigations and charges, as appropriate.

For serious inquiries or if you have information to contribute, you can write to me at thomastullis@gmail.com.