Self-deleting rootkit or no, forensics investigators have dissected the code that former lottery chief Eddie Tipton used to skirt a lottery system’s random number generator and score a $14.3 million jackpot.
They detailed their findings in a criminal complaint filed against Eddie’s brother, Tommy Tipton, on Wednesday, after the former Texas justice of the peace was allegedly found to have $500,000 in consecutively marked bills.
Tommy’s brother, Eddie Raymond Tipton, the former security director of the Multi-State Lottery Association (MUSL), was convicted last July for running a lottery scam and sentenced to 10 years in jail in September.
On top of that conviction, Eddie now faces additional felony criminal charges for allegedly manipulating drawing computers that he was responsible for building and programming.
Investigators have linked Tommy Tipton to tainted jackpots in Colorado and Oklahoma.
The complaint against Tommy Tipton details the findings of a forensic examination on a random number generator (RNG) computer that produced the winning numbers in a suspect 2007 Megabucks jackpot in Wisconsin that was paid out to a longtime friend of the Tiptons.
Investigators already knew that Eddie Tipton had stored self-deleting malware on a thumb drive that would ensure that Iowa’s Hot Lotto lottery would spit out a winning number.
Because it was self-deleting, though, they couldn’t find it.
Jason Maher, the IT director at MUSL, had testified that Tipton mentioned being in possession of a rootkit, though no evidence of it was ever discovered because the agency’s hard drives had been wiped.
In spite of somewhat murky video footage showing Tipton purchasing a ticket – which was against the rules, given that he worked for the lottery agency – and having no evidence of the rootkit, jurors had found Eddie Tipton guilty.
In what they called a breakthrough, the investigators eventually found one place where the self-deleting rootkit didn’t erase itself: namely, on the RNG computer that had been programmed by Eddie Tipton.
There, they found a fishy dynamic-link library (DLL).
DLL files are small and often run unnoticed on a computer’s operating system. They carry out all manner of tasks, be it connecting to a network or sending documents to a printer, and any one machine might have thousands of them.
This one particular DLL stood out because it turned out that it wasn’t the same as the one that had been verified as legitimate in a previous security audit.
Instead, it had two additional chunks of code, one of which redirected the RNG to not produce random numbers on three particular days of the year, if two other conditions were met.
So when draws occurred on …
- 3 particular days of the year,
- on 2 particular days of the week,
- after a certain time of day,
…the numbers would be drawn by an algorithm that Tipton could predict.
And that’s when the sound of ka-ching! filled the air. Six prizes linked to Tipton were drawn on either 23 November or 29 December between 2005 and 2011.
From the complaint:
When those three conditions were met for a draw, the RNG would produce numbers [with] a multi-variable algorithm that were predictable for anyone familiar with the operation of the RNG, the security system, the lottery games, and the variables of the algorithm itself.
Who would have known all that? Why, the lottery’s security director, of course!
The forensics examiners tested it out themselves. Sure enough, when they recreated the draws according to the algorithm, they produced the very same winning numbers.
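An added example (not code from the complaint, the lottery system or this article): a test harness that sweeps a simulated clock across a draw routine and flags every timestamp at which the output stops depending on the entropy source, which is the behaviour a branch gated on day of year, day of week and time of day produces. The `sample_draw` fixture, its injected `now` and `entropy` parameters, and its trigger values are all constructed for illustration.

```python
import random
from datetime import datetime, timedelta

def sample_draw(now, entropy):
    """Constructed test fixture, not the code from the case: a draw routine
    with a clock-gated branch. `now` and `entropy` are injected so a test
    can control both (hypothetical interface)."""
    # Trigger values below are invented for this example.
    gated = ((now.month, now.day) in {(1, 15), (6, 10), (10, 3)}
             and now.weekday() in (2, 5)      # Wednesday or Saturday
             and now.hour >= 20)
    source = random.Random(now.toordinal()) if gated else entropy
    return sorted(source.sample(range(1, 48), 6))

def find_clock_gated_draws(draw, start, end, step=timedelta(hours=1), trials=4):
    """Sweep a simulated clock over [start, end) and return every timestamp
    at which `draw` yields identical numbers for different entropy inputs."""
    flagged = []
    now = start
    while now < end:
        outcomes = {tuple(draw(now, random.Random(seed))) for seed in range(trials)}
        if len(outcomes) == 1:   # output did not depend on the entropy at all
            flagged.append(now)
        now += step
    return flagged

def summarize(flagged):
    """Collapse flagged timestamps into {date: earliest flagged hour}."""
    summary = {}
    for ts in flagged:
        summary[ts.date()] = min(ts.hour, summary.get(ts.date(), 23))
    return summary

if __name__ == "__main__":
    hits = find_clock_gated_draws(sample_draw, datetime(2025, 1, 1), datetime(2026, 1, 1))
    for day, hour in summarize(hits).items():
        print(f"{day}: output ignores entropy from {hour:02d}:00")
```

The sweep step has to be finer than the time-of-day condition: with a six-hour step starting at midnight, the same fixture passes the whole year unflagged.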
Tommy Tipton came under scrutiny in 2006, when Texas investigators received a tip about those consecutively marked bills.
He claimed to have gotten the money after winning a share of a $4.5 million Colorado Lotto jackpot, saying he recruited a friend to claim $569,000 in cash payout because he didn’t want his wife to know about it while they were considering divorce.
Investigators at the time didn’t know that Tipton’s brother wrote and installed the program that Colorado Lottery officials used to draw the numbers.
Tommy Tipton had testified at his brother’s trial, saying the buyer in the surveillance footage of the winning ticket purchase looked nothing like his sibling. Besides, he said, the guy in the video was buying a hot dog, and Eddie doesn’t like hot dogs.
Months later, after his brother was convicted and his own name had surfaced, Tommy Tipton resigned his elected judicial position in Flatonia, Texas.
Tommy Tipton has been released on bond. He’s charged with ongoing criminal conduct related to his role in securing the Colorado and Oklahoma jackpots, which allegedly netted him $1.2 million in cash.
Image of lottery balls courtesy of Shutterstock.
Will
Minor typo after the quote: “Who would known all that?”
It sounds like this guy did almost everything he could not to get caught (self-deleting malware, a multi-variable algo to generate semi-random numbers at only a few small given windows of time), but when you’re dealing with sums of money that large, people are always apt to look a little more closely when something doesn’t seem quite on the up and up.
Keith
This is all very interesting but the real question is does Eddie like hotdogs or not?
Mahhn
Too bad they don’t put as much scrutiny into voting machines in the US.
Sandra Walsh
If this can be accomplished on a lottery machine…how easy is it to be done on a voting machine? Very easy!! A few years ago…can’t remember which program…maybe 20-20…they actually showed how the machines were rigged. Too long an explanation to post here. More Democrat votes shown than was “voted”! Try to Google it!
Wilderness
That’s a cool picture at the top of the page. I found myself looking for a camera in the reflection.
Paul Ducklin
Probably ray-traced (that’s a cool way of dealing with mirror-like reflections).
Richard
There was an episode of the US crime drama “Numbers” which went along similar lines.