A lottery security chief is accused of hacking the winning numbers


Playing the lottery always has horrible odds. But it’s even worse if, as Iowa authorities are alleging, one of the people playing against you is an IT specialist who has rigged the lottery’s number-picking software.

In January, authorities arrested Eddie Raymond Tipton, the Director of Information Security for the Multi-State Lottery Association, a non-profit organization that runs multi-state games for 33 different state lotteries, on charges of fraud. Tipton was supposed to ensure the security of the lottery system but was allegedly working to undermine it. The original charges accused Tipton (who, by virtue of being a lottery employee, isn’t allowed to play the lottery or win any money from it) of enlisting a Canadian man to claim a winning Hot Lotto ticket worth $14.3 million on his behalf.

Now, according to Lottery Post, Tipton is being accused not just of claiming a winning ticket he wasn’t allowed to have, but hacking into the lottery’s random number-generator software to engineer a win for himself.

“There is sufficient evidence for a jury to reasonably conclude from the evidence that Defendant tampered with lottery equipment,” prosecutors wrote in court documents revealed last week.

Tampering with lottery equipment isn’t easy. According to the court documents, the Multi-State Lottery Association’s random-number generator computers are disconnected from the Internet and kept in a locked, glass-walled room that is under 24-hour video surveillance. Prosecutors allege that Tipton entered the room on November 20, 2010, changed the camera’s settings to have it record less frequently, and inserted a USB drive containing malware that would manipulate the results of the upcoming lottery drawing.

“It is a reasonable deduction to infer that Defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG tower without detection,” prosecutors wrote, according to Lottery Post.

Prosecutors are arguing that Tipton, an IT professional, was “obsessed with rootkits,” the name given to a type of malware that silently infects a computer and gives a hacker constant, nearly undetectable access to that computer. The prosecution believes that Tipton used a self-destructing rootkit to tamper with the lottery’s random-number generator.

Of course, taking an interest in rootkits isn’t a crime. And, as a director of information security for a huge lottery system, Tipton would have plenty of legitimate reasons to possess and study different types of malware. His defense attorneys are arguing that the lottery’s random-number generators are checked regularly by outside auditors for signs of tampering, and that Tipton wouldn’t have been able to hack the system, even if he’d wanted to. At the very least, the prosecution’s theory of a “Swordfish”-style hack seems to rest on fairly thin circumstantial evidence.

“There is actually no evidence that Defendant tampered with the RNG computers or program,” Tipton’s defense lawyers wrote.

If convicted, Tipton will face up to five years in prison. Perhaps the saddest thing about the alleged scheme, if indeed Tipton carried it out, is that it didn’t even produce a mega-millions win. In 2012, lottery officials were unable to verify the true buyer of the ticket before the claim deadline passed, so the $14.3 million prize simply went unclaimed.

Inline Feedbacks
View all comments
Share Tweet Submit Pin