The Curious (Non)-Resolution of the Jens Kyllonen EPT Laptop Hacking
Finnish online star Jens Kyllönen’s tribulations stemming from hacking attacks launched at him and another player have continued this week, with two related developments in the story.
Kyllönen, whose laptop disappeared and then reappeared, albeit obviously hacked, at the early September European Poker Tour stop in Barcelona, Spain, brought the tale of his bizarre experience to the 2+2 poker forums soon after. While the hacking attempt was disrupted and no actually online theft involving the accounts of Kyllönen or Henri Jaakkola (whose laptop was also hacked) seem to have occurred, the fact that would-be thieves were operating openly withing the confines of the host Barcelona Arts Hotel venue was quickly and independently confirmed.
With key-card and security evidence both available and plentiful, it seemed that authorities would have little problem identifying the culprits — that is, except for the organizational interference which then ensued. The high probability is that the hacking attempt was done with some sort of participation from one or more Barcelona Arts employees, and the most plausible explanation is that the hotel has exerted enormous pressure in sweeping the Jens Kyllonen hacking story under the rug.
On Tuesday, in the first new development in several weeks, online security firm F-Secure confirmed that the laptops of Kyllönen and Jaakkola had indeed been hacked. The attempt included software designed to monitor their play online at PokerStars and other sites, repeatedly capturing screen grabs of the players’ computers, then transmitting that information in live time to another player somewhere else.
What that means is that one of the culprits was likely a high-stakes online player himself, perhaps Spanish or perhaps not, who would then have squared off against Kyllönen, Jaakkola and perhaps other victims, and armed with the knowledge of what hole cards those players held, proceed to clean them out of at the tables. It would have required cooperation between the player and one or more hotel personnel to gain access to Kyllönen’s room through what the F-Secure piece describes as an “evil maid” attack.
The attack’s online M.O., though disrupted, is very reminiscent of similar attacks that were launched against European stars Patrik Antonius and Johnny Lodden several years back. The Lodden case, in particular, was an extreme example of the damage that could be done. In 2007, in a PokerNews interview, Lodden publicly accused Mohamad Kowssarie, a/k/a “Fast_Freddie” and “TerrorofSweden”, of being behind that hacking attack which led to Lodden being virtual broken at the online tables, a situation from which it took years for Lodden to rebuild.
Antonius also accused Kowssarie, a Swedish player, of being behind one of the attacks on Antonius, in 2012. For the record, Kowssarie doe not appear to have been present at the EPT Barcelona venue in September, but the concept of hacking a poker player’s laptop is hardly new; anyone could have employed it, and it’s for sure now that someone did.
What’s more disappointing in this case is the aggressive blocking tactics used by both Barcelona Arts, the hosting venue, and sponsoring site PokerStars to prevent Kyllönen from obtaining justice. The original story as told by Kyllönen. As provable through reading the posts made by Kyllönen and others, including PokerStars’ own Lee Jones, numerous roadblocks were placed between Kyllönen and the lodging of a formal complaint with Barcelona authorities.
On several different occasions, PokerStars assured Kyllönen that the matter had been taken to the authorities, a lie that was later downgraded to a “misunderstanding” on multiple occasions in later correspondence. The framework for that is disgusting, and proves that no poker site, even the highly regarded PokerStars, can really be counted on to back up its customers in exceptional legal situations.
Kyllönen, following the publication of the F-Secure confirmation on Tuesday, followed up with a new post on 2+2 in which he publicly vented his outrage at PokerStars. This letter, a response from Stars’ Jones back to what was probably the fifth follow-up by Kyllonen, is way too typical to be anything other than an orchestrated cover-up:
Hi Jens –
Obviously, we are sorry about your being misinformed about the police being contacted (or not) at the outset of the investigation. That was certainly never intentional – it was a mistake caused by the confusion of the early days after the incident. Since then, many people at PokerStars have put a lot of hours into discussing what happened and (among other things) doing what we can to aid a criminal investigation.
As I told you, [internal specialist], on our security staff, put two weeks into researching your case and similar ones. And I can assure you that she has sent the information to the appropriate authorities on the Isle of Man. There’s really no more information I can give you (in fact, that I’m permitted to give you).
Sadly, it is unlikely that we will ever get any kind of official response or resolution to your case. It’s a potentially criminal matter that has been referred to the proper authorities and they will investigate as they see fit. Obviously, we all learned some lessons from the incident, and that’s the silver lining to the cloud. Fortunately, nobody was physically hurt and you discovered the malware and removed it before it could be used against you. I realize that’s small comfort, but in the grander scheme of things, it turned out relatively well.
To be quite clear, Jens – we did not sweep this incident under the carpet. We acknowledged it on 2+2 within an hour of your original post, we made a follow-up post to 2+2, and we have been in touch with you (both myself and [internal analyst]) since. Just because we didn’t get the outcome we all wanted (the perpetrators arrested) doesn’t mean that we swept anything under the carpet. That’s just how the world works sometimes.
I hope you can understand this – I’m sure it’s not terribly satisfying to you but it is our honest and best reply.
Warmest regards,
Lee Jones
I don’t want to call Jones a liar; what I’ll do instead is note that the above contains tons of carefully worded misinformation. This passage in particular is disgusting, if one remembers the earlier setting: It was Stars who advised Kyllönen that they were working with Barcelona Arts and the Spanish authorities in the matter, and that it was advisable for Kyllönen to return to Finland:
Sadly, it is unlikely that we will ever get any kind of official response or resolution to your case. It’s a potentially criminal matter that has been referred to the proper authorities and they will investigate as they see fit. Obviously, we all learned some lessons from the incident, and that’s the silver lining to the cloud. Fortunately, nobody was physically hurt and you discovered the malware and removed it before it could be used against you. I realize that’s small comfort, but in the grander scheme of things, it turned out relatively well.
That is one high-quality brushoff, let me tell you. Since no one was physically hurt and the crime was interrupted in progress, that’s supposed to make it all okay? What could possible be described here as turning out “relatively well”?
There are, in the various threads connected to the tale, accusations that PokerStars employees are involved. That’s highly unlikely and ventures into tinfoil-hat land. Instead, one needs to look at the realities and circumstances surrounding the EPT Barcelona stop:
- Barcelona is a criminal cesspool, quite possibly the worst such large city in Europe. It is a very dangerous place for tourists in particular;
- PokerStars and the EPT greatly desire a Spanish stop on the live EPT tour, as it is one of Europe’s larger countries;
- The Barcelona Arts is an upscale, prominent hotel, and if there were a nasty public scandal involving corrupt Barcelona Arts employees and actions during a live poker event, it could be quite difficult for PokerStars to obtain a high-quality replacement venue within the country;
- Poker is no safe bet in Spain anyway. The country is one of three (along with France and Italy) where Stars and other operators have been forced to obtain special single-nation licensing. Any untoward news involving poker or PokerStars can’t reflect well in a country where an online toehold is only barely and questionably established.
Given all those factors, it’s no wonder that the overriding pressure here is to make this Kyllönen situation go away. That doesn’t mean it’s good or honorable or the right thing to do. What it does show is that PokerStars is the same as every other major business in the world, acting in self-interest first, and only fully dealing with player and customer situations when they have the proper incentive to do so.
The real culprit here is probably the Barcelona Arts Hotel itself, whose officials have likely disincentivized PokerStars in every way possible from pursuing the matter. If I were PokerStars, would I move the EPT Barcelona stop elsewhere? Without a doubt, but that’s stated from a distant, “white knight” viewpoint. PokerStars’ decisions are made within an entirely different set of circumstances.
The truth of all that is that Jens Kyllönen and others are likely to get a very short stick in circumstances such as these. If there’s an error, however, it’s in a dealing with the players in such a false and insulting manner. PokerStars is often put on a pedestal, but examples such as this show the site can do a lot, lot better.
(The opinions expressed herein are the opinion of the author, and do not necessarily reflect the opinions or viewpoint of FlushDraw.com.)
COMMENTS