Teen Suspect Surrenders in 2023 Las Vegas Casino Cyberattack Case

Posted3 months agoActive3 months ago

campuscodi

64 points

65 comments

casino.orgTechstory

calmmixed

Debate

70/100

CyberattackLas VegasCasinos

Key topics

Cyberattack

Las Vegas

Casinos

A teenager has surrendered in connection with a 2023 cyberattack on Las Vegas casinos, sparking discussion on the attack's methods, the victims' responses, and the implications for cybersecurity.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

Peak period

6-9h

Avg / period

6.2

Comment distribution62 data points

Loading chart...

Based on 62 loaded comments

Key moments

01Story posted
Sep 20, 2025 at 7:29 PM EDT
3 months ago
Step 01
02First comment
Sep 20, 2025 at 9:26 PM EDT
2h after posting
Step 02
03Peak activity
24 comments in 6-9h
Hottest window of the conversation
Step 03
04Latest activity
Sep 22, 2025 at 7:07 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (65 comments)

Showing 62 comments of 65

james_marks

3 months ago

3 replies

> In 2023, hackers used vishing (voice phishing) to impersonate employees and gain access to the internal systems of MGM Resorts International and Caesars Entertainment on the Las Vegas Strip, causing hundreds of millions of dollars in financial losses.

First time I’ve heard the term “vishing” to describe the attack we’ve all seen coming.

electroglyph

3 months ago

1 reply

social engineering is as old as hacking itself

ChrisMarshallNY

3 months ago

1 reply

That was Mitnick’s specialty, and he was hacking before the Web.

AstroNutt

3 months ago

The Art of Deception was one of my favorite books when it came out.

wrayjustin

3 months ago

4 replies

Phishing (Email), Smishing (SMS/Text Messages), and Vishing (Voice) are all standard industry terms, though obviously phishing is most well known.

Then there's even subcategories that further define some of these, like Spear Phishing, Whaling.

The industry loves its fun naming.

airstrike

3 months ago

1 reply

"Phishing" isn't limited to email

lostlogin

3 months ago

That’s lucky. Putting ‘ishing’ on the end of something email related doesn’t work very well.

mmaunder

3 months ago

2 replies

Never heard of vishing. I’m in the industry.

saithound

3 months ago

Wrong industry. It is primarily the "sell anti-phishing training to enterprise employees" industry that uses these terms.

antonymoose

3 months ago

I was worked in an anti Phishing / brand protection firm back in 2012 and we had Vishing and Smishing terminology baked in the to projects back then.

Razengan

3 months ago

> Smishing

uh that's something completely different (and not Monty Python)

Ekaros

3 months ago

Why is it not emishing with email?

StanislavPetrov

3 months ago

1 reply

In my day we used to call it "social engineering".

Barbing

3 months ago

“human hacking”

tehwebguy

3 months ago

2 replies

I’m almost positive ripping off a casino isn’t a crime. I’d be demanding a jury trial for sure.

era37

3 months ago

1 reply

Legal: using your brain. Illegal: devices, collusion, past-posting, edge-sorting with marked cards. Juries know the difference.

closewith

3 months ago

1 reply

Jurors also know that casinos aren't innocent victims, but great sources of societal harm.

immibis

3 months ago

Do they? Most people don't seem to know that.

Scoundreller

3 months ago

1 reply

Statistically, the jury will be made of people that lost money at a casino, know they’re a financial scam or have some moral disagreement with them.

evan_

3 months ago

1 reply

Orrrr it might be people who work in casinos/tourism and don’t feel great about someone extorting their employer.

LtWorf

3 months ago

TBH I would not hold a grudge to anyone extorting my employer.

trvr

3 months ago

1 reply

I was in Las Vegas when this happened, though we had no idea that day that this is what was happening. My wife and I went to get tickets to the Titanic exhibit at the Luxor and they said "our computers systems are down, we can only take cash". I had cash, and they sold us the tickets for extremely cheap.

Long story short, I've always felt like I stole from the casino that day too! :-)

sudoshred

3 months ago

Cyberpunk robin hood

betsor

3 months ago

1 reply

I was on call when that happened. Absolute nightmare for a few weeks and most of the team didn´t sleep for days. I hold no grudge but the business thinks differently for sure. Cheers to those guys because the way they got access and made it through was very clever after the social engineering part.

sillysaurusx

3 months ago

1 reply

It’s cool to hear from someone who was on the front lines. I want to ask vague questions like “what was everyone’s initial reaction like?” or “how urgent was the call when you got it?” but mostly I’d just like to hear more of whatever you’d like to talk about.

joules77

3 months ago

It's like being behind a McDonald fry station when suddenly thousand people show up for lunch. So sort of like a Prank video.

Now the real question is why do prank videos mesmerize people?

The chimp troupes handles randomness and unpredictability, with the 3 inch chimp brain whose hardware hasn't been updated in 100K years, only one way - tell stories. It's our randomness handling hack.

The stories breakdown all the time.

3eb7988a1663

3 months ago

1 reply

  MGM reportedly refused to pay a ransom, resulting in an estimated $100 million in losses and roughly 10 days of system outages affecting reservations, slot machines, room keys and websites. Caesars, in contrast, was reported by the Wall street Journal to have paid $15 million of a $30 million ransom demand and experienced less operational disruption.

So what happened to the $15 million?

Barbing

3 months ago

Reinvested (into more crime)

DarkmSparks

3 months ago

1 reply

How you know https is compromised...

Access to this page is disabled The law prohibits participation in games of chance organized by unauthorized persons through means of electronic communication.

The authorized organizers of games of chance via means of electronic communication are the State Lottery of Serbia and persons authorized by the Ministry of Finance.

heavyset_go

3 months ago

1 reply

You don't need to break TLS to do IP and domain blocking and redirection.

That said, I'd assume governments have access to root certificates, anyway, but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

toast0

3 months ago

2 replies

You don't need to break TLS to do IP/domain blocking, but you can't redirect an https page unless you have an acceptable certificate.

> but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

Certificate Transparency, where required, makes certificates unusable if they're not published... But that might not be enough information.

10000truths

3 months ago

2 replies

This is a DNS hijack, not an HTTPS hijack. The ISP's resolver sees "casino.org" in the A/AAAA query, finds it in a blocklist, and responds with an IP address to a web server that serves a block page (or a CNAME thereto).

michaelmcmillan

3 months ago

1 reply

Which is useless if the domain had HSTS enabled, which they should.

10000truths

3 months ago

HSTS for a domain is trust-on-first-use unless the domain is in the browser's preload list.

toast0

3 months ago

1 reply

The HN link is to https:// ... a web browser cannot request the page, and cannot process a redirect unless the server responds with an acceptable certificate. If the server responds with an unacceptable certificate, the browser may ask the user to accept it, in which case the browser could connect and issue the request and receive the block or a redirect.

If the user doesn't click through the certificate error, the user will only know it's blocked (or the server is misconfigured), they won't get information on why it's blocked; perhaps details of the certificate might help narrow down the cause of the block or the agency implementing it.

If the user loads the https page and sees "Access to this page is disabled The law prohibits participation in games of chance organized by unauthorized persons through means of electronic communication." as suggested earlier in this thread, and the user did not click through a certificate error, then the MITM must have obtained an acceptable certificate somehow or broken TLS. Since Sep 2024, multi-perspective issuance corroboration has been required by the CA/Browser Forum [1] and it was a best practice for many years, DNS takeover in a single country should be not sufficient to establish domain control for certificate issuance.

[1] https://cabforum.org/2024/08/05/ballot-sc067v3-require-domai...

10000truths

3 months ago

> The HN link is to https:// ...

Ah right, obviously the browser would still try to connect via TLS to the new IP. Not sure why I missed that.

vintermann

3 months ago

You certainly can, but you should get a big screaming "this site's certificate is not valid for dodgy-casino.games" warning.

If not, then maybe your browser vendor has been pressured to add some root certificate controlled by the Serbian police, which it approves to issue certificates to impersonate dodgy-casino.games.

cookiengineer

3 months ago

2 replies

> One count of conspiracy to commit extortion

How can it be a planned conspiracy if only one person was involved? US law is so weird when it comes to bogus charges just to blow up the case artificially.

Is the offender a person with multiple identity disorder or what's the reasoning here?

MathMonkeyMan

3 months ago

1 reply

I know of a guy who got nailed with "armed robbery" because he stole a gun from the glove compartment of an unoccupied car that he had broken into. All a prosecutor wants to do is screw somebody as hard as possible and win the case.

bagels

3 months ago

1 reply

Seems appropriate to me. Person was holding a gun while doing a robbery which greatly amplifies the danger inherent in the crime they were doing.

On the flip side, I knew someone who interrupted a car burglary and was murdered by the burglar. Imagine what might happen if someone came upon the guy you know of who was doing a robbery while holding a stolen gun?

The person you knew made a lot of choices that led to this, any of which had they not chosen to do would have led to not being an armed robber: don't do a robbery, don't steal a gun, don't do a robbery while holding a gun.

lambertsimnel

3 months ago

1 reply

IANAL, but my understanding is that breaking into an unoccupied car isn't robbery (but it might be theft and/or criminal damage). Wouldn't being convicted of armed robbery without committing a robbery be a serious injustice?

MathMonkeyMan

3 months ago

1 reply

He stole the gun, so it was robbery. I feel like an armed robbery is one where you bring a weapon, which makes the robbery more dangerous. This guy was looking for cash and found a gun, so "armed robbery." The comment above claiming that the charge is justified does make sense, but I disagree with it. I'm also not a lawyer.

lambertsimnel

3 months ago

What I mean is that if no victim was present there couldn't have been the violence or threat of violence necessary to turn the theft/larceny into robbery:[0]

> Robbery, in turn, was simply a "compound" form of larceny. For Blackstone, "compound larciny is such as has all the properties of former, but is accompanied with one of, or both, the aggravations of a taking from one's house or person," id. at *240, and "[l]arciny from the person is either privately stealing; or by open and violent assault, which is usually called robbery,"

I'm not really making a judgement about the rights and wrongs of the actual case (because I'm not only not a lawyer, but also not a witness, juror, etc.), but as described it doesn't sound like robbery at all.

[0] https://web.archive.org/web/20060903163713/http://docket.med...

ascorbic

3 months ago

> Cybersecurity experts have attributed the attacks to a loosely organized hacker group known as Scattered Spider, which also operates under aliases such as Octo Tempest, UNC3944 and 0ktapus3.

aborsy

3 months ago

1 reply

How come their IT systems are so bad that a kid in secondary school (thus with no experience) “hacked” into them?

hulitu

3 months ago

Because they protect against the user. Computer security has evolved: we must milk the user of its data and make sure he doen't interfere with the milking process.

IlikeMadison

3 months ago

3 replies

What always interests me in these type of cases is how do hackers get identified? Aren't they savvy enough to use some sort of proxies to cover their tracks?

squigz

3 months ago

1 reply

It only takes 1 mistaken connection for it all to fall apart.

Scoundreller

3 months ago

It only takes 1 mistaken connection for the parallel construction hammer to drop

heavyset_go

3 months ago

1 reply

Subpoenas and cooperating third parties can de-obfuscate proxy chains.

Xmd5a

3 months ago

Hack a wifi, connect longer-range radio IoT module, link it to your base, attach it to a firework rocket, hide it inabush near the target wifi, hack, ???, ignite.

immibis

3 months ago

No.

Lucasoato

3 months ago

3 replies

It should be illegal to pay a ransom to cyber criminals, every time it happens you’re increasing the incentives for these activities and you’re making it more likely to happen again in the future. If it’s illegal, these groups would feel less attracted to attack companies, because they know they wouldn’t be compensated for it.

hiatus

3 months ago

1 reply

What's the end result? Prosecuting the victim of a cybercrime for paying a ransom?

Tuna-Fish

3 months ago

1 reply

The end result is less cybercrime and thus less victims.

The way you get there is prosecuting the victims of cybercrime for paying a ransom, if any are stupid enough to break the law.

dundarious

3 months ago

1 reply

Alternatively, reporting of cyber crime craters or is massively delayed.

DangitBobby

3 months ago

1 reply

Right, because it's so easy to hide an outage of that scale.

dundarious

3 months ago

You're right that the biggies wouldn't really have that option. I'm sure they're not the only ones that get hit by such attacks, though. Smaller and non-public companies would have to think about it.

I'm not even arguing for a specific policy, but I didn't like how the framing of the post was about being "stupid" enough to break the proposed law. It wouldn't be that simple.

vintermann

3 months ago

Seems obvious to me too, but then again, if we went with coordinating for the obvious common good there wouldn't be a casino industry to extort in the first place.

heavyset_go

3 months ago

But what if cyber criminals planted a bomb and are demanding a ransom, and Jack Bauer can't defuse it in time?

ipnon

3 months ago

If a hastily organized band of teenagers can pull this off, you have to wonder what APTs are capable of.

jackgavigan

3 months ago

Likely linked to other recent arrests in the UK: https://www.theregister.com/2025/09/19/scattered_spider_teen...

3 more comments available on Hacker News

View full discussion on Hacker News

ID: 45318559Type: storyLast synced: 11/20/2025, 3:38:03 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN