Hacker reveals how Jogo do Tigrinho steals and manipulates your money

On Thursday (11), cybersecurity engineer Igor Rincon broadcast a livestream on Twitch with analyses of the code “Jogo do Tigrinho” (Fortune Tiger). It revealed methods for how game operators manipulate results and prioritize winners based on the number of followers on social networks.

“Casino” from the PlayPix platform, Tigrinho is structured to prefer the house within the calculated marginAccording to Rincon. Moreover, as a result of his analysis, Tigrinho has a method of preferring influencers with thousands of followers, while a group of users are not prioritized in terms of monetization.

Igor Rincon took a total of three lives by analyzing the code on Twitch between June and July. You can follow along in detail below.

No luck here

The research, conducted on the channel “Rinconzeraa”, tried to understand how Tigrinho’s algorithms at PlayPix interact with players. The streamer observed the information traffic using an analysis program to intercept communication between the browser and the game server.

The engineer assessed that PlayPix communicates with the Application Programming Interface (API) of the PG Soft company. The decision to win or lose the bet is made by the PG Soft server. Thus, PG Soft makes the decision and transmits the final answer to the casino website.

Based on this analysis, the next step was to understand how this decision was made. By accessing PG Soft’s publicly available material explaining the metrics used in the game, the researcher found the Return to Player (RTP) metric. This metric states that Fortune Tiger returns 96.81% of the money invested to players.

The partner is basically the person who brings players to the casino

“This measure [RTP] This caught my attention because somehow I thought that with every move the house makes, 96.81% of the money goes back to the players and the remaining 3.19% goes to the house,” Igor notes.

To understand how the calculation is made, the analyst used some casino codes openly available on the Internet and conducted a functionality test.

After applying these codes, Rincon concluded that in the case of “Tigrinho”, in addition to the figure of the player, the figure of the online casino that is the operator, and the figure of the game supplier (PG Soft), there is also a figure that they call “affiliated”.

“The affiliate is basically the person who brings players to the casino. There are people on the Internet who have the link to the game and when they recommend this game to someone, they actually bring people to the casino (…) we see a lot of influencers who do this,” Igor notes.

How does it work

The Tigrinho Game is widely known and promoted by various digital influencers in Brazil and is especially known for advertising in applications widely used on social networks. You have probably already encountered an influencer advertising the game.

Most of these announcements are accompanied by a clickable link for access, which naturally encourages the user to engage quickly. According to the publisher’s analysis, the reason for this link integration in the live broadcast is clear: Cost per Acquisition – or Cost per Action (CPA) and revenue sharing, called Revenue Share (RevShare) in Portuguese.

CPA defines how much the casino, the gaming operator, pays influencers to bring new players to the platform. The operator (online casino) creates a share link and this link is sent to the affiliate to promote the game. CPA identifies the affiliate through this link.

“When someone clicks on the influencer’s link, creates an account at the casino and deposits, for example, a minimum of 50 reais, the casino can define there that this CPA will pay 5 reais, 10 reais for each person who deposits the money,” the analyst says.

It is possible to structure the disclosure so that 30% of the earnings are passed on to the affiliate, but in practice the affiliate only receives 10%.

The RevShare metric, on the other hand, is the percentage of the amount the house pays the affiliate based on the people who enter the game through them. From this, there is a calculation of how much money the players are losing, and that goes to the affiliate.

“So imagine the player loses 100 reais to the house. If RevShare is 20%, that 20 reais goes to the influencer/affiliate,” he explains.

The expert concludes that the game organizer earns in two ways: through CPA and RevShare. However, with the same casino codes he found, he had access to the publisher’s administration page and saw that the platform administrator had a chance to manipulate affiliate earnings.

The analyst notes that it is possible to structure the disclosure so that the profit passed on to the affiliate is 30%, but in practice he only receives 10%. This tactic can be used to distort the value the contractor reports to the affiliate, giving the impression of a different profit than it actually is.

There was also an analysis of the game’s supplier, PG Soft, and how this creates the possibility of loss or gain for players.

It was possible to recreate the way the platform’s API works through a reimplementation of the PG Soft API that the researcher found on Google. Igor, together with other programmers who followed the live broadcast, concluded that online casinos authenticate home users with the PG Soft platform via a token.

With this rebuilt API, the expert reports that the winning percentage of a casino using this API is determined by the casino itself, unlike the rules observed in the original implementation in the PG Soft open file.

“There is a code, an algorithm there (in the re-implementation) that will take the percentages of the players and check them, for example:

• If the bettor has more than R$ 100;
• Who bets R$ 2;
• Whether the player is impressive or not

And all of this will change the percentage of success in betting,” he explains.

Igor Rincon reveals that a random percentage is generated by the casino system between 0% and 100%. This number is compared to the player’s success percentage (for example, 43%) and determines whether the bettor will win or not.

When the random number is greater than the player’s percentage, the player loses. When it is lower, the player wins.

The way RTP is determined in PG Soft and other casino API implementations may differ. For example, in PG Soft, it is the game provider who defines this value, which directly affects the players’ chances of winning. As the engineer noted, on other platforms not hosted by PG Soft, the casino has more control over how these measurements are configured, which can significantly affect the users’ gaming experience.

The analysis of the algorithms and metrics reveals a lack of transparency in Jogo do Tigrinho and its operation. In the last live broadcast, the broadcaster concluded the investigation by emphasizing to the public that the main goal was to raise awareness.

“At the end of the day, the result is always the same. You leave the house clean,” Rincon concludes.

• Report written by: Thayna Tosta, journalist