Balls or Bytes: How a Lottery's Own Security Chief Rigged the Random Number Generator

On 29 December 2010, a Hot Lotto draw produced a jackpot advertised at 16.5 million dollars, with a cash value of around 14.3 million. The winning ticket had been bought six days earlier at a QuikTrip convenience store in Des Moines, Iowa. And then nothing happened. No one came forward. The winner waited, and waited, until the very last day of the one-year claim window, then tried to collect the money anonymously through a team of lawyers and a shell company registered in Belize. Iowa does not allow anonymous lottery claims, so the prize was forfeited and investigators started asking why anyone would walk away from 14 million dollars rather than show their face. The answer, when it came, was the largest lottery fraud in US history — and it had been carried out by the one person trusted above all others to prevent it. The draw was real, certified, and audited. It was also rigged. This is the digital counterpart to painting a lottery ball, and it carries the same hard lesson: a draw you cannot independently check is not fairness, it is trust — and trust breaks.

The man who guarded the machines

Eddie Raymond Tipton was the information-security director of the Multi-State Lottery Association (MUSL), the Iowa-based body that builds and operates the random-number-generator systems used to draw games for dozens of US state lotteries. Read that job title twice, because it is the whole story in miniature. The man responsible for securing the draw machines — for protecting them from exactly the kind of tampering that brings down a lottery — had privileged physical and software access to the very systems he was charged with guarding. He did not need to break in. He held the keys.

This is the structural feature that makes insider fraud so dangerous, and it is worth dwelling on. A lottery's defences are mostly aimed outward: tamper-evident seals, logged access, independent auditors, certified equipment. They assume the threat comes from someone trying to get in. They are far weaker against the person already inside, the one whose signature is on the security procedures. As Naked Security put it, this was the lottery chief who rigged the randomness. The fox was not guarding the henhouse. The fox had designed it.

How a rootkit made 'random' predictable

On 20 November 2010, Tipton was let into the secure draw room under authorized maintenance access — ostensibly to adjust a clock for daylight saving. According to the case against him, that visit is when he installed his code: a malicious DLL, a rootkit-style payload, reportedly delivered by USB flash drive, onto MUSL's random-number-generator computers.

Here is the part that makes it elegant, in the same grim way that injecting paint into a ping-pong ball was elegant. The malware did not make every draw predictable. A machine that always produced winnable numbers would be caught in a week. Instead the code lay dormant and only hijacked the RNG under a narrow set of conditions: when a drawing fell on one of three specific dates in the year — 27 May, 22 or 23 November, and 29 December — on a Wednesday or a Saturday, after 8 p.m. On those rare occasions, and only those, the 'random' output stopped being random. It collapsed to a small, knowable set of number combinations that Tipton and his associates could buy in advance.

And then the cleverest, ugliest detail of all: the malware deleted itself after the draw. It erased its own tracks so that any forensic audit of the machine afterwards would find a clean, certified system with nothing on it. The audit was not merely passed; the audit was defeated. For years — investigators place the activity roughly between 2005 and 2011 — a physically secured, certified, independently audited RNG was being steered from the inside, and the evidence vaporised each time. Look back at that 29 December 2010 Hot Lotto jackpot and the dates line up exactly: a trigger date, on the calendar the malware was written to recognise.

How it unravelled

Notice what did not catch Tipton. Not the certification. Not the audit — his self-deleting code had seen to that. Not any member of the public, who had no way on earth to know that a number presented as random had been chosen in advance. What caught him was the same thing that caught the painted balls of the 1980 Triple Six Fix: human behaviour around the prize, not the draw itself.

It began with that unclaimed jackpot. The strange, almost theatrical reluctance to be seen — the year-long wait, the lawyers, the Belize shell company called Hexham Investments Trust — was itself the anomaly. People do not normally hide from 14 million dollars. When Iowa's rules on anonymous claims forced the prize to be forfeited, investigators had both motive and time to dig. They pulled the convenience-store surveillance footage of whoever had bought the ticket. And then the quietest, most human break in the whole case: MUSL colleagues, watching the recording, recognised the buyer's appearance and his voice. The man on the tape was their own security director.

Five states, and the reckoning

Once investigators knew where to look, the single Iowa jackpot opened into something much larger. The scheme ultimately spanned Iowa, Colorado, Wisconsin, Kansas, and Oklahoma, with Tipton's brother Tommy — a Texas justice of the peace — and an associate, Robert Rhodes, helping to collect winnings across state lines so the security director's name never sat on a claim.

Tipton was first convicted in July 2015 and initially sentenced to around ten years. As the wider conspiracy came apart, he pleaded guilty in 2017 to ongoing criminal conduct, confessing to rigging draws across the five states, and was sentenced to up to 25 years, with restitution variously reported in the region of 2.2 to 3 million dollars depending on which states and charges are counted. Colorado authorities recorded their own guilty plea in the multi-state case. Tommy Tipton and Robert Rhodes both pleaded guilty and received lesser penalties. Eddie Tipton was paroled in 2022 after about five years served; that parole was later revoked. The Iowa Lottery, for its part, issued its own statement on the sentencing of the man who had once secured its draws.

A note on the figures, in keeping with telling this straight. Sources disagree on one of the trigger dates — 22 versus 23 November — and on the exact restitution total. The widely cited 16.5 million dollars was the advertised jackpot; the cash value was around 14.3 million. None of those small disputes touches the spine of the story. The core of the case is not in question: the lottery's own security director hacked the random-number generator he was paid to protect, and got away with it for years.

Balls or bytes, it is the same failure

It is tempting to file the Tipton case under 'computer crime' and the Triple Six Fix under 'the old days of rigged ball machines', as if software and ping-pong balls were different problems. They are not. They are the same problem wearing different clothes.

In Pennsylvania in 1980, paint inside the balls collapsed a thousand possible outcomes down to eight, and the fraud was invisible to everyone watching the live broadcast. In Iowa decades later, a few lines of self-deleting code collapsed the random output to a knowable set on chosen dates, and the fraud was invisible to a certified audit. Different instrument, identical structure: someone on the inside narrowed an outcome that looked open, and no one on the outside could check. The physical draw rested on trusting the people in the room. The digital draw rested on trusting the custodian of the machine. In both cases the trust was misplaced, and in both cases nobody could have proven it from the outside, because there was nothing to prove it with.

That is the uncomfortable common thread. Tipton's system was certified. It was audited. It was physically secured. It was run by the lottery's own security chief. Every box that a traditional integrity regime asks you to tick was ticked — and it was rigged for years anyway, undetectably, by the insider trusted to guard it. The self-deleting code did not just hide the fraud from auditors; it defeated the very idea that auditing the operator can keep the operator honest. No member of the public could have caught it. The detection, when it finally came, depended on a year-long failure to claim a prize and a colleague recognising a voice. That is not a verification system. That is luck.

A draw you can check, not a custodian you must trust

The lesson is structural, not moral. The problem with both the painted ball and the planted rootkit is not that bad people exist; it is that the integrity of the draw rested entirely on trusting a custodian, and offered the public nothing to independently check. Fix that, and you do not need to assume everyone in the room is honest. A provably-fair draw is built precisely to remove the custodian from the position of having to be trusted.

It works in two moves. First, the randomness comes from a source no operator controls. Verified Draws uses drand, a public randomness beacon run by an independent coalition called the League of Entropy, which jointly produces a fresh random value on a fixed public schedule using threshold cryptography. No single member — and certainly no lottery security director — can predict, choose, or fake the number. There is no DLL to plant, because the operator never generates the randomness in the first place. Second, the entrant list is committed before that future random value exists, so no one can know the winner in advance and no one can quietly edit who is in the draw afterwards.

The result is the part that Tipton's machine could never offer: reproducibility. The winner is a deterministic function of the public random value and the committed entries — same inputs, same output, every time. Anyone can pull that exact random value straight from the beacon, re-run the calculation, and land on the same winner. There is no audit to defeat, because there is no private machine to audit. The check is public, permanent, and available to a losing entrant or a journalist as readily as to the operator. Crucially, detection no longer depends on someone failing to claim a prize, or a colleague recognising a face on a surveillance tape. It depends only on the maths, which anyone can run.

See it for yourself

If you run giveaways, prize draws, or any selection where the outcome matters to people, the Tipton case is the cleanest argument for handing your audience the means to check rather than asking them to take your word. You can run a draw on Verified Draws and share the commitment and the drand round so anyone can reproduce the result, or, if you already have a result in hand, verify a draw yourself: pull the same random value from the beacon, re-run the math, and watch it land on the same winner. It is free, and there is nothing to install.

We will be honest about the limit, because no tool deserves blind faith — that was rather the point of this whole story. A provably-fair draw guarantees something precise and narrow: that the published winner is the deterministic result of a public, unpredictable random value committed before the draw. It does not vet who is on the entrant list, and it does not certify the people involved. But that narrow guarantee is exactly the thing a certified, audited, security-chief-run RNG could not provide. With Tipton's machine, you had to trust that nobody had tampered with the randomness. With a verifiable draw, you do not have to trust, because you can check. Balls or bytes, that is the only real defence — and it is the difference between a draw and a story you are asked to believe.