The Triple Six Fix: How Paint Rigged a Live Lottery, and Why Provable Fairness Beats a Ball Machine

"And now Violet, draw the first digit please." A pause, a rush of air, a ball climbs the tube. "Six." Then the second: "Six." Then the third: "Six. And there you have it, today's Pennsylvania lottery Daily Number. That's six, six, six. If you've got it, come and get it." On the evening of 24 April 1980, the televised three-digit draw came up 6-6-6, the balls bounced in the air, three sixes settled into the rack, and it looked exactly like every other night. It was not. The result had been fixed before the cameras rolled, using nothing more exotic than paint injected into the balls. The 'Triple Six Fix' remains the cleanest illustration we have of a hard truth about public draws: watching one is not the same as being able to verify it.

This post tells that story in full, looks at a second live draw decades later that raised exactly the same fear, and explains why a provably-fair draw built on a public randomness beacon is verifiable in a way a ball machine can never be. The point is not that every lottery is crooked. It is that when you watch a ball machine, you are trusting a chain of people, equipment, and software you cannot independently check, and history shows that chain can break.

The Triple Six Fix, in full

The man at the centre was Nick Perry, a long-time Pittsburgh broadcaster who hosted the lottery drawing at WTAE-TV, the station where the draws were produced. Hosting the show gave him proximity; the scheme gave him the rest. By the retrospective's account, it began with a simple question: Perry approached WTAE's art director, Joseph Bock, and asked whether it would be possible to weigh some of the balls down to produce a predictable combination. Bock began to experiment, and found that injecting the right amount of paint into a ball with a syringe would weigh it down just enough. The ball would still bounce around inside the machine, looking perfectly normal, but it would no longer pop up when the air vent opened at the top.

That discovery is the whole trick, and it is elegant in its simplicity. Pennsylvania's Daily Number used air-blower machines, the kind that float numbered ping-pong balls on jets of air and push the chosen ones up a tube. Those machines are exquisitely sensitive to weight. So the conspirators injected white latex paint into every ball except the 4s and the 6s. The painted balls were now too heavy for the air to lift. Only the lightweight 4s and 6s could rise. That single change collapsed the entire field of a thousand possible three-digit results down to just eight: every combination of 4 and 6, including 6-6-6, the one that came up. They left two numbers alone rather than one, hoping the outcome would look a little less conspicuous.

Pulling it off on air took a small crew, each with a role. A lottery official, Edward Plevel, allowed the machines and balls to sit unsupervised long enough to be tampered with. A WTAE stagehand, Fred Luman, swapped the legitimate ball sets for the weighted ones before the draw, and swapped them back afterwards, handing the doctored balls to Bock, who burned them that same evening to destroy the evidence. And Perry's business partners, brothers Jack and Peter Maragos, bought up tickets across the eight 4-and-6 combinations and placed side bets with bookmakers, while telling friends and family which numbers to play.

The record payout that night was around 3.5 million dollars. Roughly 1.18 million of it went to the conspirators. And here is the detail that matters most for our purposes: the fix was not caught by examining the balls, weighing them, or reviewing the tape. It was caught by the betting. The Maragos brothers' tickets, and the side bets, concentrated so heavily on those eight 4-and-6 combinations that bookmakers and lottery officials could not miss it. People do not bet that way by chance. Word that the game had been fixed was out almost immediately, and a traced phone call to Perry's broadcast booth helped seal it. In 1981 Perry was convicted of rigging a public contest, theft by deception, and perjury, and sentenced to seven years. Plevel was convicted too; Bock and Luman cooperated with the state; and the Maragos brothers testified in exchange for avoiding jail. Perry never admitted any role, to his death in 2003.

Sit with that for a moment. Every formal safeguard of the day was in place. The draw was live, on camera, run by a supervising lottery security official, witnessed by a television audience. None of it detected the fraud. What exposed it was a statistical anomaly in betting, entirely outside the draw itself. The integrity of the result depended not on anything the public could check, but on the honesty of the people in the room, and one of them was the host.

It keeps happening: other ways draws get rigged

The Triple Six Fix is the textbook case, but it is not an isolated one, and the failure does not always require paint. Sometimes it is software. Sometimes it is just the broadcast.

Consider what happened in Serbia in 2015. During a live televised drawing of the state game Loto 7 of 39, run by the State Lottery of Serbia and broadcast on TV Prva, the on-screen graphic flashed the number 21 while the ball physically out of the machine was 27. Then 21 emerged as the very next ball. The screen had effectively named an upcoming number before it dropped. To anyone watching, it looked as though the broadcast system already knew the sequence of results.

The lottery's official explanation was human error: the operator typing ball numbers into the broadcast graphics software simply keyed one ahead of the physical draw. The drawing commission president, Ljubomir Škorić, attributed it to the person entering numbers, and the lottery maintained the draw was valid and would stand. The one-million-euro jackpot, as it happened, had no winner. The fallout was nonetheless real: the lottery director, Aleksandar Vulović, resigned citing moral reasons while denying wrongdoing; Belgrade's Higher Public Prosecutor ordered a police probe; eleven people were questioned, including the draw's host; the machine, balls, and software were seized; and polygraph tests were administered. As far as we can confirm from reachable reporting, the 'technical error' verdict stood and the draw was upheld; we could not confirm any charges or convictions. Whether or not anything was actually manipulated, the lesson is the same as Pennsylvania's: the public had no way to tell. A glitch in an overlay was enough to break confidence entirely, because confidence was all there ever was.

The digital era added its own version. In the United States, MUSL security director Eddie Tipton planted malware on a lottery random-number generator to produce predictable results on specific dates, the canonical insider draw fraud; he was sentenced to 25 years. Across the confirmed and alleged cases, the methods recur in a small, predictable set:

• Weighting or loading balls, with paint or fluid, so target balls behave differently in weight-sensitive air machines, exactly as in the Triple Six Fix.
• Surface or density treatment, including varnish or heat, to change a ball's behaviour or create a tactile cue a drawer can feel.
• Swapping in a doctored ball set before the draw and restoring the legitimate set afterwards.
• Insider access: an unguarded machine and a complicit operator were the common enabler in every confirmed case.
• Broadcast or overlay manipulation: faking the displayed result rather than the draw itself, which is precisely what the Serbian glitch looked like.

Why ball machines ultimately rest on trust

It is only fair to say that modern lotteries have responded to this history with genuinely rigorous controls. Operators use multiple interchangeable ball sets and machines, selected at random by software just before each draw. Balls are weighed to thousandths of a gram, density-tested, even X-rayed, then re-weighed afterwards to confirm they were not swapped, the precise countermeasure to the painted-ball trick. Equipment is stored under tamper-evident seals with logged access. And independent auditors observe the weighing, watch the pretests, stand by during the live draw, and sign off afterwards. This is a serious procedural trust system, and it is far harder to beat today than it was in 1980.

But notice what every one of those controls has in common: each is a procedure performed by trusted parties and recorded for later inspection. Nothing about a tumbling ball is reproducible. The chaotic mixing is, by design, a one-time event with no transcript a stranger can re-run. A member of the public cannot re-derive the winning numbers from any public input, cannot confirm that the random machine and ball-set selection were not steered, and cannot prove the broadcast they watched was not staged. You trust the operator, the auditor, the calibration, and the camera. As both 1980 and 2015 show, watching a draw is not the same as being able to verify it.

A better model: the provably-fair draw

A provably-fair draw replaces trust with verification. It rests on two ideas: a commitment made before the result exists, and a source of randomness that nobody running the draw can choose, predict, or fake. It works in three steps.

First, commit. Before anyone knows the outcome, the operator publishes a cryptographic hash, a tamper-evident fingerprint, of the full list of entrants, along with a pointer to one specific future moment of public randomness. Because that randomness lies in the future, the operator cannot yet know who wins. Because the entrant list is fingerprinted, they cannot quietly swap names in later. Change a single entry and the fingerprint no longer matches. There is no equivalent of Nick Perry quietly preparing the result in advance, because the result does not yet exist.

Second, the randomness arrives. The draw uses a number from drand, a public randomness beacon run by the League of Entropy, an independent coalition that includes Cloudflare, the Ethereum Foundation, Protocol Labs, and several universities. Roughly every three seconds, the members jointly produce one random value using threshold cryptography: each signs a message derived only from the round number with its own private key-share, and the shares combine into a single signature. No single member, and no small group, can predict or bias the result unless a threshold of nodes collude. Every round is signed and can be checked against the network's fixed public key. The operator does not produce this number and cannot influence it.

Third, reveal and re-run. The operator reveals the entrant list and the drand round used. The winner is a deterministic function of the randomness and the entries: same inputs, same output, every time. Anyone, whether a journalist or a losing entrant, can download that exact drand round directly from the beacon, run the same calculation, and arrive at the same winner. The record is permanent and tamper-evident.

Why this is more secure than a ball machine

Compare the two honestly, link by link. A physical draw chains together things you must trust: the operator, the auditor, the calibration, an unedited broadcast. You watch the balls drop, but you cannot prove they were not weighted, swapped, or that the footage was not cut. The Triple Six Fix, the Serbian glitch, and the Tipton case are simply different points where that chain of trust failed: a host with a syringe, a broadcast overlay, a line of malware.

A provably-fair draw replaces every one of those links with something checkable. The randomness is public and entirely outside the operator's control, so no one can paint the balls or load the software. The commitment binds the inputs before the outcome can possibly be known, so no result can be prepared in advance. And the result is reproducible by anyone, forever, so detection never depends on someone noticing a strange betting pattern. Pennsylvania's fix succeeded for as long as it did precisely because nobody could check the draw directly; a commit-reveal draw on a public beacon removes that blind spot entirely.

We will be honest about the limit, because cryptography is not magic. The guarantee is precise and narrow: the published winner is the deterministic function of a public, unpredictable random value that was committed before the draw. It does not pass judgment on who is on the entrant list, and it does not certify the people involved. But that narrow guarantee is exactly the assurance a ball machine can never offer, no matter how many auditors are in the room. With a ball machine you trust that nobody tampered with it. With a verifiable draw you do not have to trust, because you can check.

See it for yourself

If you run giveaways, prize draws, or any selection where the result matters to people, this is the difference between asking your audience to take your word and handing them the means to confirm it. You can run a draw on Verified Draws and share the commitment and the drand round so anyone can reproduce the outcome. Or, if you already have a result in hand, you can verify a draw yourself: pull the same random value from the beacon, re-run the math, and watch it land on the same winner. No syringe, no overlay, no auditor, no trust required, just the maths, in the open.