Online Poker Cheating: How Platforms Detect Collusion (2026)

Piero Bassa

Founder & CEO

In November 2024, GGPoker stripped Francesco Garofalo of his WSOP Online bracelet and $1.1 million in winnings. The platform’s investigation found evidence of multi-accounting and unfair software use. Garofalo was banned for life. Seven months later, in June 2025, the WSOP Millionaire Maker tournament erupted in controversy when winner Jesse Yaginuma and runner-up James Carroll faced chip dumping allegations. WSOP seized the bracelet and $2.2 million in combined prizes pending investigation. In November 2025, GGPoker caught another ghosting incident during the GGMillion$ tournament and redistributed $115,000 to affected players.

These are not isolated events. PokerStars has removed over 3,000 suspicious accounts since January 2025 using machine learning detection systems. GGPoker banned 31 accounts in a single sweep for using real-time assistance tools. The platforms are catching more cheaters than ever, but the cheaters keep adapting.

Online poker has a unique vulnerability compared to other gambling verticals. In slots or sports betting, multi-accounting enables bonus abuse. In poker, it gives a direct mathematical advantage at the table. A player controlling two seats does not just claim two bonuses. They see more cards, coordinate betting, and manipulate outcomes in ways that fundamentally break the game.

Why online poker is uniquely vulnerable

The structure of poker creates opportunities for cheating that do not exist in other gambling formats.

The mathematical advantage of multi-accounting

At a nine-player Texas Hold’em table, each player sees 2 of the 52 cards in the deck before the flop. That is roughly 4% of total information. A player controlling two seats sees 4 cards: 8% of the deck, double the information of every honest opponent.

This does not sound like much in isolation. In practice, it transforms decision-making. Knowing that four specific cards are not in the remaining deck changes the probability of every draw, every made hand, and every bluff. Over thousands of hands, this informational edge compounds into a significant profit advantage that no amount of skill can overcome for honest players.

Real-time information sharing

When two colluding players sit at the same table, they know each other’s hole cards. This lets them play as a team against the rest of the table. They can:

  • Squeeze opponents by having one player raise and the other re-raise, forcing others to fold equity
  • Protect hands by having the weaker hand fold early instead of competing for the pot
  • Trap opponents by having one player slow-play while the other builds the pot
  • Maximize value by never competing against each other in large pots, preserving chips within the partnership

A single player running multiple accounts achieves the same coordination without needing a partner.

Tournament exploitation

In tournament poker, multi-accounting is particularly damaging. Entering the same tournament under multiple accounts increases the probability of a deep run. If each entry has a 1% chance of reaching the final table, three entries bump that to roughly 3%. For satellite tournaments that award seats to larger events, this multiplication of entries can systematically farm entries to high-value tournaments.

The cancelled prizes from the WSOP and GGMillion$ incidents show the stakes. Six- and seven-figure prize pools are at risk when even one cheater makes a deep run.

The cheating playbook

Poker cheating has evolved far beyond basic multi-accounting. Modern operations use sophisticated tools and techniques.

Collusion rings

Organized collusion involves multiple players (or one player with multiple accounts) coordinating strategy at the same table. Communication happens through Discord calls, screen sharing, or dedicated collusion software that aggregates information from all seats.

At high-stakes tables, the edge from seeing extra cards translates directly into thousands of dollars per session. Long-running collusion rings at mid-stakes games can operate for months before statistical anomalies become large enough to trigger platform detection systems.

Ghosting

Ghosting is account sharing at its most exploitative. A recreational player enters a major tournament, makes it to the money, and then hands control to a professional player for the crucial final stages. The professional plays on the recreational player’s account, making decisions far above the account owner’s skill level.

GGPoker’s November 2025 GGMillion$ case is a clear example. The account “Hinaru” was identified as being operated by someone other than the registered owner during play. The $115,752 in fifth-place winnings were canceled and redistributed to the other finalists.

Ghosting is difficult to detect because the play happens on a legitimately registered account. The identity checks pass because the account does belong to a real person. The fraud is in who is actually pressing the buttons.

Real-time assistance (RTA) tools

RTA software runs alongside the poker client and provides optimal strategy recommendations in real time. Tools like GTO Wizard calculate game-theory-optimal plays for the exact situation on screen, effectively giving the user a perfect strategy engine that no human can match from memory.

GGPoker banned 31 accounts in early 2025 specifically for RTA use. The platform has also banned “stables,” organizations that manage groups of players, supply them with RTA tools, and take a percentage of their winnings.

Chip dumping and money laundering

Chip dumping serves two purposes. The first is competitive: transferring chips from a “feeding” account to a main account, consolidating a chip stack without winning it from opponents. The second is financial: using poker tables as a money transfer mechanism.

A money launderer deposits dirty funds into Account A, deliberately loses them to Account B at the poker table, and withdraws from Account B as “poker winnings.” The transaction looks like a normal poker loss and win. Multiply this across dozens of accounts and the money is effectively cleaned through game activity.

How platforms catch cheaters today

The major poker platforms have invested heavily in detection, and their systems are becoming increasingly sophisticated.

Machine learning on hand histories

PokerStars and GGPoker both use ML models trained on millions of hand histories to detect statistical anomalies. These models look for:

  • Win rates that deviate from expected ranges at specific stakes and game types
  • Hand selection patterns that match information-sharing (consistently folding hands that would have lost to a specific opponent)
  • Betting patterns that suggest coordination (one player always folding to another’s raises)
  • Session overlap between accounts that consistently appear at the same tables

The strength of ML-based detection is that it catches subtle patterns invisible to human reviewers. The weakness is that it requires a large sample of hands before anomalies become statistically significant, meaning cheaters may profit for weeks or months before detection kicks in.
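
As an added illustration (not code from PokerStars, GGPoker or Guardian), the sketch below computes one of the coordination features listed above: how often a player folds when one specific opponent raises, compared with that player's fold rate against everyone else. The hand-record shape, the thresholds and the sample data are constructed assumptions.

```javascript
// Constructed sample, not real hand histories: on even hands the raiser is
// alice, on odd hands carol; bob and dave each face that raise.
function buildSampleHands(n = 60) {
  const hands = [];
  for (let i = 0; i < n; i++) {
    const raiser = i % 2 === 0 ? 'alice' : 'carol';
    hands.push({
      decisions: [
        // bob always folds to alice, but only half the time to carol
        { actor: 'bob', facing: raiser,
          action: raiser === 'alice' || i % 4 === 1 ? 'fold' : 'call' },
        // dave folds one time in three, whoever raises
        { actor: 'dave', facing: raiser, action: i % 3 === 0 ? 'fold' : 'call' },
      ],
    });
  }
  return hands;
}

// Tally, per (actor, raiser) pair, how often the actor faced that raiser
// and how often the actor folded.
function foldStats(hands) {
  const stats = new Map();
  for (const hand of hands) {
    for (const d of hand.decisions) {
      const key = `${d.actor}>${d.facing}`;
      const s = stats.get(key) ||
        { actor: d.actor, raiser: d.facing, faced: 0, folded: 0 };
      s.faced += 1;
      if (d.action === 'fold') s.folded += 1;
      stats.set(key, s);
    }
  }
  return [...stats.values()];
}

// Flag pairs where the actor folds to one raiser far more often than to
// everyone else. minFaced guards against judging on too few hands.
function flagSoftPlay(hands, { minFaced = 20, margin = 0.3 } = {}) {
  const stats = foldStats(hands);
  const flagged = [];
  for (const s of stats) {
    const others = stats.filter((o) => o.actor === s.actor && o.raiser !== s.raiser);
    const faced = others.reduce((n, o) => n + o.faced, 0);
    const folded = others.reduce((n, o) => n + o.folded, 0);
    if (s.faced < minFaced || faced < minFaced) continue;
    const pairRate = s.folded / s.faced;
    const baseline = folded / faced;
    if (pairRate - baseline >= margin) {
      flagged.push({ actor: s.actor, raiser: s.raiser, pairRate, baseline });
    }
  }
  return flagged;
}

console.log(flagSoftPlay(buildSampleHands()));
```

With only ten hands of the same behaviour, `minFaced` suppresses the flag entirely, which is the sample-size weakness described above.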

IP and geolocation monitoring

Platforms track the IP addresses of connected players and flag accounts that consistently share the same network. Two accounts at the same table connecting from the same IP address is a strong collusion signal.

This catches casual cheaters (a player running two accounts on the same home network) but fails against anyone using VPNs or residential proxies. Proxy services assign different IPs to each browser profile, making coordinated accounts appear to be in different cities or countries.

Device fingerprinting

This is where detection gets harder to evade. Device fingerprinting collects hardware-level signals (GPU renderer, canvas rendering, audio processing, screen properties, and more) to create a persistent identifier for each physical machine.

If two poker accounts at the same table are running on the same laptop and browser, the device fingerprint matches, regardless of IP address, browser profile, or identity. A cheater using two different browsers on the same machine would produce two fingerprints, but table-level correlation of hardware signals (GPU, screen, audio stack) can still cluster them. This is one of the strongest signals for detecting multi-accounting in poker because the fraudster cannot change their physical hardware between accounts.

Behavioral analysis

Beyond statistical hand analysis, platforms examine behavioral patterns: typing speed in the chat, mouse movement patterns, the timing between receiving cards and acting, and decision latency. Two accounts operated by the same person tend to share these behavioral signatures even when the user tries to vary them.

Ghosting detection relies heavily on behavioral shifts. When a recreational player suddenly starts making professional-level decisions at the same pace and with the same mouse patterns as a known high-stakes player, the mismatch between the account’s historical behavior and current behavior triggers investigation.

Where current detection falls short

Despite significant investment, the detection gap remains wide.

Anti-detect browsers defeat basic fingerprinting

Anti-detect browsers like Multilogin, GoLogin, and Dolphin Anty create browser profiles that each present a different device fingerprint. A cheater running four profiles on one laptop appears as four different devices to basic fingerprinting systems.

These tools were designed for marketing and e-commerce use cases but have become standard equipment for poker cheaters. Over 24 anti-detect browsers exist in the market, with GoLogin alone claiming over 500,000 users worldwide.

VPNs mask network signals

With 1.75 billion VPN users globally, IP-based detection is increasingly unreliable. Residential proxy services that route traffic through genuine home connections are nearly impossible to distinguish from legitimate users by network signal alone.

ML detection has a latency problem

Statistical detection works over large sample sizes. A cheater who plays 10,000 hands at a table will eventually show detectable anomalies. But a cheater who plays 500 hands, extracts profit, and moves to a different alias may never accumulate enough data to trigger an alert. Short-lived, high-impact cheating sessions slip through statistical models designed for long-term pattern recognition.

Ghosting is hard to prove

Behavioral analysis can detect that “something changed” about how an account plays, but proving that a different person is at the controls requires either an admission, technical evidence (like a different device connecting to the account), or extensive manual investigation.

How device intelligence closes the gap

Advanced device fingerprinting addresses the weaknesses in current detection systems.

Persistent identification across sessions

Guardian’s device fingerprinting creates a stable visitor ID tied to the device and browser combination. This ID persists across browser sessions, incognito mode, cookie clears, and VPN changes. A major browser update can produce a new ID, but platforms that maintain historical identifier mappings can link the old and new values. When a player connects to the poker platform, their device is identified before they take any action at the table.

If that same device has been seen on other accounts, the platform knows immediately. No need to wait for thousands of hands of statistical analysis. The multi-accounting signal is available at login.

Anti-detect browser detection

While basic fingerprinting can be spoofed by anti-detect browsers, advanced tamper detection identifies the inconsistencies these tools create. Guardian’s browser tampering signals detect when a browser profile claims one set of hardware characteristics but actually runs on different hardware.

For poker platforms, this means flagging suspicious accounts at the connection stage rather than after they have already played hands and potentially caused damage to other players.

Table-level device correlation

The most powerful application is correlating devices at the table level. When a poker table has nine players, each connected device should be a unique physical machine. If two or more player sessions share a device fingerprint (or come from devices with correlated hardware signals suggesting the same desk), that is a collusion red flag.

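// Server-side: check for device overlap at a poker table
import { createGuardianClient } from '@guardianstack/guardianjs-server';

const client = createGuardianClient({
  secret: process.env.GUARDIAN_SECRET_KEY,
});

// Hypothetical helper: replace with the platform's own case-management hook.
async function flagCollusion(accountA, accountB, visitorId) {
  console.warn(`Shared device ${visitorId}: ${accountA} and ${accountB}`);
}

async function checkTableIntegrity(tablePlayers) {
  // visitorId -> accountId of the most recent player seen on that device
  const deviceMap = new Map();

  for (const player of tablePlayers) {
    const event = await client.getEvent(player.requestId);
    const { visitorId } = event;

    // Skip sessions with no fingerprint so two missing IDs never "match"
    if (!visitorId) continue;

    if (deviceMap.has(visitorId)) {
      // Two players at this table share a device
      await flagCollusion(
        deviceMap.get(visitorId),
        player.accountId,
        visitorId
      );
    }

    deviceMap.set(visitorId, player.accountId);
  }
}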
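
The check above only catches an exact visitor ID match. As an added example (not Guardian's code or API), the sketch below covers the correlated-hardware case the text describes: it links sessions at one table when enough hardware signals agree and returns the resulting clusters. The signal field names, the 0.75 threshold and the sample sessions are constructed assumptions.

```javascript
// Hypothetical per-session hardware signals; field names are assumptions.
const SIGNALS = ['gpuRenderer', 'screen', 'audioHash', 'canvasHash'];

// Constructed sample table. p1 and p2 differ only in canvas output (two
// browsers on one machine); p3 is an unrelated player on the same GPU model.
const TABLE = [
  { accountId: 'p1', visitorId: 'v-aaa', gpuRenderer: 'ANGLE (NVIDIA RTX 3060)',
    screen: '2560x1440@1', audioHash: 'a91f', canvasHash: 'c001' },
  { accountId: 'p2', visitorId: 'v-bbb', gpuRenderer: 'ANGLE (NVIDIA RTX 3060)',
    screen: '2560x1440@1', audioHash: 'a91f', canvasHash: 'c777' },
  { accountId: 'p3', visitorId: 'v-ccc', gpuRenderer: 'ANGLE (NVIDIA RTX 3060)',
    screen: '2560x1440@1', audioHash: 'b220', canvasHash: 'c310' },
  { accountId: 'p4', visitorId: 'v-ddd', gpuRenderer: 'Apple M2',
    screen: '1512x982@2', audioHash: 'd4e0', canvasHash: 'c555' },
];

// Fraction of signals on which two sessions agree (missing values never match).
function similarity(a, b) {
  const same = SIGNALS.filter((k) => a[k] !== undefined && a[k] === b[k]).length;
  return same / SIGNALS.length;
}

// Union-find over the table: sessions are linked on an identical visitor ID
// or on hardware similarity at or above the threshold.
function clusterTable(sessions, threshold = 0.75) {
  const parent = sessions.map((_, i) => i);
  const find = (i) => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  for (let i = 0; i < sessions.length; i++) {
    for (let j = i + 1; j < sessions.length; j++) {
      const sameId = sessions[i].visitorId === sessions[j].visitorId;
      if (sameId || similarity(sessions[i], sessions[j]) >= threshold) {
        parent[find(j)] = find(i);
      }
    }
  }
  const groups = new Map();
  sessions.forEach((s, i) => {
    const root = find(i);
    groups.set(root, [...(groups.get(root) || []), s.accountId]);
  });
  // Only clusters with more than one account are of interest.
  return [...groups.values()].filter((g) => g.length > 1);
}

console.log(clusterTable(TABLE));
```

GPU and screen alone match across unrelated players who own the same hardware model, which is why p3 stays out of the cluster; a cluster is a lead for review, not proof.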

Velocity signals for account farming

Device-level velocity tracking reveals when a device is creating accounts at a rate inconsistent with legitimate play. A real poker player has one account (or very few, if they have played on the platform previously). A multi-accounting operation creates many accounts over a short period, and that velocity is visible at the device level.

{
  "visitorId": "xyz789abc012",
  "velocity": {
    "5m": 0,
    "1h": 1,
    "24h": 4
  },
  "linkedAccounts": 4,
  "browserTampering": {
    "detected": true,
    "anomalies": ["canvas_mismatch"]
  }
}

Four linked accounts and canvas fingerprint manipulation on the same device is not a legitimate player. It is a multi-accounting operation.

What platforms should implement

Based on the patterns emerging from GGPoker, PokerStars, and enforcement trends in 2025-2026, here is what a comprehensive poker integrity system looks like.

Pre-table device checks

Before a player sits at a table, verify their device against all other players currently seated. If a device match or correlation is found, prevent the seating. This is a real-time check that must happen in milliseconds, which is why lightweight device fingerprinting APIs matter.

Post-session statistical analysis

Continue using ML models on hand histories, but use device intelligence to focus the analysis. Instead of scanning every hand at every table, prioritize analysis on sessions where device signals raised concern: shared devices, detected tampering, VPN usage, or high velocity.
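
An added example (not Guardian's code) that combines the two steps above: a pre-seat gate that refuses a seat on a device match and otherwise passes the remaining device signals on as a review priority for post-session analysis. It reads the event shape shown in the velocity sample earlier; the thresholds, function names and the reading of `velocity` as a per-window count are assumptions.

```javascript
// Illustrative thresholds (assumptions, not vendor recommendations).
const LIMITS = { velocity24h: 3, linkedAccounts: 2 };

// Constructed event, using the values from the sample response in the article.
const SAMPLE_EVENT = {
  visitorId: 'xyz789abc012',
  velocity: { '5m': 0, '1h': 1, '24h': 4 },
  linkedAccounts: 4,
  browserTampering: { detected: true, anomalies: ['canvas_mismatch'] },
};

// Collect the device signals that should raise post-session review priority.
function riskReasons(event) {
  const reasons = [];
  if ((event.velocity?.['24h'] ?? 0) >= LIMITS.velocity24h) reasons.push('high_velocity');
  if ((event.linkedAccounts ?? 0) > LIMITS.linkedAccounts) reasons.push('linked_accounts');
  if (event.browserTampering?.detected) {
    const anomalies = event.browserTampering.anomalies ?? [];
    for (const a of anomalies.length ? anomalies : ['unspecified']) {
      reasons.push(`tampering:${a}`);
    }
  }
  return reasons;
}

// candidate and each seated entry have the shape { accountId, event }.
function seatDecision(candidate, seated) {
  const id = candidate.event?.visitorId;
  // No fingerprint: hold the seat rather than let two missing IDs compare equal.
  if (!id) return { action: 'hold', reasons: ['no_device_signal'] };

  // Device already at this table: prevent the seating.
  const clash = seated.find((s) => s.event?.visitorId === id);
  if (clash) return { action: 'deny', reasons: [`same_device_as:${clash.accountId}`] };

  // Otherwise seat the player and carry the signals into hand-history review.
  const reasons = riskReasons(candidate.event);
  return { action: 'seat', reasons, reviewPriority: reasons.length };
}

console.log(seatDecision(
  { accountId: 'acct-9', event: SAMPLE_EVENT },
  [{ accountId: 'acct-1', event: { visitorId: 'v-1' } }]
));
```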

Account lifecycle monitoring

Track device signals not just at registration and login, but throughout the account’s lifetime. A legitimate account that suddenly connects from a new device with different behavioral patterns may have been sold to a cheater (account trading is a growing problem in poker).

Transparent enforcement

GGPoker and PokerStars have both moved toward public disclosure of enforcement actions. Publishing the number of banned accounts, redistributed prizes, and detection methods (without revealing exploitable details) builds player confidence that the platform is actively protecting game integrity.

The stakes for the industry

Online poker’s credibility depends on players trusting that the game is fair. Every high-profile cheating scandal, from Garofalo’s WSOP disqualification to the GGMillion$ ghosting incident, erodes that trust. Recreational players, the lifeblood of the poker ecosystem, leave when they believe the games are rigged against them.

The AI Sports Betting Fraud Detection market is projected to grow from $0.6 billion in 2025 to $3.2 billion by 2033. Platforms that invest in advanced detection now will retain players and attract new ones. Platforms that do not will lose both.

Device intelligence is not the only layer needed, but it is the one that addresses the fundamental weakness in current detection. Identities can be faked. IPs can be masked. Statistical patterns take time to emerge. But the physical device behind every session is immediate, persistent, and extremely difficult to spoof at scale.

Start your free trial to see how Guardian helps poker platforms detect multi-accounting and collusion.

Frequently asked questions

What is collusion in online poker?

Collusion is when two or more players at the same table secretly cooperate to gain an unfair advantage. They share hole card information (through calls, messages, or screen sharing), coordinate betting to trap opponents, and work together to extract maximum value from pots. In online poker, collusion can be executed by a single person controlling multiple accounts, or by a group communicating through a separate channel.

What is ghosting in online poker?

Ghosting is when someone other than the account owner plays on their account, typically a more skilled player taking over during a crucial stage of a tournament. In November 2025, GGPoker caught a player being operated by someone else during the GGMillion$ tournament and canceled $115,000 in winnings. Ghosting violates platform terms of service and constitutes fraud in regulated jurisdictions.

What is chip dumping in poker?

Chip dumping is when a player deliberately loses chips to another player at the table. This is typically done between accounts controlled by the same person, transferring chip stacks to consolidate an advantage. It is also used for money laundering: funds deposited into one account are 'lost' at the poker table to a clean account, creating seemingly legitimate winnings. The June 2025 WSOP Millionaire Maker scandal involved chip dumping allegations worth $2.2 million.

How do poker platforms detect cheating?

Modern platforms use multiple layers: machine learning models trained on millions of hands that detect statistical anomalies in win rates, betting patterns, and hand selection; device fingerprinting that links accounts sharing a physical machine; IP monitoring to flag accounts connecting from the same network; behavioral analysis comparing play styles across accounts; and manual review by security teams investigating flagged patterns.

Can anti-detect browsers bypass poker platform security?

Anti-detect browsers like Multilogin and GoLogin can spoof many fingerprinting parameters, making each browser profile appear as a different device. However, advanced device intelligence detects inconsistencies between claimed and actual hardware characteristics. A profile claiming to be Chrome on macOS but rendering graphics with a Windows GPU driver reveals the spoofing attempt. No anti-detect browser can perfectly replicate the full hardware fingerprint of a genuinely different device.

How does device fingerprinting help detect poker collusion?

Device fingerprinting collects 70+ hardware and browser signals to create a unique identifier for each physical device. If a player controls two accounts at the same poker table, and both sessions originate from the same device (or from devices on the same desk via proximity detection), the fingerprints match or cluster together. This exposes collusion even when each account uses a different name, email, IP address, and browser profile.

Piero is the founder of Guardian, building privacy-first device intelligence to help businesses stop fraud and recognize trusted users.
