A Customer Spends 4 Hours Every Day on One Machine — Should I Be Concerned?

In 2018, I was called to an arcade in Quezon City, Philippines, by an owner who had noticed something unusual. One of his regular customers—a man in his mid-30s, always alone, always carrying a small backpack—had been arriving at the arcade at 10:00 AM every day for six weeks. He would buy a fixed amount of credits, sit at the same fish table machine, and play continuously for four to five hours. He cashed out modest amounts, never caused trouble, and was polite to the staff. The owner’s instinct was that this was just a dedicated player who enjoyed the game. But something did not sit right. The machine’s net revenue had been declining slowly but steadily for two months, from an average hold of 26% down to 18%. No other machines on the floor showed the same pattern. When I inspected the machine, I found a tiny, custom-made USB device plugged into an internal debug port behind the control panel. The player had been installing it when he arrived and removing it when he left. The device was intercepting game outcome calculations and making micro-adjustments that gave him a persistent edge—not enough to win every round, but enough to shift the long-term probability in his favor by about 2-3%. Over four hours a day for six weeks, those micro-adjustments added up. This article is about recognizing the difference between a passionate customer and a potential threat, how to investigate without making false accusations, and when it becomes appropriate to take action.

The Pattern: When Extended Play Stops Looking Like Enthusiasm

There is a specific profile that I have learned to recognize across arcades in the Philippines, Thailand, Vietnam, and Indonesia. The player arrives at roughly the same time every day, typically during slower hours—mid-morning or early afternoon on weekdays. They use the same machine every time and become visibly uncomfortable or even argumentative if that machine is occupied when they arrive. They play for extended sessions of three to six hours. Their betting patterns are unusual: they often play minimum bets for long stretches and then suddenly increase to maximum bets for a few rounds before dropping back down. They cash out modest amounts frequently rather than accumulating large balances. They are friendly with staff but do not socialize with other players. When questioned, they have a plausible cover story: they are retired, they work nights, they are between jobs, they just really enjoy the game.

The challenge for arcade operators is that some of these customers are exactly what they appear to be—retired individuals, night-shift workers, or genuine gaming enthusiasts who have found a game they enjoy and have the time to invest in it. Arcades in the Philippines, where unemployment and underemployment create a population of people with significant free time, see a higher proportion of legitimate long-duration players than arcades in more regulated or higher-income markets. The question is not whether the behavior itself is wrong. The question is whether the machine’s financial performance supports the narrative of a legitimate player.

A legitimate enthusiast playing four hours a day will lose money over time. That is how the machine’s mathematics work. The house edge, even if small, compounds over thousands of rounds. A player who wins consistently over weeks or months is either extremely lucky—which is statistically unsustainable over sufficient volume—or they have found a way to alter the game’s odds in their favor. The machine’s net hold over the period the player has been active is the only metric you need to distinguish between these two possibilities.

What May Actually Be Happening: Five Common Exploitation Methods

When a player camps on a single machine for hours every day and that machine consistently underperforms, I have found the cause falls into one of the following categories with high reliability.

Timing-based exploit of payout cycles. Many arcade games, especially fish tables and slot-style redemption games, use pseudo-random number generators that operate on cycles. A player who has studied the game’s behavior over hundreds of hours may learn to recognize visual or audio cues that signal an approaching payout window. They then play minimum bets during cold cycles and maximum bets during warm cycles. This is not hacking in the traditional sense—there is no external device and no code modification. It is pattern recognition applied to a deterministic system. I have documented this pattern in the Philippines with players who had spent so much time on specific game versions that they could predict payout behavior with enough accuracy to flip the house edge from negative to positive. The fix is usually a firmware update that randomizes cycle timing or eliminates the detectable cues, but many arcade operators do not know to look for this because the player is not using any visible cheating device.

Physical device-based manipulation. This is what I found in the Quezon City case. The player carries a small device—a USB stick, a microcontroller board, or even a modified phone—that connects to an internal port on the machine. These ports exist for factory diagnostics and firmware updates. They are not supposed to be accessible during normal operation, but many arcade machines have accessible USB or serial ports behind the control panel, under the coin door, or inside the bill acceptor compartment. A player who has identified an accessible port and obtained or reverse-engineered the communication protocol can send commands that alter credit balances, payout multipliers, or random number generation. The USB device I found in Quezon City was so small it fit inside the player’s closed hand, and he could connect and disconnect it in under three seconds while pretending to adjust his seating position.

Software-based manipulation through the machine interface. Some exploits are performed entirely through the machine’s normal interface—the buttons, the touch screen, or the card reader. I have documented cases where specific button press sequences, performed rapidly during certain game states such as payout animations or bonus round transitions, would cause the machine to credit additional coins, reset a losing spin, or trigger a bonus round out of sequence. These are bugs in the game software. They typically affect a specific firmware version. Players who discover them share the information within small communities, and the same exploit often appears in multiple arcades across a region within weeks as word spreads through player networks.

Card system exploitation. In arcades that use player cards for credit and ticket tracking, a player who has obtained a card writer or who has found a vulnerability in the card encoding can modify their card balance. They load a card with 500 credits, play it down to 50, then rewrite it back to 500 without paying. To the staff watching the floor, they appear to be a heavy player who buys credits frequently. In reality, they are recycling the same credits over and over. I identified this pattern in a Manila arcade by comparing the card’s transaction log against the cash register log for the same time period. The player’s card showed 12 reloads in one day totaling 6,000 credits, but the cash register showed only two purchases by that player totaling 1,000 credits. The other 5,000 credits were generated by a card writer the player kept in his backpack.

Collusion with a staff member for credit bypass. This is the simplest method and often the hardest to detect because it leaves no technical evidence. A staff member with manager override access adds free credits to the machine. The player sits and plays. They split any winnings. If the player loses, no one notices because the credits were free and the machine shows normal play activity. When questioned, the player says they bought the credits legitimately. The staff member confirms this. Without machine-level meter data showing credit-in versus credit-played discrepancies, this pattern is nearly invisible from casual observation.

How to Investigate a Suspicious Long-Duration Player Without Making an Accusation

The last thing you want is to falsely accuse a legitimate customer of cheating. That customer will tell their friends, leave negative reviews, and potentially never return. In the close-knit arcade communities I have observed in the Philippines and across Southeast Asia, word travels fast, and an unjust accusation can damage your reputation more than the revenue loss from an actual cheater. Here is a systematic, non-confrontational investigation approach.

Step 1: Establish the machine’s financial baseline. Pull detailed revenue data for the specific machine over the past three to six months. Calculate daily net hold as a percentage of credits inserted. Identify the date when the player began their daily routine and compare the machine’s average net hold before and after that date. If the hold percentage has dropped significantly since the player became a regular, that is your first data point. A legitimate player will not systematically depress a machine’s hold over time. The mathematics of the game guarantee that a fair player loses at the house edge rate over sufficient volume. If the machine’s hold is trending down instead of converging to the programmed rate, something is interfering with the game’s probability distribution.

Step 2: Analyze the player’s betting patterns. If your machine supports it, export the detailed play log for sessions when this player is active. Look at bet sizing patterns. Are they playing minimum bets for 95% of the session and then suddenly betting maximum on specific rounds? This is the signature pattern of someone who can predict or influence game outcomes. A legitimate recreational player may vary their bets based on mood or balance, but the variation will not correlate with game states in a consistent, predictable way. A player exploiting timing-based vulnerabilities will show bet sizing that correlates with the game state in a way that suggests foreknowledge.

Step 3: Observe without confrontation. Have a staff member you trust—or better yet, do it yourself if you are not known to the player—observe the player from a distance during their session. You are looking for specific behaviors: the player frequently reaching into a bag or pocket immediately before or after game rounds, the player’s hands moving to areas of the machine that are not normal playing surfaces such as underneath the control panel or around the coin slot area, the player appearing to interact with a phone or small device in a way that is synchronized with game events, and whether the player appears agitated or concerned when staff walk near the machine. None of these behaviors individually proves anything. All of them together form a pattern that justifies closer inspection.

Step 4: Inspect the machine after hours. When the arcade is closed and the player is gone, open the machine and look for anything anomalous. Check all accessible ports for foreign devices. Check for tool marks around screws and access panels that the player might have opened. Check the bill acceptor and coin mechanism for any modification. Look at the wiring harness for cuts, splices, or non-factory connectors. Take photos of the machine’s internal configuration, especially any DIP switch settings or configuration jumpers. Compare against factory specifications. If you find a device you do not recognize, photograph it and send the image to the machine manufacturer for identification before removing it.

Step 5: Check the card system logs if applicable. If your arcade uses player cards, export the suspect player’s full transaction history. Compare every credit reload against cash register records for the same timestamp. Look for reloads that do not correspond to cash transactions. Look for balance adjustments that occur at times when no staff member with override access was logged on duty. The card system is a digital paper trail, and someone exploiting it will almost always leave a pattern in the data that contradicts the cash register log.

Prevention and Response: What to Do Based on What You Find

The appropriate response depends on what your investigation uncovers. Here is how I advise arcade owners to handle each category of finding.

If the player is legitimate. Your investigation finds no financial anomaly, no suspicious behavior, and no hardware tampering. The machine’s net hold is within expected range. The player is simply someone with a lot of free time who enjoys your game. In this case, treat them like any valued customer. Acknowledge their loyalty. A free drink or a small credit bonus goes a long way. Legitimate heavy players are your best marketing because they keep machines occupied and create an atmosphere of activity that attracts other customers. Do not make them feel watched or unwelcome.

If you find a technical exploit. You have identified a firmware bug, an accessible port, or a card system vulnerability that the player is exploiting. Remove the exploit. Update the firmware. Seal the diagnostic port with a tamper-evident sticker or physical lock. Patch the card system vulnerability. Do this during closed hours so the player arrives the next day to find the vulnerability closed. In most cases, they will test it a few times, realize it no longer works, and stop coming. You do not need to confront them. The machine has been fixed. If they ask questions, a staff member can say the machine received a routine software update. That is the truth, and it avoids any confrontation.

If you find a physical device. You have found a USB stick, microcontroller, or other foreign device connected to the machine. Document it thoroughly. Take multiple photos from different angles showing how it is connected. Note the date, time, machine number, and where it was found. Remove it and store it as evidence. If you have camera footage of the player connecting the device, save that footage. At this point, you have clear evidence of tampering. The next steps depend on your local laws and your preference. In the Philippines, I have seen owners handle this by having security approach the player, present the evidence, and issue a permanent ban from the premises. In some cases, owners have filed police reports. In the Quezon City case, the owner chose to ban the player and use the incident as a learning opportunity to inspect all other machines on the floor, finding one additional device that had been installed by a different player.

If you find staff collusion. Your investigation reveals that a staff member is providing free credits to the player. This requires handling both parties. The player should be banned. The staff member should be terminated or, depending on the severity and your local legal framework, reported to authorities. Then implement the dual-custody procedures, role rotation, and machine access logging described in our companion article on staff investigation. The player was only able to exploit the system because a staff member created the opening. Close the procedural gap as well as removing the individuals.

Long-Term Prevention Measures

Once the immediate situation is handled, implement these structural changes to prevent recurrence across all your machines.

Physically secure all diagnostic and service ports. Every accessible USB port, serial port, and debug connector on every machine should be physically sealed. Tamper-evident stickers are the minimum. For higher-security applications, use port locks or covers that require a tool to remove. I recommend inspecting port seals during weekly machine checks and replacing any that show signs of tampering.

Enable and review player session logging. If your machine management system supports it, configure alerts for unusual play patterns: sessions exceeding three hours, sessions where bet sizing varies by more than a factor of five within short intervals, sessions where the player’s net win exceeds a threshold relative to their total bet volume. These alerts do not prove cheating, but they tell you which sessions to review more carefully.

Maintain current firmware on all machines. When a manufacturer releases a firmware update, there is usually a reason. It may fix a known exploit. It may close a timing vulnerability. It may randomize a predictable behavior. I recommend checking for firmware updates monthly and applying them during scheduled maintenance windows. Keep a log of which firmware version is installed on each machine so you can quickly identify which units need attention when an update is released.

Train floor staff to recognize and report suspicious behavior. Your staff see more than you do because they are on the floor for entire shifts. Train them to notice and report: customers who are unusually protective of a specific machine, customers who reach into areas of the machine that are not normal playing surfaces, customers who carry bags or backpacks and position them close to machine access points, customers who arrive at consistent times and leave at consistent times every day, especially during slow periods. Create a simple reporting system—a notebook, a messaging group, or a log entry in your management system. Reward staff who report legitimate issues. The goal is not to create a culture of suspicion. It is to create a culture of awareness where unusual behavior gets noted and escalated rather than ignored.

Q: How many hours per day is “too many” before I should be concerned?

A: There is no fixed threshold. A retired person playing for four hours is not inherently suspicious. The concern arises from the combination of extended daily sessions on the same machine and declining machine revenue. If your machine’s net hold is within the expected range and the player is not winning consistently, the hours do not matter. If the machine is underperforming and the player is the primary occupant, investigate regardless of how many hours they play. I have seen exploits that work in 90-minute sessions and I have seen legitimate players who stay for six hours. The machine’s financial data tells you whether a problem exists. The player’s behavior tells you where to look for the cause.

Q: What if I ban the player and they go to a competitor across the street?

A: If the player was exploiting a vulnerability in your specific machine or firmware version, they may not be able to replicate the exploit at a competitor with different hardware or updated firmware. If they can, that competitor has the same vulnerability you had, and addressing it at your venue at least protects your revenue. In the Philippines, I have seen arcade owners share information about banned players and known exploit methods through informal industry networks. If you are comfortable with it, reach out to neighboring arcade owners and let them know what you found. The exploit is the real enemy, not the player. A player without a vulnerability to exploit is just another customer.

Q: Can I just move the machine to a different spot on the floor to break the pattern?

A: Moving the machine is a temporary measure at best. If the player is exploiting a machine-specific vulnerability, they will find the machine in its new location within a day or two. If they are exploiting a firmware bug that exists on all machines of that model, moving one machine does nothing because the bug is still there. Moving the machine may also inconvenience legitimate customers and disrupt your floor layout. I recommend addressing the root cause rather than rearranging the furniture. If the root cause is a firmware bug, update the firmware. If the root cause is an accessible port, seal it. These fixes are permanent and protect all machines, not just the one the player was using.

Q: Should I install cameras pointing at individual machines?

A: Cameras covering the general floor are useful for security and should cover all machines at a high enough resolution to identify individuals at play. Cameras pointed specifically at individual machines can make legitimate customers uncomfortable and may violate privacy expectations in some jurisdictions. A better approach is to use the data your machines already generate—meter readings, play logs, card transaction histories—to identify suspicious machines and sessions, and then focus camera review on those specific time windows. This is more efficient and less invasive than blanket surveillance of every player at every machine.

Q: What is the financial impact of one exploitative player over time?

A: It depends on the exploit and the volume of play, but the numbers tend to be larger than most owners expect. In the Quezon City case, the player was extracting approximately 3,500 PHP per day through the USB-based exploit. Over six weeks of daily four-hour sessions, that was roughly 105,000 PHP. The machine was one of eight identical units on the floor. The other seven were performing normally, so the owner initially attributed the variance to normal fluctuation. By the time the pattern was obvious enough to trigger investigation, the loss was already significant. A single determined player with a reliable exploit can drain a machine at a rate that equals or exceeds the revenue from several legitimate machines combined. This is why early detection matters—the cost of investigation is negligible compared to the cost of inaction.

What to Do Next

If you have a customer who fits the profile described in this article—daily extended sessions on the same machine, unusual betting patterns, or behavior that triggers your intuition—I recommend starting with Step 1 of the investigation process today. Pull that machine’s revenue data for the period before and after the player became a regular. Calculate the change in net hold. If the number tells you something is off, proceed methodically through the remaining steps without confrontation, without accusation, and without alerting the player that they are being investigated.

If you find a device you cannot identify, a firmware vulnerability you do not know how to address, or a pattern in your data that you cannot explain, I am available to help. Send photos of anything unusual you find inside your machines. Send your meter data if you are seeing patterns you cannot interpret. I have investigated hundreds of these cases across the Philippines, Thailand, Vietnam, Malaysia, and Indonesia, and I can usually provide an initial assessment within a day. There is no charge for the initial consultation. You may also find it helpful to review our other operational security articles for a complete framework on protecting your arcade revenue from all angles.