Post
Topic
Board Gambling
Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
by
leannemckim46
on 20/09/2014, 22:03:23 UTC
There is one aspect of that story that's still bothering me (well, there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three-line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.
If he was watching the live bets then the rogue employee could get a good idea as to who had a lot of money in their account, or he could have looked at the "high rollers" section to see who were larger bettors.

He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

The above is nothing more than speculation, but all would fit the story that Dicebitco.in gave.