The machine should also issue a signed receipt: 'This (lottery/random) ID voted for X'
The voter is free to choose to keep this receipt or destroy it. If he keeps the receipt he risks being harassed by the thug but he can also prove it if his vote was registered incorrectly at the official registry.
The important point here is that as long as a fraction of the voters keep their receipt, any systematic fraud may be noticed. If a random 1/10 of the population keep their receipt then only ten(!) single votes can be me messed with in the election before someone is likely to step forward with a receipt pointing out the fraud: 'This receipt says ID12345 voted for X, but the official registry says ID12345 voted for Y. How come??'