Specialists Reveal Chinese Cybercrime Network Behind Betting and Trafficking

The connection among different TDSs and DNS tied to Vigorish Viper and the final user landing experience


An organized crime group from China with ties to illicit money transactions and human smuggling in Southeast Asia has been utilizing an advanced “technology suite” covering the entire spectrum of cybercrime supply chain to lead its activities.

Infoblox is tracking the entity responsible for development and maintenance under the alias Vigorish Viper, assessing that it was created by the Yabo Group (also known as Yabo Sports), a group previously associated with illicit betting activities and pig butchering scams. The group rebranded as Kaiyun Sports towards the end of 2022 and has now merged into a new entity named Ponymuah.

The suite, marketed in China as “baowang” (“包网,” meaning comprehensive package) includes various elements like Domain Name System (DNS) setups, web hosting, payment channels, advertising, and mobile applications. It manages thousands of domain names and multiple brands within an infrastructure connected to Hong Kong and mainland China.

The operation revolves around obtaining sponsorships from European soccer clubs using intermediary companies or generic brands, leveraging them to promote illicit betting websites in the region with the aim of attracting more participants. As of July 2023, reports indicated that betting company logos were displayed up to 3,500 times during a single televised soccer match.

Yabo, Ponymuah, and affiliated branches such as OB (or OBGM), DB Gaming, Panda Sports, KM Gaming, and Smart King Games (SKG) form part of Vigorish Viper’s expansive network, shedding light on the intricate and unclear ownership structure of the betting entities and the elaborate methods adopted to bypass scrutiny.


Not only English soccer clubs but also cricket and kabaddi teams in India have entered into similar sponsorship agreements to endorse Vigorish Viper brands, as uncovered by the investigation.

“Vigorish Viper manages an extensive network comprising over 170,000 active domain names, eluding detection and law enforcement through its clever utilization of DNS CNAME traffic distribution systems,” explained Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga in a detailed report shared with The Hacker News.

“Aside from betting, Vigorish Viper’s CNAME [traffic distribution systems] are utilized for unlawful streaming and adult content websites. Some of the streaming domains are long-standing registrations that Vigorish Viper acquired after their original ownership expired.”

Burton, who serves as the vice president of threat intelligence at Infoblox, characterized the threat actor as “one of the most sophisticated and significant digital security threats uncovered to date.”

Overview of Vigorish Viper’s strategy for sports sponsorship

“Vigorish Viper established a complicated infrastructure with multiple layers of traffic distribution systems (TDSs) utilizing DNS CNAME records and JavaScript, rendering detection remarkably challenging,” Burton expressed in a statement. “These systems are further bolstered by their encrypted communications and proprietary applications, making their operations not only elusive but also exceptionally resilient.”

This involves employing DNS CNAME records to redirect traffic from one domain to another, a tactic previously employed by other malicious DNS actors like Savvy Seahorse. Additionally, the system possesses the capability to differentiate between residential, mobile, and commercial IP addresses within China.
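To show how a defender can surface this pattern in their own resolver or passive-DNS data, here is an added example (not code from the Infoblox report) that follows CNAME chains in constructed records and flags terminal names that many unrelated zones converge on; every name and address in it is hypothetical.

```python
from collections import defaultdict

# Constructed passive-DNS records for illustration (hypothetical names; none
# are indicators from the report). Format: "<qname> <rtype> <rdata>"
SAMPLE_RECORDS = """
bet-brand-a.example CNAME tds1.hub-example.net
bet-brand-b.example CNAME tds1.hub-example.net
stream-site.example CNAME tds2.hub-example.net
tds1.hub-example.net CNAME edge-x.hub-example.net
tds2.hub-example.net CNAME edge-x.hub-example.net
edge-x.hub-example.net A 192.0.2.10
corp-www.example CNAME cdn.example-cdn.test
cdn.example-cdn.test A 198.51.100.5
"""

def parse_records(text):
    """Return a dict of qname -> CNAME target built from the CNAME records."""
    cnames = {}
    for line in text.strip().splitlines():
        qname, rtype, rdata = line.split()
        if rtype.upper() == "CNAME":
            cnames[qname.lower().rstrip(".")] = rdata.lower().rstrip(".")
    return cnames

def resolve_chain(name, cnames, max_hops=10):
    """Follow CNAME hops from name until a non-CNAME name, a loop or max_hops."""
    chain, seen = [name], {name}
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in seen:          # loop guard: CNAME cycles do occur in the wild
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain

def zone(name):
    """Crude registrable-domain heuristic: last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])

def find_tds_hubs(cnames, min_fanin=2):
    """Map each chain's terminal name to the foreign-zone domains reaching it and
    keep terminals that at least min_fanin unrelated zones converge on."""
    hubs = defaultdict(dict)
    for qname in cnames:
        chain = resolve_chain(qname, cnames)
        terminal = chain[-1]
        if zone(qname) != zone(terminal):          # ignore the hub's own names
            hubs[terminal][qname] = len(chain) - 1  # hop count per source
    return {t: srcs for t, srcs in hubs.items() if len(srcs) >= min_fanin}
```

Calling `find_tds_hubs(parse_records(SAMPLE_RECORDS))` on the constructed data flags only `edge-x.hub-example.net`, which three unrelated zones reach in two hops, while the ordinary CDN alias with a single source is left alone.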

In January this year, the Play the Game initiative by the Danish Institute for Sports Studies discovered links between numerous European soccer clubs and illicit betting brands, linking back to Yabo and targeting regions like China where gambling is prohibited and identified as organized crime.

These online activities also have an offline aspect involving illegal human smuggling, where individuals are enticed with promises of lucrative opportunities and are then compelled into backing sports betting schemes and promoting pig butchering scams and other cryptocurrency frauds, as stated by the Asian Racing Federation (ARF).

A report [PDF] released by the ARF in October 2023 revealed that in groups of 8-10, some individuals collaborate with sports commentators and broadcasters (presumably on unauthorized streams) to endorse live chat communities advertising betting platforms during matches. Others perform as customer retention managers to incentivize bettors to continue gambling, while some act as direct customer acquisition agents.

Unfolding the steps from a user’s visit to betting initiation

Infoblox shared that their investigation into Vigorish Viper originated from an unusual domain, kb[.]com – a gaming portal known as KB Sports that uses Chinese name servers, which also serve yabo[.]com, the web address for Yabo Sports.

An intriguing point to highlight is that the site is geofenced against users in France and other European regions, but can be accessed from mainland China, Hong Kong, and Macau.

“When accessed from these locations, the user is redirected to a different domain – like kb830[.]com,” as highlighted by the researchers. “The redirection URL changes regularly. Moreover, all ‘right-click’ options are disabled on the platform, and text selection is inhibited, making it challenging to scrutinize or replicate the website.”

Visitors to the site are then exposed to advertisements promoting financial rewards for regular betting, along with payment options such as WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay, and NetBank. The betting transactions are facilitated through agents who handle bets, manage deposits, and interact with bettors using specialized, encrypted messaging applications.

A thorough review of the DNS query logs has revealed evidence that the operations of Vigorish Viper extend beyond China to target users globally.

Some of the defensive measures built into these platforms include periodic checks for signs of automated activity and CAPTCHA challenges presented to visitors, both to resist scanning attempts and when they request customer assistance, a role performed by real people who may have been trafficked to Southeast Asia.

But wait, there’s more. Visitors to one of Vigorish Viper’s affiliated sites are subjected to multiple rounds of fingerprint checks to verify their location in China and legitimacy before being permitted to place bets on the websites.

“Both the DNS data and software bind the entirety of Vigorish Viper’s operations to Yabo Sports or Yabo Group,” stated the company. “Their influence spans across various brands, potentially hundreds, and reaches users outside Southeast Asia as well.”

“Despite the extensive array of domains, websites, and associated applications, alongside a noticeable presence in the public domain, Vigorish Viper operates overtly and strangely in the PRC without facing any significant repercussions.”
