Experts Uncover Chinese Cybercrime Network Behind Gambling and Human Trafficking

A Chinese organized crime syndicate with connections to money laundering and human trafficking across Southeast Asia is leveraging an advanced “technology suite” to run its cybercrime operations.

Tracked by Infoblox under the name Vigorish Viper, the suite is developed by the Yabo Group (also known as Yabo Sports), which has been linked to illegal gambling and pig butchering scams. In late 2022, it rebranded as Kaiyun Sports and was later integrated into a new entity called Ponymuah.

Marketed in China as “baowang” (meaning full package), the suite includes components such as DNS configurations, website hosting, payment mechanisms, advertising, and mobile apps. It supports thousands of domain names and brands, with infrastructure based in Hong Kong and China.

The operation involves securing sponsorships with European football clubs through front companies or white label brands to advertise illegal gambling sites, aiming to attract more bettors. In July 2023, betting company logos appeared up to 3,500 times during a single televised football match.

Vigorish Viper’s network includes Yabo, Ponymuah, and related entities like OB (OBGM), DB Gaming, Panda Sports, KM Gaming, and Smart King Games (SKG), highlighting the intricate ownership and efforts to evade scrutiny.

The syndicate’s reach isn’t limited to European football; cricket and kabaddi teams in India have also entered similar sponsorship deals to promote Vigorish Viper brands.

“Vigorish Viper operates a vast network of over 170,000 active domain names, evading detection and law enforcement through sophisticated DNS CNAME traffic distribution systems,” said Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga.

“In addition to gambling, Vigorish Viper’s CNAME traffic distribution systems serve illegal streaming and pornography sites. Some of these domains were picked up after the original registrations expired,” they added.

Renée Burton, vice president of threat intelligence at Infoblox, described Vigorish Viper as “one of the most sophisticated and important threats to digital security” discovered to date.

“Vigorish Viper created a complex infrastructure with multiple layers of traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, making it incredibly difficult to detect,” Burton said. “These systems, complemented by encrypted communications and custom-developed applications, make their activities elusive and resilient.”

The group uses DNS CNAME records to redirect traffic between domains, a technique previously used by other DNS threat actors like Savvy Seahorse. Their system can differentiate between residential, mobile, and commercial IP addresses in China.
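For defenders working from DNS query or passive-DNS logs, layered CNAME redirection of this kind shows up as many unrelated registered domains converging on one terminal name through two or more hops. The sketch below is an added example, not Infoblox's method or code from the report; the sample records, thresholds, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS CNAME observations (owner -> target); all names are
# made-up placeholders under the reserved .example / .test TLDs.
SAMPLE_CNAMES = [
    ("www.brand-a.example", "x1.layer1.test"),
    ("www.brand-b.example", "x2.layer1.test"),
    ("m.brand-c.example", "x3.layer1.test"),
    ("x1.layer1.test", "pool.layer2.test"),
    ("x2.layer1.test", "pool.layer2.test"),
    ("x3.layer1.test", "pool.layer2.test"),
    ("www.shop.example", "shop.cdn-vendor.test"),   # ordinary one-hop CDN alias
    ("loop-a.example", "loop-b.example"),           # misconfigured CNAME loop
    ("loop-b.example", "loop-a.example"),
]

def registered_domain(name):
    """Naive last-two-labels heuristic (assumption; use a Public Suffix List in practice)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def resolve_chain(name, cname_map, max_depth=8):
    """Follow CNAMEs from name; return the hops seen, stopping on loops or max depth."""
    chain, seen = [name], {name}
    while name in cname_map and len(chain) <= max_depth:
        name = cname_map[name]
        if name in seen:
            break
        chain.append(name)
        seen.add(name)
    return chain

def cname_fan_in(records, min_domains=3, min_layers=2):
    """Return {terminal: sorted source domains} for terminal names reached through
    at least min_layers CNAME hops by at least min_domains registered domains."""
    cname_map = {o.lower().rstrip("."): t.lower().rstrip(".") for o, t in records}
    targets = set(cname_map.values())
    sources = defaultdict(set)
    for owner in cname_map:
        if owner in targets:
            continue  # intermediate hop, not an entry point
        chain = resolve_chain(owner, cname_map)
        if len(chain) - 1 >= min_layers:
            sources[chain[-1]].add(registered_domain(owner))
    return {t: sorted(d) for t, d in sources.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for terminal, domains in cname_fan_in(SAMPLE_CNAMES).items():
        print(terminal, "<-", ", ".join(domains))
```

High fan-in alone also matches legitimate CDNs and SaaS platforms, so treat the output as a clustering lead to review, not a verdict.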

In January, the Danish Institute for Sports Studies’ Play the Game initiative revealed connections between European football clubs and illegal gambling brands linked to Yabo, targeting China where gambling is prohibited and considered organized crime.

The syndicate’s online crimes are intertwined with offline human trafficking, luring people with promises of high-paying jobs, only to coerce them into supporting sports betting schemes and promoting cryptocurrency scams, as noted by the Asian Racing Federation (ARF).

“Operating in teams of 8-10, some coordinate with commentators and broadcasters of live sports (presumably on pirate streams) to promote live chat groups marketing betting websites during games,” according to an ARF report from October 2023. “Others act as relationship managers to encourage continued betting and as direct customer recruitment agents.”

Infoblox’s investigation into Vigorish Viper began with a single anomalous domain, kb[.]com, a gambling site named KB Sports using Chinese nameservers, the domain for Yabo Sports. The site is geo-blocked in France and parts of Europe but accessible in mainland China and Hong Kong.

“When accessed from China or Hong Kong, users are redirected to another domain,” the researchers noted. “The redirection domain changes over time. Additionally, all ‘right click’ functionality and text selection are disabled, hindering investigation or copying.”

Users visiting the site are served ads promoting financial incentives for regular betting and options to pay via WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay, and NetBank. Bets are placed through agents who manage deposits and communicate with gamblers through encrypted chat apps.

DNS query log analysis revealed that Vigorish Viper’s activities extend beyond China, targeting users worldwide.

Additional defense mechanisms include checks for automated activity and CAPTCHA puzzles to avoid scanning, with customer support managed by trafficked individuals.

Users visiting Vigorish Viper’s sites undergo multiple rounds of fingerprinting checks to verify IP addresses in China before betting.

“Both the DNS and software link Vigorish Viper’s entire operation to Yabo Sports or Yabo Group,” Infoblox said. “Their reach extends to dozens, possibly hundreds, of brands targeting users beyond Southeast Asia.”

“Despite the massive number of domain names, websites, and applications, and their public presence, Vigorish Viper operates openly in the PRC without significant consequences.”
