[Figure: The various TDS and DNS relationships associated with Vigorish Viper and the final landing experience of users]
Chinese organized crime syndicates involved in money laundering and human trafficking across Southeast Asia are spearheading their operations with advanced “technology suites” that span the entire spectrum of the cybercrime supply chain.
Infoblox tracks the owners and operators under the name Vigorish Viper. The company points out that the suite was developed by the Yabo Group (also known as Yabo Sports), which has previously been linked to illegal gambling and pig butchering scams, rebranded as Kaiyun Sports in late 2022, and was later absorbed into another newly established company called Ponymuah.
Marketed in China as “Baowang” (meaning the full package), the suite bundles Domain Name System (DNS) configuration, website hosting, payment mechanisms, advertising, mobile apps and more. It also hosts thousands of domain names and numerous brands on infrastructure tied to Hong Kong and China.
The operation used front companies and white-label brands to secure sponsorship of European football clubs, with the goal of using them as “force multipliers” to promote illegal gambling sites in the region and attract more punters. In July 2023, gambling company logos were reported to have appeared 3,500 times during televised football matches.
Yabo, Ponymuah and associated offshoots such as OB (aka OBGM), DB Gaming, Panda Sports, KM Gaming and Smart King Games (SKG) are all part of Vigorish Viper’s vast network, highlighting the complex and murky ownership of gambling companies and the painstaking measures taken to evade scrutiny.
It is not just English football clubs that have such sponsorship deals: the investigation also found that Indian cricket and kabaddi teams have similar arrangements to promote Vigorish Viper brands.
“Vigorish Viper operates a vast network of over 170,000 active domain names and makes sophisticated use of a DNS CNAME traffic distribution system to evade detection and law enforcement,” Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton and Elena Puga wrote in a detailed report shared with The Hacker News.
“In addition to gambling, Vigorish Viper’s CNAMEs (traffic distribution systems) are also used for illegal streaming and pornographic sites. Some of the domains used for streaming are long-term registered domains that Vigorish Viper acquired after their original registrations expired.”
Burton, vice president of threat intelligence at Infoblox, described the threat actor as “one of the most sophisticated and significant threats to digital security ever discovered.”
[Figure: Overview of Vigorish Viper’s sports sponsorship scheme]
“Vigorish Viper has built a complex infrastructure with a multi-tiered Traffic Distribution System (TDS) using DNS CNAME records and JavaScript, making it extremely difficult to detect,” Burton said in a statement. “These systems are complemented by proprietary encrypted communications and custom-developed applications that make their activity not only difficult to detect, but also extremely durable.”
The TDS uses DNS CNAME records to redirect traffic from one domain to another, a technique previously employed by other DNS-focused threat actors such as Savvy Seahorse. The system can also distinguish between Chinese residential, mobile and commercial IP addresses.
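The pivot an analyst runs against a CNAME-based TDS, as an added example that is not from Infoblox’s report or tooling: every brand domain is a CNAME into a shared intermediate layer, so following each chain to its terminal address and grouping domains by shared hops turns one known brand into the whole set routed through the same system. The records below are constructed, the names under `.example` are placeholders rather than real indicators, and `follow_cname_chain`, `cluster_by_terminal` and `pivot_nodes` are names chosen for this illustration. Passive-DNS data commonly contains CNAME loops and dangling targets, so both are handled rather than followed forever.

```python
from collections import defaultdict

# Constructed passive-DNS style records (hypothetical names, not real indicators):
# owner name -> (record type, target). Three brand domains point into a two-tier
# CNAME layer that finally resolves to one hosting address; the remaining
# entries exercise the unrelated, dangling and looping cases.
RECORDS = {
    "brand-a.example": ("CNAME", "tier1-x.tds.example"),
    "brand-b.example": ("CNAME", "tier1-x.tds.example"),
    "brand-c.example": ("CNAME", "tier1-y.tds.example"),
    "tier1-x.tds.example": ("CNAME", "tier2.tds.example"),
    "tier1-y.tds.example": ("CNAME", "tier2.tds.example"),
    "tier2.tds.example": ("A", "203.0.113.10"),
    "shop.example": ("A", "198.51.100.5"),
    "dangling.example": ("CNAME", "gone.example"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}


def follow_cname_chain(name, records, max_depth=8):
    """Walk CNAMEs from `name`.

    Returns (hops, terminal, status): hops is the ordered list of CNAME targets
    visited, terminal is the final A-record address (or None), and status is
    'ok', 'dangling' (chain ends at an unknown name), 'loop' (a target repeats
    or max_depth is exceeded) or 'nxdomain' (the starting name is unknown).
    """
    hops, seen, current = [], {name}, name
    while True:
        rec = records.get(current)
        if rec is None:
            return hops, None, "dangling" if hops else "nxdomain"
        rtype, target = rec
        if rtype != "CNAME":
            return hops, target, "ok"
        if target in seen or len(hops) >= max_depth:
            return hops, None, "loop"
        seen.add(target)
        hops.append(target)
        current = target


def leaf_names(records):
    """Names that are CNAME sources but never CNAME targets: the public-facing
    brand domains at the edge of the system."""
    targets = {t for rtype, t in records.values() if rtype == "CNAME"}
    return sorted(n for n, (rtype, _) in records.items()
                  if rtype == "CNAME" and n not in targets)


def cluster_by_terminal(records):
    """Group brand domains by the address their chain finally lands on.
    Brands whose chain dangles or loops are grouped under that status instead,
    so they are not silently dropped from the picture."""
    clusters = defaultdict(list)
    for name in leaf_names(records):
        hops, terminal, status = follow_cname_chain(name, records)
        clusters[terminal if status == "ok" else status].append(name)
    return {k: sorted(v) for k, v in clusters.items()}


def pivot_nodes(records, min_fan_in=2):
    """Intermediate names referenced by at least `min_fan_in` other names.
    These shared hops are the pivots: one known brand reveals the hop, and the
    hop reveals every other name routed through it, tier by tier."""
    fan_in = defaultdict(set)
    for name, (rtype, target) in records.items():
        if rtype == "CNAME":
            fan_in[target].add(name)
    return {t: sorted(srcs) for t, srcs in fan_in.items()
            if len(srcs) >= min_fan_in and t in records}


if __name__ == "__main__":
    for brand in leaf_names(RECORDS):
        hops, terminal, status = follow_cname_chain(brand, RECORDS)
        print(f"{brand}: {' -> '.join(hops) or '-'} => {terminal} [{status}]")
    print("clusters:", cluster_by_terminal(RECORDS))
    print("pivots:", pivot_nodes(RECORDS))
```

In practice the `RECORDS` dictionary is replaced by passive-DNS query results, and the pivot is iterated: each newly found hop is fed back in as a seed. The depth of the chain (two tiers here) is itself a signal, since legitimate CDN setups rarely stack several CNAME layers under actor-controlled names.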
Earlier this January, the Danish Sport Institute’s “Play the Game” initiative uncovered links between dozens of European football clubs and illegal gambling brands that could be traced back to Yabo, targeting jurisdictions such as China where gambling is banned and considered organised crime.
The online operation also has an offline dimension, including human trafficking: people are lured with promises of high-paying jobs and coerced into supporting sports betting schemes, pig butchering scams and other cryptocurrency scams, according to the Asian Racing Federation (ARF).
“Operating in teams of eight to 10 people, some of them work with live sports commentators and broadcasters (likely pirate streams) to promote gambling websites in live chat groups during matches,” the ARF report (PDF) published in October 2023 said. “Other members act as relationship managers encouraging customers to continue betting or as agents directly recruiting customers.”
[Figure: The steps a user takes from accessing the site to starting a bet]
Infoblox said its own investigation into Vigorish Viper began with a single anomalous domain, kb(.)com, a gambling site called KB Sports that uses Chinese nameservers. The site also hosts yabo(.)com, the domain name for Yabo Sports.
Notably, while the site is geo-blocked for users in France and other parts of Europe, it is accessible from mainland China and the Special Administrative Regions of Hong Kong and Macau.
“When accessed from any of these areas, the user is redirected to another domain, for example kb830(.)com,” the researchers noted. “The domain changes over time. Additionally, all ‘right-click’ functionality on the site is disabled, as is text selection, preventing exploration and copying of the site.”
Users of the website are regularly shown advertisements promoting financial incentives for betting, along with payment options using WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay and NetBank. Bets are placed through agents, who place bets, manage deposits and communicate with gamblers through a bespoke encrypted chat app.
A deeper investigation into the DNS query logs also revealed evidence that Vigorish Viper’s activity extends beyond China to target users around the world.
Other defense mechanisms built into these sites include regular checks for signs of automated activity, with CAPTCHA puzzles presented to visitors who try to circumvent the checks or contact customer support, which is staffed by real people who have been trafficked to Southeast Asia.
But that’s not all: users who visit Vigorish Viper’s branded domains are subjected to multiple fingerprinting checks to ensure their IP address is located within China and is legitimate before they are allowed to place bets on the site.
“Both the DNS and software link Vigorish Viper’s entire business to Yabo Sports or Yabo Group,” the company said, “which spans dozens, possibly hundreds, of brands and targets users outside of Southeast Asia.”
“Despite its vast number of domain names, websites and associated applications and obvious presence in the public eye, Vigorish Viper operates directly and mysteriously in China and has no significant impact.”