A major Chinese crime syndicate is hiding a network of illegal gambling platforms behind a suite of stealth-oriented technologies and shell companies with relationships throughout top-tier European soccer.
Some have argued that Yabo (aka Yabo Sports, Yabo Group) and its many constituent brands comprise “the biggest illegal betting operation targeting Greater China.” You probably haven’t heard of it before, but you may have come across it unknowingly in passing, hundreds of times, if you watch European football, aka soccer in US parlance. The operation enjoys multimillion-dollar partnerships with some of the world’s biggest clubs, like Manchester United and Bayern Munich.
Less visible to the public are Yabo’s modern-day slaves, forced to staff the debt-fueled pyramid scheme underpinning its gambling empire.
It all works thanks to a deep and diverse suite of technologies designed to conceal its operations from anyone who doesn’t match the profile of its intended audience, its future victims. In a significant new report, Infoblox has named the amorphous entity that designed, developed, and maintains this smoke screen “Vigorish Viper.”
“Often, as a culture and as an industry, we separate technical stories from real life,” Dr. Renée Burton, head of threat intelligence at Infoblox, says. “But these are monumental human crimes that are occurring [in] human trafficking and money laundering. It’s the most interesting research I’ve ever been involved with.”
Dirty Money in Sport
World football has a history of corruption in its highest institutions. Controversial governments own many of the highest-profile clubs in the top European leagues and win bids to host World Cups. Gambling ads are so ubiquitous that players banned for using such platforms still end up having to advertise them on their kits while playing.
Image: Premier League star striker Ivan Toney, who served an eight-month ban for breaching English Football Association (FA) betting regulations, advertising a betting company. Source: MB Media Solutions via Alamy Stock Photo
In 2019, Manchester United — the world’s second-most valuable football club, according to Forbes — penned a sponsorship deal with Yabo Sports thought to be worth up to £3 million ($3.6 million) per year. Though the betting company was at that point just one year old and had no social media presence to speak of, it also signed with the soon-to-be World Cup winner Argentina National Football Team, as well as Leicester City (England), Bayern Munich and Hertha BSC (Germany), AS Monaco (France), the Copa América tournament, Italy’s top league, Serie A, and later AC Milan (Italy).
On paper, Yabo Sports shut down in 2022 amid media scrutiny. But in fact it passed on through other brands like Kaiyun Sports. Kaiyun’s logo has featured prominently on the sleeves of Aston Villa and Crystal Palace kits, or uniforms, in recent seasons, and the front of Nottingham Forest’s (all England). Kaiyun reportedly also has a partnership in place with the world’s biggest club, Real Madrid.
There are many other companies that cannot be definitively tied to Yabo or Kaiyun, but share Vigorish Viper technology and, according to Infoblox, operate like branches of a single franchise, such as Fun88, shirt sponsor for Saudi Arabia-owned Newcastle United.
As Burton tells it, “Essentially, they use a ton of shell companies in multiple places around the world. And then they’ll come up through these white label providers in the UK, like TGP Europe, which was linked by journalists to [gambling organization] Suncity, which has been accused by the Chinese government of money laundering. So it obfuscates those [groups] which are already obfuscated. It’s just this ridiculous chain of false identities.”
The partnerships that Yabo, its offspring, and Vigorish Viper’s other related brands enjoy afford them an air of legitimacy, and attract fans from China and around Southeast Asia to their sites.
How Yabo Turns Gamblers into Slaves
“So it draws people [into the sites],” Burton explains, “and they’re browsing around a little bit. You’ve got your Manchester United logo. Then it starts popping up: these lures for you to come gamble.” The sites include images of scantily dressed women and live chats with purported customer service agents. If a user stays idle for a period of time, the site might offer financial incentives, like a sliding scale of up to $1,500 free for any user who deposits up to $70,000 in a week.
“It draws you in further, and eventually you’re losing. Now you’re in debt, and you move into servitude. It’s essentially a pyramid scheme: you have to go recruit people to gamble, then you get a portion of those people’s losses to go against your debt,” she says.
Online betting may not be the only way Yabo recruits its employees. A 2023 report from the Asian Racing Federation (ARF) Council on Anti-Illegal Betting and Related Financial Crime described how Yabo betting sites are also staffed by physically imprisoned individuals:
The walled-off complexes have apartments, offices, supermarkets and other facilities, and are guarded by armed security whose job is to keep people in, according to reports in Chinese state media and elsewhere.
[. . .]
According to victim testimony, staff must work 12 hours a day, six days a week and cannot leave without a ransom. Staff are sold between operators, with ransoms increasing on each occasion. Videos and photographs online in 2021 showed people being physically threatened, beaten with sticks, and struck with electric batons.
The report notes that the same indentured workers behind Yabo betting are also forced to promote pig butchering and crypto scams.
Vigorish Viper’s Stealthy Suite
How does Yabo ensure, in all of this, that it doesn’t end up attracting the wrong kind of visitor to its sites? Someone who isn’t in Southeast Asia, won’t gamble, or, worse, works in law enforcement?
This is where Vigorish Viper comes in.
Viper maintains multiple DNS- and HTTP-based CNAME-organized traffic distribution systems (TDSs). These TDSs are made up of at least 170,000 constantly evolving domains, including some phishing domains, but mostly ones generated using domain generation algorithms (DGAs). Like a series of shifting gates — or, perhaps, a hall of mirrors — these TDSs serve two primary functions.
First, like a cyber parallel to Yabo’s many shell companies and brands, the ping-ponging domains conceal the true nature of the underlying infrastructure from security professionals.
This is just one of many anti-analysis techniques used by Vigorish Viper, which also extensively employs control flow and code obfuscation, encryption, and uncommon and varied ports for TCP access, and blocks right-clicking or selecting text on its sites.
The TDSs also serve as a filter, extensively profiling visitors and redirecting them as needed. This process involves gathering data about the visitor’s device and browser. It integrates geofencing, ensuring that Yabo gambling sites are only accessible from targeted regions like China, Hong Kong, and Macau. In fact, it can even filter IP addresses within China based on whether they’re mobile, residential, or commercial in nature. It can also detect the use of virtual private networks (VPNs).
Even those who make it through without reaching an access denial page aren’t totally in the clear. Vigorish Viper sites are all protected by Web application firewalls (WAFs) and will monitor user activity to determine whether it seems automated, triggering a captcha puzzle or outright disconnecting the server if so.
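For defenders, the CNAME-organized TDS design described above leaves a trace in DNS data: many unrelated, random-looking names resolving through the same CNAME target. The sketch below is an added example, not code from Infoblox or the article; the domain names are constructed, and the thresholds and the use of label entropy as a stand-in for DGA detection are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS sample: (queried name, CNAME target). All names are invented.
SAMPLE_RECORDS = [
    ("xk3v9qzt7b.example", "gate.tds.example"),
    ("p0wq8ryd2m.example", "gate.tds.example"),
    ("h7jc4nzu1e.example", "gate.tds.example"),
    ("b9tf6gxk3a.example", "gate.tds.example"),
    ("m2dv5ywq8s.example", "gate.tds.example"),
    ("XK3V9QZT7B.example.", "GATE.tds.example."),  # same pair, different case/trailing dot
    ("shop.example", "edge.cdn.example"),
    ("blog.example", "edge.cdn.example"),
    ("static.example", "edge.cdn.example"),
    ("mail.example", "edge.cdn.example"),
]

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def label_entropy(name):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = normalize(name).split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def cname_clusters(records):
    """Group queried names by the CNAME target they resolve through."""
    clusters = defaultdict(set)
    for name, target in records:
        clusters[normalize(target)].add(normalize(name))
    return clusters

def suspicious_targets(records, min_domains=4, min_entropy=3.0, min_ratio=0.75):
    """Flag targets fronted by many names whose labels look machine-generated."""
    flagged = {}
    for target, names in cname_clusters(records).items():
        if len(names) < min_domains:
            continue  # too few names to call it a distribution hub
        random_like = [n for n in names if label_entropy(n) >= min_entropy]
        if len(random_like) / len(names) >= min_ratio:
            flagged[target] = sorted(names)
    return flagged

if __name__ == "__main__":
    for target, names in suspicious_targets(SAMPLE_RECORDS).items():
        print(target, len(names), "fronting names")
```

The entropy filter is what keeps the shared CDN target in the sample from being flagged: it also fronts four names, but none of them looks machine-generated.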
Breaching this wall of obfuscation technology and, in particular, the criminal syndicate behind it, will require the cooperation of cyber experts, regulators, and international law enforcement, particularly in Britain and China.
“This traffic is absolutely 100% coming back and forth through the Great Firewall, and they’re not blocking it,” Burton laments. She adds that, from a sporting perspective, “The cleverness of the way in which a criminal organization can leverage these football clubs to do crime is crazy. It’s just the nuttiest thing. We need to address why are the sports teams going into these deals in the first place. There should be regulation that prevents that.”
Source: www.darkreading.com