The evasive group has interests in illegal gambling activities in Europe, and human trafficking and money laundering operations in the region
A group of DNS threat researchers has produced a report naming a Chinese organized crime syndicate purportedly involved in money laundering, human trafficking operations across Asia, and the global US$1.7tn illegal sports gambling economy.
The syndicate has created a complex infrastructure with multiple layers of traffic distribution systems using DNS CNAME records and JavaScript, which makes it incredibly difficult to detect. These systems are complemented by their own encrypted communications and custom-developed applications, making their activities not only elusive but also remarkably resilient, according to the report.
Named “Vigorish Viper” in reference to the gambling world’s exorbitant fees levied on unlucky bettors, the China-linked syndicate has the following characteristics:
- Sophisticated tech suite and elusive DNS tactics: The group uses a comprehensive cybercrime supply chain, encompassing software, DNS configurations, website hosting, payment systems, and mobile apps. These systems span a network of over 170,000 active domain names, evading detection and law enforcement through sophisticated use of DNS CNAME traffic distribution systems.
- Criminal connections: The group’s technology was developed by the Yabo Group (also known as Yabo Sports or Yabo) prior to the latter’s reported dissolution in 2022. Yabo has been linked to controversy in Europe surrounding the use of certain football club sponsorships, including several in the English Premier League, to illegally advertise unregulated gambling sites in Asia. The Asian Racing Federation Council on Anti-Illegal Betting and Related Financial Crime has identified Yabo as “possibly the biggest illegal gambling operation targeting Greater China” and directly tied it to practices of modern slavery in which victims are forced to support gambling services.
- European sponsorship controversy: The network is implicated in a scheme that involves securing European football club sponsorships on screens during games (or on player jerseys, for example) to advertise illegal gambling sites in South-east Asia — exploiting the clubs’ popularity to attract bettors. Tens of seemingly unrelated gambling brands that advertise by way of sponsorship deals with certain European sports teams use Vigorish Viper technology. While these brands appear distinct, they operate more like the branches of a franchise, further highlighting the importance of a holistic view on such threats that only DNS brings to the table.
According to Dr Renée Burton, Vice President, Infoblox Threat Intel, the firm that published its research: “Vigorish Viper represents one of the most sophisticated and important threats to digital security that we have discovered to date,” noting that the methods used can link physical crimes of human trafficking, money laundering, and fraud to online crime in a way that has not been attempted before.
Burton added: “DNS analytics led to the discovery of Vigorish Viper and constitutes the best mechanism for tracking the actor’s infrastructure. Stopping Vigorish Viper is also most effective via DNS because the actor changes rapidly.”
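The CNAME-based traffic distribution described above can be tracked from passive DNS data by grouping apparently unrelated brand domains under the final CNAME target they share. The sketch below is an added example, not code from the report: every domain name is constructed, and the thresholds (`min_domains`, `min_layers`) are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS CNAME observations (owner name -> target); all names are made up.
CNAME_RECORDS = {
    "brand-a.example": "a1.tds-layer1.example",
    "brand-b.example": "b7.tds-layer1.example",
    "brand-c.example": "c3.tds-layer1.example",
    "a1.tds-layer1.example": "pool.tds-layer2.example",
    "b7.tds-layer1.example": "pool.tds-layer2.example",
    "c3.tds-layer1.example": "pool.tds-layer2.example",
    "shop.example": "cdn.hosting.example",      # ordinary single-hop CNAME
    "loop-a.example": "loop-b.example",         # misconfigured CNAME loop
    "loop-b.example": "loop-a.example",
}

def resolve_chain(name, records, max_depth=8):
    """Follow CNAMEs from name; return the hops, stopping on a loop or at max_depth."""
    chain, seen = [name], {name}
    while chain[-1] in records and len(chain) <= max_depth:
        nxt = records[chain[-1]].lower().rstrip(".")
        if nxt in seen:          # loop detected, stop before revisiting a name
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def cluster_by_terminal(records, min_domains=3, min_layers=2):
    """Group entry domains by final CNAME target; keep clusters that look layered."""
    targets = {t.lower().rstrip(".") for t in records.values()}
    entries = [n for n in records if n not in targets]  # names no other record points to
    clusters = defaultdict(list)
    for name in entries:
        chain = resolve_chain(name, records)
        if len(chain) - 1 >= min_layers:     # number of CNAME hops (layers)
            clusters[chain[-1]].append(name)
    return {t: sorted(d) for t, d in clusters.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for target, domains in cluster_by_terminal(CNAME_RECORDS).items():
        print(f"{target}: {len(domains)} entry domains -> {domains}")
```

Legitimate CDNs and hosting platforms also concentrate many customers behind shared CNAME targets, so a cluster is a lead for analyst review, not a verdict.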