
Gambling Network Exposed as Major Criminal Front

Summary

– A massive, 14-year-old infrastructure running fraudulent gambling websites is likely a dual operation by a nation-state-sponsored group targeting US and European organizations.
– The attackers compromise poorly configured WordPress sites and vulnerable PHP web apps to install a backdoor, using hijacked servers to host gambling content.
– The gambling sites specifically target Indonesian-speaking visitors, exploiting the country’s prohibition on gambling, and primarily use domains from Cloudflare and hijacked subdomains from major cloud services.
– Security researchers now believe the operation is far larger and more complex than previously known, serving both financial and espionage motives against sectors like manufacturing, healthcare, and government.
– The scale and longevity of the operation, involving hundreds of thousands of domains and an estimated annual cost of up to $17 million, support the assessment of nation-state involvement.

A sophisticated criminal network operating for over a decade has been unmasked, revealing a dual-purpose operation that goes far beyond simple gambling fraud. Security researchers now believe this sprawling infrastructure, which has been fleecing victims through fake gambling sites for 14 years, is likely a front for a nation-state-sponsored group targeting government and private-sector organizations across the United States and Europe. This revelation shifts the understanding of the threat from a purely financial scam to a potentially state-backed espionage campaign.

While earlier reports from firms like Sucuri and Imperva detailed how the operation compromises poorly configured WordPress sites and vulnerable PHP web applications to install backdoors, new analysis shows this is merely the tip of the iceberg. The attackers use these compromised servers to host a vast network of gambling websites, all specifically designed to lure Indonesian-speaking visitors. With gambling illegal in Indonesia, the illicit sites attract a captive audience seeking such services. The technical footprint is massive, with most of the 236,433 attacker-owned domains routed through Cloudflare, while 1,481 hijacked subdomains have been found on platforms like Amazon Web Services, Azure, and GitHub.

According to researchers at security firm Malanta, this gambling facade conceals a far more sinister and complex malicious network. The scale and longevity of the operation suggest objectives that extend well beyond profit. The group is likely leveraging this extensive infrastructure to support hacking activities against critical sectors, including manufacturing, transportation, healthcare, government bodies, and educational institutions. The sheer investment required to maintain such a system points to significant backing.

The evidence lies in the staggering resources dedicated to this project over 14 years. The infrastructure encompasses approximately 328,000 separate domains. This total includes roughly 236,000 domains purchased by the attackers and another 90,000 domains they seized by hijacking legitimate websites. The network also incorporates nearly 1,500 subdomains stolen from reputable organizations. Malanta estimates the annual operating cost for maintaining this digital empire falls somewhere between $725,000 and $17 million, a financial outlay that strongly implies support beyond a typical criminal enterprise. This level of sustained investment and operational security is a hallmark of advanced, state-aligned threat actors.

(Source: Ars Technica)
