
Gambling Network Secretly Doubles as Cybercrime Infrastructure

Originally published on: December 4, 2025
Summary

– A vast, 14-year-old network of over 328,000 domains is used for illegal gambling, malware distribution, and providing threat actors with command-and-control services in Indonesia.
– The operation has evolved from simple gambling to include SEO manipulation, mobile malware, website hacking, and the hijacking of government and enterprise subdomains.
– Attackers use hijacked government subdomains to deploy covert reverse proxies, making malicious traffic appear as normal, encrypted visits to legitimate sites.
– The group’s scale, longevity, and estimated annual cost of hundreds of thousands to millions of dollars indicate a mature operation beyond typical cybercrime.
– While classified as an advanced persistent threat, there is no current evidence linking the group to a specific government entity, though it likely has Indonesian-speaking operatives.

A sophisticated and long-running cybercrime operation has been uncovered, revealing a network that masquerades as an illegal online gambling service while secretly functioning as a full-scale infrastructure for malware distribution and command-and-control activities. Security researchers have traced this operation, which primarily targets Indonesian citizens, back over fourteen years, uncovering a vast web of malicious domains and compromised systems.

The infrastructure is both extensive and deeply entrenched. According to the research, it currently encompasses over 328,000 domains. This figure includes a mix of purchased domains, a staggering number of hacked websites, and even hijacked subdomains belonging to legitimate organizations, including government entities. Beyond the domains, the operation is linked to thousands of malicious Android applications, dozens of compromised GitHub accounts hosting attack tools, and hundreds of deceptive domain lookalikes designed to mimic popular brands for future attacks.

This criminal enterprise began around 2011, initially focusing on facilitating gambling. Over more than a decade, it has dramatically evolved and expanded its capabilities. The group now engages in search engine optimization manipulation, distributes mobile malware, systematically hacks websites, and hijacks domains and subdomains to support its goals. A common tactic involves using social media and messaging platforms to advertise gambling sites and lure users into downloading fraudulent Android apps. These applications may show a functional gambling interface, but secretly they can download additional malicious code, access device storage, and communicate with attacker-controlled servers.

A particularly alarming aspect of their method is the weaponization of trusted web properties. The attackers exploit vulnerabilities in common web components, expired cloud resources, and lapsed security certificates to hijack subdomains. On some, they simply host fake content. On more sensitive targets, like government and corporate subdomains, they deploy sophisticated reverse proxies. These proxies make malicious traffic appear as normal, encrypted visits to a legitimate government website, making detection exceptionally difficult for security tools. In some cases, because subdomains share login session cookies, hijacking a single subdomain can grant attackers direct access to active user sessions, completely bypassing passwords and multi-factor authentication.
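The session-cookie point above rests on how browsers scope cookies: a cookie set with a Domain attribute is sent to every subdomain of that domain, while a cookie without one is host-only. The following added example (not from the researchers or the original article; host names are constructed placeholders) implements the RFC 6265 matching rule to show the difference, and includes a small audit helper a defender can run over Set-Cookie headers to flag session cookies whose scope would reach a hijacked sibling subdomain.

```python
# Added example: RFC 6265 cookie domain matching, plus an audit of Set-Cookie
# headers for session cookies scoped to a whole domain. Hosts are placeholders.
from http.cookies import SimpleCookie
from typing import List, Optional


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(request_host: str, origin_host: str, domain_attr: Optional[str]) -> bool:
    """Would a cookie set by origin_host be attached to a request for request_host?

    No Domain attribute  -> host-only cookie, exact host match only (RFC 6265 s5.3).
    Domain attribute set -> sent to that domain and every subdomain beneath it,
    which is why a hijacked subdomain can receive a portal's session cookie.
    """
    if domain_attr is None:
        return request_host.lower() == origin_host.lower()
    return domain_match(request_host, domain_attr)


def audit_set_cookie(header: str, origin_host: str) -> List[str]:
    """Flag cookies in a Set-Cookie header whose scope or flags are too loose."""
    findings = []
    jar = SimpleCookie()
    jar.load(header)  # parses one Set-Cookie line into name -> Morsel
    for name, morsel in jar.items():
        dom = morsel["domain"]  # "" when the attribute is absent
        if dom:
            findings.append(
                f"{name}: Domain={dom} reaches every subdomain of {dom.strip('.')}; "
                f"omit Domain (or use the __Host- prefix) for a host-only cookie"
            )
        if name.startswith("__Host-") and (dom or morsel["path"] != "/" or not morsel["secure"]):
            findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
    return findings
```

A cookie set as `session=...; Domain=example.gov` by `portal.example.gov` is therefore delivered to `hijacked.example.gov` as well, whereas the same cookie without a Domain attribute stays with the portal host.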

The scale and sophistication suggest this is no ordinary cybercriminal group. Maintaining such a vast network, involving domain registrations, certificate management, malware development, and ongoing exploitation campaigns, is estimated to cost hundreds of thousands to millions of dollars annually. The illegal gambling likely serves a dual purpose: generating revenue and providing a plausible cover for the broader malicious infrastructure. The covert proxies on hijacked government domains are perfectly positioned to relay command-and-control instructions or exfiltrate stolen data under the guise of legitimate traffic.

While the group displays the hallmarks of an advanced persistent threat due to its longevity, funding, and tradecraft, there is no current evidence linking it to a specific nation-state. Researchers assess that the operators are likely Indonesian or include Indonesian-speaking members, given the clear focus on that demographic. The discovery underscores a dangerous blurring of lines between financially motivated cybercrime and highly organized, state-level cyber operations, presenting a significant and persistent threat to digital security.

(Source: HelpNet Security)
