Researchers with cloud security firm Infoblox have uncovered a suite of technologies used by a major Chinese crime syndicate whose tentacles reach deep into the trillion-dollar illegal online gambling environment and the high-profile world of Europe’s top soccer clubs.

In a report Monday, the researchers wrote that the bad actors behind the technology suite – who they’ve dubbed Vigorish Viper – offer a full stack of capabilities that include software, a Domain Name System (DNS) network, website hosting, mobile apps, payment systems, secure communications, branding services, and advertising, as well as an anonymous cryptocurrency payment tool that is embedded in all of their applications.

It is the technology anchor for a massive, diverse, and far-reaching criminal organization that is targeting the $1.7 trillion illegal sports gambling environment, with a particular focus on citizens in China, which has a thriving $850 billion underground gambling world even though gambling is essentially illegal throughout the country.

In total, Vigorish Viper operates a huge network of more than 170,000 domain names and evades detection and law enforcement agencies through its use of DNS CNAME traffic distribution systems, according to Infoblox. A DNS CNAME record provides an alias for another domain, according to Cloudflare.

“Vigorish Viper represents one of the most sophisticated and important threats to digital security that we have discovered to date,” Renée Burton, vice president of Infoblox Threat Intel, said in a statement. “Vigorish Viper created a complex infrastructure with multiple layers of traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, which makes it incredibly difficult to detect. These systems are complemented by their own encrypted communications and custom-developed applications, making their activities not only elusive but also remarkably resilient.”

The use of DNS CNAME records and JavaScript enables the bad actors to create a “series of gates to protect their systems from unwanted scrutiny,” the researchers wrote in a blog post. “They extensively fingerprint the users, including continuously monitoring mouse movements and evaluating IP addresses. There are multiple versions of the software, and the most advanced version is reserved for the Chinese brands.”

Links to Yabo

According to the report, the technology operation has been around since 2018 and was discovered by Infoblox last year. The researchers are highly confident that the Vigorish Viper technology operation was created by Yabo – also known as Yabo Sports and the Yabo Group – a shadowy Chinese organization with ties not only to online gambling but also to other illegal activities, including modern human slavery, where people, mostly Chinese residents, are held in forced labor camps along the Cambodian-Laos border, the Infoblox researchers wrote.

There they are forced to work for the gambling operations and run “pig butchering” scams, online frauds in which the bad actor creates a fake online persona to lure people into fake investment schemes. They also provide customer support for Yabo’s websites and those of other betting brands, all of which use the Vigorish Viper technologies.

“While these brands appear distinct, they operate more like the branches of a franchise,” the researchers wrote in a blog post.

Under increasing pressure by journalists and authorities in Europe, Yabo dissolved in 2022, “but the remnants of the company were essentially laundered into a series of new entities, including Kaiyun Sports, KM Gaming, Ponymuah, and SKG,” the researchers wrote. “While at face value these new companies appear independent, evidence shows they are not. Together the newly established companies make up a supply chain for Vigorish Viper to continue operations unabated and under less scrutiny.”

Using European Soccer Teams

Vigorish Viper also is deeply involved in what the researchers wrote is an ongoing controversy in European soccer. Chinese organized crime groups use the highly popular sports teams to extend the reach of their illegal gambling operations. They leverage shell companies, fake identities, and credentials to create brands that are typically represented by a “white label intermediary” to create a local presence and establish credibility.

Players wear their logos on their jerseys, or the logos are displayed around the stadium. The games are broadcast in China, with the goal of getting citizens there to visit the website and bet on the games.

“This sponsorship charade has been the subject of robust reporting by investigative journalists and watchdogs over the past several years,” the researchers wrote. “Vigorish Viper technology connects most of these stories together and places Yabo at the heart of the controversy.”

The operations involving the soccer club sponsorships are ongoing, though the UK’s Gambling Commission last year sanctioned a white label provider, TGP Europe, suspended 14 brands and their UK-related domain names. Eleven of those brands were linked to Vigorish Viper, including Yabo. Despite the UK’s actions, the various brands have new sponsorship deals with teams in France, Spain, and other European countries, and TGP Europe is still the white label provider of five of Vigorish Viper’s brands.

In addition, at least eight top teams in England have such deals with Vigorish Viper brands, they wrote.

“This work is particularly important because it connects the physical crimes of human trafficking, money laundering, and fraud, to online crime in a way that hasn’t been done before,” Burton said. “We can now see that organized crime is executing a cunning strategy that uses unwitting European clubs to fuel their criminal cycle.”