COMPANY NEWS: Infoblox, a leader in cloud networking and security services, today announced a significant breakthrough in cybercrime investigation with the unmasking of a threat actor that the company has named “Vigorish Viper.” Vigorish Viper is a Chinese organised crime syndicate that utilizes a sophisticated technology suite to take advantage of the global US$2.5 trillion illegal sports gambling economy, with links to money laundering and human trafficking operations across Asia. This Infoblox discovery marks a significant milestone in the ongoing battle against global cybercrime using DNS intelligence.

“Vigorish Viper represents one of the most sophisticated and important threats to digital security that we have discovered to date,” said Infoblox Threat Intel vice president Dr. Renée Burton. “Infoblox Threat Intel used cutting-edge DNS research to discover the technologies underpinning the syndicate. Vigorish Viper created a complex infrastructure with multiple layers of traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, which makes it incredibly difficult to detect. These systems are complemented by their own encrypted communications and custom-developed applications, making their activities not only elusive but also remarkably resilient.”

Vigorish Viper is a name derived from the gambling world’s exorbitant fees levied on unlucky bettors. The term vigorish, or vig for short, is used by organised crime syndicates to refer to these fees. Viper refers to the complex combination of TDSs and convoluted brand relationships that the actor employs to route users to content. Vigorish Viper leverages sponsorship of popular European sports teams to advertise for their illegal gambling sites, which primarily target Greater China.

Dr. Renée Burton added, “This work is particularly important because it connects the physical crimes of human trafficking, money laundering, and fraud, to online crime in a way that hasn’t been done before. We can now see that organised crime is executing a cunning strategy that uses unwitting European clubs to fuel their criminal cycle.”

The relationship between Vigorish Viper, kb[.]com, and known sanctioned entities

Source: Infoblox – “Vigorish Viper: A Venomous Bet”

The research report from Infoblox details the discovery of Vigorish Viper, how it operates from a technical perspective, its ties to organized crime, and its role in the European football sponsorship scandals. Key findings include:

• Sophisticated Tech Suite: Vigorish Viper’s technology suite is a comprehensive cybercrime supply chain, encompassing software, DNS configurations, website hosting, payment systems, and mobile apps.
• Criminal Connections: The technology was developed by the notorious Yabo Group (also known as Yabo Sports or Yabo) prior to its reported dissolution in 2022. The Yabo Group has been linked to controversy in Europe surrounding the use of certain football club sponsorships, including several in the English Premier League such as Manchester United, to illegally advertise unregulated gambling sites in Asia. The Asian Racing Federation (ARF) Council on Anti-Illegal Betting and Related Financial Crime identified Yabo as “possibly the biggest illegal gambling operation targeting Greater China” and directly tied it to practices of modern slavery in which victims are forced to support gambling services.
• Elusive Operations & DNS Knowledge: Vigorish Viper operates a vast network of over 170,000 active domain names, evading detection and law enforcement through its sophisticated use of DNS CNAME traffic distribution systems.
• European Sponsorship Controversy: The network is implicated in a scheme that involves securing European football club sponsorships on screens during games, or on player jerseys for example, to advertise illegal gambling sites in Southeast Asia, exploiting the clubs’ popularity to attract bettors.
• Interconnected Threats: Tens of seemingly unrelated gambling brands that advertise by way of sponsorship deals with certain European sports teams use Vigorish Viper technology. While these brands appear distinct, they operate more like the branches of a franchise, further highlighting the importance of a holistic view on such threats that only DNS brings to the table.

“DNS analytics led to the discovery of Vigorish Viper and constitutes the best mechanism for tracking the actor’s infrastructure. Stopping Vigorish Viper is also most effective via DNS because the actor changes rapidly,” added Burton.

An overview of the Vigorish Viper sports sponsorship scheme

Source: Infoblox – “Vigorish Viper: A Venomous Bet”

Adding to the gravity of the situation, despite gambling being almost completely illegal in Greater China, it is estimated that citizens in the region bet nearly $1.2 trillion annually. This staggering figure underscores the scale and complexity of Vigorish Viper’s operations, with significant implications for global cybercrime.

Details on this threat actor can be found in Infoblox Threat Intel’s latest research report here.

“Infoblox remains committed to providing actionable intelligence to expose threat actors leveraging DNS for their operations,” Burton emphasised. “Our ongoing tracking and exposure of threat actors demonstrates the critical role DNS plays in combating sophisticated cyber threats, and underscores the industry’s need for continued innovation in DNS and cybersecurity technologies.”

Under the leadership of Dr. Renée Burton, Infoblox Threat Intel has become a proud originator of DNS-based threat intelligence. Infoblox Threat Intel’s researchers use a unique approach that combines a profound understanding of DNS data, data science, machine learning, artificial intelligence, and reverse engineering. This potent mix of skills and expertise enables Infoblox Threat Intel to generate robust threat intelligence, fortifying Infoblox’s Threat Defence solutions. Learn more about Infoblox Threat Intel and explore how its research is shaping the future of cybersecurity by visiting here.

About Infoblox
Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organisation runs faster and stops threats earlier. Visit infoblox.com, or follow us on LinkedIn or X.