Full Report
A recent Bellingcat investigation revealed that a controversial Russian-founded gambling platform takes bets on thousands of amateur sports events that are live-streamed to its website from secret locations. We examined hundreds of videos broadcast to 1xBet – an official partner of FC Barcelona and Paris Saint-Germain FC – and geolocated six venues in three countries. […] The post Bellingcat Discord Members Geolocate New 1xBet Stream Sites appeared first on bellingcat.
Analysis Summary
# Incident Report: Unauthorized Live-Streaming and Gambling on Amateur Sports via 1xBet Platform
## Executive Summary
This "incident" relates to an investigative disclosure by Bellingcat revealing that the controversial, Russian-founded gambling platform 1xBet was hosting live streams and accepting bets on thousands of amateur and non-compliant sports events globally. The compromise appears to be primarily related to broadcasting rights and venue access rather than a traditional cyber intrusion against the platform itself. The investigation utilized open-source intelligence (OSINT) techniques, including reverse image searching and community collaboration, to geolocate multiple unauthorized venues across Russia, Belarus, Ukraine, and India.
## Incident Details
- **Discovery Date:** October 21, 2024 (Date of Bellingcat investigation publication)
- **Incident Date:** Ongoing streams occurring prior to and during the investigation period.
- **Affected Organization:** 1xBet (Gambling platform), various amateur sports leagues/venues.
- **Sector:** Gambling, Sports Betting.
- **Geography:** Russia, Belarus, Ukraine, India.
## Timeline of Events
### Initial Access (To Venues/Content Providers)
- **Date/Time:** Ongoing, prior to investigation.
- **Vector:** Allegedly through arrangement with third-party streaming providers who broadcast from various amateur venues.
- **Details:** Content from numerous amateur sports leagues (e.g., MLS+, Short Football D1, Indoor Cricket) was broadcast to the 1xBet website.
### Lateral Movement (Investigation Focus)
- **Details:** Bellingcat and community volunteers used techniques like reverse image searching (Yandex, Google Maps) and social media profiling (VK, Instagram) to move from identifying stream content to confirming specific physical venues (e.g., Football Arena Nagatino in Moscow, Box 365 in Minsk). Shadow analysis was used to confirm a location in Gujarat, India.
### Data Exfiltration/Impact
- **Impact:** Unauthorized live-streaming and global betting on amateur sports events; potential breach of local copyright/broadcasting laws; reputational damage to associated partners (FC Barcelona, PSG FC).
### Detection & Response
- **Detection:** Investigative journalism/OSINT inquiry by Bellingcat and their community, beginning with examination of hundreds of 1xBet video streams.
- **Response Actions:** 1xBet issued a public statement via its partner Sigma, claiming compliance, requesting removal of non-compliant third-party streams, and reminding providers of their obligations.
## Attack Methodology
The methodology here describes the investigation's approach to mapping the compromised/unauthorized content distribution, rather than a typical attacker kill chain against 1xBet's IT systems.
- **Initial Access (Content Source):** Arrangement with third-party streaming providers at minor sporting venues.
- **Persistence:** Continuous, around-the-clock streaming (evidenced by sunrise/sunset observation in India streams).
- **Privilege Escalation:** N/A (Not a cyber intrusion).
- **Defense Evasion:** Venues either denied knowledge of 1xBet or did not respond to inquiries.
- **Credential Access:** N/A.
- **Discovery (Investigation):** Reverse image search, geolocation, analysis of stream markers (banners, roof beams, pitch markings).
- **Lateral Movement (Investigation):** Tracing links between initial geolocated sites and other associated venues/leagues using venue social media profiles.
- **Collection:** Recording and analyzing stream footage for visual cues (e.g., shadows for time/location confirmation).
- **Exfiltration:** Unauthorized streaming of amateur sports footage globally onto the 1xBet betting platform.
- **Impact:** Violation of operating laws, potential copyright infringement.
## Impact Assessment
- **Financial:** Not quantified, but involves significant betting volume and potential undisclosed licensing costs.
- **Data Breach:** No specific customer PII breach detected; focus is on unauthorized broadcast material.
- **Operational:** Minimal direct operational disruption to 1xBet systems reported, though reputational risk is high due to associations with major football clubs.
- **Reputational:** Significant negative exposure highlighting engagement with untraceable/unauthorized amateur leagues, particularly those in regions linked to the company's founders (Bryansk, Russia).
## Indicators of Compromise
*Note: These are indicators of the unauthorized broadcast content, not system compromise.*
- **Network Indicators:** N/A (Requires external context of 1xBet stream URLs/IP ranges, which are not provided in the source text).
- **File Indicators:** Specific identifiable streaming video footage associated with named amateur leagues (e.g., MLS+, Short Football D1).
- **Behavioral Indicators:** Continuous, 24/7 broadcasting from small, seemingly unauthorized indoor/outdoor sporting facilities.
## Response Actions
- **Containment:** 1xBet stated it requested the removal of streams provided by non-compliant third parties.
- **Eradication:** N/A (Investigation only; remediation depends on venue/provider cooperation).
- **Recovery:** N/A.
## Lessons Learned
- Thorough vetting of third-party streaming providers and content sourcing is critical, especially for globally recognized brands associated with the content.
- OSINT capabilities, particularly community collaboration, can rapidly uncover widespread, geographically dispersed operational irregularities.
- Shadow analysis, combined with geographical knowledge, is a viable technique for verifying time-sensitive imagery captured outdoors.
## Recommendations
- Implement enhanced third-party content auditing policies that directly tie streaming partners to verifiable usage rights for every broadcast event.
- Review and strengthen contractual obligations with all streaming providers regarding compliance with local broadcasting and copyright laws worldwide.
- Given the company's Russian origins, apply increased scrutiny to affiliated operations originating from locations identified as key hubs (e.g., Bryansk).