Full Report
This article is the result of a collaboration with Josimar. You can find Josimar’s corresponding piece here. One of the world’s most controversial bookmakers takes bets on thousands of amateur sports events live-streamed to its website. The locations of the games are a secret. Bellingcat has geolocated sites in three countries where these matches are […] The post Stream Teams: Battery Farming Sport For Bets appeared first on bellingcat.
Analysis Summary
This appears to be an investigative report on the operating practices of a controversial bookmaker, 1xBet, rather than a report on a traditional cyber security incident involving a data breach or network intrusion (e.g., hacking, malware deployment). Therefore, the "Incident" in this context refers to the **unregulated and potentially illegal nature of the company’s operations, including questionable labor practices and compliance violations.**
I will structure the summary by interpreting the **"incident" as the exposure of the organization's controversial activities via investigative journalism.**
# Incident Report: Exposure of Controversial Operations by 1xBet
## Executive Summary
Investigative journalism uncovered that the globally controversial bookmaker 1xBet (licensed in Curaçao) is operating massive, undisclosed, live-streamed amateur sports tournaments across Russia, Ukraine, and Belarus. The operation features relentless, back-to-back matches, raises concerns about fixed games, and has used players as young as 14. The exposure highlights the operator’s scale, its disregard for regulations, and its history of legal issues despite securing high-profile sponsorships.
## Incident Details
- **Discovery Date:** Ongoing investigation culminating in a public report (Specific date not provided, but tied to the October 2024 publication date of the related article).
- **Incident Date:** Continuous; the report describes operations over recent periods, including matches streamed in September.
- **Affected Organization:** 1xBet (1XCorp N.V.)
- **Sector:** Online Gambling / Sports Betting
- **Geography:** Operations geolocated in Russia, Ukraine, and Belarus; company based in Cyprus and licensed in Curaçao.
## Timeline of Events
### Initial Access (Informational Discovery)
- **Date/Time:** Ongoing investigation leading to publication.
- **Vector:** Investigative journalism (Bellingcat/Josimar) using open-source intelligence (OSINT) and geolocation techniques on live-streamed content.
- **Details:** Bellingcat geolocated sports venues hosting amateur, short football tournaments streamed exclusively to 1xBet.
### Lateral Movement (Operational Expansion)
- **Details:** The investigation revealed an "industrial scale" operation, streaming 1,297 short football games in a 24-hour period in September, potentially reaching half a million amateur matches annually. Players frequently change uniforms to represent multiple fictitious teams, indicating a coordinated, shift-based recruitment system.
### Data Exfiltration/Impact (Operational and Reputational Harm)
- **Details:** The primary impact is reputational damage and exposure of potential labor exploitation (players paid in cash, working long shifts, potential match-fixing). Data exposure risk is implied through the scale of operations but not specified as a cyber breach. The company is cited for facilitating gambling on games involving minors (as young as 14).
### Detection & Response
- **How it was discovered:** Independent investigative reporting (Bellingcat/Josimar).
- **Response actions taken:** Major sports clubs (Chelsea, Liverpool, Tottenham Hotspur) previously severed ties following earlier investigations; FC Barcelona and PSG have been asked for comment regarding current partnerships. Ukrainian authorities placed the company on a sanctions list in the preceding year.
## Attack Methodology
This section describes the **business/operational "attack" methodology** used by the bookmaker against regulation and social responsibility:
- **Initial Access:** Leveraging sponsorships with major clubs (PSG, FC Barcelona) to gain legitimacy.
- **Persistence:** Maintaining operations globally despite being blacklisted/banned in Russia (where founders face arrest warrants) and suspended elsewhere.
- **Privilege Escalation:** Utilizing loopholes in international licensing (Curaçao) to run large-scale, unregulated betting operations.
- **Defense Evasion:** Keeping match locations secret from viewers and regulators.
- **Credential Access:** *(Not applicable as a cyber incident, though operational control over player recruitment exists.)*
- **Discovery:** Replicating a model that experts claim is financially motivated with "no regard for consumer safety, regulation or taxation."
- **Lateral Movement:** Expanding the model to other non-professional tournaments beyond football.
- **Collection:** Gathering massive betting revenue from unregulated markets.
- **Exfiltration:** Transferring massive profits, with revenues estimated in the tens of billions, potentially through illicit channels given the founders' criminal status.
- **Impact:** Undermining regulated markets, potential match-fixing, and exploitation of amateur athletes, including minors.
## Impact Assessment
- **Financial:** Founders allegedly made over 63 billion rubles ($655 million USD) from illegal gambling activities (2021 assessment). Turnover is in the "tens of billions."
- **Data Breach:** No specific data breach detailed, but the nature of the business suggests high risk associated with processing large volumes of financial/betting data globally.
- **Operational:** The model suggests highly aggressive, continuous operation designed to maximize profit volume (nearly half a million amateur games streamed annually).
- **Reputational:** Severe, marked by blacklisting, founder arrest warrants, sanctions, and the earlier termination of partnerships by major football clubs (Chelsea, Liverpool, Tottenham).
## Indicators of Compromise
*(As this is an operational exposé, traditional IoCs are not applicable. The indicators are organizational/behavioral.)*
- **Network indicators:** N/A (Focus is on broadcast platform, not malicious network activity).
- **File indicators:** N/A
- **Behavioral indicators:** Scheduling of 24/7 amateur matches; rapid player turnover/uniform switching; use of unlicensed jurisdictions for operation.
## Response Actions
- **Containment measures:** Ukrainian government placed the company on its sanctions list (previous action). Three major UK clubs terminated sponsorships (previous action).
- **Eradication steps:** Russian authorities issued international arrest warrants for three founders (previous action).
- **Recovery actions:** None specified by the organization; the investigation serves as a call for regulatory action. Analysts note that a potential market vacuum created by legal operators moving to Brazil could lead to a "rise of dozens, if not hundreds, of new, upstart illegal operators" in Europe.
## Lessons Learned
- **Key takeaways:** Large-scale, illegitimate gambling operations can be sustained globally through aggressive sponsorship deals and utilization of gray market licensing structures (e.g., Curaçao).
- **What could have been done better:** Major sponsors (FC Barcelona, PSG) need rigorous due diligence regarding the operational ethics and regulatory compliance of partners, especially following prior public controversies involving the entity.
## Recommendations
- **Prevention measures for similar incidents:** Enhanced scrutiny by regulatory bodies on entities licensed in high-risk offshore jurisdictions facilitating high-volume, low-oversight amateur sports wagering. Major sporting organizations must adopt zero-tolerance policies regarding sponsors linked to alleged exploitation or criminal enterprise.