Starting with a single web address, our algorithmic OSINT tools quickly discovered a network of 12,000+ Bet365 sites targeting China - an extraordinary number, even for the world's biggest bookmaker.

In collaboration with:
Investigative Journalism for Europe&
Josimar Football

While British bookmaker Bet365 is licensed in many jurisdictions across the globe, it also accepts bets from China - a jurisdiction where gambling websites are routinely blocked and whose government has engaged in a major crackdown on the industry in recent years.

It targets Chinese customers through "mirror sites" - duplicates of its website which, an anonymous Bet365 employee told The Guardian, use "obscure domain names such as 283653365.com" to get around government censors.

From this single URL, we were, through our various automated cyber intelligence tools, able to take this finding to the next level: discovering a vast network of phantom betting sites, many of which are using IP addresses that geo-locate to Hong Kong or have been registered to the office address of a major Sydney law firm.

On the recommendation of a federal member of parliament, this body of research was shared with Australia's financial watchdog, which has subsequently announced an investigation the bookmaker over money-laundering concerns.1



Methodology

From the one address listed in the article, we were able to map out an initial network of more than 20,000 sites that may be part of Bet365's network of sites.

We began by looking in the web registry archive Domain Big Data, which showed 283653365.com was registered by Bet365-sibling company Endzin Limited.

Trawling through the DBD archives reveals more than 1,000 sites registered to Endzin, many with similarly obscure names like:

108-365.com

365288.com

688365365.com

As you may have noticed, these domains were a combination of '365' and a sequence of other numbers.

Using Python, we built a script to construct all possible addresses that would fit within these various patterns.

000-365.com

001-365.com

002-365.com

We then ran each of these constructed domains through internet web registries to determine if such a site existed and who was behind it, in order to get the initial scope of websites that could be in the network.

From the 20,000 sites that this returned, we used a combination of techniques to filter this down further. This included using scripts to compare the codes of sites, comparing timelines and archives in Wayback Machine and manual investigative techniques.

This filtered the results down to a network of around 12,000 sites that showed a probability of being within the Bet365 network.

These results also included the IP addresses associated with each site.

IP addresses can give some insight into where a server housing a website is based, although pinpointing the exact location without internal company records, or something similar, is difficult.

Using the services of a handful of different providers, we ran thousands of "ping tests" - which measure the time it takes a message to travel between a computer and an IP address - from locations as diverse as Vladivostok, Johannesburg and Mexico City

We concentrated these tests on some key "blocks" (ranges) of IP addresses within Bet365's network.

For the first of these blocks, ping times were fastest from Hong Kong and Guangzhou, with speeds diminishing in line with the distance of a test location from these Chinese twin cities.

This was consistent with a descriptor that was also seen in many of the registry records: HKG (which can be an abbreviation for Hong Kong).

Intriguingly, many of the mirror sites associated with IP addresses in these ranges had been registered in Australia via a major Sydney law firm.

IP addresses do not need to be located at the street address where they are registered and can be transferred internationally, the law firm said, and these IP addresses are only registered in Australia to help Bet365 with more efficient access to the Asia-Pacific market.

1 Bet365 strongly denied it was being investigated when contacted by us as part of our investigation; AUSTRAC has not confirmed if its investigation is related to our research.