Scammers Unleash Flood of Slick Online Gaming Sites

Fraudsters are inundating Discord and various social media platforms with advertisements for numerous sophisticated online gaming and betting websites that entice individuals with complimentary credits and ultimately disappear with any cryptocurrency funds deposited by users. Here’s an in-depth examination of the social engineering strategies and notable characteristics of this extensive network of over 1,200 fraudulent sites.

The deception starts with misleading advertisements displayed on social media, asserting that the betting sites are collaborating with well-known social media figures, such as Mr. Beast, who recently initiated a gaming venture called Beast Games. The ads consistently claim that by utilizing a provided “promo code,” eager players can secure a $2,500 credit on the promoted gaming website.

Deceptive Online Gaming Platforms Emerge in Droves

An advertisement shared in a Discord channel for a scam gambling site that the operators falsely assert was functioning in association with the Internet figure Mr. Beast. Image: Reddit.com.

The gaming platforms require users to set up a free account to access their $2,500 credit, which can be used to play any of numerous highly polished video games that prompt users to wager on each move. For instance, on the scam website gamblerbeast[.]com, visitors can choose from a variety of games like B-Ball Blitz, where players take the role of a basketball star shooting from the free throw line against a single opponent, betting on their ability to score each shot.

The financial part of the scam begins when users attempt to withdraw any “winnings.” At that moment, the gaming site will deny the request and require the user to make a “verification deposit” of cryptocurrency, typically around $100, before any funds can be disbursed. Those who deposit cryptocurrency will soon be prompted for further payments.

However, any “winnings” showcased by these gaming sites are pure illusion, and players who deposit cryptocurrency will never retrieve that money. Compounding the issue, victims are likely to be bombarded with solicitations from “recovery experts” who promote dubious claims on social media about their ability to recover funds lost to such scams.

KrebsOnSecurity first became aware of this web of deceptive betting sites from a Discord user who requested to be identified solely by their username, “Thereallo.” Thereallo is a 17-year-old developer who manages several Discord servers, and said they began investigating after users started voicing frustrations about being overwhelmed with misleading spam messages promoting the sites.

“We were relentlessly spammed by these scam advertisements from hacked or purchased [Discord] accounts,” Thereallo shared. “I got exasperated with simply banning and deleting, so I started to look into the infrastructure behind the scam messages. This is not a one-off site; it’s a scalable criminal operation with a clear playbook, distinct technical markers, and a financial framework.”

Upon analyzing the code on the gaming websites promoted through spam messages, Thereallo discovered they all used the same API key for an online chatbot that appears to be either in limited use or custom-built. Notably, a search for that API key on the threat hunting platform Silent Push identifies at least 1,270 recently registered and active domains, all of which reference some form of gaming or gambling theme.
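The shared-key pivot described above, as an added example (not code from Thereallo, Silent Push or KrebsOnSecurity): given page sources already collected from spam-advertised domains, it finds high-entropy quoted tokens that recur across domains and drops any that also appear on known-benign pages. The domains, key values and the `apiKey` / `data-chat-key` names are constructed placeholders, since the article does not publish the real key or how it is embedded.

```python
import math
import re
from collections import Counter, defaultdict

# Quoted strings of 24-64 key-like characters (assumed shape of an embedded key).
TOKEN_RE = re.compile(r"""["']([A-Za-z0-9_-]{24,64})["']""")

def shannon_entropy(s):
    """Bits per character; random keys score high, padding and words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def candidate_keys(html, min_entropy=3.5):
    """Return quoted tokens in a page that look like machine-generated secrets."""
    return {t for t in TOKEN_RE.findall(html) if shannon_entropy(t) >= min_entropy}

def cluster_by_shared_key(suspect_pages, baseline_pages=(), min_domains=2):
    """Map each shared token to the suspect domains embedding it.

    Tokens also present on known-benign baseline pages (for example a shared
    third-party library build ID) are dropped so they do not link unrelated sites.
    """
    benign = set()
    for html in baseline_pages:
        benign |= candidate_keys(html)
    seen = defaultdict(set)
    for domain, html in suspect_pages.items():
        for token in candidate_keys(html) - benign:
            seen[token].add(domain)
    return {t: sorted(d) for t, d in seen.items() if len(d) >= min_domains}

# Constructed sample data: placeholder domains and keys, not values from the article.
LIB = '<script src="https://cdn.example/lib.js" data-build="Bq7Lw2Zx9Kc4Vn8Tm3Rp6Yd1"></script>'
SHARED = "k9Xf2LmQ7vRt4ZpW8sYb3NcD6hJa1GeU"
SUSPECT_PAGES = {
    "alpha-bets.example": LIB + '<script>chat.init({apiKey:"%s"})</script>' % SHARED,
    "beta-spins.example": LIB + "<script>chat.init({apiKey:'%s'})</script>" % SHARED,
    "gamma-slots.example": '<div data-chat-key="%s"></div>' % SHARED,
    "unrelated-shop.example": LIB
    + '<script>chat.init({apiKey:"T5uH8jKe2PqA7mZx4CwL9rNb1VdS6yGf"})</script>',
}
BASELINE_PAGES = [LIB]

if __name__ == "__main__":
    for key, domains in cluster_by_shared_key(SUSPECT_PAGES, BASELINE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

Without the baseline, the shared library build ID would also link the unrelated shop to two of the gambling fronts, which is why a benign comparison set matters before treating a common token as an ownership marker.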

The “verification deposit” phase of the scam requires the user to deposit cryptocurrency in order to withdraw their “winnings.”

Thereallo noted that the operators of this scam empire seem to create a unique Bitcoin wallet for each gaming domain they launch.

“This acts as a decoy wallet,” Thereallo clarified. “Once the victim deposits funds, they are never able to access any of that money. Any attempts to reach out to ‘Live Support’ are managed by a mix of AI and human agents who eventually block the user. The chat system is self-hosted, complicating reporting to third-party service providers.”

Thereallo uncovered another trait common to all these fraudulent gambling sites [hereafter referred to as “scambling” sites]: If you register at one and then quickly attempt to sign up at a corresponding site from the same Internet address and device, the registration request is denied at the second site.

“I signed up on one site, then quickly tried to register again on another,” Thereallo recounted. Rather than creating the account, the second site returned an error indicating a new account couldn’t be created for another 10 minutes.

The scam gaming site spinora dot cc utilizes the same chatbot API as over 1,200 similar fraudulent gaming sites.

“They’re monitoring my VPN IP across their entire network,” Thereallo elaborated. “My password manager also corroborated this. It attempted to use my dummy email on a site I had never visited, and the site informed me the account already existed. So it’s clearly one entity operating a single network with 1,200+ different domain names as front-ends. This clarifies how their support functions, with a central pool of agents overseeing all the sites. It also explains their strict policy against revealing wallet addresses; it’s a network-wide rule.”

In many respects, these scambling sites adopt strategies from “pig butchering” schemes, a widespread and more complex crime where individuals are gradually seduced by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms.

Pig butchering scams are commonly operated by individuals in Asia who have been abducted and threatened with physical harm or worse unless they spend all day in a cubicle defrauding Westerners online. In contrast, these scambling sites generally extract far less money from individual victims, but their uniform nature and automated support features may empower their operators to extract payments from many individuals in significantly less time, with considerably reduced risk and minimal initial investment.

Silent Push’s Zach Edwards stated that the operators of this scambling network are investing significantly to make the sites appear and feel like a novel type of casino.

“That’s a very peculiar type of pig butchering network and not like what we usually encounter, with much lower investments in the sites and their lures,” Edwards remarked.

Here is a list of all domains that Silent Push has identified as utilizing the scambling network’s chat API.

