Online Gambling App Bug Exploited by Spanish Man, Steals Almost $500K

Posted on: August 24, 2023, 06:30h. 

Last updated on: August 24, 2023, 10:50h.

A certain iGaming operator might need to look closely at its development team and its financial audit policies. One of its users in Spain exploited a bug in the operator’s app that allowed him to walk away with almost half a million dollars.

A computer monitor displays programming code. A man from Spain exploited a bug in an online gaming app’s code to steal money from the operator. (Image: Dreamstime)

Spain’s Civil Guard members have busted a scammer who exploited a security flaw in an unidentified online betting app. As part of an ongoing police investigation, dubbed “Operation Diacero,” computer forensic specialists with the Civil Guard’s unit in the city of Algeciras arrested an individual they say stole more than €450,000 (US$488,610) through the gaming platform.

The operation’s name, Diacero (an amalgamation of the Spanish words for day and zero, día and cero), refers to the zero-day vulnerability. This is the term for a bug that is already known, or already being exploited, but for which the developers have not yet created and installed a patch.

Beating the System

The chain of events unfolded after the gaming operator reported a series of odd withdrawals of bet winnings at a gambling property in Los Barrios, a town in the autonomous community of Andalusia in southern Spain.

The perpetrator apparently didn’t realize that his actions were being captured on surveillance cameras inside the property each time he made a withdrawal. From that footage, local law enforcement could figure out who he was and what he was doing.

He conducted over 650 withdrawals of around €700 (US$759) each through the zero-day exploit. The Civil Guard didn’t detail how long the activity was carried out, but the property probably should have caught on to his actions sooner than it did.
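The two audit checks that would have surfaced this pattern early, a withdrawal velocity limit and a reconciliation of withdrawals against what the ledger says each account is owed, as an added Python example that is not part of the article or any operator’s code. The record layout, the thresholds and the sample withdrawals are constructed assumptions; the sample deliberately includes one account with no ledger entry at all, which the velocity check alone would miss.

```python
"""Withdrawal-anomaly checks of the kind an operator's financial audit could run.

Added illustration, not code from the article or from any operator. The record
format, thresholds and sample data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    account: str
    when: datetime
    amount: float  # EUR, constructed sample values


def velocity_flags(withdrawals, window=timedelta(hours=24),
                   max_count=5, max_total=2000.0):
    """Flag accounts whose withdrawals inside any sliding window exceed
    max_count events or max_total EUR. Returns {account: (worst_count, worst_total)}."""
    by_account = defaultdict(list)
    for w in withdrawals:
        by_account[w.account].append(w)

    flagged = {}
    for account, ws in by_account.items():
        ws.sort(key=lambda w: w.when)
        worst_count, worst_total = 0, 0.0
        start = 0
        for end in range(len(ws)):
            # Slide the window start forward until the span fits inside `window`.
            while ws[end].when - ws[start].when > window:
                start += 1
            count = end - start + 1
            total = sum(x.amount for x in ws[start:end + 1])
            worst_count = max(worst_count, count)
            worst_total = max(worst_total, total)
        if worst_count > max_count or worst_total > max_total:
            flagged[account] = (worst_count, worst_total)
    return flagged


def reconciliation_flags(withdrawals, credits):
    """Flag accounts that withdrew more than the ledger credited them
    (deposits plus settled winnings). Returns {account: excess_eur}.
    An account with withdrawals but no ledger entry is treated as credited 0."""
    withdrawn = defaultdict(float)
    for w in withdrawals:
        withdrawn[w.account] += w.amount

    flagged = {}
    for account, amount in withdrawn.items():
        excess = round(amount - credits.get(account, 0.0), 2)
        if excess > 0:
            flagged[account] = excess
    return flagged


# Constructed sample data: A1 is a normal player, A2 drains 8 x 700 EUR in a
# few hours against a single 1400 EUR win, A3 withdraws with no ledger credit.
_T0 = datetime(2023, 8, 1, 20, 0)
SAMPLE_WITHDRAWALS = [
    Withdrawal("A1", _T0, 300.0),
    Withdrawal("A1", _T0 + timedelta(days=3), 150.0),
    Withdrawal("A3", _T0 + timedelta(hours=1), 50.0),
] + [Withdrawal("A2", _T0 + timedelta(minutes=20 * i), 700.0) for i in range(8)]
SAMPLE_CREDITS = {"A1": 600.0, "A2": 1400.0}  # A3 intentionally absent


if __name__ == "__main__":
    print("velocity:", velocity_flags(SAMPLE_WITHDRAWALS))
    print("reconciliation:", reconciliation_flags(SAMPLE_WITHDRAWALS, SAMPLE_CREDITS))
```

The velocity check catches the burst of near-identical withdrawals that the article describes; the reconciliation check is the one that does not depend on timing and so also catches a slow drain or an account the ledger has lost track of, which is why an audit policy needs both.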

There are still many unanswered questions about the scheme, and authorities want to find out how the man discovered the glitch and determine if other apps could suffer the same issue.

As part of the ongoing investigation, the Civil Guard continues to delve into the intricacies of the scheme. They want to find out if there are any possible links with additional entities that might be operating under a similar modus operandi. As such, there could be more arrests in the coming days.

Online Gambling Makes For Easy Targets

The rapid growth of the online gaming sector in recent years has led to an increase in entertainment options for consumers and tax revenue for governments. Nevertheless, this surge in popularity has also sparked the interest of cybercriminals who seek to exploit its weaknesses.

Various factors make the gaming industry an appealing and accessible target to more than a few unscrupulous actors. When using online channels, users often have to provide their banking details to make deposits and withdrawals, presenting valuable information that may be exploited in cases of ATO (account takeover) or data breaches.

Political and ethical adversaries of gambling frequently target gambling enterprises as well. The operators often find themselves subject to a barrage of malevolent activities, such as DDoS (distributed denial of service) attacks or DNS spoofing (tampering with domain name system records to send netizens to other websites). These are engineered by crooks or by individuals sympathetic to governments that prohibit gambling, as in the case of China.

Web applications and APIs are integral to the gaming industry, enabling everything from online multiplayer experiences to in-game shopping. However, these technologies introduce vulnerabilities when they are not properly configured or tested. Only through rigorous and thorough testing can developers reduce the chance that a bug like this one reaches production and is found first by an attacker.