Affiliates Flock to ‘Soulless’ Scam Gambling Machine

Last month, KrebsOnSecurity tracked the sudden emergence of hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. We’ve since learned that these scam gambling sites have proliferated thanks to a new Russian affiliate program called “Gambler Panel” that bills itself as a “soulless project that is made for profit.”

A machine-translated version of Gambler Panel’s affiliate website.

The scam begins with deceptive ads posted on social media that claim the wagering sites are working in partnership with popular athletes or social media personalities. The ads invariably state that by using a supplied “promo code,” interested players can claim a $2,500 credit on the advertised gaming website.

The gaming sites ask visitors to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action. However, when users try to cash out any “winnings” the gaming site will reject the request and prompt the user to make a “verification deposit” of cryptocurrency — typically around $100 — before any money can be distributed.

Those who deposit cryptocurrency funds are soon pressed into more wagering and making additional deposits. And — shocker alert — all players eventually lose everything they’ve invested in the platform.

The number of scam gambling or “scambling” sites has skyrocketed in the past month, and now we know why: The sites all pull their gaming content and detailed strategies for fleecing players straight from the playbook created by Gambler Panel, a Russian-language affiliate program that promises affiliates up to 70 percent of the profits.

Gambler Panel’s website gambler-panel[.]com links to a helpful wiki that explains the scam from cradle to grave, offering affiliates advice on how best to entice visitors, keep them gambling, and extract maximum profits from each victim.

“We have a completely self-written from scratch FAKE CASINO engine that has no competitors,” Gambler Panel’s wiki enthuses. “Carefully thought-out casino design in every pixel, a lot of audits, surveys of real people and test traffic floods were conducted, which allowed us to create something that has no doubts about the legitimacy and trustworthiness even for an inveterate gambling addict with many years of experience.”

Gambler Panel explains that the one and only goal of affiliates is to drive traffic to these scambling sites by any and all means possible.

A machine-translated portion of Gambler Panel’s singular instruction for affiliates: Drive traffic to these scambling sites by any means available.

“Unlike white gambling affiliates, we accept absolutely any type of traffic, regardless of origin, the only limitation is the CIS countries,” the wiki continued, referring to a common prohibition against scamming people in Russia and former Soviet republics in the Commonwealth of Independent States.

The program’s website claims it has more than 20,000 affiliates, who earn a minimum of $10 for each verification deposit. Interested new affiliates must first get approval from the group’s Telegram channel, which currently has around 2,500 active users.

The Gambler Panel channel is replete with images of affiliate panels showing the daily revenue of top affiliates, scantily-clad young women promoting the Gambler logo, and fast cars that top affiliates claimed they bought with their earnings.

A machine-translated version of the wiki for the affiliate program Gambler Panel.

The apparent popularity of this scambling niche is a consequence of the program’s ease of use and detailed instructions for successfully reproducing virtually every facet of the scam. Indeed, much of the tutorial focuses on advice and ready-made templates to help even novice affiliates drive traffic via social media websites, particularly on Instagram and TikTok.

Gambler Panel also walks affiliates through a range of possible responses to questions from users who are trying to withdraw funds from the platform. This section, titled “Rules for working in Live chat,” urges scammers to respond quickly to user requests (1-7 minutes), and includes numerous strategies for keeping the conversation professional and the user on the platform as long as possible.

A machine-translated version of the Gambler Panel’s instructions on managing chat support conversations with users.

The connection between Gambler Panel and the explosion in the number of scambling websites was made by a 17-year-old developer who operates multiple Discord servers that have been flooded lately with misleading ads for these sites.

The researcher, who asked to be identified only by the nickname “Thereallo,” said Gambler Panel has built a scalable business product for other criminals.

“The wiki is kinda like a ‘how to scam 101’ for criminals written with the clarity you would expect from a legitimate company,” Thereallo said. “It’s clean, has step by step guides, and treats their scam platform like a real product. You could swap out the content, and it could be any documentation for startups.”

“They’ve minimized their own risk — spreading the links on Discord / Facebook / YT Shorts, etc. — and outsourced it to a hungry affiliate network, just like a franchise,” Thereallo wrote in response to questions.

“A centralized platform that can serve over 1,200 domains with a shared user base, IP tracking, and a custom API is not at all a trivial thing to build,” Thereallo said. “It’s a scalable system designed to be a resilient foundation for thousands of disposable scam sites.”

The security firm Silent Push has compiled a list of the latest domains associated with the Gambler Panel, available here (.csv).

The U.S. should bolster investment reviews to combat China

The Committee on Foreign Investment in the United States just published its 2024 report, revealing once again that shielding U.S. tech from risky foreign investments was a critical focus for the interagency group that reviews investments in the United States for national security risks. But as U.S.-China tensions further intensify, bolstering these reviews is even more important for national security — and getting it wrong all the more damaging.

When President Trump took office again in January, he signed an executive order “fast-tracking” investments from (unspecified) allied and partner countries — in other words, expediting their CFIUS reviews — as a way to accelerate the funding of U.S. advanced tech and other businesses. It’s an idea with some merit.

Yet, CFIUS remains plagued by procedural problems, far beyond the screening of allied investments, that impact the rigor, transparency, and ultimate efficacy of its national security reviews. These issues make a CFIUS shakeup an opportune moment to evaluate the U.S. government’s broader strategy for screening investments into U.S. technologies. Policymakers should ensure CFIUS has a more rigorous analysis of risks, a more nuanced focus on China, and greater transparency — all of which will help U.S. tech security and with competition against Beijing in the coming years.

President Ford created what is now CFIUS in 1975 through executive order, making it 50 years old this year. In subsequent administrations, president after president kept it around as a matter of executive policy, and Congress statutorily authorized the Committee in 2007. The idea was that certain non-U.S. investments in U.S. companies could potentially enable foreign adversaries — such as, at the time, the USSR — to infiltrate supply chains, steal trade secrets, or even sabotage operations. This could target anything from U.S. energy infrastructure to steel plants for tanks.

As described in my upcoming book on U.S. national security governance of technology, CFIUS had a tech focus from its earliest days, such as handling concerns in the 1980s about Japanese investments in semiconductors. But as time went on, its tech focus grew substantially. CFIUS received authorities in 2018 to evaluate how foreign investments impact sensitive U.S. data and technologies. It forced a Chinese buyer to sell the gay dating app Grindr back to U.S. owners. And it even opened a 2019, pre-ban-debate investigation into TikTok. The current Committee structure puts the Treasury Department at the helm, working with departments from State to Defense, to parse these risks and recommend whether to block, approve, undo, or put security conditions on transactions.

Today, as its newest report says, CFIUS spends a substantial amount of time looking at risks to U.S. technology. Outside of real estate transactions, which CFIUS also reviews, 53% of companies that sent a “covered notice” to CFIUS in 2024 — alerting the group in detail of a potentially relevant investment — came from the “Finances, Information, and Services” sector, up from 50% in 2023. This category includes companies in telecommunications, computing infrastructure, data processing, and professional, scientific, and technical services. 

But the Committee is even more tech-focused than the numbers suggest: companies can also submit shorter filings to CFIUS — simpler “declarations” typically intended for less risky investments — not counted in these numbers. And companies not in tech, per se, can receive CFIUS scrutiny for a tech-related issue, such as a health insurer with sensitive data taking a non-U.S. investment.

The latest report also clarifies that CFIUS is highly focused on China. Investments from China motivated more covered notices in 2024 than investments from any other country — including from other adversaries such as Iran and Russia, which counted for none. Shorter declarations, meanwhile, were led by investments from Japan, Canada, France, and the United Kingdom. (China’s domination of covered notices but not shorter declarations may suggest Chinese investors prefer providing more information to CFIUS up front to — in their minds — make the U.S. security review timeline more predictable.)

Combined, these new data points illuminate the challenges at hand in the coming years.

CFIUS has powers to look at a broad sweep of investment activities. These range from acquisitions of big American firms to influential minority stakes in Bay Area startups to transactions involving national security-critical technologies — like AI models, space communications systems, and biotech applications. 

CFIUS has a substantial focus on Chinese investments, which the intelligence community has repeatedly said create opportunities for Beijing to steal U.S. technologies. And it must screen U.S. allied and partner investments that could create risks, too (including due to, say, Chinese front companies in Japan or Russian ones in the U.K.).

Despite this broad, consequential activity, CFIUS is often described as a “black box.” Companies complain it’s difficult to understand and therefore navigate; congressional overseers have told me repeatedly in recent years that they want better insights into CFIUS’s activity on AI, chips, China, and more, including to inform decisions about whether it needs more funding. 

Unlike other tech and national security regulatory programs, CFIUS additionally appears to lack an adequately standardized framework to identify and mitigate national security risks. Methodology sounds boring. But a rigorous, standardized risk process is the difference between identifying the right risks and working to address them — and acting in good faith but getting distracted, going down rabbit holes, inflating unlikely scenarios, and pulling focus from the highest priority risks.

The new administration — or a future one — and Congress should push CFIUS toward a more standardized, rigorous risk management process. This could include a White House-led effort to better synchronize risk mitigations across CFIUS-involved agencies or creating robust frameworks for issues like investors’ access to company-held data, software source code, or technical schema.

Related, CFIUS should work to resist the ever-growing D.C. temptation to label all China-related activity “a risk,” taking a reductive view of the threat landscape. It should instead apply more nuance to areas that present minimal, mitigatable risk versus areas that present outsized risk to U.S. technologies or data (such as with the later-undone Grindr acquisition).

Lastly, more transparency into U.S. investment security reviews would help companies, the public, overseers, and national security at once. No, CFIUS should not alert the press every time a company considers a merger or funding round — that’s proprietary and should be kept that way. And it relies on classified insights within the government to assess risks, too.

But Congress can and should compel the Committee to provide greater insights into its activities than only the statistics in its annual reports. Making its generalized risk criteria a bit clearer to companies — for instance, what areas concern it most and how it thinks about mitigations for risky investments — could help lower compliance costs without tipping off U.S. adversaries with too much detail. It could help congressional overseers better ensure the interagency team is focused on the right issues, including with tech and China, and can get briefings that protect company trade secrets but provide more details about security issues and reviews.

Increasing CFIUS’s transparency is also a win for the public. As CFIUS launches investigations that impact widely used communications and other technologies — TikTok being the chief example — transparency is both vital in a democracy and helpful to inform public debate. And as competition with China intensifies, investment security reviews will prove a critical vector for protecting business innovation, securing U.S. supply chains, and bolstering long-term security.

Justin Sherman is the founder and CEO of Global Cyber Strategies, a D.C.-based research and advisory firm, and the author of “Navigating Technology and National Security.”

The post The U.S. should bolster investment reviews to combat China appeared first on CyberScoop.
