Home Features Chinese takeout

Chinese takeout

By Lars

Bet365’s foray into the Chinese market may have expanded to include more than 12,000 domain names during the pandemic. IP addresses registered in Australia but located offshore, some possibly in Hong Kong, have been a key part of its operation.

By Jack Kerr

The Chinese government has mounted a significant crackdown on illegal gambling, and particularly the use of overseas services, in recent years. 

Around 110,000 people were arrested for illegal gambling in 2020 alone, according to a report compiled by the Asian Racing Federation

“Operation Chain Break is broader in scope compared to previous anti-illegal betting campaigns, targeting overseas entities and countries, and involves various government stakeholders,” the ARF said.

While there is a legal market for gambling in China, the ARF estimated the country’s illegal market was twice its size, and it was this that the authorities targeted with “a series of concerted law enforcement and legislative efforts”.

“China’s crackdown on illegal betting does not only affect China,” it wrote, “but has multiple and wide-ranging impacts for legal and illegal betting operators across Asia and beyond.”

But what has been the impact for the company self described as the world’s biggest online sports betting company?

British firm Bet365 is licensed in many jurisdictions across the globe, and as The Guardian reported in 2014, it also accepts bets from China – and uses a series of “mirror sites” to do so. 

Mirror sites are essentially duplicates of a website that can be accessed via a different – and usually obscure – domain name (web address). In a country with a censorious government, they can help a local access a service that might otherwise be off-limits to them. 

If the mirror site is also hosted in their region, it can make access to the company’s services even quicker.

“In the view of bet365, and its lawyers, Chinese law does not extend to the provision of services into China by gambling operators and service providers who themselves have no nexus with the territory,” the bookmaker told The Guardian. 

No legislation “expressly prohibits the supply of remote gambling services,” it said, and so “any allegation of illegality on the part of bet365 is therefore untrue”.

But how does a company thrive in a hostile environment where gambling websites are routinely blocked?

It “alter[s]” its website addresses to allow Chinese punters to keep betting, according to an anonymous Bet365 employee who spoke to The Guardian, using “obscure domain names such as 28365365.com in their often brief lifespan”. This, they said, was “100% true”.

In light of this crackdown, we were curious to find out more about this network of websites it was said to be using. 

So we started digging, and we soon found ourselves in a weird world of phantom betting sites, offshore IP addresses and activity that no one told us was illegal but which we nonetheless found to be a fascinating insight into the ways the global online betting market operates.

More than 12000 websites?
Internet registry records show that one domain name listed by The Guardian – 28365365.com – is registered to a British company called Endzin Limited and uses an email address from Hillside New Media. Both companies are part of the Bet365 family.

Internet registry records list around 1600 obscure domain names registered through Endzin or a related company. Many of these web addresses are dead links or have had their domain name parked. 

Others, including 28365365.com, remain active, although it is not possible to know how active they are or where their visitors are coming from.

At first glance, these 1600 obscure domain names appear to be random collections of numbers, but with time, numerical patterns begin to emerge.

To find other sites of interest, we ran an analysis of the now-defunct Domain Big Data internet registry archives to look for registered domain names that followed these patterns. 

For example, after finding the domain name 365-858.com, we then tried to find the record for every web address from 365-000.com to 365-999.com. 

As well as looking through numerous other patterns like this, we also looked for websites registered by other companies in the Bet365 stable.

In total, we found registration details for over 20,000 domain names this way. Further analysis showed that around than 60 per cent of these sites had the potential to be part of the Bet365 network. 

Some of these were shopfront domain names like bet365.com. Most were not. These included over 10,000 identical sites with Bet365 branding.

They were mostly registered in early 2020 and used a single IP address associated with a location in Hong Kong.

These sites did not appear to accept bets themselves  – and these sites were not registered to Bet365 (nor was their IP address). 

However, we were able to access a customer service chat room through several of the sites, where staff frequently provided us with domain names for Bet365 mirror sites. 

It was not clear if these chat room staff were working for the bookmaker, receiving a commission or providing these domain names for some other reason. 

Someone with strong knowledge of the Chinese gambling market suggested they could be external “agent” sites. 

“Normally, betting companies are spending trillions on commercials,” says Chris Kronow Rasmussen, a Copenhagen-based expert in gambling integrity. “But then they don’t want to tell them where to bet unless you enter some kind of chat room? That is the first sign that something is unusual.”

The Hong Kong-linked sites are no longer active; they went offline and many of their domain names were put up for sale shortly after we started making enquiries about them.

Licensed in Malta?

More than a dozen mirror sites seen during this investigation carried an authorisation seal from the Maltese Gaming Authority (MGA) at the foot of their home pages. 

These seals linked to a web page that showed the Maltese authorisation for the company’s main domain name, bet365.com.

When asked if this meant these mirror sites were licensed or able to operate under Bet365’s licence, the MGA repeatedly said that Bet365’s mirror sites “are known” to it and that “players accessing bet365’s services under the remit of the MGA licence will stem from markets where the licensee has justifiable reasons to operate”. 

It would not clarify if that meant the mirror sites were licensed directly, nor if a license for a primary address also covers mirror sites. 

The MGA did not reply to questions relating to the operations of these sites, including the flagging of suspicious bets.

We were unable to clarify the licensing status of these sites with the bookmaker, though it would be surprising if there was no legal basis for these sites to be in operation.

A sports law expert from a German university agreed the status of these sites was not clear, but noted that their absence from the MGA’s list of unauthorised domain names may, by implication, mean they are licensed, either directly or indirectly.

We also contacted the International Betting Integrity Association, whose logo appears on these sites. IBIA counts Bet365 as a member. 

We asked about the licensing rules regarding mirror sites and how many suspicious betting alerts that had been flagged through such sites. 

We also asked how mirror sites contribute to the concept of betting integrity. 

No answers were provided. 

Sport Integrity Research Lead from the University of Canberra, Dr Catherine Ordway, noted that transparency and trust in the gambling system was paramount for the sports industry.

“The co-dependent relationship that professional sporting codes increasingly find themselves enmeshed in with gambling operators, relies on a robust, transparent and vigilant system.

“Sport organisations rely on betting operators to monitor and report ‘red flags’ … [and without them it]  leaves sporting competitions highly vulnerable to infiltration and interference.” 

Where are the servers based?
It was observed during this investigation that many of the mirror sites were using IP addresses that were registered by an Australian branch of Bet365. 

These IP addresses were typically registered care of a commercial law firm’s offices in the  Central Business District of Sydney..

IP addresses are unique identifiers assigned to every machine and website on the internet in order to help them connect.

Josimar found that thousands of IP addresses had been registered, either directly or indirectly, through an Australian arm of Bet365. Many of its mirror sites had or were still associated with these IP addresses. 

Many points of internet law are yet to be explored and remain uncontested, and we wondered what the legal obligations would be if a server based in Australia was being used to help a British bookmaker operate in an Asian market.

We therefore approached the Sydney law firm in question. (We have chosen not to name them as there is no suggestion they have engaged in any conduct that goes against Australian law.) 

They provided a thorough overview of the situation, explaining that these IP addresses were not used by servers or operations in Australia. 

As a result, they strongly refuted a suggestion that these would be subject to Australian regulations.

“Besides being nominated in the role of a simple contact address … there is no other connection whatsoever between our client’s Australian company … or our law firm’s address for that matter with the IP addresses [in question],” it said.

IP addresses do not need to be located at the street address where they are registered and can be transferred internationally, they said, and these IP addresses are only registered in Australia to help Bet365 with more efficient access to the Asia-Pacific market.

They would not, however, say where the servers associated with these IP addresses were based, nor which watchdogs would have jurisdiction over transactions that took place through them.

Curious to find out more, we spoke with cybersecurity experts from two commercial companies – DomainTools and Iron Bastion – and an Australian university. 

Pinpointing the physical location of a server based on its IP address is very difficult without internal company records, or something similar, they said. But publicly available information could provide locations of interest which may lead to further enquiries.

We ran thousands of “ping” tests on different “blocks” (ranges) of these IP addresses to see if we could identify where their associated servers were based. 

Ping tests measure the time it takes a message to travel between a computer and an IP address, and a number of providers allow you to send ping tests from their different international locations. 

We used the services of a handful of different providers and ran tests from locations as diverse as Vladivostok, Johannesburg and Mexico City.

Although Bet365 has registered numerous blocks of IP addresses (using a number of ASNs), we were particularly interested in four consecutive blocks, as many of the mirror sites were associated with IP addresses in these ranges and they had been registered via Australia.

We had also noticed they carried the descriptor HKG (HGK-1, HGK-2, HGK-3, HKG-4). HKG can be an abbreviation for Hong Kong.

For the first of these blocks, ping times were fastest from Hong Kong and Guangzhou, with speeds diminishing in line with the distance of a test location from these Chinese twin cities. 

While the fastest results for one provider were from Manila, the times from the Philippines’ capital were not inconsistent with its distance from Hong Kong. 

As one cyber expert told us, various factors can slow down a ping speed but you can’t fake a quick time.

This block was, however, the only one that pointed towards Hong Kong. 

The next block suggested a location somewhere in the vicinity of Tokyo, with speeds trending faster in line with their proximity to the Japanese capital.

There was no discernable pattern from the two other related blocks of IP addresses. 

The cyber security experts noted Bet365’s sites could be distributed globally by the Cloudflare service. This could increase the sites’ security and efficiency, a major commercial advantage for a company working with real-time data. 

Nevertheless, the results were consistent with the law firms’ statements that Australia-registered IP addresses connected to its mirror sites were not located in Australia – and that some were located in the Asia-Pacific region. 

That raises a whole different set of questions, some of which we put to the bookmaker (via the law firm) and which were not answered.

Whatever the answers to these and the many other mysteries we came across, our research confirmed – in our mind at least – Bet365’s reputation as one of the industry’s most innovative players.

Addendum: Shortly before publication, we rechecked the mirror sites that we had last associated with Australia-registered IP addresses. Nearly all were now inactive. Those that weren’t were either using IP addresses registered to Bet365 in the UK or redirecting to bet365.com from commercial IP addresses.

• The production of this investigation was supported by a grant from the Investigative Journalism for Europe (IJ4EU) fund.

Related Articles