Description[edit | edit source]

Gambling Casino Family

Premier Players Club

Casino Club VIP

Ruby Fortuna Casino

Kings Palace Casino

Winner Palace Casino

Slots Palace Casino

Casino Fiesta Club

Casino La Scala

Euro Club Casino

EuroDice Casino

Euro Prime Casino (variant 1)

Euro Prime Casino (variant 2)

Euro VIP Casino

Exclusive Club Casino

Exotic Slots / Exotic $lots

Gold Casino Promotion

Golden Crown Casino

Golden Gate Casino

Green Table Casino

Jackpot Casino/Gambling Online Casino

Online Back Gammon

Privilege Club Casino

Royal Club Casino

Vegas VIP Casino

Vegas Club Casino

Vegas VIP Casino (variant 1)

Vegas VIP Casino (variant 2)

Vegas VIP Casino ("Vegas Casino" variant)

VIP Promotion! also known as "Welcome to Fabulous VIP Las Vegas Casino Online"

World Casino

World Jackpot Casino

Lucky Diamond Casino

King Spin Casino

Casino Special Offer

CC Casino Club

Elite World Casino

Prime Play Casino Club

Royal VIP Casino

Casino 1000 free

Grand Dollar Casino

Casino sites are difficult to categorize: A spamvertised brand may be on a single IP or on a fast flux botnet; it may be spammed as short-lived "throwaway" domains that redirect to the target site, or the throwaway domain may load the target domain in an iframe. Spam may arrive in consistent bunches that would suggest the same mailer is responsible for all, yet promote sites with different brands and different behaviors. There are probably several competing casino operations whose affiliates do not deal exclusively with a single sponsoring casino.

All spam casino sites require the player to be gullible enough to download software onto his/her own computer to play the games. Such programs are identified as adware or malware by various antivirus programs, though it is difficult to tell how malicious they may be nor to know if actually playing the games will download additional executable programs onto the computer. Some sites will attempt to download the software automatically by reloading themselves. Others require a click, but will download no matter what the user clicks, even the "about us" links. Others won't download at all unless the user enables javascript for the entire site, a risky move. Site visitors who have java enabled by default or who are using browsers like Internet Explorer that permit ActiveX controls may not witness this behavior -- because the software is being automatically downloaded and installed without permission from the user.

Many gambling casinos run on an illegally hijacked fast-flux set of botnet machines. The casino botnet being used in early 2008 was primarily located in the US, Romania, and Argentina. There were seats for 24 round robin addresses at a time with a refresh every 5 minutes, though fewer than 24 IP addresses were actually filled.

Legitimate sites which are barely within the law, like offshore casinos, often will have multiple servers due to the risk of Distributed Denial of Service attacks (DDoS). However, it was unlikely these sites were being hosted legitimately, since some of the host ISPs were cable/DSL providers in the U.S., where online gambling is illegal.

Any gambling casino that requires you to provide your identity and credit card information is suspect. It is not uncommon to find that identities and the corresponding credit card information will later be offered for sale on the "carder" black market. Victims will find their credit card being abused perhaps some months after they expose it to the criminals who run these bogus gambling casinos.

A sure sign that a gambling casino is illegal is when it is spammed using the redirection method. The link in the spam does not go directly to the site, but it first goes to an intermediate site. Another common sign is when the link to the site resides on a free hosting service, such as

Example of an incompletely-filled 24-seat botnet: Casino La Scala, April 2008



Sponsoring Registrars[edit | edit source]

NIC.AT[edit | edit source]

In 2012, after responsible action from other abused registrars, the focus for gambling casino domain registrations moved to Austria. The registrants are inevitably fake, and may be stolen identities. The registrant contact addresses show a distinct pattern, spread over 5 service providers: and

Sample of registrant email addresses

Sample sites:

1API GMBH[edit | edit source]

In October 2011, the registrar called 1API GmbH came under attack by these illegal miscreants. The hosting IP address was provided by ABIL ELECTRIC SRL in Bucharest, Romania and then shifted to the Czech Republic.[edit | edit source]

In September/October 2011, the registrar called CSL COMPUTER SERVICE LANGENBACH GMBH doing business as JOKER.COM was the largest sponsor of these illegal gambling casino domains. A list of some of these is shown below. The hosting IP address was provided by Telefonica o2 Czech Republic, a.s. and then switched to in Romania.

Trunkoz[edit | edit source]

In September 2011, the Indian registrar called TRUNKOZ TECHNOLOGIES PVT LTD. doing business as OWNREGISTRAR.COM was heavily into sponsoring these illegal gambling sites. A list of reported web sites for which they have taken registration fees is shown below. The hosting IP address was located in Romania, or located in the Czech Republic.

Examples[edit | edit source]

An example of the name servers used to resolve access to these unlawful domains, with IP addresses and ISPs:

-- Name Server -- -- IP Address -- Country -- Internet Service Provider RO RDSNET RCS & RDS S.A. - complain CZ TO2-CZECH-REPUBLIC Telefonica o2 Czech Republic, a.s. - complain RO RDSNET RCS & RDS S.A. - (see above) RO RDSNET RCS & RDS S.A. - (see above)

Typical site 1[edit | edit source]

Registrar: CSL Computer Service LANGENBACH GMBH D/B/A JOKER.COM


Lidia Davide,
Piazza San Carlo 50,  Quarona, 13017, IT

Name Servers:

Domain Name: BUOOG.RU

Typical site 2[edit | edit source]

PREMIERSUPERCLUB.NET has address in Russia


Svetlana Poltavceva
141090, Yubilejnyj, Leninskaya, 17, 43
Yubilejnyj, 141090

Name Servers: in Romania

Registrar: NAUNET-REG-RIPN in Russia

Typical site 3[edit | edit source]

Registrar: ENOM, INC.


 Alex Basovski (
 Fax: +1.11111111111
 Marksa str. 19
 Pinsk, PI 213121

Name servers:


Typical site 4[edit | edit source]

Registrar: REGTIME LTD.


bella kotz
Organization: Private person
Address: prospekt 60-letiya sssr, 18
City: birobidzhan
State: birobidzhan
ZIP: 679017
Country: RU
Phone: +7.4262268811

Name servers:

Domain Name: F942B690.COM

History[edit | edit source]

The botnet hosting these sites has also been used for bank phishing and money mule scams.

One example is the domain name, February 2008, which was an attempt to run a phishing operation against the Atlantic Regional Federal Credit Union site.

The bank phishing botnet is predominantly located on machines infected in Romania, USA, and Argentina.

The same botnet has been seen being used for fake escrow business scams using domains like in February 2008. This has been exposed and again exposed and yet again.

Sample Spam[edit | edit source]

Subject: Enjoy our MASSIVE $2400 bonus.........

Amazing $2400 bonuses..... Amazing Customer Support...... Amazing  games.....
Play at the world's most prestigious online casino.....
Come and get your MASSIVE $2400 BONUS NOW!
Fair Gaming, Fast Payouts unrivalled customer support: GUARANTEED!!!
Join the superstars and some of the world’s BIGGEST winners........ ENTER HERE TO

April 2008 casino nameservers and representative domains[edit | edit source]

24 seat botnet
7 unique bots

"Casino La Scala :: Elegant Gaming"
loads site in an iframe from
executable download =

":: Euro Dice Casino ::"
loads site in an iframe from
executable download =

"Welcome to the Euro VIP Casino"
loads site in an iframe from
executable download =

"Welcome to the Royal Casino!"
loads site in an iframe from
executable download =

loads site in an iframe from
executable download = (depending on language chosen; 
requires javascript enabled)

"***EURO VIP CASINO*** Amazing Games, Big Winnings, Fantastic Promotions! PLAY NOW & WIN!"
loads site in an iframe from
executable download =

"Casino Club V.I.P"
executable download =
no iframe

target domain for some of the above sites:
single IP address, shared only with a Russian tax software site
Host = InformTelecom, Moscow
nameserver: and (Xin Net)
sites hosted on IP address with ZBYD Technology Co.,Ltd, Beijing (LACNIC)

"Jackpot Casino/Gambling Online Casino"
executable download = => InstallCasinoV2.exe

"Welcome to the Euro VIP Casino"
executable download =

"Welcome to the Vegas Casino!"
executable download = meta refresh to

same nameservers/IP also have domains for "E2 Finance" and "Freedom From Debt Forever!/Freedom4U"
nameservers: and
sites hosted on IP address Hanaro Telecom, Korea

"world_casino_out"/"World Casino"
executable download =

"Golden Gate Casino"
executable download =
sites hosted at (see above)

"Welcome to the Royal Casino !"
executable download =

How to Report this Spam[edit | edit source]

The Complainterator is configured to report this spamming operation. When preparing the report, add a link to this page for evidence.

Further reading[edit | edit source]

Community content is available under CC-BY-SA unless otherwise noted.