163 Organizations Compromised in Thai Gambling SEO Poisoning Operation
Research by Cyble Research & Intelligence Labs (CRIL) shows that a Thai gambling SEO poisoning operation has compromised 163 organizations across more than 30 countries by exploiting abandoned cloud DNS delegations. The affected organizations span government agencies, healthcare organizations, financial institutions, universities, and critical infrastructure operators.
Mechanism of the SEO Poisoning Campaign
The campaign primarily targets abandoned Azure DNS zone delegations. When organizations retire cloud projects, the DNS records that delegate subdomains to Azure nameservers are often left in place even though the zone behind them is gone. Attackers identify these orphaned delegations, recreate the abandoned DNS zones under new Azure subscriptions, and thereby gain control over the affected subdomains. They then deploy a Next.js-based Thai-language gambling kit served with valid Let’s Encrypt wildcard certificates, so users, browsers, and search engines see content that appears legitimate and is hosted under trusted corporate domains.
As of the latest reports, 161 of the 163 compromised organizations remain actively affected by this operation.
Discovery and Global Exposure
The investigation began when CRIL detected unusual DNS activity within a Verizon subdomain environment. Researchers uncovered over 1,000 individually named subdomains serving Thai-language gambling content. Each page embeds affiliate links intended to drive user registrations and generate commissions. Further analysis revealed the same infrastructure and content fingerprints across 162 additional organizations: more than 90 compromised enterprise subdomains shared identical Next.js build IDs, favicon paths, and affiliate redirect destinations.
Identified DNS Abuse Methods
The Thai gambling SEO poisoning operation employs four primary compromise mechanisms:
- Azure DNS Zone Takeover: Over 150 organizations were impacted through abandoned Azure DNS delegations.
- DigitalOcean DNS Zone Takeover: Two organizations were similarly compromised using this technique.
- Direct Wildcard DNS Misconfigurations: Two organizations had wildcard records pointing to infrastructure controlled by attackers.
- Mass A-record Creation: Verizon’s environment contained more than 1,000 individual DNS records directing traffic to gambling content.
Certificate Transparency records indicate that some abandoned zones had remained dormant for years. For instance, one pharmaceutical company’s subdomain had not seen a legitimate certificate since October 2019, before attackers secured a new certificate on April 11, 2026. Another electronics firm exhibited a gap in legitimate certificates between February 2023 and April 10, 2026.
Monetization and Backend Infrastructure
The SEO poisoning campaign generates revenue through affiliate tracking codes, including “ibiza99vip1,” “bigwinv1,” “seven77vip1,” and “link99.” Researchers observed server-side filtering that checked whether visitors originated from Thailand before redirecting them to gambling platforms. The campaign is linked to four gambling destinations: ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest. These pages promote deposits as low as 1 Thai Baht (approximately $0.03 USD) and incorporate structured SEO content, FAQ schema, and mobile optimization features.
Behind this delivery infrastructure, researchers identified a dedicated backend fleet of 103 servers located in Hong Kong under AS398478 (PEG TECH INC). Evidence linking these servers included identical TLS fingerprints, shared certificates, matching HTTP hashes, uniform MySQL configurations, and common administration tools.
Detection and Mitigation Challenges
CRIL highlights that traditional security tools are unlikely to detect this Thai gambling SEO poisoning activity. The attackers utilize valid certificates, reputable domains, and clean infrastructure, complicating detection efforts. Researchers recommend continuous monitoring of Certificate Transparency logs, auditing all DNS delegations, and promptly removing abandoned NS records pointing to cloud providers.
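One way to carry out the delegation audit recommended above, as an added example that is not part of the Cyble report or this article: it parses a BIND-style zone export, picks out delegations to Azure DNS or DigitalOcean nameservers, and flags those whose provider no longer serves the zone. The sample zone and the canned SOA answers are constructed, and the function names, the provider suffix list, and the assumption that providers answer REFUSED for zones they do not host are the example's own.

```python
"""Audit a zone's NS delegations for dangling cloud-hosted child zones."""
import re
# Azure DNS and DigitalOcean DNS nameserver suffixes (assumption: extend with
# any other provider your organization has delegated zones to).
CLOUD_NS_SUFFIXES = (".azure-dns.com", ".azure-dns.net", ".azure-dns.org",
                     ".azure-dns.info", ".digitalocean.com")
NS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)\s*$", re.I)

def parse_ns_delegations(zone_text):
    """Collect {child_name: [nameserver, ...]} from BIND-style zone lines."""
    delegations = {}
    for raw in zone_text.splitlines():
        m = NS_LINE.match(raw.split(";")[0].strip())   # drop trailing comments
        if m:
            child, ns = (g.lower().rstrip(".") for g in m.groups())
            delegations.setdefault(child, []).append(ns)
    return delegations

def classify_delegation(child, nameservers, soa_rcode):
    """soa_rcode(ns, zone) -> rcode text such as 'NOERROR', 'REFUSED', 'TIMEOUT'."""
    cloud_ns = [ns for ns in nameservers if ns.endswith(CLOUD_NS_SUFFIXES)]
    if not cloud_ns:
        return "not-cloud"     # self-hosted or registrar NS: out of scope here
    rcodes = [soa_rcode(ns, child) for ns in cloud_ns]
    if all(rc == "NOERROR" for rc in rcodes):
        return "healthy"
    if any(rc in ("REFUSED", "NXDOMAIN", "SERVFAIL") for rc in rcodes):
        return "dangling"      # provider no longer hosts the zone: remove these NS records
    return "unreachable"       # only timeouts: re-check before acting

def audit_zone(zone_text, soa_rcode):
    return {child: classify_delegation(child, ns_list, soa_rcode)
            for child, ns_list in parse_ns_delegations(zone_text).items()}

# Constructed sample zone plus canned SOA answers standing in for live queries
# (assumption: providers answer REFUSED for zones they do not host).
SAMPLE_ZONE = """\
example.com.             3600 IN NS ns1.example.com.
legacy-app.example.com.   300 IN NS ns1-07.azure-dns.com.   ; retired project
legacy-app.example.com.   300 IN NS ns2-07.azure-dns.net.
portal.example.com.       300 IN NS ns1-03.azure-dns.com.
docs.example.com.         300 IN NS ns1.digitalocean.com.
"""
FAKE_ANSWERS = {("ns1-07.azure-dns.com", "legacy-app.example.com"): "REFUSED",
                ("ns2-07.azure-dns.net", "legacy-app.example.com"): "REFUSED",
                ("ns1-03.azure-dns.com", "portal.example.com"): "NOERROR",
                ("ns1.digitalocean.com", "docs.example.com"): "NOERROR"}

def fake_soa_rcode(ns, zone):
    return FAKE_ANSWERS.get((ns, zone), "TIMEOUT")
```

For a live run, replace fake_soa_rcode with a function that sends an SOA query for the child zone to each listed nameserver (for example with dnspython) and returns the response code as text; a "dangling" result means the NS records should be removed or the zone re-created under your own account.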
The report underscores how a single failure in DNS hygiene can be exploited on a large scale. Instead of breaching networks or applications directly, attackers leverage forgotten cloud configurations, transforming trusted domains into vehicles for a sophisticated SEO poisoning campaign targeting Thai search traffic.
For further insights, refer to the original reporting source: thecyberexpress.com.