Money Laundering + Phishing Under the Cloak of Gambling! (Phambling)

Written by Filovirid on May 01, 2021
If you don't have time to read the whole article and you are only interested in the list of gambling domains, you can download it directly from here.

The story began with reading the posts from a Telegram channel managed by Mohammad Jorjandi and his website Webamooz.com in 2018. Reading his posts, I realized that he was talking about a quite big money laundering (ML) network which is operational in several countries, transferring money from Iran to other parts of the world such as the UK, the US and European countries (and of course Turkey, which is the main bridge of every money laundering network from Iran).

ML is not the topic of my interest. However, this one is a bit different because of two main reasons:

Before getting into details, we first need to know the 3 main steps of money laundering and the classic definition of ML, in order to better understand the classic procedure and how it differs from the method used by the mentioned network.

According to the United States Treasury Department, ML is defined as follows:

Money laundering is the process of making illegally-gained proceeds (i.e., "dirty money") appear legal (i.e., "clean"). Typically, it involves three steps: placement, layering, and integration. First, the illegitimate funds are furtively introduced into the legitimate financial system. Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. Finally, it is integrated into the financial system through additional transactions until the "dirty money" appears "clean"

Based on the above definition, there is dirty money that needs to be cleaned and presented as clean to the financial system. This "dirty" money can be earned by any kind of "illegal" activity, like counterfeiting, selling drugs or whatever you have in mind. But wait... You already know that all of them are illegal, and you may say: OK, things happen, but it's not like you sell drugs for 5 years and earn billions of dollars and the government still doesn't know about you! Believe me, that is the case here if you know the key point, and that's why I emphasized the term illegal.

Every country has its own definition of illegal activities. Of course, things like selling drugs are illegal everywhere in the world, but there are some minor differences in the definition of the term "illegal" in different countries. If you can break the "illegal procedure" into several smaller steps and perform each step in a country which does not consider that step an illegal activity, then you are not doing anything illegal in terms of the law (the law of each specific country), but the total procedure still remains illegal!

In order to better understand the scenario, let's take a look at the below diagram.

How miscreants make money "Legally!" out of illegal gambling

Gambling is not prohibited in the UK, but it is regulated by the Gambling Commission on behalf of the UK government. In order to run a gambling website in the UK, one needs to go through the procedure of getting a license for the website, which is not easy to get, and follow several rules based on that license. It is also illegal to permit any person under the age of 18 to even enter a licensed gambling website. Different types of games on the website require different types of licenses, and like all other online businesses in the UK, the owner of an online gambling website needs to pay tax on it.

So how does the above-mentioned procedure (the diagram above) work?

  1. The miscreant (the one who runs the websites) registers a domain name with an accredited registrar like GoDaddy; let's say she lives in the UK.
  2. The language of the website is Persian/Farsi and it works only for Iranian people, since it only accepts the Iranian payment system, so we can say that it targets only people who live in Iran.
  3. So far, she hasn't done anything illegal in the UK.
  4. On the other hand, running a gambling website is considered a completely illegal activity in Iran and is punishable by law, but she doesn't live in Iran, so no one can touch her.
  5. Of course the Iranian government can ask the UK to extradite her, but as in the real case of Sasha Sobhani (who is one of the most famous gambling website owners), they easily claim that if they return to Iran, the government may execute/torture them and their life is in danger, which is not true in this case.
  6. These websites (thousands of domain names) are also unregulated and specifically target teenagers and individuals under 18 (since it's easier to lure them).
  7. They also publish images and posts on their Instagram pages showing their luxury lifestyle and claim that the only reason they are that rich is playing on these websites!

So far, we know how they make money but let's see the possible ways of transferring this huge amount of money from Iran to UK.

1 - Making money in Iran without leaving any trace

As you probably know, the Iranian banking system is not connected to the Visa/Mastercard payment systems due to US sanctions against Iran. Therefore, Iran has its own payment system, isolated from the rest of the world, called the Shetab banking system. Gambling website owners cannot access this system from other countries, since gambling websites are illegal in Iran. So what they do is actually easy. They created their own payment system called Parsigram, which is simply (yet effectively) a wrapper over the Shetab banking system. They also created an Android app as well as an iOS app to manage the wallet and payments from a mobile phone (update: the app has been removed from the Google Play store after the report).

What Parsigram does is rent a lot of banking cards in Iran (mostly from the indigent) in exchange for either a fixed monthly salary or sometimes a 1% to 3% commission on all transactions/profits. These cards are used as the backbone of the payment system. Whenever someone wants to play an online game, he/she first needs to top up his/her gambling account, which uses Parsigram as the payment system. The gambler gives all of his/her credentials and card information to the Parsigram system, and then the Parsigram servers do the transaction in the background (i.e., transferring money from the player's account to the rented cards). Finally, they use those rented cards to convert the profit to cryptocurrencies like Bitcoin.

This is very dangerous, since the players are sharing their credentials with the Parsigram system, and it is not even clear who created it or which company is behind it. If you visit their website, you will see that there is no contact information or company address! This even gives the Parsigram owners the opportunity to use the players' bank accounts to transfer money!

Below, you can see the advertisement on one of the job-seeking websites in Iran looking for people to rent their cards.

Here is the translation of the advertisement:

How does the collaboration work?

Because of the restriction applied by the Central Bank of Iran, each banking card is limited to 50 million Rials per day and each individual can buy (Crypto/Currencies) at most 100 million Rials per day with his national ID card. Therefore, to satisfy our customers, we need partners to help us in buying (Crypto/Currencies) in exchange for 1 to 3 percent of total profit. We also offer some other bonuses like insurance in long term collaboration. Contact us for more information and any question...

So in this way, it's very difficult to track these guys, since you can only find the rented cards, not the card renters!

Of course, this type of scam is not limited to Iran. You can find many examples of this type all around the world, like this one.

2 - Transferring money to the UK

These guys have deals with currency exchange services in Iran and the UK. For example, consider an exchange service which accepts Iranian Rials in Tehran and gives British Pounds in London. There are lots of online services like this one (I DO NOT CLAIM THAT THIS EXAMPLE IS CORRUPTED. IT JUST PROVES THAT SUCH A SERVICE EXISTS!) that offer the same service. The owner of the gambling website receives cash in the UK without any problem. In the worst-case scenario (if the government gets suspicious), she can claim that the money is from advertising on Instagram, consulting, or marketing (remember the legit company or website that they already registered in the UK), and after paying tax in the UK, the money is clean and ready to spend!

Now let's take a look at some of these guys who make their living by luring teenagers in Iran, making illegal money.

Her name is Donya Jahanbakht (she lives in the UK)

This is the image of Donya Jahanbakht taken from her public Instagram page. This case exactly matches the above-mentioned diagram. She has a legit business (with the domain name donya.uk) and an illegal gambling website (vnduseh457ryfd7y.casa), which, as you can see, has a completely random domain name (since they don't care about branding as long as they have enough followers to lure). They also change the domain names frequently to circumvent the filtering/censorship system in Iran. She claims that she makes money from advertising on her Instagram page, but she always advertises the gambling website in Farsi/Persian.

His name is Pooyan Mokhtari (claims to live in Turkey)

The second example is Pooyan Mokhtari. The image was taken from his public Instagram page. He claims to be a musician, while you can see the link to his gambling website (thrhrhz.info). He also claims to run a business called Loralord (apparently a new brand; it is not exactly clear what it is).

His name is Davoud Ghaffari and he probably lives in Turkey

His name is Davoud Ghaffari, known as Davod Hazineh. Apparently he is living in Turkey.

And last but not least is the person in the image below, known as Neda Yasee, with a number of different Instagram pages to cover her tracks.

Neda Barghashi, known as Neda Yasse on Instagram (was living in Turkey, now in Canada as an asylum seeker)

Looking at the domain names of the gambling websites they are running, and with a little bit of effort, we see that all of them use the very same website template, which means that there is one person or company that creates all the websites and sells them to the operators. Also, almost all the domains are behind the CloudFlare service to hide the real service and make the reporting procedure more difficult.

The operators behind these websites register almost 50 to 100 domains per day to circumvent Iran's filtering/censorship system. Below, you can see the graph of some of these websites, which I collected by searching only for a specific title.

Some of the illegal gambling websites contain the word "پیش بینی" (prediction) in the title

And some of them are not behind CloudFlare.

Detected domain names

From 4 May 2020 until 12 Feb 2021 (~10 months), I detected 11,950 domain names registered by this group by crawling the newly registered domains each day. Looking at the domain names (e.g., qwx05h5633t6pg4.xyz or yuyuyu.digital), you can easily tell that they don't even care about the domain names; it's all about registering domains every day to circumvent the censorship/filtering in Iran (it reminds me of malware and domain generation algorithms!).
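The triage described above (take each day's newly registered domains, match the title keyword, note throwaway-looking names) can be sketched as follows. This is an added example, not the Phambling service's own code: the function names, the entropy and length thresholds, and the page titles in the sample feed are assumptions constructed for illustration, while the two flagged domains are the ones quoted in the article.

```python
import math
import re
import unicodedata
from collections import Counter

KEYWORD = "پیش بینی"  # "prediction", the title word quoted in the article

def normalise(text):
    """Fold Persian/Arabic spelling variants so title matching is robust."""
    text = unicodedata.normalize("NFKC", text)
    # Arabic yeh/kaf -> Persian yeh/kaf; then drop ZWNJ/ZWJ, spaces, separators
    text = text.replace("\u064a", "\u06cc").replace("\u0643", "\u06a9")
    return re.sub(r"[\u200c\u200d\s_-]+", "", text)

def title_matches(title):
    return normalise(KEYWORD) in normalise(title)

def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost label."""
    label = domain.lower().split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(domain, min_len=10, min_entropy=3.0):
    """Assumed heuristic: long, mixed letters+digits, high-entropy label."""
    label = domain.lower().split(".")[0]
    mixed = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return len(label) >= min_len and mixed and label_entropy(domain) >= min_entropy

def triage(records):
    """Map each (domain, title) pair worth an analyst's review to its reasons."""
    hits = {}
    for domain, title in records:
        checks = (("title-keyword", title_matches(title)),
                  ("random-label", looks_generated(domain)))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            hits[domain] = reasons
    return hits

# Constructed feed: domains quoted in the article, titles invented for the example.
SAMPLE = [
    ("qwx05h5633t6pg4.xyz", "سایت پیش\u200cبینی فوتبال"),      # ZWNJ spelling
    ("yuyuyu.digital", KEYWORD.replace("\u06cc", "\u064a")),  # Arabic yeh spelling
    ("example.com", "Example Domain"),                        # benign control
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The title keyword carries the detection; the label heuristic alone would miss short repetitive names such as yuyuyu.digital, which is why the two signals are reported separately.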

The Phambling web service, launched in May 2020, was responsible for collecting newly registered domain names of gambling and payment services. The service is no longer operational, since no take-down action was taken by registrars even after several reports.

Please feel free to leave comments/share any useful information about this network of illegal gambling/money laundering.