Spanish man exploits a bug in an online betting app to steal nearly $500,000


Published: August 24, 2023, 06:30h. 

Last Updated: August 24, 2023, 06:30h.

A major iGaming operator may need to reassess its development team and financial audit policies due to a recent incident in Spain. One savvy user was able to exploit a bug in the operator’s app, resulting in a nearly half a million dollar payout.

A computer monitor displays programming code. A man from Spain exploited a bug in an online gaming app’s code to steal money from the operator. (Image: Dreamstime)

The scammer who took advantage of a security flaw in an online betting app has been apprehended by the Civil Guard in Spain. The arrest was made as part of an ongoing investigation known as “Operation Diacero,” where the individual allegedly stole over €450,000 (US$488,610) from the gaming platform.

The operation's name, “Diacero,” combines the Spanish words for “day” (día) and “zero” (cero), a reference to the zero-day vulnerability that was exploited. The term refers to a flaw that has been discovered but for which the app’s developers have not yet produced a fix or patch.

Exploiting a Flaw

The chain of events began when the gaming operator reported suspicious withdrawals of bet winnings at a gambling property in Los Barrios, Andalusia. Through surveillance cameras, local law enforcement was able to identify and apprehend the perpetrator.

The thief was unaware that his actions were being recorded on surveillance cameras. This allowed law enforcement to quickly identify him and his activities.

Using the zero-day exploit, the scammer made over 650 withdrawals of approximately €700 (US$759) each. The Civil Guard did not disclose the duration of the activity, but it is likely that the property should have detected the issue earlier.

There are still many unanswered questions surrounding this case. Authorities are determined to uncover how the perpetrator discovered the bug and whether other apps could be susceptible to the same issue.

As part of the ongoing investigation, the Civil Guard is actively exploring the intricacies of the scheme. They are looking into possible connections with other entities operating under a similar modus operandi, which could result in further arrests in the near future.

Easy Targets in Online Gambling

The rapid growth of the online gaming industry has provided consumers with more entertainment options and governments with increased tax revenue. However, this surge in popularity has also attracted cybercriminals looking to exploit its vulnerabilities.

Several factors contribute to the gaming industry being an appealing and accessible target for unscrupulous individuals. Users often need to provide their banking details for deposits and withdrawals, making them potential targets for account takeovers or data breaches.

Political and ethical adversaries of gambling also frequently target gambling enterprises. These operators often find themselves under attack from activities such as DDoS attacks or DNS spoofing, orchestrated by criminals or individuals sympathetic to governments that prohibit gambling, as is the case in China.

Web applications and APIs play a crucial role in the gaming industry, enabling features like online multiplayer experiences and in-game shopping. However, if not properly configured, these technologies can introduce vulnerabilities. Thorough testing is essential to ensure bug-free code.


