Laravel Passport Patches Machine-to-Human Authentication Bypass
The post Laravel Passport Patches Machine-to-Human Authentication Bypass appeared first on Daily CyberSecurity.

This article is the result of a collaboration with Josimar. You can find Josimar’s corresponding piece here.

A European academic used a false name to represent an opaque Asian-facing bookmaker that is sponsoring Croatia’s national football team in the run up to the 2026 FIFA World Cup.
Croatia’s national governing body of football, the Croatian Football Federation (HNS), struck the deal to make gambling website Dragon Z6 the team’s “exclusive betting partner” across Asia in May 2024.
Promotional footage of the ceremony to ink the two-year agreement was filmed in Zagreb, with Croatian national team players Marco Pašalić, Lovro Majer and Josip Juranović in attendance.
A video posted to Dragon Z6’s website shows HNS International’s chief executive Dennis Lukančić and the federation’s head of marketing Ante Cicvarić signing the contract with the bookmaker’s representative.
“We hold Dragon Z6.com in high regard,” Cicvarić said in the clip. “A brand with a 25 year legacy and a stellar reputation for providing an exceptional gaming experience. Their motto, ‘Life is a gamble’, resonates deeply with us.”

Dragon Z6’s representative, who is named on screen and in a placard as “Alexander Smith”, described the deal as a “momentous partnership”.
He said: “The Dragon Z6.com family proudly welcomes the Croatian national football team. We embark on an exciting journey to realise our shared ambitions.”

But the man who appears in the footage on behalf of Dragon Z6 is not Alexander Smith. He is Branko Balon, a senior lecturer in computer science at Algebra Bernays University in Zagreb.
The Croatian national was identified using facial recognition search engine PimEyes, with images from his Facebook, university profile and media reports confirming the match.

In addition to his university position, Balon is the president of non-profit group the Croatian-Chinese Friendship Society for Cultural, Scientific and Economic Cooperation (CCFS).
He appears to have visited China on several occasions, including last July when he took part in a visiting scholar programme with the Nishan World Center of Confucian Studies in eastern China’s Shandong province, according to his Facebook posts.

Six months before the signing ceremony with HNS, Balon reportedly addressed a Zagreb sports and tourism symposium whose attendees included representatives from the Croatian Football Federation.
After initially confirming receipt of an email from Bellingcat, Branko Balon did not respond to questions. Dragon Z6 did not respond to multiple emails.
Dennis Lukančić said the Croatian Football Federation respected the rules and regulations of the sport’s governing bodies as well as Croatian law, but did not answer specific questions about how it became involved with Dragon Z6 or if it was previously aware of Balon’s real identity.
“Regarding the signing ceremony, we note that the Croatian Football Federation did not publish or officially communicate the identity of the Dragon Z6 representative present at the event,” he said. “As is customary with such ceremonies, the event itself was of a promotional nature and did not constitute the formal execution of contractual documentation.”

“The Croatian Football Federation is not in a position to comment on the internal decisions, communications, or presentation choices of Dragon Z6, including the use of names or identities in their own materials or appearances. Any questions regarding the identity or representation of Dragon Z6 at promotional events are best addressed to Dragon Z6 or their representatives.
“In any of our proceedings we always negotiate in good faith and we respect all rights and obligations that arise from any agreement.”
Lukančić said the federation had carried out “standard compliance and due diligence procedures” before entering the deal and that the agreement was executed between the relevant legal entities, with Dragon Z6 “represented by their duly authorised signatories”.
Asked which country Dragon Z6 was headquartered in, who its beneficial owner was, and for the name of the person who signed the contract on behalf of the gambling company, Lukančić said: “In our previous email we gave you already all answers and our position in this matter.”
We also asked if the Dragon Z6 deal includes sponsorship during the upcoming FIFA World Cup, but did not receive a response. Croatia’s first opponent is England; it faces the Three Lions in Dallas on June 17.
Open source findings suggest that Dragon Z6 – sometimes referred to in Chinese as “Zunlong Kaisheng” – is just the latest iteration of an Asian-facing online gambling platform that has been sponsoring Western sports teams under different names for more than a decade. Dragon Z6 appears to be associated with the Hong Kong-linked gambling company KashBet, also known as KB88.

Gambling does not occur directly on the Z6.com domain. The site is essentially a gateway that redirects users to a fluctuating number of mirror websites with alphanumeric string domains. These Chinese-language sites host the gambling content, including live-streamed card games, and provide clues about Dragon Z6’s association with KashBet.
The image of Dutch former professional footballer Robin van Persie is featured prominently on Dragon Z6’s mirror sites. In the “About” section of these websites, the online casino says it signed van Persie as its brand ambassador in 2021. The same photograph of him is used interchangeably to promote both Dragon Z6 and the KashBet brand.

Van Persie’s agent, Kees Vos, said the footballer had not entered into a partnership with KashBet, was not involved with Dragon Z6, and had not been aware that his image was being used on these websites.
“We have taken notice of the abuse of the image of our client Robin van Persie by several Asian gambling platforms, and we will instruct our lawyers to take legal action against these parties,” Vos said.
Z6’s mirror sites also say Zunlong Kaisheng is the “official sponsor” of Bundesliga clubs Bayer Leverkusen and Augsburg, Brazilian side Fluminense, Italian club Roma, English league team Wigan Athletic and Dutch club Ajax.
However, it was KashBet that signed sponsorship deals with these football teams in 2017 and 2019. No record of a sponsorship with FC Augsburg was found, but KB88 was promoted in pitchside advertising during one of the team’s 2019 home games.
In 2019, Australian football team Melbourne Victory dropped their AFC Champions League sponsor “Kaishi Entertainment” after concerns were raised about the company’s link to KashBet.
KashBet’s representative at the signing with Bayer Leverkusen was the same person who represented Kaishi Entertainment during the Melbourne Victory announcement in the same year.

A YouTube channel branded as “Zunlong Kaisheng” and featuring the Dragon Z6 logo hosts a 2024 video titled “Welcome to Dragon Casino”. It shows a tour of a facility where female croupiers are live-streamed operating table games.
The video also features framed photographs purporting to show various ceremonies. These include the KashBet image of van Persie, as well as club teams AS Roma and AFC Ajax’s Asian betting partnerships with KB88 in 2017. Another photo claims to show former Real Madrid, Chelsea and Belgium footballer Eden Hazard becoming a Dragon Casino “brand ambassador” in 2020.
Bellingcat’s emails to representatives for Eden Hazard, who was recently announced as a “global ambassador” for online gambling platform Stake, were not returned.

The location of the facility is not stated but open source evidence shows it was filmed in the Philippines, where offshore gaming operators were banned in 2024. Reverse image searches confirm one section of the promotional video was shot in the five-star Peninsula Hotel in Makati City, Manila.
Dutch club Ajax, who were sponsored by KB88 in 2017, said their deal involved Hong Kong firm KB88 Entertainment Culture Limited. A company based in the British Virgin Islands is also behind trade names linked to KB88, according to a 2023 investigation by Dutch outlet NRC. But the entities purportedly in control of the gambling platform do not stop there.
Dragon Z6’s site links to a 2012 statement posted by English Championship club, Queen’s Park Rangers (QPR), announcing a one year deal to make KashBet the club’s international betting partner. The press release, which was removed from QPR’s website earlier this year, said KashBet was “fully owned and operated by Keen Ocean Entertainment (IOM) Limited” and licensed and regulated by the Gambling Supervision Commission (GSC) on the Isle of Man.

Records from the Isle of Man company registry show a company named Goldenway Investments (UK) Limited was incorporated in 2010 and changed its name to Keen Ocean Entertainment (IOM) Limited a month later. The company’s two directors were both residents of the Isle of Man, and Hong Kong resident Yong Tang was added as the third director in November of that year. A company acting as the secretary, Rivercroft Limited, is also named in documents.
An archive of the Isle of Man’s Gambling Supervision Commission’s 2012-13 annual report shows that Keen Ocean Entertainment obtained a full online gambling license. This enabled it to enter into the QPR deal as the regulated body behind KashBet.
Filings on the Isle of Man register are low on detail. Balance sheets are not filed, and the only documented activity about the company was the occasional movement of Isle of Man-based directors. By November 2015, Yong Tang was the sole director of the company.
In 2016, Keen Ocean Entertainment was informed by the Companies Registry that it did not have the authority to maintain its registered office at the address it had given as its premises. Yong Tang did not respond to this correspondence, according to the available documents, and the company was subsequently struck off the register.

Gaming Compliance International (GCI), a regulatory intelligence firm that monitors the global online gambling market, said Dragon Z6 and KashBet did not have a current gaming license in any credible jurisdiction.
Ismail Vali, GCI president and the founder and former chief executive of Yield Sec, which tracks gambling and streaming marketplaces, said Dragon Z6 “ruthlessly” targeted audiences in China – where gambling is illegal – but that did not mean the operators were based there.
“Generally, in the illegal gambling model, they use triangulation and separation,” he said. “It’s the most basic form of organised crime: operate your business in one place, incorporate your business in another, make your money from many places, bank your money in many places, and, finally, invest and spend it everywhere to create more crime. Separating the elements of the illegal activity creates problems for tracing, policing and enforcement.”
Vali said Western football associations that are struggling to operate on shrinking budgets could be lured into sponsorship deals with unregulated and illegal gambling companies, which were focused on building brand recognition through live-broadcast games.
“The illegal gambling companies aren’t focused upon making money from the direct audience of the clubs or from the football association’s footprint in Croatia,” he said. “What they are making money from is the audience the football matches are broadcast to globally. They want to communicate what the brand is and because it’s associated with international soccer people think it must be trustworthy.
“The whole point here is to recruit you through sports. That’s the cheapest way to get you interested because you want to place a bet on Croatia versus the Czech Republic in the World Cup qualifiers. Once they recruit a customer cheaply via sports events, they can then cross-sell or migrate them into casino and more products – where the profit margin is far higher.
“Unregulated gambling companies want a blended customer – they don’t just want you for sports betting, they want you for everything.”
Ross Higgins and Connor Plunkett contributed to this article.
The post Croatia’s Football Team Signed Deal With Gambling Sponsor Whose Rep Used Fake Name appeared first on bellingcat.
Discover how European biometric passports work. Explore RFID chips, Data Groups (DG1-DG3), MRZ encryption, and the tech behind the Schengen Entry/Exit System.
The post Information Stored in European Passports appeared first on Security Boulevard.

It’s the month of top seeds, big upsets, and Cinderella runs by the underdogs. With March Madness basketball cranking up, a fair share of online betting will be sure to follow—along with online betting scams.
Since a U.S. Supreme Court ruling in 2018, individual states can determine their own laws for sports betting. Soon after, states leaped at the opportunity to legalize it in some form or other. Today, nearly 40 states and the District of Columbia have “live and legal” sports betting, meaning that people can bet on single-game sports through a retail or online sportsbook or a combination of the two in their state.
And it has made billions of dollars for the government.
If you’re a sports fan, this news has probably been hard to miss. Or at least the outcome of it all has been hard to miss. Commercials and signage in and around games promote several major online betting platforms. Ads have naturally made their way online too, complete with all kinds of promo offers to encourage people to get in on the action. However, that’s also opened the door for scammers looking to take advantage of people who want to make a bet online, often through shady or outright phony betting sites, according to the Better Business Bureau (BBB).
Let’s take a look at the online sports betting landscape, some of the scams that are cropping up, and some things you can do to make a safer bet this March or any time.
Among the 30 states that have “live and legal” sports betting, 19 offer online betting, a number that will likely grow given various state legislation that’s either been introduced or will be introduced soon.
If you’re curious about what’s available in your state, this interactive map shows the status of sports betting on a state-by-state level. Further, clicking on an individual state on the map will give you yet more specifics, such as the names of retail sportsbooks and online betting services that are legal in the state. For anyone looking to place a bet, this is a good place to start. It’s also helpful for people who are looking to get into online sports betting for the first time, as this is the sort of homework that the BBB advises people to do before placing a sports bet online. In their words, you can consider these sportsbooks to be “white-labeled” by your state’s gaming commission.
However, the BBB stresses that people should be aware that the terms and conditions associated with online sports betting will vary from service to service, as will the promotions that they offer. The BBB accordingly advises people to closely read these terms, conditions and offers. For one, “Gambling companies can restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, “[L]ike any sales pitch, these can be deceptive. Be sure to read the fine print carefully.”
Where do scammers enter the mix? The BBB points to the rise of consumer complaints around bogus betting sites:
“You place a bet, and, at first, everything seems normal. But as soon as you try to cash out your winnings, you find you can’t withdraw a cent. Scammers will make up various excuses. For example, they may claim technical issues or insist on additional identity verification. In other cases, they may require you to deposit even more money before you can withdraw your winnings. Whatever you do, you’ll never be able to get your money off the site. And any personal information you shared is now in the hands of scam artists.”
If there’s a good reason you should stick to the “white labeled” sites that are approved by your state’s gaming commission, this is it. Take a pass on any online ads that promote betting sites, particularly if they roll out big and almost too-good-to-be-true offers. These may lead you to shady or bogus sites. Instead, visit the ones that are approved in your state by typing their address directly into your browser.
In addition to what we mentioned above, there are several other things you can do to make your betting safer.
In addition to choosing a state-approved option, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of customer ratings, complaints registered against the organization, and the organization’s response to the complaints, along with its BBB rating, if it has one. Doing a little reading here can be enlightening, giving you a sense of what issues arise and how the organization has historically addressed them. For example, you may see a common complaint and how it’s commonly resolved. You may also see where the organization has simply chosen not to respond, all of which can shape your decision whether to bet with them or not.
Credit cards are a good way to go. One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card companies may have their own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.
Comprehensive online protection software will defend you against the latest virus, malware, spyware, and ransomware attacks plus further protect your privacy and identity. In addition to this, it can also provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts. And, specific to betting sites, online protection can help prevent you from clicking links to known or suspected malicious sites.
With online betting cropping up in more and more states for more and more people, awareness of how it works and how scammers have set up their presence within it becomes increasingly important. Research is key, such as knowing who the state-approved sportsbooks and services are, what types of betting are allowed, and where. By sticking to these white-label offerings and reading the fine print in terms, conditions, and promo offers, people can make online betting safer and more enjoyable.
Editor’s Note: If gambling is a problem for you or someone you know, you can seek assistance from a qualified service or professional. Several states have their own helplines, and nationally you can reach out to resources like http://www.gamblersanonymous.org/ or https://www.ncpgambling.org/help-treatment/.
The post How to Protect Yourself from March Madness Scams appeared first on McAfee Blog.