A routine asset scan for a major entertainment company uncovered a massive gambling operation hiding behind legitimate e-commerce infrastructure. The discovery began with a simple subdomain takeover on Shopify: an abandoned DNS mapping that had been left active after a store was decommissioned. Within 24 hours, attackers hijacked the subdomain, transforming a “Shop Not Found” page into a live gambling storefront that inherited the victim’s SEO reputation and domain trust. What appeared to be an isolated misconfiguration was later found to be part of a sprawling, organized network of over 500 gambling brands operating across cloud providers including AWS, Cloudflare, GCP, Akamai, and Oracle.
The attackers built realistic e-commerce facades using enterprise-grade marketing stacks, complete with analytics, A/B testing, GDPR banners, and session replay scripts, to blend in and avoid detection. Each cloned storefront contained hidden structures linking to other gambling domains, forming a distributed and resilient web of mirrors. Shared templates, telemetry keys, and overlapping analytics tags confirmed centralized control and active campaign management. This infrastructure leveraged the trust of hijacked corporate subdomains to gain SEO ranking, launder attribution, and shift operational costs to legitimate businesses.
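The tag-overlap correlation described above can be sketched as follows. This is an added example, not tooling from the investigation. The hostnames, HTML snippets and tag IDs are constructed, and the choice of Google Analytics and Tag Manager ID formats is an assumption, since the page does not name the analytics products involved.

```python
import re
from collections import defaultdict

# Assumed ID shapes: GA4 (G-...), Universal Analytics (UA-...), Tag Manager (GTM-...).
TAG_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4}|GTM-[A-Z0-9]{4,8})\b")

# Constructed sample: hostname -> fragment of fetched storefront HTML.
SAMPLE_PAGES = {
    "shop.victim.example": "<script src='gtm.js?id=GTM-ABCD123'></script> gtag('config','G-AAAAAA1111')",
    "casino-one.example": "<script src='gtm.js?id=GTM-ABCD123'></script>",
    "casino-two.example": "gtag('config','G-AAAAAA1111'); ga('create','UA-1234567-1')",
    "casino-three.example": "ga('create','UA-1234567-1')",
    "unrelated.example": "gtag('config','G-ZZZZZZ9999')",
}

def extract_tags(html):
    """Return the set of analytics/tag-manager IDs found in a page."""
    return set(TAG_RE.findall(html))

def cluster_by_shared_tags(pages, min_sites=2):
    """Group hosts that share any tag ID, transitively (union-find).

    Returns a sorted list of (hosts, linking_tags) for groups of min_sites or more.
    """
    parent = {host: host for host in pages}

    def find(host):
        while parent[host] != host:
            parent[host] = parent[parent[host]]  # path halving
            host = parent[host]
        return host

    tag_hosts = defaultdict(set)
    for host, html in pages.items():
        for tag in extract_tags(html):
            tag_hosts[tag].add(host)
    for hosts in tag_hosts.values():
        first, *rest = sorted(hosts)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for host in pages:
        groups[find(host)].add(host)
    clusters = []
    for members in groups.values():
        if len(members) >= min_sites:
            # Only tags seen on two or more member hosts count as linking evidence.
            linking = sorted(t for t, hs in tag_hosts.items() if len(hs) > 1 and hs <= members)
            clusters.append((sorted(members), linking))
    return sorted(clusters)

if __name__ == "__main__":
    for hosts, tags in cluster_by_shared_tags(SAMPLE_PAGES):
        print(hosts, "linked by", tags)
```

A company subdomain that lands in a cluster with domains it does not own is a strong signal that the subdomain is serving third-party content and its DNS mapping should be reviewed.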