An international network of cybercriminals has infiltrated the digital infrastructure of Mexican public institutions, including government and university websites, to run a large-scale online gambling scam. In less than two months, they have created at least 20 domains targeting the Mexican public, hidden within official pages, which automatically redirect users to illegal gaming platforms such as A7X and RBD 777. These sites appear legitimate, even using fake logos of the Ministry of the Interior (Segob) to deceive users and earn their trust.
The attackers hijack vulnerable servers, insert malicious code, and manipulate Google search results so that when users type terms like “casino,” “blackjack,” or “slot machines” along with the name of an institution, active or indexed links appear that lead directly to these clandestine casinos. Most concerning is that many of these pages are still accessible online.
The use of government websites to conceal illegal operations not only represents a technical failure, but also poses a serious threat to public trust, institutional integrity, and national digital security.
A Massive Campaign Targeting the Mexican Public
Between March and May 2025, a wave of suspicious websites was detected, all sharing strikingly similar patterns: names containing combinations like “mx,” “97,” “g77,” or “fun.” Examples include mxph97.com, mxg99.xyz, mxfun97.com, and mxa7.com. All of these domains led to the same destination: cloned versions of the A7X casino, a site designed to appear legitimate and offering welcome bonuses, fast withdrawals, and daily prizes to lure users in.
What’s particularly alarming is that all these domains are hosted on the same IP address: 104.18.16.172. That single IP hosts at least 48 active domains, most of which were registered within just a few weeks—from late March to early May. Additionally, another linked IP address, 104.18.18.204, was found hosting over 200 domains. Many of these domains have names that sound generic or are crafted to seem trustworthy, such as p999.com, aaaawin.app, rbd777.bet, and 888novo.com. All operate in a similar fashion: redirecting users to illegal gambling platforms with the intent of deceiving and capturing unsuspecting visitors.
One of the most serious incidents occurred on the website of the Centro Estatal de Información sobre Seguridad Pública (CEISP) in Yucatán. In this case, the attackers managed to hijack the institutional domain and, even more concerning, automatically redirect hundreds of subdomains to an illegal gambling page. Evidence suggests they not only inserted malicious code but may have gained full control of the server.
This is not an isolated case. Websites of other institutions also show signs of being compromised. For example, the portal of the Instituto Nacional de Antropología e Historia (INAH) showed signs of covert redirection, likely carried out through a web shell—a digital backdoor granting attackers continuous access. A similar situation occurred with the website of the Tribunal Electoral del Poder Judicial de la Federación (TEPJF), which was also compromised, although the issue has since been resolved.
The list of affected institutions continues to grow. Incidents have been identified on the portals of the Congress of Colima, the municipality of Atlixco, the Civil Protection Coordination of Morelos, the Guadalajara City Council, and even the national DIF (National System for Integral Family Development) website. Beyond the technical damage, these attacks deliver a significant blow to the reputation of these institutions, as these are places where the public expects to find reliable information—not digital traps.
Gambling Disguised with Official Logos
Cloned sites such as RBD 777 or A7X are crafted to appear trustworthy at first glance. They feature highly polished designs, especially optimized for mobile viewing, and most worryingly, they include fake seals and logos—like the emblem of the Ministry of the Interior (Segob)—to give the illusion of legality. They also lure users with supposed rewards just for signing up or downloading an app: “$300 peso bonus” or “instant withdrawals”—offers that seem too good to be true.
Behind these schemes lies a growing form of deception known as design fraud. The attackers don't just copy content from legitimate pages—they precisely replicate design elements and user experience (UX/UI) to make the interface nearly identical to that of a real site. Fonts, colors, buttons, even animations and pop-up messages are meticulously placed to ensure the user never doubts they’re in a trusted environment. This greatly increases the risk of falling for the scam without noticing any warning signs.
To draw in more victims, the operators launch aggressive campaigns on social media platforms like X (formerly Twitter) and Facebook. Dozens of automated accounts repeatedly share the same message, only changing the link—but all routes lead to the same illegal gambling sites.
In some cases, the perpetrators have even reused old domains or digital certificates that were once legitimate to boost their credibility. For instance, a subdomain of mx97.xyz was found to have a certificate in 2019 associated with a supposed BBVA-related system, though it’s no longer active. Every detail is carefully orchestrated to mislead users.
Universities Also Targeted by the Scam
This wave of attacks has not been limited to government websites. Pages ending in .edu.mx have also been compromised, indicating that several Mexican universities have fallen victim. Among the affected institutions are the Instituto de Estudios Superiores de Zacatecas (IEZ), the Universidad Tecnológica de Querétaro (UTEQ), and others where certain subdomains or modified links display casino-related content such as “Blackjack,” “Poker,” or “Roulette.”
In many cases, these redirections only activate if the visitor is using a mobile device, either Android or iPhone. This is no coincidence: the sites are programmed to detect the type of device and only redirect mobile users, making it significantly harder for administrators to spot the issue from desktop computers.
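An administrator can check for this device-conditional behaviour by requesting the same page as a desktop, an Android and an iPhone client and comparing the answers. The sketch below is an added example, not code from the article or from any affected institution; the function names, the abbreviated User-Agent strings and the `example.org` / `example.net` hosts are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed User-Agent strings, one per client type to compare.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/124.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148 Safari/604.1",
}
KEYWORDS = ("casino", "blackjack", "poker", "roulette", "slot")  # terms the article mentions

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def http_fetch(url, user_agent):
    """One GET without following redirects -> (status, Location header, body text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=10)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp = err
    body = resp.read(200_000).decode("utf-8", "replace")
    return resp.code, resp.headers.get("Location") or "", body

def check_cloaking(url, fetch=http_fetch):
    """Return {profile: [reasons]} for every profile whose response looks wrong."""
    site = urlparse(url).hostname
    results = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    findings = {}
    for name, (status, location, body) in results.items():
        reasons = []
        target = urlparse(location).hostname
        if target and target != site and not target.endswith("." + site):
            reasons.append(f"off-site redirect to {target}")
        hits = [k for k in KEYWORDS if k in body.lower()]
        if hits:
            reasons.append("gambling terms in body: " + ", ".join(hits))
        if (status, location) != results["desktop"][:2]:
            reasons.append("status/redirect differs from desktop")
        if reasons:
            findings[name] = reasons
    return findings

def simulated_fetch(url, user_agent):
    """Constructed stand-in for a compromised server: only mobile clients are redirected."""
    if "Mobile" in user_agent:
        return 302, "https://casino.example.net/bonus", ""
    return 200, "", "<html><title>Portal institucional</title></html>"
```

Calling `check_cloaking(url)` without the `fetch` argument queries a live server you administer; `simulated_fetch` only exists so the logic can be exercised offline. A redirect performed by injected JavaScript inside the browser does not appear in the response headers, so for that case the keyword scan of the body is the only signal this check provides.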
The entire scheme is built for stealth and rapid scaling. On one hand, the perpetrators use advanced SEO manipulation techniques (known as SEO poisoning) to ensure their sites appear prominently in search results. On the other hand, they exploit DNS vulnerabilities, hijack social media accounts to spread links, and even launch referral programs that promise “rewards” for sharing the sites with others—all in a bid to generate more traffic and attract more victims.
Over 200 domains connected to this fraud network have been traced worldwide, many with similar names, identical or nearly identical visual templates, and SSL certificates that follow the same patterns. In Mexico alone, at least 20 domains are currently active or were recently created—emerging within just a six-week span.
Some of these sites can even detect the user’s country of origin and redirect them to a different version of the fake casino based on their location. This clearly points to a well-organized, targeted operation—not an improvised scheme.