LockDown IT Threat Intelligence Report
STAKES ONLINE | CYBERSECURITY THREATS FACING AFRICAN iGAMING & SPORTS BETTING | LOCKDOWN IT THREAT INTELLIGENCE REPORT
LOCKDOWN IT iGAMING THREAT INTELLIGENCE REPORT
STAKES
ONLINE
Cybersecurity Threats Facing African iGaming and Sports Betting
This report is hosted serverless on Cloudflare's Developer Platform
A 2026 Threat Intelligence Report | LockDown IT Cyber Response Team

LockdownIT | Cloudflare Enterprise Services Partner | Sub-Saharan Africa Focus
About This Report

This report is intended for senior leadership at iGaming, sports betting, and lottery operators across Sub-Saharan Africa — Chief Executives, Chief Operating Officers, Heads of Risk and Compliance, Heads of Technology, and Information Officers responsible for player trust, regulatory standing, and operational continuity. It draws on publicly documented cyber incidents in the global gaming and gambling sector, industry threat telemetry from Akamai, Imperva, NETSCOUT and Cloudflare, and the regulatory frameworks under which African operators are licensed.

Executive Summary

Online gambling has become one of the most-attacked verticals on the internet. Industry research consistently places gaming and gambling among the top targets for DDoS extortion, account takeover, and supply-chain compromise — with attack volume surging during major sporting events. Akamai recorded a 94% year-on-year rise in web attacks against the gaming sector in Q1 2024 alone, with bot activity quadrupling over the same period. EMEA — which encompasses Sub-Saharan Africa — has been the top region globally for DDoS attacks in successive years.

In Sub-Saharan Africa, iGaming and sports betting have grown rapidly on the back of mobile money, smartphone adoption, and league sponsorship deals. Operators in Nigeria, Kenya, South Africa, Ghana, Tanzania, and Uganda now process billions of dollars in monthly wagers across mobile apps, web portals, USSD shortcodes, and retail networks. Public reporting has documented incidents affecting African operators directly — including a multi-operator Nigerian sportsbook data leak disclosed in 2019 — as well as a sustained run of breaches against the global vendor ecosystem on which African operators depend.

A serious cyber incident at a betting operator is not merely an IT problem — it is a regulatory, financial, and reputational crisis. An outage during a Premier League weekend, an AFCON match, or a major political event translates directly into lost handle, voided bets, and player attrition to competitors. A confirmed personal data breach exposes operators to scrutiny under POPIA in South Africa, the NDPR in Nigeria, and Kenya's Data Protection Act, and can place a gambling licence at risk. IBM's Cost of a Data Breach Report places the average cost of a breach in South Africa at R53.1 million — before factoring in licence implications, regulatory penalties, or the cost of regaining player confidence.

Key Findings
1. iGaming is one of the most-attacked verticals on the internet: Akamai recorded a 94% rise in web attacks against the gaming sector in Q1 2024, with bot activity quadrupling. Imperva research has found that, in a single representative month, roughly 25% of all gambling sites were hit by DDoS attacks.
2. African operators are part of a global vendor ecosystem with documented breaches: Publicly reported incidents in 2024–2025 affected International Game Technology (IGT), Bragg Gaming Group, and the Fast Track CRM platform serving 100+ operators worldwide. Any African operator using these or comparable suppliers inherits that risk.
3. Nigerian sports betting was the subject of a multi-operator data leak: A December 2019 disclosure to Have I Been Pwned included database backups from a Nigerian sportsbook ecosystem — placing player records into criminal markets and creating an enduring credential-stuffing resource against any account that re-uses passwords across operators.
4. Major sporting events are predictable attack windows: Bot attacks spiked 96% during Euro 2020. Sports betting traffic during the FIFA World Cup, AFCON, the IPL, and Premier League weekends correlates with peak DDoS, account-takeover, and credential-stuffing activity — the same pattern African operators see around AFCON and Premier League fixtures.
Section 01 · Threat Landscape 01

The Scale of the Threat§

Online gambling is one of the most-attacked verticals on the internet. EMEA — the region that includes Sub-Saharan Africa — has been the top region globally for DDoS attacks in successive years. Attack volume rises sharply during major sporting events, and the threat actors are professional operators with industrial-scale tooling.

+94%rise in gaming sector web attacks
Year-on-Year · Q1 2024

Akamai's State of the Internet measured a 94% increase in web attacks against the gaming and gambling sector over Q1 2024, with bot activity over the same period quadrupling. Operators in Sub-Saharan Africa face the same global threat environment as their counterparts in EMEA and the Americas, magnified by peak-event timing around AFCON, Premier League weekends, and the World Cup cycle.

Source: Akamai State of the Internet, 2024 [1]
+94%Rise in gaming sector web attacks, Q1 2024 [1] 25%Of all gambling sites hit by DDoS in a single month [2] 800 GbpsPeak ransom DDoS on a gambling operator [3] $169BProjected online gambling market size by 2030 [4]

iGaming and sports betting operators sit in the crosshairs of an unusually wide adversary mix. Financially motivated criminal groups treat operators as high-value targets because of the combination of player PII, KYC documents, payment data, and large cash flows. DDoS-extortion crews target operators specifically because every minute offline costs them real money — making the threat to operate uniquely credible. Hacktivist groups target gambling for ideological reasons. State-aligned actors increasingly target sportsbook APIs to manipulate odds and bets. The combined attack surface is broader than almost any other consumer-facing industry.

Sub-Saharan African operators face the global threat environment with three additional pressure points. First, peak-event traffic concentrates around the AFCON, Premier League weekends, and World Cup cycle, creating predictable windows for DDoS extortion and credential stuffing. Second, mobile money rails (M-Pesa, MTN MoMo, Airtel Money) are integral to deposit and withdrawal flows, expanding the payment-fraud surface beyond what European operators contend with. Third, the supplier ecosystem is largely international — from sportsbook platforms (BtoBet, Kambi, SBTech) to CRM (Fast Track, Optimove) and KYC (Onfido, SmileID) — meaning African operators inherit the security posture of vendors based on other continents.

In East Africa, the July 2023 Anonymous Sudan campaign that took 10 Kenyan universities offline also disrupted Safaricom, M-Pesa, and the government's eCitizen platform. While that campaign did not directly name betting operators among its targets, it demonstrated the kind of coordinated infrastructure attack that any high-profile African operator, especially one in a politically sensitive market, must now plan for.

+96%Bot attack spike during Euro 2020 [5] 800,000Customers exposed in a 2025 European betting breach [6] 5+Publicly reported incidents in the global iGaming vendor ecosystem, 2023–2025
Threat Groups Active Against the Gaming and Gambling Sector
Documented adversaries against iGaming operators include Scattered Spider (the group publicly tied to the 2023 MGM Resorts and Caesars Entertainment incidents), Qilin (a Russian-speaking ransomware-as-a-service operation that claimed credit for an attack on global gaming tech vendor IGT in November 2025), and unattributed ransom-DDoS operators specialising in attacks against gambling sites during peak betting windows.
Financially Motivated · Social Engineering Scattered Spider

Overview: Scattered Spider is an English-speaking, financially motivated threat group that emerged around 2022 and rose to international prominence with the September 2023 attacks on MGM Resorts and Caesars Entertainment, which collectively cost those operators an estimated USD 115 million. Where most ransomware operators rely on software exploits, Scattered Spider's signature is human-targeted social engineering — phone calls to IT helpdesks impersonating staff, SIM swaps against executives, and convincing phishing kits.

Key characteristics: Initial access is most often achieved by phoning the target's IT support line and convincing an agent to reset credentials or enrol an attacker-controlled device for multi-factor authentication. Once inside, the group leverages commercial remote-management tools (TeamViewer, AnyDesk, Splashtop) to blend in with normal admin activity. Data is exfiltrated to cloud storage, and ransomware is deployed via affiliations with groups such as BlackCat/ALPHV, RansomHub, and Qilin. The group does not require deep technical sophistication — it relies on convincing humans, which makes it especially dangerous for any operator with an outsourced or under-trained IT support function.

Quick Facts
Active since
2022
Origin
English-speaking, US/UK
Aliases
UNC3944, Octo Tempest, 0ktapus
Method
Social engineering, SIM swap, RMM abuse
Model
Affiliate / multi-extortion
Sector focus
GamingCasinos, hospitality, telco
Notable victims
MGM Resorts & Caesars Ent. (Sep 2023)
Threat severity 5/5
Ransomware-as-a-Service Qilin

Overview: Qilin is a Russian-aligned ransomware-as-a-service operation active since 2022, and one of the most prolific ransomware brands of 2025. Affiliates recruited through Russian-language criminal forums carry out the attacks; the group provides the ransomware, the negotiation infrastructure, and a dark web leak site. In November 2025 Qilin publicly claimed credit for an attack on International Game Technology (IGT) — one of the world's largest gaming-tech vendors, present in over 100 countries — alleging exfiltration of 10 GB across 21,683 files.

Key characteristics: Initial access typically through phishing, exploitation of internet-facing services, and credentials purchased from initial access brokers. Double extortion is the standard play: data is exfiltrated to a Qilin-controlled server before file encryption, and if the ransom is refused, the data is published on the group's onion leak site. Notable for avoiding victims in CIS (former Soviet) states, indicating a Russian-aligned operating posture. Most affected country to date is the United States, followed by France, Canada, and South Korea.

Quick Facts
Active since
2022
Origin
Russian-aligned
Model
RaaS, double extortion
Top victim country
United States
Avoids
CIS countries
Sector activity
Manufacturing, finance, retail, healthcare, gaming
Notable claim
GamingIGT (Nov 2025)
Threat severity 5/5
Hacktivist / Ransom DDoS Anonymous Sudan, NoName057(16), KillNet

Overview: Several loosely affiliated DDoS collectives — Anonymous Sudan, NoName057(16), KillNet — pursue politically and ideologically motivated denial-of-service campaigns against high-profile online services. The gambling sector is a recurring target, both because the industry's public profile makes it ideologically attractive in some jurisdictions and because the financial stakes of any outage make ransom DDoS ("RDDoS") credible. Anonymous Sudan's July 2023 campaign against Kenyan infrastructure took 10 universities, seven hospitals, Safaricom mobile services, M-Pesa, and the eCitizen platform offline simultaneously — demonstrating the kind of nation-scale disruption that any high-profile African operator must now plan for.

Key characteristics: High-volume volumetric attacks (the largest known ransom DDoS against a gambling operator peaked at 800 Gbps in 2021), often layered with application-layer attacks targeting login pages, betslip APIs, and account dashboards. Attacks are coordinated openly on Telegram channels and frequently timed to peak betting windows — major sporting events, election cycles, and religious holidays. DDoS-for-hire services have dropped the cost of commissioning an attack to as little as EUR 5 for five minutes, meaning any disgruntled player or competitor can launch a credible attack.

Quick Facts
Active since
2021–2023
Motive
Ideological + ransom
Method
Volumetric & layer-7 DDoS
Coordination
Telegram channels
Peak observed
800 Gbps (gambling, 2021)
Africa activity
AfricaKenya campaign (Jul 2023)
Sector pattern
Peak-event timing (AFCON, EPL, World Cup)
Threat severity 4/5
Bottom lineiGaming is one of the most-attacked verticals online — bot activity quadrupling, roughly a quarter of gambling sites hit by DDoS in a single month, and African operators fully inside the global vendor blast radius.
Section 02 · Attack Vectors 02

How Operators Are Being Attacked§

Six attack categories account for almost every incident on record — DDoS extortion, account takeover, vendor compromise, web application exploits, payment and bonus fraud, and ransomware. They are routinely combined.

iGaming and sports betting operators face six primary attack categories, often used in combination. A motivated adversary will rarely use just one.

DDoS & Ransom DDoS: The Peak-Event Attack

A distributed denial-of-service attack floods a sportsbook or casino with traffic volumes far beyond what its infrastructure can absorb. Operators are uniquely exposed because every minute of downtime translates directly into lost handle and voided in-play bets. The largest known ransom DDoS against a gambling operator peaked at 800 Gbps in 2021, and one industry study found that ~25% of all gambling sites were hit by DDoS attacks in a single representative month. [2][3] The economics of DDoS-for-hire — five minutes for EUR 5, weekly subscriptions for under USD 15 — mean that aggrieved players, ideological actors, and competitors can all credibly commission an attack. Mitigation requires absorbing attack traffic at the global edge, before it ever reaches the operator's origin.

Attack volume against the gambling sector rises sharply during major sporting events. Bot activity spiked 96% during Euro 2020. Sports-betting traffic during the FIFA World Cup, AFCON, the IPL, and Premier League weekends correlates with peak DDoS, ATO, and credential-stuffing activity. The pattern is predictable enough to plan against.
Account Takeover & Credential Stuffing: The Quiet Bleed

Account takeover is the largest single-category loss for most online operators. Criminals purchase credential lists from prior breaches (including the publicly disclosed Nigerian sportsbook leak of 2019) and use automated tools to attempt logins against operator portals at tens of thousands of attempts per minute. When a match succeeds, the attacker can drain the wallet, change withdrawal bank details, abuse bonuses, or place coordinated bets. Survey research suggests 40% of online sports bettors have experienced cyber fraud tied to their accounts, and over 50% of sports betting websites reported at least one cybersecurity incident in 2023. [5] Underlying driver: 65% of users re-use passwords across sites, which makes a single third-party breach an enduring threat to every other operator the player uses.

Vendor and Supply Chain Compromise

African operators rely heavily on international suppliers — sportsbook platforms, payment gateways, KYC providers, CRM, affiliate networks, and live-casino studios. A breach at any one of them propagates instantly. The October 2025 attack on Fast Track, a Malta-based CRM platform serving over 100 operator partners worldwide, compromised at least two casino clients including Shuffle Casino — exposing player names, email addresses, home addresses, phone numbers, and transaction histories. [7] The November 2024 IGT cyberattack disrupted internal systems at the global gaming-tech vendor; in November 2025 the Qilin ransomware group claimed credit for a follow-on intrusion. [8][9] In August 2025 iGaming content supplier Bragg Gaming Group confirmed an intrusion of its internal computer environment. [10] None of those attacks required adversaries to ever touch an African operator's network — yet operators using affected suppliers inherited the exposure.

Web Application & API Attacks

Every internet-facing system at an operator — registration, login, deposit, withdrawal, betslip, live-odds API — is exposed to SQL injection, cross-site scripting, and application-layer exploits. Imperva research has previously found that gaming sites suffer cross-site scripting at twice the rate of any other industry, and that 28% of all API traffic in gaming was directed at undocumented "shadow" APIs. Sportsbook APIs are an especially high-value target: a successful attacker can rig bets, harvest odds data for arbitrage, or extract player rosters in bulk. Defence requires a Web Application Firewall with API discovery, schema enforcement, and rate limiting — not just an IP allowlist on the load balancer.

Payment, Bonus, and Identity Fraud

Beyond technical compromise, operators face an industrialised fraud ecosystem: multi-accounting and bonus abuse (creating dozens of synthetic identities to claim sign-up bonuses), KYC document fraud (deepfake selfies and synthetic ID documents to pass verification), and payment fraud (chargebacks, money-mule networks abusing mobile-money rails). Mobile money is a particular pressure point in Sub-Saharan Africa: the same channels that make deposit and withdrawal frictionless for legitimate players also create dense laundering opportunities for organised fraud rings. Defending against this requires bot management, device fingerprinting, behavioural analytics, and tight integration with KYC providers.

Ransomware: The Catastrophic Outcome

Ransomware remains the most damaging single attack type. Criminal software penetrates the operator's network through phishing, exposed remote access, or unpatched vulnerabilities, and silently encrypts files across sportsbook databases, finance systems, KYC archives, and player wallets. Modern ransomware operators study their targets and deliberately strike during peak revenue periods — major sporting events, holiday weekends, regulatory deadlines. The average ransomware recovery takes 21 to 24 days. [11] The 2023 MGM Resorts incident cost an estimated USD 100 million in lost EBITDA over ten days of outage; Caesars Entertainment paid an estimated USD 15 million ransom to avoid the same fate. [12]

Bottom lineSix attack categories used in combination — DDoS extortion, account takeover, vendor compromise, web and API exploits, payment and bonus fraud, and ransomware — peaking around major sporting events.
Section 03 · Documented Incidents 03

Operators Under Attack§

Five publicly reported incidents — one direct African operator data leak, three global supply-chain compromises that touched African operators, one industry-defining ransomware case. Together they illustrate the patterns leadership needs to recognise.

The five incidents below are drawn from publicly available reporting on cyber events affecting the global iGaming, sports betting, and gambling-technology sector. Where African operators are referenced, identifying details have been generalised; the underlying public reporting is cited in the sources section. The intent is to provide operator leadership with concrete context for the security investments ahead.

CASE STUDY  |  Nigeria  |  December 2019
SEVERITY 4/5
Nigerian Sportsbook Ecosystem — Multi-Operator Database Leak
Attack Type Database exposure & subsequent credential reuse [13]
Impact In December 2019 a large collection of data from a Nigerian sportsbook operator was disclosed to Have I Been Pwned, alongside database backups from several related betting brands in the ecosystem. Player records — email addresses, usernames, and password hashes — entered criminal markets and have been re-used in credential-stuffing campaigns against unrelated services ever since. Source: Have I Been Pwned, 2019. [13]
Key Lesson: A breach at one operator is a long-tail risk to every other operator the same players use. African operators must assume that historical breaches in their ecosystem are already weaponised against their own login pages, and defend accordingly — with leaked-credentials detection, bot management, and rate-limited login flows.
CASE STUDY  |  Global Precedent — United States  |  September 2023
SEVERITY 5/5
MGM Resorts & Caesars Entertainment — Scattered Spider
Attack Type Social engineering → ransomware & data theft [12]
Impact Two of the world's largest casino-hospitality operators were compromised within weeks of each other in September 2023, both attributed to Scattered Spider. MGM suffered approximately ten days of system outages affecting reservations, slot machines, room keys, and websites, with an estimated USD 100 million EBITDA loss. Caesars paid an estimated USD 15 million ransom and resumed operations more quickly. Both attacks reportedly began with phone calls to IT support staff. [12]
Key Lesson: Technical defences cannot fix a helpdesk that will reset credentials on a convincing phone call. Operators must treat human-targeted social engineering as a first-class threat — with mandatory callback procedures, phishing-resistant MFA (FIDO2 / WebAuthn), and Zero Trust access for any system that touches player data or funds.
CASE STUDY  |  Global Vendor — UK / Italy  |  Nov 2024 & Nov 2025
SEVERITY 5/5
International Game Technology (IGT) — Two Successive Incidents
Attack Type Vendor-environment intrusion & ransomware (Qilin claim) [8][9]
Impact In November 2024 IGT — one of the world's largest providers of slot machines, lottery systems, sports-betting platforms, and iGaming content — disclosed an SEC Form 6-K reporting that an unauthorised third party had accessed parts of its internal IT infrastructure, prompting the company to take systems offline. In November 2025 the Qilin ransomware group publicly claimed credit for a follow-on breach, alleging exfiltration of 10 GB across 21,683 files. [8][9] IGT operates in 100+ countries.
Key Lesson: An attack on a core platform vendor exposes every downstream operator simultaneously, with no warning and no ability to prevent it through conventional perimeter controls. Vendor risk must be assessed continuously — not just once at procurement — and operators should architect for the assumption that any given vendor will eventually be breached.
CASE STUDY: SUPPLY CHAIN BREACH  |  Malta  |  October 2025
SEVERITY 4/5
Fast Track CRM — Multi-Operator Vendor Compromise
Attack Type Vendor breach → downstream operator data exposure [7]
Impact In October 2025 Fast Track, a Malta-based CRM automation platform serving 100+ iGaming operators worldwide, disclosed a "highly sophisticated cyberattack" that compromised two casino clients. Shuffle Casino confirmed the breach and notified players that personal and financial details had been exposed — full names, email and home addresses, phone numbers, and complete transaction histories. Notably, Fast Track had renewed its SOC 2 Type 2 accreditation four months earlier. [7]
Key Lesson: Compliance certifications attest to controls at a point in time; they are not a substitute for ongoing assurance. Operators should minimise the data they share with each third party, segregate vendor access using Zero Trust principles, and treat any large CRM, KYC, or affiliate system as a primary breach risk.
CASE STUDY  |  United Kingdom  |  July 2025
SEVERITY 3/5
Flutter Entertainment — Paddy Power & Betfair Data Breach
Attack Type Unauthorised access & PII disclosure [6]
Impact Flutter Entertainment, parent of Paddy Power and Betfair, confirmed in July 2025 that up to 800,000 customer records were exposed. Compromised data included email addresses, IP addresses, and online activity tied to individual gambling accounts; no passwords, ID documents, or payment details were reported affected. The exposed information is precisely what makes downstream phishing convincing. [6]
Key Lesson: "Low-sensitivity" data is rarely low-impact. Email + IP + activity history is exactly the toolkit an attacker needs to send a believable phishing message to a player, mid-event, claiming a withdrawal hold or KYC issue. Operators should treat behavioural data as PII and protect it accordingly.
Bottom lineFrom the Nigerian sportsbook leak to MGM, IGT and Fast Track, the pattern is consistent and documented — a breach at one operator or shared vendor is a long-tail risk to all.
Section 04 · Impact 04

The Cost of Inaction§

Direct revenue loss, regulatory exposure, licence risk, and reputational damage — for an operator, the bill from a serious incident runs deep into eight figures, before any reputational repair begins.

R53.1Maverage breach cost · South Africa
IBM Cost of a Data Breach Report 2024

The IBM Cost of a Data Breach Report places the average cost of a breach in South Africa at R53.1 million — incident response, system restoration, regulatory notification, legal counsel. Ransom payments, regulatory fines, and licence implications not included.

Source: IBM Cost of a Data Breach Report 2024 [14]
Direct Revenue Loss

For an iGaming operator, downtime is revenue, not just an inconvenience. Industry research suggests that an hour offline during peak betting hours can cost a mid-size operator tens of thousands of US dollars per hour, scaling to seven figures during a major sporting event. The MGM Resorts attack of 2023 illustrates the upper bound: approximately ten days of disrupted operations, ~USD 100 million EBITDA impact, and a successful class-action lawsuit from affected customers. [12] For African operators with thinner margins and tighter cashflow, even a single weekend's outage during a major fixture can be existential.

The R53.1 million average breach cost in South Africa represents a material slice of any mid-sized operator's annual operating budget — deployed not on growth, marketing, or player acquisition, but on recovering from a preventable incident.
Regulatory and Licence Exposure

African operators are subject to a layered regulatory regime. South Africa's POPIA imposes administrative fines of up to R10 million for inadequate processing of personal information, with potential criminal liability for the Information Officer in the most serious cases. Nigeria's NDPR and Kenya's Data Protection Act create comparable obligations. Beyond data-protection law, every operator holds a gambling licence — from the National Gambling Board and provincial regulators in South Africa, the Lotteries Commission and state regulators in Nigeria, or the Betting Control and Licensing Board in Kenya. A serious cyber incident is generally a reportable event under licence conditions, and a pattern of inadequate controls can attract licence review, suspension, or revocation.

Anti-money-laundering and counter-terrorism obligations (FICA in South Africa, the SCUML regime in Nigeria) further raise the stakes around payment-fraud and KYC-bypass incidents: a control failure here can prompt regulator action even if no consumer data is breached.

Operational and Brand Disruption

An operator hit by ransomware will be offline for an average of 21 to 24 days during full recovery. [11] For a betting brand, that interval routinely spans multiple major fixtures and at least one settlement cycle for outstanding bets. Players will not wait; they will deposit with competitors and may not come back. Affiliate channels evaporate. Sponsorship partners ask awkward questions.

Reputational Damage

A publicly reported breach involving player names, KYC documents, or transaction histories generates negative coverage in both mainstream and trade media, and is amplified across the player community on social channels. In a sector built on trust — trust that bets will pay out, that withdrawals will clear, that funds are safe — a single high-profile incident can durably re-shape an operator's brand. In competitive markets like Nigeria, Kenya, and South Africa, where players juggle accounts across multiple operators, reputational damage translates directly into measurable customer-acquisition and retention costs in the following months.

Bottom lineDowntime is revenue, not inconvenience — a serious incident runs into eight figures before licence, regulatory and reputational costs are counted.
Section 05 · The Defence Gap 05

Why Traditional Defences Are Failing§

Firewalls, WAFs on the load balancer, basic anti-bot rules, and on-premise DDoS appliances remain necessary — but they are no longer sufficient for an operator facing professional, peak-event-timed adversaries.

Every operator has firewalls, an on-load-balancer WAF, and some form of anti-bot or fraud rules. These are necessary baseline controls. They are no longer sufficient on their own, because the threat landscape and the operator's own architecture have both moved on.

The Perimeter No Longer Exists

Modern operators run across cloud platforms, third-party CRMs, affiliate networks, KYC providers, payment gateways, live-casino studios, mobile apps, and retail networks — all integrating with the core sportsbook from outside any single perimeter. Legacy firewalls protect a boundary that no longer corresponds to where player data, betslips, or wallet balances actually live. Zero Trust is not a buzzword: it is the only practical operating model for an operator whose surface is, by design, distributed.

On-Premise DDoS Mitigation Cannot Absorb a Modern Attack

The largest known ransom DDoS against a gambling operator peaked at 800 Gbps. [3] No single operator's internet uplink can absorb that, and no on-premise scrubbing appliance can either. Defending against volumetric DDoS requires the ability to intercept and discard malicious traffic at a point in the network with sufficient capacity — a global anycast edge with hundreds of points of presence. The Caribbean operator case study published by Red Button (industry-known but lightly anonymised) shows precisely the typical attack lifecycle: initial volumetric attack saturates the ISP, defender moves to a cloud WAF, attacker pivots to direct-to-origin, defender geo-fences, attacker pivots to a local botnet. The pattern repeats until a global edge absorbs the entire campaign.

Bot Defence That Sees Only One Operator Is Outmatched

Credential-stuffing botnets rotate through operator after operator, learning the defences of each as they go. A standalone bot-management tool sees only its own customer's traffic; an operator built on a global network sees attack patterns developing against thousands of other businesses in real time, and applies that intelligence pre-emptively. For an industry where ATO is the single largest fraud category, this difference is decisive.

Patch Cycles Cannot Outrun Zero-Days

Zero-day vulnerabilities are unknown until exploited. Even when patches are issued, operator IT teams running legacy environments cannot realistically patch all systems within the window between disclosure and active exploitation. Virtual patching at the WAF edge bridges that gap: known attack patterns are blocked at the network edge while underlying software is patched on its normal cycle.

Operator Security Teams Are Outgunned

The adversaries operators face — Scattered Spider, Qilin affiliates, sophisticated DDoS-extortion crews, organised fraud rings — are professional, well-resourced, and operate at industrial scale. SSA operators typically run security teams of 3 to 10 people. Expecting an in-house team of that size to detect, contain, and respond to a coordinated, multi-vector attack without an enterprise-grade platform is unrealistic. The remedy is leverage: operate the team you have on top of a global security platform that does the heavy lifting at the edge.

Bottom lineOn-load-balancer WAFs, basic anti-bot rules and on-premise DDoS appliances remain necessary but are no longer sufficient — the defensible perimeter has moved to the global edge.
Section 06 · Defence 06

Built for Scale, Available for Operators§

Cloudflare operates one of the largest global networks in the world, with edge presence in Cape Town, Johannesburg, Durban, Nairobi, Mombasa, Lagos, and Accra — the same infrastructure used by global tier-one operators, available to African operators through LockdownIT.

Cloudflare operates one of the largest global networks in the world — 330+ points of presence across more than 120 countries, processing tens of millions of HTTP requests per second and blocking billions of cyber threats every day. The same infrastructure protecting global tier-one operators, regulated financial institutions, and national governments can protect your sportsbook, casino, or lottery brand.

Cloudflare's African network is one of the only enterprise-grade security infrastructures with local edge presence across Sub-Saharan Africa. Attack traffic is absorbed in-region; legitimate player traffic is accelerated through the same edge that protects it.
Request flow · Internet → Cloudflare → Operator Attackers Clean traffic Stopped at gate Click any gate to see what it does
INTERNET CLOUDFLARE EDGE OPERATOR players · punters attackers L01 DDoS Managed VOLUMETRIC L02 Bot Mgmt AUTOMATION L03 WAF + Virtual Patch OWASP / 0-DAY L04 Zero Trust IDENTITY L05 Leaked Creds HIBP CHECK L06 Email Security PHISHING L07 API Shield SCHEMA L08 CDN + Cache EDGE origin sportsbook · casino wallet · KYC APIs live-odds feed PLAYER TIER WALLET / PAY ODDS / API
How to read this diagram
Eight protective layers, one global edge
Every request to an operator's public services arrives first at the Cloudflare edge - one of the largest global anycast networks, with points of presence across Africa and 330+ other cities. Eight protective gates inspect the request in series. Red dots are attackers; most are stopped at the first three gates. Green dots are legitimate traffic; one is served from cache at the edge, two continue to the operator origin. Click any gate above to see which threat it stops and the public evidence behind it.
Layering is illustrative - Email Security operates out-of-band on inbound mail; Leaked Credentials runs inside the WAF; Zero Trust is a separate identity surface. The sequence shown is a teaching tool, not a literal request pipeline.
Cloudflare Product Suite for iGaming Operators

Eleven products organised into three layers of operator protection — the public-facing edge, the identity core, and the mail / API / network surface. Each maps directly to the attack categories in Section 02 and the case studies in Section 03.

01
Public-facing defence
Always-on protection in front of the sportsbook, casino lobby, mobile-app APIs, live-odds endpoints, and player-facing forms
Peak-event & DDoS
DDoS Managed Rules
Always-on, unmetered, automatic mitigation of volumetric and application-layer DDoS at the global edge. Absorbs the 800 Gbps ransom-DDoS pattern within seconds — whether the spike is a coordinated attack or genuine AFCON kickoff demand. [3]
Web Application Firewall + Virtual Patching
Inspects every request to registration, login, deposit, withdrawal, betslip, and odds APIs. When a zero-day lands in a widely-deployed component, virtual-patching rules deploy at the edge within hours — before the operator's internal patch cycle has begun.
Content Delivery Network
Caches static content — images, JS, CSS, live-odds tickers, casino-game assets — at edge PoPs in Cape Town, Johannesburg, Durban, Nairobi, Lagos, and Accra. 60–90% origin offload, 70%+ egress savings, faster mobile play.
Bot Management
Machine learning over global-network signals scores every request, distinguishing real players from the credential-stuffing and multi-accounting bots that dominate gaming-sector traffic — before they reach login, registration, or the bonus engine.
Turnstile
CAPTCHA alternative for high-value forms (registration, login, withdrawal). Runs invisibly for most players and lifts form-completion versus traditional CAPTCHAs — friction-free for punters, protective against automation.
02
Identity & access
Player accounts and internal operator systems — trader consoles, finance back-office, KYC review queues, responsible-gambling tooling
Anti ATO & social-eng
Cloudflare Access (Zero Trust)
Replaces VPN-based implicit trust — the assumption Scattered Spider exploited at MGM — with per-request identity verification for every internal system. Combined with phishing-resistant MFA (FIDO2 / WebAuthn), it shrinks the social-engineering blast radius. [12]
Leaked Credentials Detection
Checks every login against the Have I Been Pwned corpus in real time, blocking known-compromised credentials before access is granted. Direct mitigation for the 2019 Nigerian sportsbook leak and the credential lists re-used against operators ever since. [13]
Cloudflare Gateway (DNS Filtering & SWG)
Secure DNS resolver and web filter for every device on the operator network and remote staff via WARP. Blocks connections to malware infrastructure, phishing kits, and C2 servers before pages load — the proximate vector for ransomware and ATO-supporting malware.
03
Email, API & network connectivity
Inbound mail to finance and ops, machine-to-machine APIs with platform and payment vendors, and on-premise / retail-shop connectivity
Vendor & API
Email Security (Area 1)
AI-driven scanning of inbound mail — impersonations of regulators, payment providers, and affiliate partners — before it reaches finance and ops inboxes. Phishing is the entry point for both ransomware and the helpdesk social engineering behind the MGM and Caesars incidents.
API Shield
Sportsbook odds, mobile-app, and payment-orchestration APIs are high-value targets for bet manipulation, scraping, and bulk extraction. API Shield discovers undocumented “shadow” APIs (28% of gaming API traffic), enforces schemas, validates JWTs, and rate-limits per endpoint.
Magic Transit
For operators running on-premise data centres, retail-shop networks, or local back-office infrastructure: network-layer DDoS protection at the IP layer, absorbing volumetric attacks before they reach the operator's network edge. Built for hybrid cloud / on-premise estates.
Bottom lineThe same global edge that protects tier-one operators is available to African sportsbooks and casinos today — attackers absorbed upstream, before they ever reach the platform.
Working with operators across Africa

We block attackers upstream — on the public internet, before they ever reach your sportsbook, casino, or wallet.

LockDown IT protects iGaming and sports-betting operators across Sub-Saharan Africa. As a Cloudflare Enterprise Services Partner, we deploy Cloudflare's global network — with regional edge presence in Cape Town, Johannesburg, Durban, Nairobi, Lagos, and Accra — in front of your external surface: the sportsbook and casino front end, mobile-app and odds APIs, registration and withdrawal flows, KYC and payment integrations, staff email, and Zero Trust access for trader, finance, and support teams. DDoS floods, credential stuffing, bonus-abuse bots, vulnerability scans, and phishing are absorbed and filtered at the global edge — not at your origin, and never inside your core platform.

01 Upstream by design. Attacks are mitigated in 330+ Cloudflare PoPs globally — nearest the attacker, not your platform. The betslip stays up at kickoff.
02 Maps to your obligations. POPIA, NDPR, FICA / SCUML, and provincial / national licence-condition security requirements — covered by the defences in Sections 05–06.
03 Local accountability. Africa-based delivery, response, and supervision against your own SLAs — not a ticket queue in another time zone.
Get in touch
Book a Cloudflare briefing
or start a 30-day free trial.

A LockDown IT solutions engineer will walk your team through the Cloudflare platform mapped to your specific architecture — sportsbook front end, mobile and odds APIs, wallet and KYC, staff email. Or we can stand up a 30-day product trial against a non-production surface so the team can evaluate it directly.

Cloudflare Enterprise Services Partner Sub-Saharan Africa coverage 30-day product trial available
Self-Assessment Snapshot

A one-page checklist a Head of Risk, CTO, or compliance lead can complete in ten minutes. The goal is not a score — it is a defensible answer to the question “where is the operator exposed today?” Work the items in numbered priority order.

Control
In place
Partial
Gap
Priority
Sportsbook, casino, mobile APIs and odds feed behind always-on global-edge volumetric & L7 DDoS protection
01
Bot management / anti-credential-stuffing enforced on every login, registration, and withdrawal flow
02
Leaked-credentials detection on login against a live breach corpus (e.g. Have I Been Pwned)
03
Phishing-resistant MFA (FIDO2 / WebAuthn) on every staff account that touches player data or funds
04
Zero Trust per-request access for trader, finance, KYC and RG tooling; no flat VPN-based trust
05
Mandatory helpdesk callback / identity-verification procedure for any credential or MFA reset
06
WAF + virtual patching across registration, deposit, withdrawal, betslip and live-odds APIs
07
API Shield: schema enforcement, shadow-API discovery, and per-endpoint rate limiting
08
Formal vendor-risk programme covering sportsbook platform, payment, KYC, CRM, affiliate & live-casino suppliers
09
AI-driven inbound email security; quarterly phishing exercise with measurable KRIs
10
IR playbook tabletop-tested < 12 months ago; IR retainer and breach-comms plan in place
11
Regulatory mapping current: POPIA, NDPR, FICA / SCUML and licence-condition security obligations
12
Glossary of Acronyms

Acronyms and named threat groups used throughout this report. Listed alphabetically.

ATO
Account Takeover — unauthorised access to a player or staff account, most often via credential stuffing or phishing.
AML / KYC
Anti-Money-Laundering / Know Your Customer — the regulatory framework requiring operators to verify player identity and screen transactions.
CDN
Content Delivery Network — a globally distributed cache that serves static content from an edge location near the player.
DDoS
Distributed Denial of Service — an attack that floods a target with traffic from many sources to make services unavailable.
EDR
Endpoint Detection and Response — software on workstations and servers that detects malicious activity in real time.
FICA
Financial Intelligence Centre Act — South Africa's anti-money-laundering and counter-terrorism-financing law.
FIDO2 / WebAuthn
Open standards for phishing-resistant multi-factor authentication, typically using hardware security keys (YubiKey, Titan).
GLI
Gaming Laboratories International — an independent testing and certification body for gaming systems and RNGs.
MFA
Multi-Factor Authentication — requiring more than one verification method to log in. “Phishing-resistant MFA” means FIDO2 / WebAuthn, not SMS or push.
NDPR
Nigeria Data Protection Regulation — Nigeria's data-protection framework.
PII
Personally Identifiable Information — data that identifies an individual, including email, IP, and account-activity history.
PoP
Point of Presence — a physical edge location in a global network. Cloudflare operates PoPs in Cape Town, Johannesburg, Durban, Nairobi, Lagos, Accra and 320+ other cities.
POPIA
Protection of Personal Information Act — South Africa's data-protection law.
Qilin
Russia-linked Ransomware-as-a-Service group that publicly claimed the follow-on IGT breach in November 2025.
RaaS
Ransomware-as-a-Service — the affiliate model under which groups such as Qilin operate, sharing ransom proceeds with operators who carry out attacks.
RG
Responsible Gambling — tooling and processes (deposit limits, self-exclusion, affordability checks) that operators are licensed to provide.
Scattered Spider
English-speaking social-engineering crew tied to the 2023 MGM Resorts and Caesars Entertainment intrusions; specialises in helpdesk impersonation.
SCUML
Special Control Unit against Money Laundering — Nigeria's designated-non-financial-business AML supervisor.
SIEM
Security Information and Event Management — a system that aggregates and analyses log data to detect threats.
SOC 2
System and Organization Controls 2 — an audit standard for a service provider's security controls; an attestation, not a guarantee.
SWG
Secure Web Gateway — a filter that inspects outbound web traffic and blocks connections to malicious destinations.
WAF
Web Application Firewall — inspects HTTP/HTTPS requests and filters malicious or anomalous traffic before it reaches the origin.
About Lockdown IT and Cloudflare
About Lockdown IT
Lockdown IT is a specialist Africa-based cybersecurity company and a Cloudflare Enterprise Services Partner. We design, implement, and manage enterprise cybersecurity solutions for iGaming, sports betting, financial services, and education operators across Sub-Saharan Africa.
[email protected] | +27 11 024 5696 | www.lockdownit.co.za
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better internet. Cloudflare's platform protects and accelerates any internet application online, with Points of Presence throughout Africa.

© 2026 Lockdown IT (Pty) Ltd. All incident data is drawn from public sources.

Sources and Data References

All statistics and incident data cited in this report are drawn from the following publicly available sources. Reference numbers correspond to citation markers in the body text.


[1]
Akamai State of the Internet — Gaming Industry Q1 2024
Akamai recorded a 94% rise in web attacks against the gaming sector in Q1 2024, with bot activity quadrupling over the same period.
[2]
Imperva — DDoS Attacks on Gambling Sites
~25% of all gambling sites hit by DDoS attacks in a single representative month; 10% of sites impacted during Wimbledon 2022.
[3]
Akamai — 800 Gbps Ransom DDoS on a Gambling Operator (2021)
Largest known ransom DDoS attack on a gambling operator peaked at 800 Gbps; novel DCCP-based attack vector.
[4]
Online Gambling Market Projection
Global online gambling market projected to reach approximately USD 169 billion by 2030 (industry consensus, 8.5% CAGR).
[5]
Enzoic / Industry Research — Account Takeover in Sports Betting
40% of online sports bettors have experienced cyber fraud tied to their accounts; over 50% of sports-betting websites reported a cybersecurity incident in 2023.
[6]
Flutter Entertainment — Paddy Power & Betfair Data Breach (July 2025)
Up to 800,000 customers affected; emails, IP addresses, and online activity exposed.
[7]
Fast Track CRM Breach (October 2025)
Malta-based CRM platform serving 100+ iGaming operators worldwide; two casino clients compromised. Shuffle Casino notified players of exposed personal and financial data.
[8]
International Game Technology (IGT) Cyberattack — November 2024
IGT (Form 6-K, SEC) disclosed unauthorised third-party access on 17 Nov 2024; systems taken offline; alternatives put in place to maintain continuity.
[9]
Qilin Ransomware Group — IGT Claim (November 2025)
Qilin RaaS publicly claimed credit for an attack on IGT, alleging exfiltration of 10 GB across 21,683 files; data posted to the group's dark web leak site.
[10]
Bragg Gaming Group — Cyberattack (August 2025)
Toronto-listed iGaming content and technology supplier confirmed an intrusion of its internal computer environment; no customer data reported affected.
[11]
Sophos State of Ransomware — Recovery Time
Average full recovery time after a ransomware incident is 21 to 24 days; only a minority of victims recover within a single week.
[12]
MGM Resorts & Caesars Entertainment Cyberattacks — Scattered Spider (September 2023)
MGM: ~10 days outage, ~USD 100 million EBITDA impact, subsequent class-action settlement. Caesars: ~USD 15 million ransom paid. Both attributed to Scattered Spider; phone-based social engineering of IT support reported as the initial vector.
[13]
Have I Been Pwned — Nigerian Sportsbook Data Leak (December 2019)
Database backups from a Nigerian sportsbook operator disclosed to HIBP alongside backups from several related betting brands in the ecosystem; player records placed into criminal markets.
[14]
IBM Cost of a Data Breach Report 2024 — South Africa Average
IBM places the average cost of a data breach in South Africa at R53.1 million; figure covers incident response, system restoration, regulatory notification, and legal counsel. Ransom payments and regulatory fines not included.
[15]
Akamai — DDoS Attacks on EMEA, 2023
EMEA (incorporating Sub-Saharan Africa) was the most-targeted region globally for DDoS attacks, with financial services, gambling, and manufacturing leading sector-level volume.