STAKES ONLINE | CYBERSECURITY THREATS FACING AFRICAN iGAMING & SPORTS BETTING | LOCKDOWN IT THREAT INTELLIGENCE REPORT
This report is hosted serverless on Cloudflare's Developer Platform
A 2026 Threat Intelligence Report | LockDown IT Cyber Response Team

LockdownIT | Cloudflare Enterprise Services Partner | Sub-Saharan Africa Focus
About This Report

This report is intended for senior leadership at iGaming, sports betting, and lottery operators across Sub-Saharan Africa — Chief Executives, Chief Operating Officers, Heads of Risk and Compliance, Heads of Technology, and Information Officers responsible for player trust, regulatory standing, and operational continuity. It draws on publicly documented cyber incidents in the global gaming and gambling sector, industry threat telemetry from Akamai, Imperva, NETSCOUT and Cloudflare, and the regulatory frameworks under which African operators are licensed.

Executive Summary

Online gambling has become one of the most-attacked verticals on the internet. Industry research consistently places gaming and gambling among the top targets for DDoS extortion, account takeover, and supply-chain compromise — with attack volume surging during major sporting events. Akamai recorded a 94% year-on-year rise in web attacks against the gaming sector in Q1 2024 alone, with bot activity quadrupling over the same period. EMEA — which encompasses Sub-Saharan Africa — has been the top region globally for DDoS attacks in successive years.

In Sub-Saharan Africa, iGaming and sports betting have grown rapidly on the back of mobile money, smartphone adoption, and league sponsorship deals. Operators in Nigeria, Kenya, South Africa, Ghana, Tanzania, and Uganda now process billions of dollars in monthly wagers across mobile apps, web portals, USSD shortcodes, and retail networks. Public reporting has documented incidents affecting African operators directly — including a multi-operator Nigerian sportsbook data leak disclosed in 2019 — as well as a sustained run of breaches against the global vendor ecosystem on which African operators depend.

A serious cyber incident at a betting operator is not merely an IT problem — it is a regulatory, financial, and reputational crisis. An outage during a Premier League weekend, an AFCON match, or a major political event translates directly into lost handle, voided bets, and player attrition to competitors. A confirmed personal data breach exposes operators to scrutiny under POPIA in South Africa, the NDPR in Nigeria, and Kenya's Data Protection Act, and can place a gambling licence at risk. IBM's Cost of a Data Breach Report places the average cost of a breach in South Africa at R53.1 million — before factoring in licence implications, regulatory penalties, or the cost of regaining player confidence.

Key Findings
1. iGaming is one of the most-attacked verticals on the internet: Akamai recorded a 94% rise in web attacks against the gaming sector in Q1 2024, with bot activity quadrupling. Imperva research has found that, in a single representative month, roughly 25% of all gambling sites were hit by DDoS attacks.
2. African operators are part of a global vendor ecosystem with documented breaches: Publicly reported incidents in 2024–2025 affected International Game Technology (IGT), Bragg Gaming Group, and the Fast Track CRM platform serving 100+ operators worldwide. Any African operator using these or comparable suppliers inherits that risk.
3. Nigerian sports betting was the subject of a multi-operator data leak: A December 2019 disclosure to Have I Been Pwned included database backups from a Nigerian sportsbook ecosystem — placing player records into criminal markets and creating an enduring credential-stuffing resource against any account that re-uses passwords across operators.
4. Major sporting events are predictable attack windows: Bot attacks spiked 96% during Euro 2020. Sports betting traffic during the FIFA World Cup, AFCON, the IPL, and Premier League weekends correlates with peak DDoS, account-takeover, and credential-stuffing activity — the same pattern African operators see around AFCON and Premier League fixtures.
Section 01 · Threat Landscape

The Scale of the Threat

Online gambling is one of the most-attacked verticals on the internet. EMEA — the region that includes Sub-Saharan Africa — has been the top region globally for DDoS attacks in successive years. Attack volume rises sharply during major sporting events, and the threat actors are professional operators with industrial-scale tooling.

+94% rise in gaming sector web attacks
Year-on-Year · Q1 2024

Akamai's State of the Internet measured a 94% increase in web attacks against the gaming and gambling sector over Q1 2024, with bot activity over the same period quadrupling. Operators in Sub-Saharan Africa face the same global threat environment as their counterparts in EMEA and the Americas, magnified by peak-event timing around AFCON, Premier League weekends, and the World Cup cycle.

Source: Akamai State of the Internet, 2024 [1]
+94%: Rise in gaming sector web attacks, Q1 2024 [1]
25%: Of all gambling sites hit by DDoS in a single month [2]
800 Gbps: Peak ransom DDoS on a gambling operator [3]
$169B: Projected online gambling market size by 2030 [4]

iGaming and sports betting operators sit in the crosshairs of an unusually wide adversary mix. Financially motivated criminal groups treat operators as high-value targets because of the combination of player PII, KYC documents, payment data, and large cash flows. DDoS-extortion crews target operators specifically because every minute offline costs them real money — making the extortion threat uniquely credible. Hacktivist groups target gambling for ideological reasons. State-aligned actors increasingly target sportsbook APIs to manipulate odds and bets. The combined attack surface is broader than almost any other consumer-facing industry.

Sub-Saharan African operators face the global threat environment with three additional pressure points. First, peak-event traffic concentrates around the AFCON, Premier League weekends, and World Cup cycle, creating predictable windows for DDoS extortion and credential stuffing. Second, mobile money rails (M-Pesa, MTN MoMo, Airtel Money) are integral to deposit and withdrawal flows, expanding the payment-fraud surface beyond what European operators contend with. Third, the supplier ecosystem is largely international — from sportsbook platforms (BtoBet, Kambi, SBTech) to CRM (Fast Track, Optimove) and KYC (Onfido, SmileID) — meaning African operators inherit the security posture of vendors based on other continents.

In East Africa, the July 2023 Anonymous Sudan campaign that took 10 Kenyan universities offline also disrupted Safaricom, M-Pesa, and the government's eCitizen platform. While that campaign did not directly name betting operators among its targets, it demonstrated the kind of coordinated infrastructure attack that any high-profile African operator, especially one in a politically sensitive market, must now plan for.

+96%: Bot attack spike during Euro 2020 [5]
800,000: Customers exposed in a 2025 European betting breach [6]
5+: Publicly reported incidents in the global iGaming vendor ecosystem, 2023–2025
Threat Groups Active Against the Gaming and Gambling Sector
Documented adversaries against iGaming operators include Scattered Spider (the group publicly tied to the 2023 MGM Resorts and Caesars Entertainment incidents), Qilin (a Russian-speaking ransomware-as-a-service operation that claimed credit for an attack on global gaming tech vendor IGT in November 2025), and unattributed ransom-DDoS operators specialising in attacks against gambling sites during peak betting windows.
Financially Motivated · Social Engineering | Scattered Spider

Overview: Scattered Spider is an English-speaking, financially motivated threat group that emerged around 2022 and rose to international prominence with the September 2023 attacks on MGM Resorts and Caesars Entertainment, which collectively cost those operators an estimated USD 115 million. Where most ransomware operators rely on software exploits, Scattered Spider's signature is human-targeted social engineering — phone calls to IT helpdesks impersonating staff, SIM swaps against executives, and convincing phishing kits.

Key characteristics: Initial access is most often achieved by phoning the target's IT support line and convincing an agent to reset credentials or enrol an attacker-controlled device for multi-factor authentication. Once inside, the group leverages commercial remote-management tools (TeamViewer, AnyDesk, Splashtop) to blend in with normal admin activity. Data is exfiltrated to cloud storage, and ransomware is deployed via affiliations with groups such as BlackCat/ALPHV, RansomHub, and Qilin. The group does not require deep technical sophistication — it relies on convincing humans, which makes it especially dangerous for any operator with an outsourced or under-trained IT support function.

Quick Facts
Active since: 2022
Origin: English-speaking, US/UK
Aliases: UNC3944, Octo Tempest, 0ktapus
Method: Social engineering, SIM swap, RMM abuse
Model: Affiliate / multi-extortion
Sector focus: Gaming · Casinos, hospitality, telco
Notable victims: MGM Resorts & Caesars Ent. (Sep 2023)
Threat severity: 5/5
Ransomware-as-a-Service | Qilin

Overview: Qilin is a Russian-aligned ransomware-as-a-service operation active since 2022, and one of the most prolific ransomware brands of 2025. Affiliates recruited through Russian-language criminal forums carry out the attacks; the group provides the ransomware, the negotiation infrastructure, and a dark web leak site. In November 2025 Qilin publicly claimed credit for an attack on International Game Technology (IGT) — one of the world's largest gaming-tech vendors, present in over 100 countries — alleging exfiltration of 10 GB across 21,683 files.

Key characteristics: Initial access typically through phishing, exploitation of internet-facing services, and credentials purchased from initial access brokers. Double extortion is the standard play: data is exfiltrated to a Qilin-controlled server before file encryption, and if the ransom is refused, the data is published on the group's onion leak site. Notable for avoiding victims in CIS (former Soviet) states, indicating a Russian-aligned operating posture. Most affected country to date is the United States, followed by France, Canada, and South Korea.

Quick Facts
Active since: 2022
Origin: Russian-aligned
Model: RaaS, double extortion
Top victim country: United States
Avoids: CIS countries
Sector activity: Manufacturing, finance, retail, healthcare, gaming
Notable claim: Gaming · IGT (Nov 2025)
Threat severity: 5/5
Hacktivist / Ransom DDoS | Anonymous Sudan, NoName057(16), KillNet

Overview: Several loosely affiliated DDoS collectives — Anonymous Sudan, NoName057(16), KillNet — pursue politically and ideologically motivated denial-of-service campaigns against high-profile online services. The gambling sector is a recurring target, both because the industry's public profile makes it ideologically attractive in some jurisdictions and because the financial stakes of any outage make ransom DDoS ("RDDoS") credible. Anonymous Sudan's July 2023 campaign against Kenyan infrastructure took 10 universities, seven hospitals, Safaricom mobile services, M-Pesa, and the eCitizen platform offline simultaneously — demonstrating the kind of nation-scale disruption that any high-profile African operator must now plan for.

Key characteristics: High-volume volumetric attacks (the largest known ransom DDoS against a gambling operator peaked at 800 Gbps in 2021), often layered with application-layer attacks targeting login pages, betslip APIs, and account dashboards. Attacks are coordinated openly on Telegram channels and frequently timed to peak betting windows — major sporting events, election cycles, and religious holidays. DDoS-for-hire services have dropped the cost of commissioning an attack to as little as EUR 5 for five minutes, meaning any disgruntled player or competitor can launch a credible attack.

Quick Facts
Active since: 2021–2023
Motive: Ideological + ransom
Method: Volumetric & layer-7 DDoS
Coordination: Telegram channels
Peak observed: 800 Gbps (gambling, 2021)
Africa activity: Africa · Kenya campaign (Jul 2023)
Sector pattern: Peak-event timing (AFCON, EPL, World Cup)
Threat severity: 4/5
Section 02 · Attack Vectors

How Operators Are Being Attacked

Six attack categories account for almost every incident on record — DDoS extortion, account takeover, vendor compromise, web application exploits, payment and bonus fraud, and ransomware. They are routinely combined.

iGaming and sports betting operators face six primary attack categories, often used in combination. A motivated adversary will rarely use just one.

DDoS & Ransom DDoS: The Peak-Event Attack

A distributed denial-of-service attack floods a sportsbook or casino with traffic volumes far beyond what its infrastructure can absorb. Operators are uniquely exposed because every minute of downtime translates directly into lost handle and voided in-play bets. The largest known ransom DDoS against a gambling operator peaked at 800 Gbps in 2021, and one industry study found that ~25% of all gambling sites were hit by DDoS attacks in a single representative month. [2][3] The economics of DDoS-for-hire — five minutes for EUR 5, weekly subscriptions for under USD 15 — mean that aggrieved players, ideological actors, and competitors can all credibly commission an attack. Mitigation requires absorbing attack traffic at the global edge, before it ever reaches the operator's origin.

Attack volume against the gambling sector rises sharply during major sporting events. Bot activity spiked 96% during Euro 2020. Sports-betting traffic during the FIFA World Cup, AFCON, the IPL, and Premier League weekends correlates with peak DDoS, ATO, and credential-stuffing activity. The pattern is predictable enough to plan against.
Account Takeover & Credential Stuffing: The Quiet Bleed

Account takeover is the largest single-category loss for most online operators. Criminals purchase credential lists from prior breaches (including the publicly disclosed Nigerian sportsbook leak of 2019) and use automated tools to attempt logins against operator portals at tens of thousands of attempts per minute. When a match succeeds, the attacker can drain the wallet, change withdrawal bank details, abuse bonuses, or place coordinated bets. Survey research suggests 40% of online sports bettors have experienced cyber fraud tied to their accounts, and over 50% of sports betting websites reported at least one cybersecurity incident in 2023. [5] Underlying driver: 65% of users re-use passwords across sites, which makes a single third-party breach an enduring threat to every other operator the player uses.
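
A defender-side illustration of the pattern described above, added here and not taken from the report: a sliding-window check over login events that flags sources trying many distinct usernames with a high failure rate, then lists the accounts those sources managed to log into. The log format, thresholds, addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window per source
MIN_DISTINCT_USERS = 10          # assumed: usernames tried by one source in WINDOW
MIN_FAIL_RATIO = 0.8             # assumed: share of failed attempts in WINDOW


def build_sample_log():
    """Constructed sample lines: '<ISO time> <source IP> <username> <OK|FAIL>'."""
    start = datetime(2026, 1, 10, 19, 0, 0)
    rows = []
    # Stuffing source: 30 different usernames in 30 s, one reused password still valid.
    for i in range(30):
        result = "OK" if i == 17 else "FAIL"
        rows.append((start + timedelta(seconds=i), "203.0.113.7", f"player{i:02d}", result))
    # Forgetful player: one username, three failures, then a success.
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        rows.append((start + timedelta(seconds=5 + 4 * i), "198.51.100.20", "amina", result))
    # Shared NAT (for example a retail shop): many usernames, every login succeeds.
    for i in range(12):
        rows.append((start + timedelta(seconds=2 * i), "198.51.100.50", f"shop{i:02d}", "OK"))
    rows.sort(key=lambda r: r[0])
    return [f"{ts.isoformat()} {ip} {user} {result}" for ts, ip, user, result in rows]


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def flag_stuffing_sources(events):
    """Return source IPs that, within WINDOW, tried many usernames and mostly failed.

    Brute force hammers one username; stuffing walks a list of leaked pairs, so
    the distinct-username count is the key signal. The failure ratio keeps busy
    but legitimate shared addresses out of the result.
    """
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = set()
    for ts, ip, user, ok in events:  # events must be in time order
        window = recent[ip]
        window.append((user, ok, ts))
        while ts - window[0][2] > WINDOW:
            window.popleft()
        users = {u for u, _, _ in window}
        fails = sum(1 for _, o, _ in window if not o)
        if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
            flagged.add(ip)
    return flagged


def accounts_to_review(events, flagged):
    """Accounts with any successful login from a flagged source, including
    successes that happened before the source crossed the threshold."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


def analyse(lines):
    events = [parse_line(line) for line in lines if line.strip()]
    flagged = flag_stuffing_sources(events)
    return flagged, accounts_to_review(events, flagged)


if __name__ == "__main__":
    sources, accounts = analyse(build_sample_log())
    print("stuffing sources:", sorted(sources))
    print("accounts to lock and review:", accounts)
```

Keying on source IP alone misses campaigns spread thinly across many addresses; the same window logic can be keyed on network, device fingerprint or client signature where those fields are logged.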

Vendor and Supply Chain Compromise

African operators rely heavily on international suppliers — sportsbook platforms, payment gateways, KYC providers, CRM, affiliate networks, and live-casino studios. A breach at any one of them propagates instantly. The October 2025 attack on Fast Track, a Malta-based CRM platform serving over 100 operator partners worldwide, compromised at least two casino clients including Shuffle Casino — exposing player names, email addresses, home addresses, phone numbers, and transaction histories. [7] The November 2024 IGT cyberattack disrupted internal systems at the global gaming-tech vendor; in November 2025 the Qilin ransomware group claimed credit for a follow-on intrusion. [8][9] In August 2025 iGaming content supplier Bragg Gaming Group confirmed an intrusion of its internal computer environment. [10] None of those attacks required adversaries to ever touch an African operator's network — yet operators using affected suppliers inherited the exposure.

Web Application & API Attacks

Every internet-facing system at an operator — registration, login, deposit, withdrawal, betslip, live-odds API — is exposed to SQL injection, cross-site scripting, and application-layer exploits. Imperva research has previously found that gaming sites suffer cross-site scripting at twice the rate of any other industry, and that 28% of all API traffic in gaming was directed at undocumented "shadow" APIs. Sportsbook APIs are an especially high-value target: a successful attacker can rig bets, harvest odds data for arbitrage, or extract player rosters in bulk. Defence requires a Web Application Firewall with API discovery, schema enforcement, and rate limiting — not just an IP allowlist on the load balancer.
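
The API discovery step mentioned above can be sketched as a comparison between the documented route inventory and the requests actually observed at the edge. This is an added example, not code from the report or from any vendor; the route list, paths and request sample are constructed, and the inventory format is an assumption.

```python
import re
from collections import Counter

# Constructed inventory of documented routes: (method, path template).
DOCUMENTED_ROUTES = [
    ("POST", "/api/v1/login"),
    ("GET", "/api/v1/odds/{event_id}"),
    ("POST", "/api/v1/betslip"),
    ("GET", "/api/v1/betslip/{slip_id}"),
    ("POST", "/api/v1/withdrawals"),
]

# Constructed sample of observed requests: (method, raw path with query string).
OBSERVED_REQUESTS = [
    ("POST", "/api/v1/login"),
    ("POST", "/api/v1/login"),
    ("POST", "/api/v1/login"),
    ("GET", "/api/v1/odds/4411"),
    ("GET", "/api/v1/odds/4412?market=1x2"),
    ("POST", "/api/v1/betslip"),
    ("GET", "/api/v1/betslip/90210"),
    ("POST", "/api/v1/withdrawals"),
    ("GET", "/api/internal/players/1001"),   # never documented
    ("GET", "/api/internal/players/1002"),
    ("GET", "/api/v0/export?format=csv"),    # retired version still answering
    ("DELETE", "/api/v1/betslip/90210"),     # documented path, undocumented method
]

ID_SEGMENT = re.compile(r"\d+|[0-9a-f]{8}-[0-9a-f-]{27}")  # numeric id or UUID


def compile_route(template):
    """Turn '/a/{param}/b' into a regex where each {param} is one path segment."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(f"^{pattern}/?$")


def normalise(path):
    """Collapse id-like segments so /players/1001 and /players/1002 group together."""
    return "/".join("{id}" if ID_SEGMENT.fullmatch(s) else s for s in path.split("/"))


def find_shadow_endpoints(requests, documented):
    """Return (Counter of undocumented (method, path) groups, their share of traffic)."""
    routes = [(method, compile_route(template)) for method, template in documented]
    shadow = Counter()
    for method, raw_path in requests:
        path = raw_path.split("?", 1)[0]  # the query string is not part of the route
        if any(m == method and rx.match(path) for m, rx in routes):
            continue
        shadow[(method, normalise(path))] += 1
    share = sum(shadow.values()) / len(requests) if requests else 0.0
    return shadow, share


if __name__ == "__main__":
    shadow, share = find_shadow_endpoints(OBSERVED_REQUESTS, DOCUMENTED_ROUTES)
    print(f"undocumented share of API traffic: {share:.0%}")
    for (method, path), hits in shadow.most_common():
        print(f"{hits:3d}  {method:6s} {path}")
```

Each group in the result is either a route to document and bring under schema enforcement and rate limiting, or one to block at the edge.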

Payment, Bonus, and Identity Fraud

Beyond technical compromise, operators face an industrialised fraud ecosystem: multi-accounting and bonus abuse (creating dozens of synthetic identities to claim sign-up bonuses), KYC document fraud (deepfake selfies and synthetic ID documents to pass verification), and payment fraud (chargebacks, money-mule networks abusing mobile-money rails). Mobile money is a particular pressure point in Sub-Saharan Africa: the same channels that make deposit and withdrawal frictionless for legitimate players also create dense laundering opportunities for organised fraud rings. Defending against this requires bot management, device fingerprinting, behavioural analytics, and tight integration with KYC providers.

Ransomware: The Catastrophic Outcome

Ransomware remains the most damaging single attack type. Criminal software penetrates the operator's network through phishing, exposed remote access, or unpatched vulnerabilities, and silently encrypts files across sportsbook databases, finance systems, KYC archives, and player wallets. Modern ransomware operators study their targets and deliberately strike during peak revenue periods — major sporting events, holiday weekends, regulatory deadlines. The average ransomware recovery takes 21 to 24 days. [11] The 2023 MGM Resorts incident cost an estimated USD 100 million in lost EBITDA over ten days of outage; Caesars Entertainment paid an estimated USD 15 million ransom to avoid the same fate. [12]

Section 03 · Documented Incidents

Operators Under Attack

Five publicly reported incidents — one direct African operator data leak, three global supply-chain compromises that touched African operators, one industry-defining ransomware case. Together they illustrate the patterns leadership needs to recognise.

The five incidents below are drawn from publicly available reporting on cyber events affecting the global iGaming, sports betting, and gambling-technology sector. Where African operators are referenced, identifying details have been generalised; the underlying public reporting is cited in the sources section. The intent is to provide operator leadership with concrete context for the security investments ahead.

CASE STUDY | Nigeria | December 2019
SEVERITY 4/5
Nigerian Sportsbook Ecosystem — Multi-Operator Database Leak
Attack Type: Database exposure & subsequent credential reuse [13]
Impact: In December 2019 a large collection of data from a Nigerian sportsbook operator was disclosed to Have I Been Pwned, alongside database backups from several related betting brands in the ecosystem. Player records — email addresses, usernames, and password hashes — entered criminal markets and have been re-used in credential-stuffing campaigns against unrelated services ever since. Source: Have I Been Pwned, 2019. [13]
Key Lesson: A breach at one operator is a long-tail risk to every other operator the same players use. African operators must assume that historical breaches in their ecosystem are already weaponised against their own login pages, and defend accordingly — with leaked-credentials detection, bot management, and rate-limited login flows.
CASE STUDY | Global Precedent — United States | September 2023
SEVERITY 5/5
MGM Resorts & Caesars Entertainment — Scattered Spider
Attack Type: Social engineering → ransomware & data theft [12]
Impact: Two of the world's largest casino-hospitality operators were compromised within weeks of each other in September 2023, both attributed to Scattered Spider. MGM suffered approximately ten days of system outages affecting reservations, slot machines, room keys, and websites, with an estimated USD 100 million EBITDA loss. Caesars paid an estimated USD 15 million ransom and resumed operations more quickly. Both attacks reportedly began with phone calls to IT support staff. [12]
Key Lesson: Technical defences cannot fix a helpdesk that will reset credentials on a convincing phone call. Operators must treat human-targeted social engineering as a first-class threat — with mandatory callback procedures, phishing-resistant MFA (FIDO2 / WebAuthn), and Zero Trust access for any system that touches player data or funds.
CASE STUDY | Global Vendor — UK / Italy | Nov 2024 & Nov 2025
SEVERITY 5/5
International Game Technology (IGT) — Two Successive Incidents
Attack Type: Vendor-environment intrusion & ransomware (Qilin claim) [8][9]
Impact: In November 2024 IGT — one of the world's largest providers of slot machines, lottery systems, sports-betting platforms, and iGaming content — disclosed in an SEC Form 6-K that an unauthorised third party had accessed parts of its internal IT infrastructure, prompting the company to take systems offline. In November 2025 the Qilin ransomware group publicly claimed credit for a follow-on breach, alleging exfiltration of 10 GB across 21,683 files. [8][9] IGT operates in 100+ countries.
Key Lesson: An attack on a core platform vendor exposes every downstream operator simultaneously, with no warning and no ability to prevent it through conventional perimeter controls. Vendor risk must be assessed continuously — not just once at procurement — and operators should architect for the assumption that any given vendor will eventually be breached.
CASE STUDY: SUPPLY CHAIN BREACH | Malta | October 2025
SEVERITY 4/5
Fast Track CRM — Multi-Operator Vendor Compromise
Attack Type: Vendor breach → downstream operator data exposure [7]
Impact: In October 2025 Fast Track, a Malta-based CRM automation platform serving 100+ iGaming operators worldwide, disclosed a "highly sophisticated cyberattack" that compromised two casino clients. Shuffle Casino confirmed the breach and notified players that personal and financial details had been exposed — full names, email and home addresses, phone numbers, and complete transaction histories. Notably, Fast Track had renewed its SOC 2 Type 2 accreditation four months earlier. [7]
Key Lesson: Compliance certifications attest to controls at a point in time; they are not a substitute for ongoing assurance. Operators should minimise the data they share with each third party, segregate vendor access using Zero Trust principles, and treat any large CRM, KYC, or affiliate system as a primary breach risk.
CASE STUDY | United Kingdom | July 2025
SEVERITY 3/5
Flutter Entertainment — Paddy Power & Betfair Data Breach
Attack Type: Unauthorised access & PII disclosure [6]
Impact: Flutter Entertainment, parent of Paddy Power and Betfair, confirmed in July 2025 that up to 800,000 customer records were exposed. Compromised data included email addresses, IP addresses, and online activity tied to individual gambling accounts; no passwords, ID documents, or payment details were reported affected. The exposed information is precisely what makes downstream phishing convincing. [6]
Key Lesson: "Low-sensitivity" data is rarely low-impact. Email + IP + activity history is exactly the toolkit an attacker needs to send a believable phishing message to a player, mid-event, claiming a withdrawal hold or KYC issue. Operators should treat behavioural data as PII and protect it accordingly.
Section 04 · Impact

The Cost of Inaction

Direct revenue loss, regulatory exposure, licence risk, and reputational damage — for an operator, the bill from a serious incident runs deep into eight figures, before any reputational repair begins.

R53.1M average breach cost · South Africa
IBM Cost of a Data Breach Report 2024

The IBM Cost of a Data Breach Report places the average cost of a breach in South Africa at R53.1 million — incident response, system restoration, regulatory notification, legal counsel. Ransom payments, regulatory fines, and licence implications not included.

Source: IBM Cost of a Data Breach Report 2024 [14]
Direct Revenue Loss

For an iGaming operator, downtime is revenue, not just an inconvenience. Industry research suggests that an hour offline during peak betting hours can cost a mid-size operator tens of thousands of US dollars, scaling to seven figures during a major sporting event. The MGM Resorts attack of 2023 illustrates the upper bound: approximately ten days of disrupted operations, ~USD 100 million EBITDA impact, and a successful class-action lawsuit from affected customers. [12] For African operators with thinner margins and tighter cashflow, even a single weekend's outage during a major fixture can be existential.

The R53.1 million average breach cost in South Africa represents a material slice of any mid-sized operator's annual operating budget — deployed not on growth, marketing, or player acquisition, but on recovering from a preventable incident.
Regulatory and Licence Exposure

African operators are subject to a layered regulatory regime. South Africa's POPIA imposes administrative fines of up to R10 million for inadequate processing of personal information, with potential criminal liability for the Information Officer in the most serious cases. Nigeria's NDPR and Kenya's Data Protection Act create comparable obligations. Beyond data-protection law, every operator holds a gambling licence — from the National Gambling Board and provincial regulators in South Africa, the Lotteries Commission and state regulators in Nigeria, or the Betting Control and Licensing Board in Kenya. A serious cyber incident is generally a reportable event under licence conditions, and a pattern of inadequate controls can attract licence review, suspension, or revocation.

Anti-money-laundering and counter-terrorism obligations (FICA in South Africa, the SCUML regime in Nigeria) further raise the stakes around payment-fraud and KYC-bypass incidents: a control failure here can prompt regulator action even if no consumer data is breached.

Operational and Brand Disruption

An operator hit by ransomware will be offline for an average of 21 to 24 days during full recovery. [11] For a betting brand, that interval routinely spans multiple major fixtures and at least one settlement cycle for outstanding bets. Players will not wait; they will deposit with competitors and may not come back. Affiliate channels evaporate. Sponsorship partners ask awkward questions.

Reputational Damage

A publicly reported breach involving player names, KYC documents, or transaction histories generates negative coverage in both mainstream and trade media, and is amplified across the player community on social channels. In a sector built on trust — trust that bets will pay out, that withdrawals will clear, that funds are safe — a single high-profile incident can durably re-shape an operator's brand. In competitive markets like Nigeria, Kenya, and South Africa, where players juggle accounts across multiple operators, reputational damage translates directly into measurable customer-acquisition and retention costs in the following months.

Section 05 · The Defence Gap

Why Traditional Defences Are Failing

Firewalls, WAFs on the load balancer, basic anti-bot rules, and on-premise DDoS appliances remain necessary — but they are no longer sufficient for an operator facing professional, peak-event-timed adversaries.

Every operator has firewalls, an on-load-balancer WAF, and some form of anti-bot or fraud rules. These are necessary baseline controls. They are no longer sufficient on their own, because the threat landscape and the operator's own architecture have both moved on.

The Perimeter No Longer Exists

Modern operators run across cloud platforms, third-party CRMs, affiliate networks, KYC providers, payment gateways, live-casino studios, mobile apps, and retail networks — all integrating with the core sportsbook from outside any single perimeter. Legacy firewalls protect a boundary that no longer corresponds to where player data, betslips, or wallet balances actually live. Zero Trust is not a buzzword: it is the only practical operating model for an operator whose surface is, by design, distributed.

On-Premise DDoS Mitigation Cannot Absorb a Modern Attack

The largest known ransom DDoS against a gambling operator peaked at 800 Gbps. [3] No single operator's internet uplink can absorb that, and no on-premise scrubbing appliance can either. Defending against volumetric DDoS requires the ability to intercept and discard malicious traffic at a point in the network with sufficient capacity — a global anycast edge with hundreds of points of presence. The Caribbean operator case study published by Red Button (industry-known but lightly anonymised) shows precisely the typical attack lifecycle: initial volumetric attack saturates the ISP, defender moves to a cloud WAF, attacker pivots to direct-to-origin, defender geo-fences, attacker pivots to a local botnet. The pattern repeats until a global edge absorbs the entire campaign.

Bot Defence That Sees Only One Operator Is Outmatched

Credential-stuffing botnets rotate through operator after operator, learning the defences of each as they go. A standalone bot-management tool sees only its own customer's traffic; an operator built on a global network sees attack patterns developing against thousands of other businesses in real time, and applies that intelligence pre-emptively. For an industry where ATO is the single largest fraud category, this difference is decisive.

Patch Cycles Cannot Outrun Zero-Days

Zero-day vulnerabilities are unknown until exploited. Even when patches are issued, operator IT teams running legacy environments cannot realistically patch all systems within the window between disclosure and active exploitation. Virtual patching at the WAF edge bridges that gap: known attack patterns are blocked at the network edge while underlying software is patched on its normal cycle.

Operator Security Teams Are Outgunned

The adversaries operators face — Scattered Spider, Qilin affiliates, sophisticated DDoS-extortion crews, organised fraud rings — are professional, well-resourced, and operate at industrial scale. SSA operators typically run security teams of 3 to 10 people. Expecting an in-house team of that size to detect, contain, and respond to a coordinated, multi-vector attack without an enterprise-grade platform is unrealistic. The remedy is leverage: operate the team you have on top of a global security platform that does the heavy lifting at the edge.

Section 06 · Defence

Built for Scale, Available for Operators

Cloudflare operates one of the largest global networks in the world, with edge presence in Cape Town, Johannesburg, Durban, Nairobi, Mombasa, Lagos, and Accra — the same infrastructure used by global tier-one operators, available to African operators through LockdownIT.

Cloudflare operates one of the largest global networks in the world — 330+ points of presence across more than 120 countries, processing tens of millions of HTTP requests per second and blocking billions of cyber threats every day. The same infrastructure protecting global tier-one operators, regulated financial institutions, and national governments can protect your sportsbook, casino, or lottery brand.

Cloudflare's African network is one of the only enterprise-grade security infrastructures with local edge presence across Sub-Saharan Africa. Attack traffic is absorbed in-region; legitimate player traffic is accelerated through the same edge that protects it.

Cloudflare Product Suite for iGaming Operators

| Cloudflare Product | Operator Application and Benefit |
| --- | --- |
| Content Delivery Network (CDN) | Cloudflare's CDN caches static content — images, JavaScript, CSS, live odds tickers, casino-game assets, mobile-app artefacts — at hundreds of edge locations including Cape Town, Johannesburg, Durban, Nairobi, Mombasa, Lagos, and Accra. For an operator, three concrete benefits: (1) origin offload — typically 60 to 90% of requests are served from cache, so the sportsbook's web tier handles only a fraction of total traffic and survives kickoff-time load spikes without provisioning for peak; (2) bandwidth savings — egress at the origin is a major recurring cost, and the CDN materially reduces it (often 70%+) because cached responses never leave the edge; (3) faster player experience — mobile pages, live odds, and casino tiles load several times faster on the mobile and constrained networks that dominate SSA. The CDN sits in front of every other protection in this list, so performance and security are delivered through the same edge. |
| DDoS Managed Rules | Sportsbooks, casino lobbies, mobile-app APIs, and live-streaming endpoints are the single most predictable DDoS target on the internet. Cloudflare's DDoS protection is always-on, unmetered, and requires no manual intervention: volumetric and application-layer attacks are detected and mitigated automatically within seconds, regardless of size. The 800 Gbps ransom DDoS pattern from 2021 is well within the network's capacity. When AFCON kickoff lands on a Saturday night and tens of thousands of players hit the betslip simultaneously, the platform stays up — whether the load is legitimate demand or a coordinated attack. |
| Web Application Firewall | Every operator-facing service — registration, login, deposit, withdrawal, betslip, KYC submission, live-odds API — sits behind Cloudflare's WAF, which inspects and filters every request before it reaches the application. OWASP Top 10 attacks, SQL injection, cross-site scripting, and credential injection are blocked as a baseline. When a zero-day is disclosed in a widely-deployed component (Oracle EBS, Citrix, ProxyShell, Log4Shell), Cloudflare publishes virtual-patching rules within hours, protecting operators before their internal patch cycle has begun. |
| Bot Management | ATO via credential stuffing is the single largest fraud category in iGaming. Cloudflare Bot Management uses machine learning over signals from the global network to score every request, distinguishing real players from automated tooling — including the simple credential-stuffing bots that dominate gaming-sector traffic and the more advanced moderate bots used against sportsbooks specifically. Multi-accounting and bonus-abuse rings are throttled the same way, before they pollute marketing budgets. |
| Leaked Credentials Detection | The 2019 Nigerian sportsbook leak placed player credentials into criminal markets, where they have been re-used in credential-stuffing campaigns ever since. The 2026 Canvas breach added 275 million email addresses overnight. Leaked Credentials Detection checks every login attempt against the Have I Been Pwned breach corpus in real time, blocking attempts that use known-compromised credentials before access is granted. |
| API Shield | Sportsbook odds APIs, mobile-app APIs, and payment-orchestration APIs are high-value targets for bet manipulation, scraping, and bulk data extraction. API Shield discovers undocumented "shadow" APIs (which industry research found account for 28% of API traffic in gaming), enforces schemas, validates JWTs, and rate-limits per endpoint — preventing the kind of API abuse that drives both fraud and competitive intelligence leaks. |
| Cloudflare Access (Zero Trust) | Legacy VPNs assume that every device on the corporate network is trusted — the assumption that Scattered Spider exploited to devastating effect at MGM Resorts. Cloudflare Access replaces that with per-request identity verification for every internal system: trader consoles, finance back-office, KYC review queues, RG (responsible gambling) tooling. Combined with phishing-resistant MFA (FIDO2 / WebAuthn), it materially reduces the social-engineering blast radius. |
| Cloudflare Gateway (DNS Filtering & SWG) | Phishing is the primary delivery mechanism for both ransomware and ATO-supporting malware. Gateway acts as a secure DNS resolver and web filter for every device on the corporate network and for remote staff via WARP, blocking connections to known malware infrastructure, phishing kits, and command-and-control servers before pages load. |
| Email Security (Area 1) | Phishing emails impersonating regulators, payment providers, or affiliate partners are a recurring vector against iGaming finance and ops teams. Cloudflare's AI-driven email security scans inbound mail before it reaches staff inboxes, identifying and quarantining business email compromise, vendor impersonation, and credential-harvesting campaigns — the precise attack patterns that have repeatedly succeeded against operators globally. |
| Magic Transit | For operators running on-premise data centres, retail-shop networks, or hosting back-office infrastructure locally, Magic Transit provides network-layer DDoS protection at the IP layer, absorbing volumetric attacks before they reach the operator's network edge. Particularly useful for operators with hybrid cloud / on-premise architectures. |
| Turnstile | Cloudflare's CAPTCHA alternative protects high-value forms — registration, login, withdrawal — from automated abuse without inflicting the friction that drives legitimate players to competitors. Turnstile runs invisibly for most users and produces a measurable lift in form-completion rates versus traditional CAPTCHAs. |
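
The Leaked Credentials Detection entry above describes checking each login against a breach corpus. The sketch below is an added example, not Cloudflare's or LockDown IT's code: it shows the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses, where only the first five hex characters of the SHA-1 hash leave the login tier. The corpus contents, function names, and the decision policy are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample corpus (passwords and counts are made up for illustration).
CONSTRUCTED_BREACHED = {"password123": 41250, "Arsenal2019": 980, "qwerty": 3912816}


def sha1_hex(password):
    # SHA-1 is used here only as a lookup key for the corpus, never for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Corpus side: bucket each hash under its first 5 hex characters."""
    index = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_query(index, prefix):
    """Corpus side: return all 'SUFFIX:COUNT' lines sharing the prefix.

    The corpus holder sees only the prefix, so it cannot tell which
    password (if any) the caller is checking.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{n}" for suffix, n in sorted(bucket.items()))


def breach_count(password, index):
    """Login side: send the prefix, then match the 35-char suffix locally."""
    digest = sha1_hex(password)
    for line in range_query(index, digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if hmac.compare_digest(suffix, digest[5:]):
            return int(count)
    return 0


def login_decision(password_ok, password, index):
    """Hypothetical policy: a correct but breached password is still blocked."""
    if not password_ok:
        return "deny"
    if breach_count(password, index) > 0:
        return "block_and_force_reset"
    return "allow"
```

This checks passwords only; matching username and password pairs needs a corpus keyed on both.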

About Lockdown IT and Cloudflare

About Lockdown IT

Lockdown IT is a specialist Africa-based cybersecurity company and a Cloudflare Enterprise Services Partner. We design, implement, and manage enterprise cybersecurity solutions for iGaming, sports betting, financial services, and education operators across Sub-Saharan Africa.

[email protected] | +27 11 024 5696 | www.lockdownit.co.za

About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better internet. Cloudflare's platform protects and accelerates any internet application online, with Points of Presence throughout Africa.

© 2026 Lockdown IT (Pty) Ltd. All incident data is drawn from public sources.

Sources and Data References

All statistics and incident data cited in this report are drawn from the following publicly available sources. Reference numbers correspond to citation markers in the body text.


[1] Akamai State of the Internet — Gaming Industry Q1 2024
Akamai recorded a 94% rise in web attacks against the gaming sector in Q1 2024, with bot activity quadrupling over the same period.

[2] Imperva — DDoS Attacks on Gambling Sites
~25% of all gambling sites hit by DDoS attacks in a single representative month; 10% of sites impacted during Wimbledon 2022.

[3] Akamai — 800 Gbps Ransom DDoS on a Gambling Operator (2021)
Largest known ransom DDoS attack on a gambling operator peaked at 800 Gbps; novel DCCP-based attack vector.

[4] Online Gambling Market Projection
Global online gambling market projected to reach approximately USD 169 billion by 2030 (industry consensus, 8.5% CAGR).

[5] Enzoic / Industry Research — Account Takeover in Sports Betting
40% of online sports bettors have experienced cyber fraud tied to their accounts; over 50% of sports-betting websites reported a cybersecurity incident in 2023.

[6] Flutter Entertainment — Paddy Power & Betfair Data Breach (July 2025)
Up to 800,000 customers affected; emails, IP addresses, and online activity exposed.

[7] Fast Track CRM Breach (October 2025)
Malta-based CRM platform serving 100+ iGaming operators worldwide; two casino clients compromised. Shuffle Casino notified players of exposed personal and financial data.

[8] International Game Technology (IGT) Cyberattack — November 2024
IGT (Form 6-K, SEC) disclosed unauthorised third-party access on 17 Nov 2024; systems taken offline; alternatives put in place to maintain continuity.

[9] Qilin Ransomware Group — IGT Claim (November 2025)
Qilin RaaS publicly claimed credit for an attack on IGT, alleging exfiltration of 10 GB across 21,683 files; data posted to the group's dark web leak site.

[10] Bragg Gaming Group — Cyberattack (August 2025)
Toronto-listed iGaming content and technology supplier confirmed an intrusion of its internal computer environment; no customer data reported affected.

[11] Sophos State of Ransomware — Recovery Time
Average full recovery time after a ransomware incident is 21 to 24 days; only a minority of victims recover within a single week.

[12] MGM Resorts & Caesars Entertainment Cyberattacks — Scattered Spider (September 2023)
MGM: ~10 days outage, ~USD 100 million EBITDA impact, subsequent class-action settlement. Caesars: ~USD 15 million ransom paid. Both attributed to Scattered Spider; phone-based social engineering of IT support reported as the initial vector.

[13] Have I Been Pwned — Nigerian Sportsbook Data Leak (December 2019)
Database backups from a Nigerian sportsbook operator disclosed to HIBP alongside backups from several related betting brands in the ecosystem; player records placed into criminal markets.

[14] IBM Cost of a Data Breach Report 2024 — South Africa Average
IBM places the average cost of a data breach in South Africa at R53.1 million; figure covers incident response, system restoration, regulatory notification, and legal counsel. Ransom payments and regulatory fines not included.

[15] Akamai — DDoS Attacks on EMEA, 2023
EMEA (incorporating Sub-Saharan Africa) was the most-targeted region globally for DDoS attacks, with financial services, gambling, and manufacturing leading sector-level volume.