4 Years, 51 Packages, 3 organizations: How npm Became a Gambling Ring's Config Server

Summary

Seven npm packages under the @hd-team organization contain no code. Each one exports a single base64 encoded JSON blob: a list of API endpoints, CDN identifiers, and what look like authentication tokens and load balancing weights. These are live configuration payloads consumed by a mobile app called 斗球 (Douqiu, "Fight Ball"), a Chinese sports gambling and pirate streaming platform. The app fetches these configs from five npm registry mirrors on every launch, using them to resolve which backend servers to connect to. When a domain gets burned, the operators publish a new package version and the app picks it up automatically.

Decompiling the APK and iOS binary led to a second npm org, @yuming2022 (43 packages, four years of history), and then to a third, @elton.bfw, discovered in iOS source code pushed to GitHub in 2022. All three orgs share infrastructure: identical CDN tokens, the same bfw prefix across email addresses, Sentry hostnames, and Huawei OBS buckets.

Across the three organizations, 51 packages have been published to npm, mapping over 60 unique domains across three CDN providers (Funnull, Aliyun, Huawei), and generating over 200,000 weekly downloads on npmjs.org alone. The true download figure is higher, since the three Chinese mirrors the app primarily queries don't publish stats.

The operator is using the npm ecosystem as a free, globally distributed, highly available config server, and has been doing so under the radar since August 2022.

Analysis

The investigation started with @hd-team/app-dnpkg-beta, a package with 88,000+ weekly downloads and 990+ published versions. Its index.js contains a single base64 string that decodes to:

{
  "code": 200,
  "data": [
    {
      "cdn": "ZnVubnVsbA==",
      "domain": "<https://apiyf>[.]dq87771[.]com",
      "openFlag": true,
      "token": "800cf3d509b44bf7bfd32529dc3ff597",
      "weight": 10
    }
  ],
  "msg": "操作成功"
}

{
  "code": 200,
  "data": [
    {
      "cdn": "ZnVubnVsbA==",
      "domain": "<https://apiyf>[.]dq87771[.]com",
      "openFlag": true,
      "token": "800cf3d509b44bf7bfd32529dc3ff597",
      "weight": 10
    }
  ],
  "msg": "操作成功"
}

{
  "code": 200,
  "data": [
    {
      "cdn": "ZnVubnVsbA==",
      "domain": "<https://apiyf>[.]dq87771[.]com",
      "openFlag": true,
      "token": "800cf3d509b44bf7bfd32529dc3ff597",
      "weight": 10
    }
  ],
  "msg": "操作成功"
}

{
  "code": 200,
  "data": [
    {
      "cdn": "ZnVubnVsbA==",
      "domain": "<https://apiyf>[.]dq87771[.]com",
      "openFlag": true,
      "token": "800cf3d509b44bf7bfd32529dc3ff597",
      "weight": 10
    }
  ],
  "msg": "操作成功"
}

The base64 value ZnVubnVsbA== decodes to funnull. Funnull Technology Inc., a Philippines-based CDN administered by Chinese national Liu Lizhi, was sanctioned by the U.S. Treasury on May 29, 2025 under Executive Order 13694 for providing critical infrastructure to virtual currency investment scams, with over $200 million in reported U.S. victim losses. The FBI identified 548 unique Funnull CNAMEs linked to over 332,000 domains. Funnull was also implicated in the 2024 Polyfill.io supply chain attack (Treasury, Silent Push, OFAC SDN listing, Wiz). The cdn field identifies which CDN provider fronts each API endpoint: some are labeled funnull, others aliyun or huawei.

The package publishes a new version every five minutes in waves, each with an identical payload. The versioning scheme uses timestamps in the format 1.0.YYYYMMDDHHMMSS, and all timestamps fall within UTC+8 (China Standard Time). The rapid publishing cadence serves as a heartbeat: it keeps the package "fresh" across CDN caches on all five mirrors the app queries.

Identifying the Product

The web frontend, identified at next[.]beta[.]qiu577[.]com , confirmed the product: 斗球直播 (Douqiu Live), a pirate sports streaming platform with integrated gambling and hostess cam features. The splash screen tagline reads "斗球！爱我所赢" ("Douqiu! Love What I Win").

The site's footer claims Chinese business licenses registered in Guangxi province (桂ICP备19009876号). Customer support is handled via QQ account 3560966093.

APK Retrieval and Decompilation

The download page, located at h5down[.]qiuhui[.]com , uses a JavaScript bundle that signs API requests with a hardcoded key, and hitting the live endpoint returned the current APK:

GET /qiutx-support/get/channel/package?type=1&channel=F0
→ RESPONSE
{"code":200,"data":{"2.4.1":"<https://sta-prod-pic-prod511>[.]jiaoict[.]

GET /qiutx-support/get/channel/package?type=1&channel=F0
→ RESPONSE
{"code":200,"data":{"2.4.1":"<https://sta-prod-pic-prod511>[.]jiaoict[.]

GET /qiutx-support/get/channel/package?type=1&channel=F0
→ RESPONSE
{"code":200,"data":{"2.4.1":"<https://sta-prod-pic-prod511>[.]jiaoict[.]

GET /qiutx-support/get/channel/package?type=1&channel=F0
→ RESPONSE
{"code":200,"data":{"2.4.1":"<https://sta-prod-pic-prod511>[.]jiaoict[.]

The APK (package name com.sports.dqty, build 2610) is signed with a self signed certificate issued to CN=sports, O=sports, OU=sports , and thumbprint 6db3406e6b9b23d102dda9e0b6de548a566906ea. The internal Java namespace is com.sports.douqiu.xmsport and the project codename is com.yb.ballworld ("YB BallWorld"). The iOS build is internally called XMSport.

Figure 1: APK Launch Screen

The classes4.dex file contains five npm registry mirror URLs, all pointing to the @yuming2022 organization:

• https://mirrors[.]cloud[.]tencent.com/npm/@yuming2022/app-dnpkg-*

• https://r[.]cnpmjs[.]org/@yuming2022/app-dnpkg-*

• https://registry.npmmirror[.]com/@yuming2022/app-dnpkg-*

• https://registry.yarnpkg[.]com/@yuming2022/app-dnpkg-*

• https://unpkg[.]com/@yuming2022/app-dnpkg-*

The APK requests 40+ Android permissions including ACCESS_BACKGROUND_LOCATION, CAMERA, READ_PHONE_STATE, REQUEST_INSTALL_PACKAGES, MANAGE_EXTERNAL_STORAGE, QUERY_ALL_PACKAGES, SYSTEM_ALERT_WINDOW, and DETECT_SCREEN_RECORDING. The privacy dialog at launch explicitly states the app collects IMEI, MAC address, and installed software lists.

The app integrates Alipay and WeChat Pay for payments, Alibaba's facial recognition SDK for identity verification, three redundant IM providers (RongCloud, NetEase NIM, JPush IM), push notification SDKs for every major Chinese OEM (Xiaomi, Huawei, OPPO, Vivo, Meizu), and DLNA casting for streaming to TVs.

How It Works

The iOS source code reveals the full domain resolution hierarchy.

Figure 2: Douqiu App Config Architecture

The app first calls /qiutx-support/domains/v2/pull on its current API server. If the API is down, the app fetches a static JSON file (app_prod.json) from a Huawei Cloud Object Storage bucket. Only if both the API and OBS are unreachable does the app try npm. It queries five mirrors in sequence: unpkg (proxying to npmjs.org), cnpmjs, npmmirror, Tencent Cloud, and Yarn. Each mirror fetches the latest version of @yuming2022/app-dnpkg-{environment} and returns the base64 config blob. If all of the above fail, the Android APK falls back to 13 api[.]dw*[.]app domains baked into the binary.

npm is the most interesting layer because it is the most resilient: the operator cannot be locked out of five independent npm mirrors simultaneously, the content is cached globally, and the publishing is automated.

Attribution

@yuming2022 has 43 packages on npm dating back to 2022, with byte-for-byte identical config payloads to @hd-team. The packages span three client types (app-dnpkg-* for Android, web-dnpkg-* for web, appstore-dnpkg-* for iOS) across numbered environments. Beyond Douqiu, the organization runs a decommissioned sports brand (qsty), an IM app called 聊个天 (LGT), and an SEO analytics SDK (seo-tracing) deployed on Google Sites doorway pages.

A GitHub repository (afeiaxing/Sport1) pushed four years ago contains the complete iOS source. The Xcode project identifies the developer as jsmaster, the original product as 球王体育 ("Ball King Sports"), and references a third npm org, @elton.bfw, with a single package cloud published August 16, 2022 under elton.bfw@gmail.com. That package shares the same Aliyun CDN token as today's @yuming2022 configs. The bfw prefix, present in @elton.bfw, jaxsonbfw@gmail.com, sentry.bfw14.com, and every Huawei OBS bucket, is the one constant across three npm org generations and four years of infrastructure.

Acquiring Users

The operation runs an SEO pipeline to funnel Chinese search traffic toward the app. Templated doorway pages on Google Sites and dedicated domains are stuffed with sports streaming keywords in Chinese, then redirect visitors to gambling domains like kyun9242[.]com and 38s[.]bet. The @yuming2022/seo-tracing npm package is an analytics SDK embedded in these pages to measure conversion. The doorway pages follow a consistent pattern: keyword stuffed Chinese text, a meta refresh or JavaScript redirect, and the tracing pixel. Google Sites appears to be the preferred host.

Motivation

We assess that the choice of managing the scale of this operation through NPM goes beyond infrastructure cost savings. Online gambling is completely banned in mainland China, and enforcement is severe. In 2024 alone, the Ministry of Public Security shut down over 4,500 illegal online gambling platforms, investigated 73,000 cross-border gambling cases, and arrested over 11,000 suspects. Operators of large scale gambling rings have received life sentences and death penalties. The government actively blocks access to foreign gambling websites at the network level and pursues both operators and players. For an operation like Douqiu, the existential threat is criminal prosecution.

npm registries solve this problem. Chinese npm mirrors like npmmirror.com are critical developer infrastructure used by millions of legitimate engineers. They cannot be blocked without collateral damage to China's entire software industry. A base64 blob in an index.js file is indistinguishable from a real package to any automated scanning system. Since the config is fetched at runtime rather than hardcoded in the binary, the operator can rotate blocked domains within minutes by publishing a new package version.

Conclusion

npm was designed to distribute JavaScript packages. Douqiu uses it to distribute infrastructure configuration for what we assess is an illegal gambling operation, and has been doing so for four years across 51 packages and 3 organizations.

The technique is simple: encode your config as a base64 string in index.js, publish it, and let the npm CDN handle global distribution, caching, versioning, and TLS. No C2 server to maintain. No domain to get seized. No infrastructure cost.

The implications extend beyond this one operation. Any app, malicious or otherwise, can use a package registry as a free config server. The publishing is automated, the distribution is global, the content is opaque, and the platform provides built-in redundancy through mirrors.

See it in action

Most AI closes the alert. Panther closes the loop.

Watch the demo

Indicators

npm Packages

@elton.bfw packages

@hd-team packages

@yuming2022 packages

APK

IPA (iOS)

Infrastructure

IP Addresses

Analytics and Tracking IDs

Developer Identity

Claimed Business Licenses (unverified)