Issue 04 - 2025 | Magazine | Technology
Universe Browser

The dark side of Universe Browser

The Universe Browser was first identified and named by Infoblox and UNODC at the beginning of 2025

In October 2025, news emerged of cybersecurity researchers warning about a “privacy-friendly” web browser that has the potential to act as malware itself. Known as the “Universe Browser,” the tool is said to have a million-install base, and it raises security concerns for its users.

The browser allegedly routes its connections through China-based servers and quietly installs several programmes that covertly run in the background. Cybersecurity firm Infoblox, in collaboration with the United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, conducted a detailed probe on the matter and found that its hidden elements include keylogging, changes to the network configurations of the device, and stealthy connections.

The finding found resonance with WIRED tech journalist Matt Burgess, who wrote, “It’s not only that the Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the ‘fastest browser,’ that people using it will ‘avoid privacy leaks,’ and that the software will help ‘keep you away from danger.’ However, everything likely isn’t as it seems.”

Infoblox researchers noted that the “hidden” elements include features similar to malware, including “key logging, surreptitious connections,” and changing a device’s network connections. These experts also found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking, and scam operations that use forced labour.

According to Infoblox, the browser itself is directly linked to a network around a major online gambling company, BBIN, which the researchers have labelled a threat group they call “Vault Viper.”

Uncovering the dirt

Infoblox remarked that both the browser’s discovery and its suspicious and risky behaviour indicate that criminals in Southeast Asia and the Pacific are becoming increasingly sophisticated.

“These criminal groups, particularly Chinese organised crime syndicates, are increasingly diversifying and evolving into cyber-enabled fraud, pig butchering, impersonation, scams—that whole ecosystem,” said John Wojcik, a senior threat researcher at Infoblox, while interacting with Burgess.

“They’re going to continue to double down, reinvest profits, and develop new capabilities. The threat is ultimately becoming more serious and concerning, and this is one example of where we see that,” Wojcik added.

The Universe Browser was first identified and named by Infoblox and UNODC at the beginning of 2025. This occurred while they were investigating the digital systems associated with an online casino operation based in Cambodia, which law enforcement officials had previously raided.

“Infoblox, which specialises in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group,” Burgess noted.

According to Infoblox, tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to “Vault Viper” activity.

As the company examined corporate documents, legal records, and court filings with links to BBIN or other subsidiaries, “Universe Browser Online” appeared multiple times.

“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls. Each of the casino websites they operate seems to contain a link and advertisement to it,” said Mael Le Touz, a threat researcher at Infoblox. The researchers also made another disturbing discovery: the browser was “specifically” designed to help people in Asia, a continent where online gambling is largely illegal, bypass those restrictions.

When the Infoblox researchers reverse-engineered the browser’s Windows version, they found it difficult to verify the tool’s “malicious intent.” However, the browser includes many features similar to those found in malware, and it tries to evade detection by antivirus tools.

When the browser is launched, it “immediately” checks for the user’s location, language, and whether it is running in a virtual machine. The app also installs two browser extensions, one of which can allow screenshots to be uploaded to domains linked to the browser.

Understanding the seriousness

Despite the browser offering leeway for those attempting their luck in illegal gambling, it also puts their data at risk. In the hands of a threat actor, this browser would serve as the perfect tool to identify wealthy players and obtain access to their machines, claims Infoblox.

Infoblox also found that the browser disables functions like right-click, access to settings, and developer tools, while the tool itself is run with several flags that disable major security features, including sandboxing. Additionally, the removal of legacy SSL protocols (Secure Sockets Layer, an older form of web encryption used to protect data transfers) has significantly increased risk compared to typical mainstream browsers.

According to Burgess, the web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. Originally founded in Taiwan, the company now has a large base in the Philippines.

BBIN, which also goes by the name Baoying Group and has multiple subsidiaries, describes itself as a “leading” supplier of iGaming software in Asia. However, a UNODC report from April 2025, which linked BBIN to the Universe Browser, observed the firm running several hotels and casinos in Southeast Asia, apart from providing “one of the largest and most successful” iGaming platforms in the region.

The iGaming industry also develops online gambling software, such as virtual poker and online casino games, that can be played on the web or on a mobile phone.

“BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites. The only languages it offers are Korean, Japanese, and Chinese, which isn’t a great sign, as online gambling is either banned or heavily restricted in all three countries,” said Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organised crime.

Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia, said, “Baoying and BBIN are what I would call a multibillion-dollar grey-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams, and cybercrime actors.”

“Aside from what has been estimated as a two-thirds ownership by Alvin Chau of SunCity, arguably the biggest money launderer in the history of Asia, law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, and Tian Dao,” Douglas added.

Southeast Asia: The new scam hub?

Over the last decade, online crime in Southeast Asia has seen a big surge, driven partially by illegal online gambling and also by a series of scam compounds that have been set up across countries like Myanmar, Laos, and Cambodia.

Headlines have emerged about hundreds of thousands of people from more than 60 countries being tricked into working in these compounds, where they operate scams day and night, knowingly or unknowingly feeding the crime machine that steals billions of dollars from people around the world. BBIN has been named here as well.

In October, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organisation, which publicly dealt in real estate but allegedly ran scam facilities in secret. One of the sanctioned entities, Cambodia-based Jin Bei Group, which investigators accused of operating a series of scam compounds, also showed links to BBIN’s technology.

Reportedly, multiple Telegram groups and casino websites indicated BBIN’s partnership with multiple entities inside the Jinbei casino.

As per Jason Tower, a senior expert at the Global Initiative Against Transnational Organised Crime, one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”

Multiple government press releases and news reports from countries including China and Taiwan have alleged that BBIN’s technology has been used within illegal gambling operations and linked to cybercrime.

While the EyeWitness Project noted that the Universe Browser is the preferred option for those accessing Chinese-language gambling websites, researchers say that its development indicates how pivotal and lucrative illegal online gambling operations have become, resulting in global scamming efforts scaling and diversifying like a well-oiled industrial machine.
