
With the Indian Premier League (IPL) fever sweeping the nation, Sunita understandably also didn’t want to miss the opportunity to watch the action up close. So, when one of the bouncers mentioned he knew someone selling tickets, she promptly took down his contact details.
Her call went unanswered, but she got a reply on WhatsApp asking for an electronic transfer of ₹3,000 for two tickets. Minutes later, two PDFs carrying QR codes and her name landed in her mail.
There was little to suggest anything unusual was taking place. Hence, over the next five days, Sunita made multiple purchases from the same seller, worth ₹52,500.
By the time she realised the tickets were fake, the damage had already been done.
Sunita’s experience was far from an isolated incident. In fact, cybersecurity firm CloudSEK believes she may be just one among “millions of IPL fans” who were exposed to similar scams this season. Independent research identified more than 600 fraudulent domains selling fake tickets, over 400 illegal streaming websites, and another 1,200-plus domains promoting betting platforms where users allegedly faced difficulties while withdrawing their funds.
Counterfeit Entry Passes
“We have our proprietary product that helps do the digital risk monitoring. We had added a few watchwords like betting, IPL, fake tickets, and so on. That helped us scour through all of those domains or squatted domains which are actually impersonating legitimate businesses. So, the moment you add those keywords, the product goes around the Internet—be it on the deep web, dark web or surface web—to find out every mention of similar words,” reveals Sourajeet Majumder, a security researcher at CloudSEK, specialising in cyber threat intelligence and offensive security.
That is when Sourajeet discovered multiple websites and applications masquerading as legitimate ticketing platforms like BookMyShow and District by mimicking their logos, colour schemes, and even the UI layouts to create a platform identical enough to dismiss any hint of suspicion.

Screengrab of a fake District page selling IPL match tickets.
“These websites were actually being created using phishing kits. These are basically like a pre-made source code that will be just handed over to you, and then all you need to do is deploy it. The moment you do that on your server, you are a threat actor. That is, you are ready to scam people. It’s kind of difficult to say if it is an organised group of people doing it or not, but at times, it may be possible for one group to create hundreds and thousands of sites using the kit. We don’t have the data on where they’re operating from. For the domains are registered on different ISPs (Internet Service Providers). But more often than not, we see that the infrastructure that is being used is Chinese,” Sourajeet explains.
bookmy-show.com, book-myshow.com, thebookmyshow.in, bookmyshow-ipl-ticket.com, bookmyshowticket.com, bookmyiplticket.com, bookm-show.shop, and bookmyticket.sbs are some of the domains which were designed between March and April 2026 to dupe buyers.
The official URL for the popular ticket-booking platform, meanwhile, is in.bookmyshow.com.
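The domains listed above can be caught mechanically. The following sketch is an added example, not CloudSEK's or BookMyShow's tooling: it compares a hostname against the brand name after removing hyphens, and treats only hosts under the official domain as genuine. The allowlist, watchwords and thresholds are assumptions chosen for illustration.

```python
import os.path
import re

# Illustrative values: brand, allowlist, watchwords and thresholds are assumptions.
BRAND = "bookmyshow"
OFFICIAL = {"bookmyshow.com"}          # covers in.bookmyshow.com
WATCHWORDS = ("ipl", "ticket")
# Domains quoted in the article, plus the official host and an unrelated control.
SAMPLES = [
    "bookmy-show.com", "book-myshow.com", "thebookmyshow.in",
    "bookmyshow-ipl-ticket.com", "bookmyshowticket.com", "bookmyiplticket.com",
    "bookm-show.shop", "bookmyticket.sbs", "in.bookmyshow.com", "example.org",
]

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, reasons) for one hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain (last two labels); use a public-suffix list in production.
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official", []
    # Squash every label left of the TLD, dropping hyphens and dots.
    squashed = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    words = [w for w in WATCHWORDS if w in squashed]
    core = re.sub("|".join(WATCHWORDS), "", squashed)   # name with watchwords removed
    reasons = []
    if BRAND in squashed:
        reasons.append("contains-brand")
    elif levenshtein(core, BRAND) <= 2:
        reasons.append("near-miss-spelling")
    elif words and len(os.path.commonprefix([squashed, BRAND])) >= 6:
        reasons.append("brand-prefix+watchword")
    if reasons and words:
        reasons.append("watchwords:" + ",".join(words))
    return ("suspect" if reasons else "clean"), reasons

def scan(hosts=SAMPLES):
    return {h: classify(h) for h in hosts}
```

All eight domains named in the article come back as `suspect`, while `in.bookmyshow.com` is `official` and the control is `clean`; the prefix rule is a heuristic and its hits need manual review.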

An unofficial domain page impersonating the site, Book My Show, to dupe users.
BookMyShow says it is aware of the problem at hand.
“We have brought instances of unauthorised entities misrepresenting themselves as official ticketing channels to the attention of the relevant authorities and remain committed to supporting efforts that help protect consumers from fraudulent activity,” a spokesperson affiliated with the group told Sportstar.
BookMyShow additionally claimed it had initiated drives to make buyers more aware. “Consumer safety remains a priority for us and, as the official ticketing partner for select teams during IPL 2026, we regularly shared advisories and information on safeguards through our official platforms, urging customers to exercise caution and avoid unauthorised ticketing sources, which may lead to fraudulent transactions.”
One can only wish the problems ended here. When CloudSEK researchers managed to hack into the administrative panel of one of these fake domains, it wasn’t a pretty sight. Personal details of targets—including names, phone numbers, email addresses, and bank and UPI details—were all perched on the backend, ready to be sold as leads to other scammers again, hence making the victim vulnerable to further waves of fraud.
Streaming Into Trouble
Not all con jobs, however, seek an immediate payday. Some are elaborately crafted to infect systems with malware that can operate silently in the background, draining crypto wallets, stealing passwords, backdooring applications, and installing remote-access implants. And that is where the sites seemingly offering free livestreams come into the picture.
First, these links are optimised for trending search keywords like ‘ipl 2026 free live stream’, ‘watch ipl online free’ and ‘CSK vs RCB live streaming’. Sourajeet explains what happens next: “These threat actors will then go on Reddit or on different Facebook posts and talk about these fake IPL streaming sites. And let’s say, they somehow get other people to also start talking about it. Now when you do a simple Google search for free IPL streaming sites, it will come with an AI summary mode, right? The AI pop-up will start suggesting these sites because it will have picked up these community comments without actually verifying whether they are malicious.”

If one eventually makes the mistake of landing on one of these websites and clicking one of the play buttons, hidden code in the advertisements redirects the user through multiple websites. These detours are designed to earn money from advertising and, in some cases, may lead to potentially harmful websites.
Additionally, a script in the site’s source code helps identify the visitor’s operating system, browser, and device. A specific macOS malware called ‘SHub Stealer’, which could potentially steal data, obtain credentials, trigger a browser data theft, read messages and infiltrate e-wallets, was also tracked.
The Betting Maze
The risks do not end with dummy tickets and malware-laden streaming portals. Waiting further down the rabbit hole is a sprawling network of illegal betting platforms.
Betting on sports has long been restricted in India under the Public Gambling Act, 1867, and state gambling laws. Earlier, fantasy sports platforms such as Dream11 were allowed to operate after Courts classified them as ‘games of skill’. However, the Promotion and Regulation of Online Gaming Act, 2025, introduced a nationwide ban on online real-money gaming, effectively ending paid fantasy sports contests and other cash-based online gaming formats.
But some of these shady operations continue to operate in plain sight. A single admin panel revealed it was being used to manage 25 such websites. Also, over the past 12 months, more than 9,300 fund withdrawal requests were rejected on these sites, amounting to an estimated ₹4.65 crore in potential user losses.
Former IPS officer Neeraj Kumar, who has served as the Delhi Police Commissioner and also the Chief Advisor and head of the Board of Control for Cricket in India’s (BCCI) Anti-Corruption and Security Unit (ACSU) from 2015 to 2018, says once the authorities discover how extensive the network is they will certainly take steps to curb its growth.
“When people get defrauded of all their savings by sharing things like OTP numbers or opening a malicious link, public notices are issued in that regard from time to time,” Neeraj says. “When a particular modus operandi of cheating becomes very widespread and a greater number of people are affected, then the authorities get to know and then they try to educate people on what to do and what not to. If there are far too many cases which are coming to the notice of the authorities, somebody would definitely take legal cognisance.”
Government Domains Hijacked
The findings took a more alarming turn when researchers discovered that several Indian Government websites also stood compromised. In multiple instances, .gov domains were found hosting injected links that redirected users to illegal betting platforms and gambling applications through BlackHat SEO techniques designed to manipulate search engine rankings.
“So, let’s say, for the e-filing portal, it’s ipindiaonline.gov.in. But if you see there’s a directory right beside it, like, ipindiaonline.gov.in > best-ipl-betting-apps, that shouldn’t have been there. That has been injected by the threat actors inside that website… The moment they are injected, they will start coming up on your search engine. So, if you search for, let’s say, “best IPL betting apps”, you see a .gov.in domain coming in. Theoretically, you, being a layman, would just go forward with it because you think it’s from a legitimate Government site. But the moment you click on it, you get redirected to an IPL betting site,” Sourajeet says.
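A site owner can look for the kind of out-of-place directory described above by comparing the URLs a crawl or search listing returns against the sections the site actually publishes. This is an added example, not part of the article or CloudSEK's product; the host `portal.example`, the baseline sections and the URL list are constructed placeholders, and only the `best-ipl-betting-apps` slug comes from the quote.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed inputs: host, baseline sections and URL list are placeholders.
SITE = "portal.example"
BASELINE = {"", "efiling", "about", "contact", "static"}  # top-level sections the owner publishes
WATCHWORDS = {"betting", "ipl", "gambling"}

INDEXED_URLS = [  # e.g. what a crawl or a search-engine listing for the site returned
    "https://portal.example/efiling/login",
    "https://portal.example/about",
    "https://portal.example/best-ipl-betting-apps",
    "https://PORTAL.example/Best-IPL-Betting-Apps/",
    "https://portal.example/static/css/site.css",
    "https://portal.example/tenders-2026",
]

def review(url):
    """Return a finding for a URL outside the published sections, else None."""
    parts = urlsplit(url)
    if parts.hostname != SITE:          # .hostname is already lower-cased
        return None
    # Normalise case and percent-encoding before comparing.
    path = unquote(parts.path).lower()
    segments = [s for s in path.split("/") if s]
    top = segments[0] if segments else ""
    if top in BASELINE:
        return None
    hits = sorted(set(re.split(r"[^a-z0-9]+", path)) & WATCHWORDS)
    return {"url": url, "section": top,
            "severity": "high" if hits else "review", "watchwords": hits}

def findings(urls=INDEXED_URLS):
    return [f for f in map(review, urls) if f]
```

Unknown sections without watchwords are still reported at `review` severity, since any path the owner did not publish deserves a look.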

When asked if these findings were shared and validated with law enforcement agencies and cybercrime units, Sourajeet said, “We brought in the attention of CERT-In (Indian Computer Emergency Response Team) and I4C (Indian Cyber Crime Coordination Centre). We have also sent them corrective measures like what can be done to fix this… This is not the first time the Government website injection thing is happening. It has been happening over the years…”
CERT-In, taking cognisance of the concern, said it is “aware of the incident and are in the process of taking appropriate action with the concerned authority.”
Following The Money
A separate admin panel shed light on the financial infrastructure underpinning these platforms, showing a web of bank accounts used to collect deposits, many of them registered under small business entities. Several of these accounts bore the hallmarks of money mule networks.

“Money mules are basically people whose bank accounts have been used to transfer fraudulent money. It has an entire syndicate to itself. There are multiple Telegram channels and Facebook groups where even today, if you want, you can drop a text saying you want to rent your bank account. All you need to do is give your bank details and your online transaction password. Post that, whenever there is any fraudulent transaction, all of that money will get routed through these money mules. So, once you have rented your bank account, you will get a certain commission for every such transaction. The remaining amount will get transferred to other bank accounts and at the end of the day that will get converted into electronic currency. That’s when it goes out of jurisdiction,” Sourajeet elaborates.
Influence For Hire
Sign-ups on these betting platforms are largely driven by tippers rather than traditional marketing campaigns. Posing as insiders with privileged knowledge of the game, these influencers cultivate audiences on Telegram, Instagram and YouTube Shorts before funnelling their followers into these networks. Their earnings are typically linked to the number of users they bring on board.
There has also been a significant uptick in the use of AI-generated deepfakes to create tipper credibility. Sourajeet says: “They pull up these videos from different podcasts, advertisements and so on. And then by using simple AI voice cloners or video editors, they make these celebrities endorse these tipping channels. And that is how a lot of people start believing them because they see the celebrity talking, right?”

For all the sophistication of the scams, however, there is no single profile of a likely victim. “Senior citizens may be less tech-savvy and therefore more vulnerable to clicking suspicious links,” Sourajeet says. “But it gets interesting when it comes to younger people as well, because threat actors are constantly finding out new ways to scam users. They’re getting better with time. So, I think anyone could be a target. It could be me, it could be you.”
That perhaps is the biggest takeaway from CloudSEK’s findings. The scams are no longer limited to obvious phishing emails or suspicious websites littered with spelling mistakes. Fake ticketing portals increasingly resemble legitimate platforms. Illegal streaming sites exploit search engine visibility and social media recommendations. Betting operators leverage affiliate networks and even AI-generated celebrity endorsements to gain credibility. In an environment where cyber criminals are constantly evolving their game-plan, awareness needs to become the first line of defence.
Researchers advise users to rely only on official ticketing partners, verify website URLs carefully before making payments, and avoid downloading software from streaming portals.
Anyone Can Be Targeted
For authorities and sporting bodies, the challenge is equally continuous. “Cyber crime will happen no matter how hard you try to stop it. These kinds of scams will return every year,” Sourajeet says. “What can be done is to take proactive steps. Continuous monitoring can help identify fake ticketing sites, betting portals or malware-spreading domains as soon as they appear. Once they’re detected, the responsible agencies can work with registrars and hosting providers to take them down.”
As the IPL continues to grow into one of the world’s biggest sporting spectacles, so too does the shadow economy attempting to profit from it. The contest is no longer confined to the boundary rope, and vigilance may be the only winning strategy.
Published on Jun 02, 2026