Hit Wicket: Inside The Expansive Web of Scams Targeting Millions of IPL Fans This Season

CloudSEK mapped the online IPL betting ecosystem for IPL 2026, showing how illegal betting platforms, tipper networks, and supporting criminal services work together to exploit cricket fans. The investigation found over 1,200 domains promoting betting sites, more than 9,300 rejected withdrawals worth an estimated ₹4.65 crore in losses, and growing use of AI deepfakes, compromised .gov.in sites, money mules, and fake loan apps to sustain the operation.

Key points

  • CloudSEK identified a large illegal IPL betting ecosystem active during IPL 2026.
  • More than 1,200 domains were found promoting illegal betting platforms.
  • One admin panel showed 25+ betting sites being operated from a single backend with real-time control over deposits and withdrawals.
  • Between May 2025 and May 2026, over 9,300 withdrawal requests were rejected, with estimated user losses of ₹4.65 crore.
  • AI-generated content and deepfakes were increasingly used to make tipper channels and betting platforms appear credible.
  • Compromised Indian government websites were used to inject links to illegal betting and gambling pages, boosting search visibility and trust.
  • The wider underground support network included money mules, black-hat SEO operators, bulk ad services, lead generation providers, and fake loan apps.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Threat actors registered and used large numbers of domains to promote betting platforms and redirect users (‘Over 1200 domains were found promoting illegal betting platforms’).
  • [T1584.005] Compromise Infrastructure: Web Servers – Attackers abused compromised government websites to host injected betting links and manipulate search visibility (‘Multiple Indian government sites were found exploited and injected with links pointing to illegal IPL betting platforms’).
  • [T1055] Process Injection – The article describes injected content added into website source code to alter page behavior and ranking (‘attackers inject backlinks to illegal betting platforms directly into these sites’ source code’).
  • [T1566] Phishing – Bulk messages and deceptive promotional content lured users toward betting and loan apps through fraudulent links (‘mass unsolicited text messages promoting betting platforms’ and referral funnels).
  • [T1598.003] Phishing for Information: Spearphishing Link – Users were enticed through referral links from tippers and ads to click into illicit platforms (‘What they are actually selling is a referral link’).
  • [T1649] Steal or Forge Authentication Certificates – Deepfake impersonation was used to forge believable endorsements from celebrities and cricketers (‘deepfake tools to clone the faces and voices of well-known cricketers, news anchors, and celebrities’).
  • [T1036] Masquerading – Fake tipper personas posed as insiders such as ex-analysts or professional gamblers to gain trust (‘running channels under personas crafted to project insider credibility’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Fake loan apps and betting pages impersonated legitimate services to appear trustworthy (‘Instant loan apps’ and legitimate-looking betting platforms).
  • [T1102] Web Service – Threat actors used Telegram, Instagram, YouTube Shorts, WhatsApp, Meta Ads, and Google Ads as operational channels (‘operate primarily on Telegram, Instagram, and YouTube Shorts’).
  • [T1090] Proxy – Money mules and registered business accounts were used to move funds while hiding the real operators (‘bank accounts set up to receive user deposits – registered under business entities rather than individual names’).
  • [T1496] Resource Hijacking – Not applicable in the strict compute sense; however, the article describes exploitation of user and website resources for illicit monetization (‘supporting underground economy’).
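
A defender-side check for the injected-backlink pattern quoted above, as an added example that is not from the CloudSEK report: it lists every link in a page that points outside an allowlist and marks the ones that sit inside hidden elements. The allowlist, the hiding heuristics, the keyword list and the sample page are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"india.gov.in"}  # assumed allowlist of legitimate link targets
HIDING_HINTS = ("display:none", "visibility:hidden", "left:-", "font-size:0")  # assumed
KEYWORDS = ("bet", "casino", "satta", "rummy")  # assumed; coarse triage hint only
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # tags that have no end tag

def is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "hidden" in attrs or any(h in style for h in HIDING_HINTS)

class BacklinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.current, self.findings = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = is_hidden(attrs) or (bool(self.stack) and self.stack[-1])  # inherits from ancestors
        if tag not in VOID:
            self.stack.append(hidden)
        host = urlparse(attrs.get("href") or "").hostname or ""  # empty for relative links
        ok = any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)
        if tag == "a" and host and not ok:
            self.current = {"host": host, "hidden": hidden, "text": ""}

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
        if tag == "a" and self.current is not None:
            f, self.current = self.current, None
            blob = (f["host"] + " " + f["text"]).lower()
            f["keyword"] = any(k in blob for k in KEYWORDS)
            self.findings.append(f)

def audit(html):
    parser = BacklinkAuditor()
    parser.feed(html)
    return parser.findings

SAMPLE = ('<p><a href="https://india.gov.in/tenders">portal</a> <a href="/contact">contact</a></p>'
          '<div style="position:absolute; left:-9999px"><a href="https://ipl-bet.example/r?id=1">'
          'IPL betting bonus</a><br><a href="https://news.example/s">press</a></div>'
          '<a href="https://partner.example/">Partner site</a>')  # constructed sample page
```

Run `audit()` over rendered pages and templates on a schedule and diff the findings against the previous run; a new hidden finding is the signal worth investigating first.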

Indicators of Compromise

  • [Domains] illegal betting promotion and redirected search traffic – more than 1,200 domains, .gov.in sites, Hacklink Market
  • [Social media channels and platforms] tipper distribution and recruitment – Telegram, Instagram, YouTube Shorts, WhatsApp, Meta Ads, Google Ads
  • [Organizations / services] underground enablement and lead generation – Hacklink Market, TRAI DND service, cybercrime.gov.in
  • [User account / financial infrastructure] deposit and withdrawal handling through mule setups – business-registered bank accounts, money mule accounts, 25+ betting sites on a single backend
  • [Time-bound activity records] withdrawal rejection campaign – May 2025 to May 2026, 9,300+ rejected withdrawal requests
  • [Financial impact metric] potential victim losses – estimated ₹4.65 crore
  • [Named people used in deepfakes] promotional impersonation examples – Ranveer Allahbadia, Smriti Mandhana
  • [File / content type] fake promotional media and cloned endorsements – AI-generated deepfake videos, manipulated images, referral links, clone scripts


Read more: https://www.cloudsek.com/blog/illegal-ipl-betting-platforms-underground-economy