CloudSEK Uncovers 1,000+ Fake IPL Ticketing and Streaming Domains Targeting Cricket Fans This Season

Screenshot of fake sites selling IPL tickets.

BENGALURU, May 2026 — CloudSEK has exposed a large cybercrime ecosystem targeting Indian Premier League (IPL) fans through fake ticketing portals and malicious free streaming websites, showing how cricket season has become a high-value fraud window for online scam operators.

The investigation found over 600 fraudulent domains selling fake IPL tickets and more than 400 fake “free streaming” sites, many of which were operating as malware delivery channels. These scams are designed around the behaviour of IPL fans: the rush for last-minute tickets, the fear of missing out on sold-out matches, and the search for free live streams during high-demand fixtures.

CloudSEK’s report shows that these operations are no longer limited to crude phishing pages or random social media posts. Fraudsters are using professional-looking websites, paid ads, search engine optimisation, social media pages, Telegram groups, fake customer testimonials, payment gateways, QR codes and automated ticket-generation systems to make the fraud look legitimate.

“IPL brings together scale, emotion and urgency. That is exactly what cybercriminals exploit. A fan looking for one last ticket or a free stream is not thinking about online safety risks. Scammers know this, and they are building professional fraud funnels around that moment of vulnerability,” said Sourajeet Majumder, Security Researcher, CloudSEK.

Fake IPL Tickets: The Scam That Ends at the Stadium Gate

CloudSEK researchers identified hundreds of fake domains claiming to sell IPL tickets this season. Many of these websites impersonated trusted ticketing platforms such as BookMyShow and District by copying familiar logos, page layouts, colours and user flows. Some domains used names that looked deceptively close to legitimate brands, including variations around “bookmyshow,” “IPL ticket,” “stadium seat booking” and “pavilion tickets.”
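A defender-side triage sketch for the lookalike naming described above, for example over newly registered domains or proxy logs. This is an added example, not code from CloudSEK's report: the brand and lure terms come from the article, while the allowlist, weights, threshold and sample hostnames are assumptions constructed for illustration.

```python
import re

# Terms are those named in the article; OFFICIAL is an assumed allowlist to verify.
BRANDS = ("bookmyshow", "district")
LURES = ("ipl", "ticket", "stadium", "seat", "booking", "pavilion")
OFFICIAL = {"bookmyshow.com", "district.in"}
LEET = str.maketrans("01345", "oleas")  # undo digit swaps: b00kmysh0w -> bookmyshow
THRESHOLD = 2                           # hypothetical cut-off for analyst review

def registrable(host):
    # Last two labels only; a simplification that ignores suffixes such as .co.in.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(host):
    host = host.lower().rstrip(".")
    if registrable(host) in OFFICIAL:
        return 0, []
    name = host.rsplit(".", 1)[0].translate(LEET)   # drop the TLD, normalise digits
    flat = re.sub(r"[^a-z]", "", name)              # catches brand names split by separators
    tokens = [t for t in re.split(r"[^a-z]+", name) if t]
    points, reasons = 0, []
    for brand in BRANDS:
        if brand in flat:
            points += 3
            reasons.append(f"brand:{brand}")
        elif any(edit_distance(t, brand) <= len(brand) // 5 for t in tokens):
            points += 2                             # near miss such as a dropped letter
            reasons.append(f"near:{brand}")
    hits = [lure for lure in LURES if lure in flat]
    return points + len(hits), reasons + [f"lure:{h}" for h in hits]

def triage(hosts):
    scored = [(score(h)[0], h) for h in hosts]
    return sorted([(p, h) for p, h in scored if p >= THRESHOLD], reverse=True)

# Constructed sample hostnames under the reserved .example TLD (not real indicators).
SAMPLES = ["in.bookmyshow.com", "b00kmysh0w-ipl-tickets.example",
           "bookmyshw-pavilion.example", "stadium-seat-booking.example",
           "ipl-fanclub.example", "cricket-scores.example"]
```

A single lure word such as "ipl" stays below the threshold, so fan sites are not flagged on that alone; a brand match on any domain outside the allowlist is.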

Screenshot of fake sites selling IPL tickets.

The fake ticketing journey is designed to feel real from the first click.

A fan sees a Reel, a Facebook post, a Telegram message or a search result promising IPL tickets. The website opens with team logos, seat categories, countdown timers and banners claiming only a few seats are left. The user selects a seat, enters their name, mobile number and email ID, and pays through UPI, card, QR code or a payment gateway.

Minutes later, a PDF ticket lands in their inbox.

The ticket carries professional branding, seat details, booking numbers and a QR code. But the ticket is fake. The QR code does not work at the stadium. The fan discovers the fraud only when security refuses entry at the gate.

Inside the Fake Ticket Backend

One of the most significant findings in the report is CloudSEK’s access to the admin panel of a fake IPL ticketing operation. The backend revealed that the scam was not a casual one-page fraud site. It was a structured operation with the tools needed to run a ticketing scam at scale.

The panel showed:

  • Real-time booking data

  • Victim names, phone numbers and email IDs

  • Manual payment verification

  • UPI and bank account details

  • Ticket price management controls

  • Match management modules

  • Options to confirm, reject, delete or email ticket orders

  • One-click generation and dispatch of fake PDF tickets

The payment flow was particularly revealing. Operators could manually verify whether the victim’s payment had landed before sending the fake ticket. This reduced the scammer’s risk and made the process more efficient.

The backend also had Meta Pixel integration, allowing scammers to track clicks, form submissions and payment events. This means fraudsters could measure which ads, creatives and social media campaigns were bringing in victims and then optimise their fraud campaigns just like a legitimate e-commerce business.

“The fake ticketing backend shows how industrialised these scams have become. Operators are not only selling fake tickets. They are tracking conversions, adjusting prices, verifying payments and collecting victim data that can be reused or sold for future scams,” said Sourajeet Majumder, Security Researcher, CloudSEK.

Free IPL Streaming Sites: From Match Links to Malware Traps

The second major threat identified by CloudSEK involves fake IPL live streaming websites. These platforms claim to offer free access to live matches but often act as gateways to malware, suspicious redirects and credential theft.

CloudSEK identified 400+ fake free streaming sites promoted through Google search results, Reddit threads, Telegram channels and Facebook groups. These websites were optimised for high-intent searches such as “IPL 2026 free live stream,” “watch IPL online free,” and match-specific terms like “DC vs RCB live streaming.”

At first glance, many of these sites look functional. They display match listings, team names, streaming buttons, quality options and navigation menus. But the real activity begins when a user clicks.

The report found that many of these sites use pop-unders, forced redirects, tracking scripts and browser-detection mechanisms. In some cases, scripts identify the user’s operating system and browser, then route the victim toward device-specific malicious pages.

For macOS users, CloudSEK observed redirects to ClickFix-style pages impersonating legitimate GitHub installers or Apple macOS security update pages. These pages instructed users to open Terminal and paste a command to complete the supposed installation or security update. Once executed, the command retrieved and ran a malicious payload.

SHub Stealer: The Malware Behind the Free Stream

CloudSEK researchers analysed one such payload and identified it as SHub Stealer, a macOS infostealer designed to quietly steal sensitive data from infected systems.

According to the report, the malware can collect:

  • macOS login passwords

  • Browser passwords and cookies

  • Chrome master password data

  • Telegram Desktop sessions

  • Apple Keychain data

  • iCloud account information

  • Safari cookies, history and autofill data

  • Apple Notes databases

  • Sensitive files from Desktop and Documents folders

  • Data from more than 100 crypto wallet browser extensions

  • Data from desktop wallets including Exodus, Atomic, Electrum, Guarda, Coinomi, Sparrow, Wasabi, Bitcoin Core, Monero, Ledger Live and Trezor Suite

The malware also attempts to establish persistence on infected machines through a fake Google Update application and a LaunchAgent that runs periodically in the background. This allows the attacker to maintain access even after the initial theft is complete.

One of the most serious capabilities observed was wallet injection. If popular crypto wallet applications were installed, the malware could modify application files to capture wallet seed phrases. A stolen seed phrase can allow attackers to reconstruct and drain a victim’s crypto wallet.

“What appears to be a free match stream can become a full device compromise. The victim thinks they are watching cricket. In the background, their passwords, browser sessions, files and crypto wallet data may already be leaving the system,” Majumder added.

Why IPL Is a Prime Target for Cybercriminals

The report notes that IPL is uniquely attractive to cybercriminals because it combines scale, urgency and emotion. With hundreds of millions of viewers, sold-out stadiums and large volumes of digital transactions in a short tournament window, the opportunity for fraud is significant.

Fans are often time-sensitive and emotionally invested. They may take risks to secure last-minute tickets, access a free stream or watch a major rivalry. Attackers design campaigns around these exact triggers.

The fraud infrastructure also begins before the tournament. Domains are registered, Telegram channels are seeded, fake social pages are created and ads are prepared before the first match. During major fixtures, playoffs and high-profile rivalries, these campaigns intensify.

By the end of the season, many domains are abandoned, repurposed or kept dormant until the next major cricket event.

What Fans Should Do

CloudSEK advises fans to buy tickets only through official channels such as the BCCI website or authorised partners, and to treat any third-party offer surfacing through social media or messaging apps as suspect, regardless of how legitimate the page looks.

For streaming, only authorised broadcast platforms should be used. Any site offering a free live stream and prompting visitors to click a button or run a command on their device should be treated as a potential threat.

About CloudSEK

CloudSEK is an AI-native predictive cyber intelligence platform that identifies attack paths and initial access vectors before they are exploited. The platform combines external threat intelligence, AI attack surface intelligence, and third-party risk monitoring to help organizations detect how attackers gain access and disrupt attack paths before execution.

To learn more, visit https://cloudsek.com or write to info@cloudsek.com.
