IPL scams surge with 600 fake ticket sites and 400 malicious stream platforms

CloudSEK uncovers malware traps, fake bookings and data theft behind IPL frenzy

MUMBAI: The frenzy surrounding the Indian Premier League is no longer limited to stadiums and streaming screens. According to a new report by CloudSEK, cybercriminals are increasingly using the cricket season to run sophisticated scams targeting millions of Indian fans through fake ticketing websites, malicious streaming platforms and data theft operations.

The cybersecurity company said it identified more than 600 fraudulent domains posing as IPL ticket booking portals this season, alongside over 400 fake “free streaming” websites that often double up as malware distribution channels.

The scams are designed to exploit exactly what makes the IPL such a high-intensity event: urgency, emotional investment and fear of missing out.

CloudSEK’s findings paint a picture of an organised digital fraud ecosystem that begins long before the first match and evolves throughout the tournament. Fake domains are registered weeks in advance, social media accounts are seeded with followers, Telegram groups are built up, and paid advertisements are strategically deployed around blockbuster fixtures and rivalries.

Many of the fake ticketing sites imitate trusted platforms such as BookMyShow and District, copying their logos, layouts and colour schemes to appear authentic. The pages often feature countdown timers, “only a few seats left” warnings and dynamic pricing designed to pressure fans into making quick purchases.

Victims are usually drawn in through posts and reels on Instagram and Facebook, while paid advertisements on Meta platforms help scammers target cricket audiences directly. Fraudulent websites are also heavily optimised for search engines using terms such as “IPL 2026 tickets” and “ticket booking IPL match”, allowing them to appear alongside legitimate results on Google search pages.

Once users land on these sites, the flow appears entirely legitimate. Fans are asked to select seats, enter personal details and complete payments through UPI, cards or QR codes. Shortly afterwards, they receive convincing-looking PDF tickets carrying fake booking numbers and non-functional QR codes.

The scam is usually discovered only at the stadium gate.

CloudSEK researchers also gained access to one fake ticketing operation’s admin panel, exposing a surprisingly advanced backend system. The dashboard reportedly included real-time order management, payment verification tools, fake ticket generators, dynamic pricing modules and databases storing victims’ names, phone numbers and email addresses.

The report noted that this data is often resold to other scam networks, exposing victims to repeated phishing attacks and fraud attempts long after the original incident.

The threat landscape extends well beyond fake ticket sales. CloudSEK warned that unofficial IPL streaming sites have evolved into full-fledged malware delivery networks targeting fans searching for free live match streams.

These websites are promoted aggressively across Telegram channels, Reddit communities and social media platforms, often appearing in AI-generated search summaries and community recommendations online.

At first glance, the streaming sites appear functional, complete with match schedules, HD viewing options and live score interfaces. But hidden behind the interface are multiple layers of redirects, tracking scripts and malicious code designed to hijack user clicks and redirect devices through shady advertising networks.

CloudSEK found that many of these malicious campaigns specifically target Mac users through fake update prompts and fraudulent installer pages impersonating GitHub applications or Apple security alerts.

Victims are tricked into opening the Terminal application and pasting commands that silently install malware. Researchers identified one such payload as “SHub Stealer”, a macOS infostealer capable of stealing browser credentials, banking data, Telegram sessions, iCloud information and cryptocurrency wallet details.

The malware specifically targeted wallets and services linked to Ledger, Atomic Wallet, Exodus and Trezor, among others.

CloudSEK said the malware also establishes persistence mechanisms that allow attackers to maintain remote access to infected devices even after the initial attack appears complete.

The impact goes far beyond losing money on fake tickets. Victims risk device compromise, credential theft, drained cryptocurrency wallets, stolen personal information and long-term exposure to further cybercrime campaigns.

The report also highlighted the emotional cost of such scams, noting that many fans experience significant stress after being locked out of stadiums or discovering their devices have been compromised after trying to watch a match online.

To reduce risk, CloudSEK advised fans to purchase tickets only through official platforms, avoid “too good to be true” discounts, stay away from unofficial streaming sites and carefully inspect website URLs for suspicious spellings or domain extensions such as “.online”, “.live” and “.store”.

The company also recommended enabling two-factor authentication, limiting app permissions and regularly updating devices and browsers to reduce exposure to malware attacks.
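
The URL inspection advice above can be automated as a first-pass triage of links before they are clicked or allowed through a mail or web filter. The sketch below is an added example, not code from CloudSEK or the report; the official-host allowlist, the 0.8 similarity threshold and the sample URLs are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: official hosts of the two platforms the article names; confirm before use.
OFFICIAL = {"bookmyshow.com", "district.in"}
BRANDS = ("bookmyshow", "district")
RISKY_TLDS = {"online", "live", "store"}   # extensions named in the article
LURES = ("ipl", "ticket", "booking")       # from the search terms quoted in the article


def triage(url):
    """Return a list of reasons the URL's host looks suspicious ([] if none)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        return ["unparseable"]
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Simplification: registrable domain = last two labels (real tooling
    # should use the Public Suffix List).
    if ".".join(labels[-2:]) in OFFICIAL:
        return []
    reasons = []
    if labels[-1] in RISKY_TLDS:
        reasons.append(f"tld:.{labels[-1]}")
    tokens = re.split(r"[.\-]", host)
    for brand in BRANDS:
        if brand in host:
            # Brand name on a host that is not the brand's own domain.
            reasons.append(f"brand:{brand}")
        elif any(SequenceMatcher(None, t, brand).ratio() >= 0.8 for t in tokens):
            # Near-miss spelling such as a digit swapped for a letter.
            reasons.append(f"lookalike:{brand}")
    reasons += [f"lure:{w}" for w in LURES if w in host]
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the CloudSEK report.
    for u in ("https://in.bookmyshow.com/sports/x",
              "https://bookmyshow-ipl.online/seat",
              "http://bookmysh0w.store",
              "example.org"):
        print(u, triage(u))
```

An empty result means only that none of these heuristics fired; it is not proof that a site is legitimate.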

As IPL viewership and digital engagement continue to grow, the tournament is increasingly becoming as attractive to cybercriminals as it is to sponsors and broadcasters. For fans chasing last-minute tickets or free streams, one careless click may end up costing far more than the price of admission.

Copyright © 2026 Indian Television Dot Com PVT LTD