
In Part 1 of this series, CloudSEK mapped the first two major cyber threats dominating Indian Premier League 2026 - fake ticket booking networks that leave fans stranded at stadium gates, and malicious free streaming sites that silently compromise devices through multi-stage malware delivery chains. If you haven't read it yet, you can find it here.
Both these threats targeted fans at the edges of the IPL experience - those who couldn't get tickets, or couldn't afford a subscription. This second part goes deeper. It maps a third threat that targets something more fundamental than convenience - the belief that you can beat the odds.
In Part 2, we investigate the online IPL betting ecosystem - illegal platforms, the use of AI deepfakes, and the sprawling underground economy of money mules, bulk advertisement services, blackhat SEO operations, and fake loan apps that keep it all running. What we found is not a collection of isolated scams. It is a tightly connected industry that activates every IPL season, operates in plain sight, and exits just as quietly when the trophy is lifted.
Every IPL season, a vast illegal betting economy quietly activates alongside the tournament. It is not new, and it is not small. Illegal cricket betting is estimated to be a multi-thousand-crore market, operating in plain sight across Telegram channels, social media pages, and slickly designed platforms.
What has changed in recent years is the infrastructure. It has evolved into a technology-driven ecosystem - with dedicated platforms, affiliate marketing pipelines, AI-generated promotional content, and a supporting underground economy of money mules, bulk advertisement operators, and blackhat SEO networks. CloudSEK mapped this ecosystem across IPL 2026, and what follows is what we found.
At the centre of the ecosystem are the platforms themselves. CloudSEK identified multiple illegal betting sites actively targeting Indian cricket fans during IPL 2026. These platforms are sophisticated - they offer live odds, in-play betting, deposit bonuses, referral programs, and customer support.

A lot of these platforms are built on clone scripts - available for purchase on different forums and Telegram channels - meaning a new platform can be stood up in days with minimal technical knowledge. This is why the number of active platforms grows every season. The barrier to entry is low and the margins are high.

Once a user is in, the platform is designed to keep them there. New users are often allowed to win in the early stages - small, encouraging payouts that build confidence and justify larger deposits. But the odds are always in the house's favour, and losses accumulate over time. The more insidious trap comes when users try to withdraw their money. Many find that withdrawals are blocked, delayed indefinitely, or tied to impossible conditions buried in the terms.
CloudSEK researchers accessed the admin panel of one of these platforms, and what it revealed was the full operational picture of an illegal betting business. The interface displayed real-time user activity - active bets, deposits, withdrawal queues, and account management functions. What stood out most was the agent-based structure. Rather than being run by a single operator, these platforms function through a distributed network of agents, each tasked with recruiting users, handling deposits, approving transactions, and paying out winnings within their assigned territory.

Notably, the admin panel we accessed was being used to operate 25+ different betting sites simultaneously - all managed from a single backend.
What stood out most in the panel’s findings was the withdrawal data. Between May 2025 and May 2026, more than 9,300 user withdrawal requests were rejected by agents - covering amounts from minor sums to as much as ₹5 lakh per request. Data from the admin panel suggests that rejected withdrawal requests alone amounted to an estimated ₹4.65 crore in potential user losses.
These weren’t system errors or failed transactions; they were intentional denials. What users perceive as the platform “freezing” their funds isn’t a technical issue at all, but a conscious operational action taken by an agent with a single click.

A separate admin panel accessed by CloudSEK also shed light on how these platforms manage the funds they collect. It revealed a network of bank accounts set up to receive user deposits - registered under business entities rather than individual names. Most of these accounts match the typical characteristics of money mule setups, designed to channel and move funds while masking any direct link to the platform operators.

Illegal betting platforms do not find their users through traditional advertising. Instead, they rely on a network of self-proclaimed prediction experts and tippers who funnel followers toward the platforms through referral links.
These tippers operate primarily on Telegram, Instagram, and YouTube Shorts - running channels under personas crafted to project insider credibility. A typical tipper presents as a former bookie, an ex-BCCI data analyst, or a professional gambler with a verified track record.
Their channels have high follower counts, a history of supposedly successful predictions, and a consistent stream of content designed to manufacture trust.
What they are actually selling is a referral link. Illegal betting platforms run affiliate programs that pay commissions to anyone who brings in new depositing users. Tippers sign up as affiliates, receive a unique referral link, and earn a cut of every rupee their referrals deposit - regardless of whether those users win or lose. In some cases, tippers are directly linked to these platforms, and some might even own them - charging users for creating a betting account ID for them on the platform.

This season, CloudSEK researchers observed a significant escalation in the use of AI-generated content to manufacture tipper credibility. Threat actors are using deepfake tools to clone the faces and voices of well-known cricketers, news anchors, and celebrities - producing short video clips in which these figures appear to endorse a prediction channel or a betting platform.
A fabricated video of a popular cricketer saying she uses a particular platform to place her bets. A cloned YouTuber reading a fake segment about a guaranteed prediction service. These videos are produced cheaply, distributed rapidly across Instagram Reels and Telegram, and by the time they are flagged and taken down, they have already reached hundreds of thousands of viewers.

The betting platforms and tipper networks are the visible layer. Beneath them is a supporting ecosystem of operators and services that keep the entire operation running.
Money Mules:
Illegal betting platforms cannot use mainstream payment infrastructure openly - their transactions would be flagged and accounts frozen. Instead, they rely on money mules - individuals whose bank accounts are rented or coerced to receive and move deposits and withdrawals on behalf of the platform.
Mule recruitment happens openly on Telegram and WhatsApp - framed as easy work-from-home income. Recruits are asked to receive transfers into their accounts and forward them, keeping a small commission. Many do not understand the legal exposure they are taking on.

To capture organic search traffic, betting platforms pour resources into black-hat SEO - tactics aimed at manipulating Google rankings rather than following legitimate optimisation practices.
One particularly aggressive method involves targeting government websites. By exploiting vulnerabilities in .gov.in domains, attackers inject backlinks to illegal betting platforms directly into these sites’ source code. Moreover, due to the inherent credibility of these top-level domains, users are more likely to trust and click on such links - often resulting in redirection to fraudulent or malicious websites.



Beyond directly compromising websites, a wider underground economy has emerged around these practices. Platforms such as Hacklink Market act as open marketplaces where cybercriminals can buy access to thousands of hacked websites and deploy malicious code to influence search engine rankings.
Using dedicated control panels, attackers insert links to phishing or illegal betting platforms into the source code of otherwise legitimate sites. These links are strategically crafted with keyword-rich anchor text, ensuring that when users search for gambling-related terms during the IPL season, manipulated results appear - often elevating attacker-controlled websites in search rankings.
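For site owners checking their own pages for this kind of injection, the following added example (not CloudSEK's tooling) flags links that point off-site and carry gambling-related anchor text. The keyword list, the function names, and the sample page with its `example` domains are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list (illustrative); extend it with terms from your own incidents.
KEYWORDS = re.compile(r"\b(bet|betting|casino|satta|odds|jackpot)\b", re.I)

class AnchorAudit(HTMLParser):
    """Collects (href, anchor text) for every <a> element, including nested markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def suspicious_links(html, own_domain):
    """Return (host, anchor text) for external links whose text contains a keyword."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        external = bool(host) and host != own_domain and not host.endswith("." + own_domain)
        if external and KEYWORDS.search(text):
            findings.append((host, text))
    return findings

# Constructed sample page: relative link, own subdomain, benign external, injected backlink.
SAMPLE = """<html><body>
<a href="/notices/tender-2026.pdf">Tender notice</a>
<a href="https://portal.dept.example.gov.in/login">Citizen login</a>
<a href="https://partner.example.org/">Partner organisation</a>
<div><a href="https://ipl-win.example.net/ref"><b>IPL betting</b> best odds</a></div>
</body></html>"""

if __name__ == "__main__":
    for host, text in suspicious_links(SAMPLE, "dept.example.gov.in"):
        print(f"external keyword-rich link -> {host}: {text!r}")
```

Running it against a known-good copy of each page as well as the live one makes newly injected links stand out from links the site has always carried.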


User acquisition at scale requires reaching people who have never heard of the platform. Bulk SMS services provide exactly this - mass unsolicited text messages promoting betting platforms, referral bonuses, and tipper channels, sent to lists of phone numbers harvested from data breaches, sold by lead generation services, or scraped from social media.
These services operate openly on Telegram, Instagram, and Facebook, offering packages by volume - a certain number of SMSes for a fixed price, with sender ID spoofing to make the messages appear to come from legitimate sources.
There are also dedicated lead generation businesses that run Meta Ads and Google Ads campaigns on behalf of illegal betting platforms - targeting cricket fans with precision demographic and interest-based targeting, driving traffic directly to betting sites or tipper funnels, and selling guaranteed leads by the batch.

There is another layer that indirectly fuels the illegal betting economy, and it is one that traps victims long after the bets are lost. Fake loan apps.
Advertisements run on social media to promote instant loan apps with promises of minimal documentation, low interest rates, and rapid disbursal. For someone who has just lost money on a betting platform and is trying to recover, these ads surface at a vulnerable moment. The loans appear easy to obtain, and downloading the app is quick and seamless.
What often goes unnoticed is the extent of access these apps request - including contacts, photos, call logs, messages, and location data.
When users are unable or unwilling to pay additional amounts, intimidation tactics begin. Victims are threatened with the exposure of their personal data, including sharing photos and contact details with family, friends, or employers. In some reported cases, manipulated images have been distributed to maximise embarrassment and force compliance.

The online IPL betting ecosystem is a tightly connected network built to attract, retain, and exploit users at scale. From discovery to financial coercion, each layer feeds into the next - making it easy to enter, but difficult to exit without loss. As the ecosystem grows more sophisticated, awareness becomes critical. Understanding how it operates is the first step in avoiding it.
Across both parts of this series, what emerges is not a picture of isolated scams but of a structured, seasonal criminal industry - one that targets the same audience at multiple points, recycles infrastructure across verticals, and grows more sophisticated with every passing year.
Part 1 showed how fans are exploited at the edges of the IPL experience - fake tickets, fake streams, and malware delivered through a single click. Part 2 goes deeper - into an illegal betting ecosystem sustained by AI-generated deepfake content, clone platforms, exploited government infrastructure, mule networks, and debt traps that follow victims long after the tournament ends.
The scammers will be back next season - better funded, better equipped, and with a longer list of targets. The strongest defence remains the same: verify before you trust, question what seems too good to be true, and report what you find.