CloudSEK exposes 1,200-domain illegal IPL 2026 betting network as Rs 4.65cr in user withdrawals deliberately blocked

CloudSEK’s IPL 2026 probe finds 1,200 betting domains, deepfaked cricketers and Rs 4.65 crore in deliberately frozen withdrawals. PROGA enforcement falls short.
Representative image of a cybersecurity investigation into illegal IPL betting networks targeting Indian cricket fans, as CloudSEK’s “Hit Wicket” report exposes blocked withdrawals, suspicious betting domains, and enforcement gaps under India’s real-money gaming ban.

Bengaluru-headquartered cybersecurity firm CloudSEK has published the second instalment of its Indian Premier League 2026 threat investigation, mapping an organised illegal online betting ecosystem that the company estimates spans more than 1,200 active domains targeting Indian cricket fans this season. The report, titled “Hit Wicket,” documents admin-panel-level access to one platform showing that 9,300 user withdrawal requests, worth an estimated Rs 4.65 crore, were intentionally rejected by platform agents between May 2025 and May 2026. The findings land just over seven months after the Promotion and Regulation of Online Gaming Act, 2025 came into force on 1 October 2025, a law that criminalises every form of real-money gaming and its advertising in India, and they raise sharp questions about how effectively that statute is being enforced during the country’s single largest sports event.

CloudSEK frames the operation as a “tightly connected industry” rather than a collection of opportunistic frauds, and the operational detail it has published is unusual. The investigation covers the platforms themselves, an affiliate-driven tipper economy now saturated with AI deepfakes of cricketers and content creators, money mule networks moving funds through business-registered bank accounts, blackhat search engine optimisation campaigns that have injected betting backlinks into Indian government domains, bulk lead generation pipelines running Meta and Google ads, and predatory fake loan apps that monetise victims a second time after their betting losses. The cumulative picture is of a seasonal criminal industry that activates with the tournament and dissolves after the trophy is lifted, recycling the same infrastructure for the following year.

What does CloudSEK’s IPL 2026 report reveal about how illegal betting platforms now operate behind the scenes?

The structural finding most likely to interest regulators and payment-system supervisors is that the illegal betting platforms documented by CloudSEK are no longer one-off websites but multi-site operations run from shared backends. Researchers obtained access to an admin panel that was simultaneously controlling more than 25 different betting sites from a single interface, with full visibility into active bets, deposit queues, withdrawal requests, and per-agent territories. This is closer in design to a small fintech operating company than to the crude phishing pages that dominated earlier seasons, and it explains why takedowns of individual domains have had limited deterrent effect. The underlying business is platform-agnostic at the operational layer.

The withdrawal data extracted from a single panel is the most damaging single statistic in the report. Over a twelve-month window, 9,300 user withdrawal requests, ranging from minor sums to as much as Rs 5 lakh per request, were rejected by agents. CloudSEK’s reading is that these are not technical failures but conscious operational denials executed with a single click, and that the platform’s terms of service are written to provide post-hoc justification for the action. For a payment-systems regulator, this is the precise mechanism that converts a deposit-acceptance ecosystem into a money-trap ecosystem, and it is the kind of evidence that has historically been difficult to obtain without insider co-operation.

A separate admin panel accessed by the researchers revealed the funds-flow architecture sitting behind the front-end. Deposits were being routed through bank accounts registered in the names of business entities rather than individuals, a pattern that matches established money-mule typologies but with an additional layer of corporate camouflage that complicates account freezes and Financial Intelligence Unit reporting. The use of business-registered mule accounts is also consistent with the warning that the Ministry of Electronics and Information Technology and the Reserve Bank of India have repeatedly issued about offshore betting operators using shell entities to extract Indian rupee deposits across the border.

Why is the use of AI deepfakes of cricketers and content creators a turning point for IPL-season fraud?

CloudSEK’s most consequential qualitative finding may not be the scale of the platform infrastructure but the maturity of the AI-generated content layer feeding it. Tipper channels on Telegram, Instagram, and YouTube Shorts have historically relied on persona-driven personalities claiming insider knowledge from former bookies, ex-BCCI analysts, or professional punters, and the credibility of these channels has always been the single biggest acquisition lever for the underlying betting platforms. The report documents that this credibility manufacturing process has now been industrialised through cheap, rapidly produced deepfake content featuring cloned faces and voices of well-known cricketers and content creators, with cricketer Smriti Mandhana and content creator Ranveer Allahbadia identified by name as among the figures whose likenesses have been weaponised to promote prediction channels and betting platforms.

The economic logic for the threat actor is straightforward. A deepfake clip costs a fraction of a paid celebrity endorsement, can be distributed within minutes across Reels and Telegram, and reaches hundreds of thousands of viewers before takedown mechanisms catch up. The cost of fabrication has fallen faster than the cost of moderation, and the asymmetry plays out at the speed of an IPL match cycle. From a brand-protection standpoint, this is now a first-order risk for any cricketer, broadcaster, or content creator with a recognisable public face, and it sits squarely outside the conventional scope of the BCCI’s brand-protection mandate, which was built for an era of static photo misuse.

The legal exposure for the impersonated figures is also non-trivial. While the deepfakes are unauthorised and the cricketers in question have no commercial relationship with the betting platforms, the fact that endorsements appear, however briefly, in the public domain creates reputational and regulatory complications that did not exist before. A clear gap remains between India’s existing IT Rules framework, which addresses takedown of unlawful content, and the absence of a dedicated deepfake or personality-rights statute that would allow rapid criminal prosecution of the producers rather than the platforms hosting the content.

How are illegal betting platforms exploiting compromised Indian government domains to game search rankings?

One of the more uncomfortable findings in the report concerns the use of compromised .gov.in domains for blackhat SEO. CloudSEK documents that attackers have injected backlinks to illegal betting platforms directly into the source code of multiple Indian government websites, exploiting the high domain authority and inherent user trust that .gov.in addresses carry on Bing, Google, and other search engines. The technique elevates the betting destinations in organic search rankings for IPL-related queries and simultaneously borrows institutional credibility from the state, with users following links that appear to originate from government infrastructure and landing on fraudulent gambling sites.

The supply chain behind this practice is itself industrialised. CloudSEK identifies marketplaces such as Hacklink Market that openly sell access to thousands of compromised websites and provide dedicated control panels for injecting keyword-rich anchor text into hijacked sites. This is not a small-scale opportunistic compromise of one or two state portals. It is a commercialised SEO manipulation service running as a parallel business to the betting platforms themselves, and the implication is that the security posture of multiple Indian government domains has been silently degraded for commercial exploitation by criminal operators.

For the National Critical Information Infrastructure Protection Centre, the Indian Computer Emergency Response Team, and the National Informatics Centre, the operational consequence is that perimeter security and content integrity monitoring at the .gov.in layer need to be treated as a brand-protection problem and a search-engine-poisoning problem, not only as a data-breach problem. A government website does not need to leak personal data to be weaponised against citizens. It only needs to silently redirect them.
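
As an added illustration of the content-integrity monitoring described above (not code from CloudSEK's report or from this article), the following Python sketch audits a page's HTML for outbound links to hosts off an allowlist and records whether each one is hidden from visitors or carries gambling anchor text. The allowlist suffixes, keyword list, hiding patterns and sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumptions for this sketch: allowlist suffixes, keyword list, hiding patterns.
ALLOWED_SUFFIXES = ("gov.in", "nic.in")
KEYWORDS = re.compile(r"\b(bet|bets|betting|casino|satta|jackpot)\b", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "input", "meta", "link", "hr", "wbr", "source"}  # never closed

def allowed(host):
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []        # stack of (tag, hidden) for open elements
        self.link = None      # off-allowlist link whose anchor text is being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = ("hidden" in a or bool(HIDDEN.search(a.get("style") or ""))
                  or any(h for _, h in self.open))   # inherited from ancestors
        if tag not in VOID:
            self.open.append((tag, hidden))
        host = (urlparse(a.get("href") or "").hostname or "").lower()
        if tag == "a" and host and not allowed(host):
            self.link = {"host": host, "hidden": hidden, "text": ""}

    def handle_data(self, data):
        if self.link is not None:
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.link is not None:
            self.link["keyword"] = bool(KEYWORDS.search(self.link["text"]))
            self.findings.append(self.link)
            self.link = None
        for i in range(len(self.open) - 1, -1, -1):   # pop back to the matching tag
            if self.open[i][0] == tag:
                del self.open[i:]
                break

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from the report); .example hosts are placeholders.
SAMPLE = """<p><a href="https://services.gov.in/forms">Forms</a> <a href="/contact">Contact</a></p>
<div style="position:absolute; left:-9999px"><a href="https://ipl-odds.example/play">best IPL betting site</a></div>
<footer><a href="https://partner.example/">Partner portal</a></footer>"""
```

Calling `audit(SAMPLE)` returns two findings: the off-screen betting link with both `hidden` and `keyword` set, and the visible partner link flagged only for its host. Inline styles are the only hiding signal checked here, so links hidden through external CSS or script need a rendered-DOM comparison instead.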

What does the supporting underground economy of mules, bulk SMS and fake loan apps reveal about second-order harm?

The most strategically important section of CloudSEK’s report is its mapping of the support layer that keeps the platforms operating, because this is where most of the second-order victimisation occurs. Money mule recruitment is documented as taking place openly on Telegram and WhatsApp, framed as easy work-from-home income, with recruits asked to receive transfers and forward them in exchange for a small commission. The criminal exposure for these recruits is significant, but most have no working understanding of the offences they are participating in under the Prevention of Money Laundering Act and the Banking Regulation Act, and many will eventually find their accounts flagged, frozen, or referenced in law enforcement filings.

The lead generation layer is similarly mature. Bulk SMS services run on Telegram, Instagram, and Facebook offer pricing by message volume, with sender ID spoofing that allows messages to appear to come from legitimate senders. Dedicated lead generation businesses run Meta Ads and Google Ads campaigns on behalf of illegal betting platforms, deploying precision demographic and interest-based targeting to deliver cricket-fan audiences to betting funnels by the batch. The continued visibility of this advertising on regulated platforms is a direct enforcement question for both the platforms and the Ministry of Electronics and Information Technology, given that Section 6 of the Promotion and Regulation of Online Gaming Act, 2025 specifically prohibits any advertisement that directly or indirectly promotes an online money game.

The fake loan app layer is where the financial damage to individual victims compounds most aggressively. Victims who lose money on a betting platform are subsequently targeted by social media advertising for instant loan apps promising minimal documentation and rapid disbursal. The apps harvest contacts, photos, call logs, and location data on installation, and when borrowers cannot or will not repay inflated demands, operators move to coercion through threats of public exposure and, in documented cases, the distribution of manipulated images to contacts. The betting platform extracts the deposit; the loan app extracts dignity, reputation, and further cash from the same victim. The two operations are not formally linked in every case, but they are pointed at the same demographic at the same moment of financial vulnerability, and the targeting precision suggests at minimum a shared lead pool.

How effective has the Promotion and Regulation of Online Gaming Act, 2025 been at containing the IPL-season betting economy?

The CloudSEK report is, implicitly, an enforcement audit of India’s online gaming legislation. The Promotion and Regulation of Online Gaming Act, 2025 received presidential assent in August 2025, came into force on 1 October 2025, and bans the offering, advertising, and financial facilitation of every form of online money gaming, with penalties of up to three years’ imprisonment and Rs 1 crore in fines for offering services and up to two years’ imprisonment and Rs 50 lakh in fines for advertising. By January 2026, the Ministry of Electronics and Information Technology had blocked more than 7,800 illegal betting and gaming websites under Section 69A of the Information Technology Act, and additional rounds of takedowns have followed. The Promotion and Regulation of Online Gaming Rules, 2026 came into force on 1 May 2026, establishing the Online Gaming Authority of India to operationalise licensing, classification, and grievance redressal.

CloudSEK’s identification of 1,200 active illegal betting domains targeting IPL 2026 fans, less than three weeks after the rules came into force, indicates that the supply of new domains continues to outpace the rate of takedowns. The report’s note that clone scripts are openly traded on Telegram and underground forums, allowing new platforms to be stood up in days with minimal technical skill, explains why this is structurally the case. Enforcement is fighting a renewable infrastructure problem rather than a fixed inventory problem. Without action against the script marketplaces, the mule recruitment channels, the bulk SMS providers, and the SEO service marketplaces, individual domain takedowns will continue to function as cosmetic enforcement.

The Act’s prohibition on payment system facilitation is the most strategically important lever the government holds, because it is the layer at which the financial flows can be choked without depending on domain whack-a-mole. The persistence of business-registered mule accounts at scale, as documented by CloudSEK, suggests that the implementation of this lever through the banking system and the Unified Payments Interface infrastructure has not yet reached the operational tempo required to disrupt seasonal campaigns. The Reserve Bank of India, the National Payments Corporation of India, and the Financial Intelligence Unit have visibility into the patterns CloudSEK has described from the criminal side, and the practical test of whether the new statutory framework is working will be whether the next IPL season shows a measurable contraction in mule account availability.

Key takeaways on what CloudSEK’s IPL 2026 betting probe means for regulators, platforms, and the cricket ecosystem

  • CloudSEK has documented 1,200 active illegal betting domains targeting IPL 2026 fans, indicating that domain-level takedowns under Section 69A of the Information Technology Act are being outpaced by the supply of new platforms built from openly traded clone scripts.
  • Admin panel access at a single platform showed 9,300 user withdrawal requests, worth an estimated Rs 4.65 crore, were intentionally rejected by agents over twelve months, providing rare operational evidence that withdrawal blocks are a deliberate revenue mechanism rather than technical failures.
  • A single backend was found controlling more than 25 betting sites simultaneously, indicating that the illegal operators are running platform-agnostic infrastructure that survives individual takedowns and requires backend-layer enforcement to disrupt.
  • The widespread use of AI deepfakes of cricketers and content creators, with Smriti Mandhana and Ranveer Allahbadia among those whose likenesses have been weaponised, marks the operational maturity of generative AI as a low-cost credibility manufacturing tool for criminal marketing.
  • Compromised Indian government .gov.in domains are being exploited as SEO assets, with backlinks to betting platforms injected into source code, turning state infrastructure into an unintended distribution channel for illegal gambling and exposing a security posture gap at multiple government portals.
  • The use of business-registered mule accounts rather than individual accounts complicates Financial Intelligence Unit detection and indicates a more sophisticated funds-flow architecture than law enforcement has historically encountered in seasonal betting operations.
  • The fake loan app layer extracts a second tranche of value from victims through harvested personal data and coercion, including the distribution of manipulated images, creating a compounded financial and reputational harm that goes well beyond the original betting loss.
  • Bulk SMS providers, Meta and Google ad-based lead generation services, and blackhat SEO marketplaces such as Hacklink Market are operating as a parallel professional services industry to illegal betting, indicating that meaningful enforcement requires moving up the value chain from platforms to suppliers.
  • The Promotion and Regulation of Online Gaming Act, 2025 prohibits advertising of online money games under Section 6, yet bulk lead generation through regulated ad platforms continues during the IPL window, raising the question of whether platform-level ad compliance is being enforced at the operational tempo the statute requires.
  • The credibility of India’s new online gaming framework will be tested not in absolute domain takedown numbers but in whether the next IPL season shows measurable contraction in mule account availability, lead generation volume, and deepfake-driven user acquisition, the layers at which the supply chain is most vulnerable to coordinated disruption.
