Researchers have identified more than 600 fake IPL ticketing domains and over 400 fraudulent streaming sites, exposing a large cyber fraud operation that used search ads, social media promotion, fake PDF tickets and malware delivery to exploit cricket fans during the tournament season.

IPL Ticket Scam Network Uses Fake Portals and Malware to Target Fans

The420.in Staff

A large cyber fraud operation exploiting IPL ticket demand and free streaming searches has exposed how organised criminal networks are using fake booking portals, malware laden streaming sites and industrial scale digital infrastructure to target cricket fans during one of India’s biggest sporting events.

Hundreds of Fake Sites Target IPL Fans

A recent investigation by a security researcher identified more than 600 fraudulent domains posing as legitimate IPL ticket booking portals this season, along with over 400 fake free streaming websites. The findings suggest that the fraud was not opportunistic or hastily assembled, but built around professionally designed operations that closely imitated trusted platforms.

According to the reports, the fake sites mimicked services such as BookMyShow and District by Zomato, using convincing user interfaces, payment gateways, automated ticket generation systems and fabricated customer testimonials. Fans searching online for match tickets or live streaming links were allegedly directed to these websites through paid Google ads, Facebook posts, Telegram channels and Instagram reels.

The fraudulent domains were also pushed higher in search rankings through aggressive search engine optimisation, allowing them to appear alongside legitimate ticketing platforms and increasing the chances of users clicking on them.
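As an added illustration (not code from the report or the researcher), the following heuristic flags lookalike ticketing and streaming domains of the kind described above, so a defender can triage ad landing pages or newly registered domains. The allow-list entries and the sample domains are constructed placeholders, not values from the investigation.

```python
# Constructed example: flag domains that imitate the brands the fake IPL portals copied.
# ALLOWLIST holds assumed official hosts (placeholders, not confirmed values).
import re
from difflib import SequenceMatcher
from typing import Optional

BRANDS = ("bookmyshow", "district")              # brands named in the report
ALLOWLIST = {"bookmyshow.com", "district.in"}    # assumed legitimate hosts
LURE_WORDS = ("ticket", "booking", "stream", "live", "free")
# common digit-for-letter substitutions seen in typosquats
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix (naive: handles co.in-style suffixes)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "net", "org"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalise(label: str) -> str:
    """Drop separators and undo homoglyph substitutions before comparing."""
    return re.sub(r"[-_]", "", label).translate(HOMOGLYPHS)

def classify(domain: str) -> Optional[str]:
    """Return a reason if the domain looks like a lure, or None if it seems clean."""
    domain = domain.lower()
    if domain in ALLOWLIST:
        return None
    label = normalise(registrable_label(domain))
    for brand in BRANDS:
        if brand in label:                       # brand name used outside the allow-list
            return f"contains brand '{brand}' outside allow-list"
        if SequenceMatcher(None, brand, label).ratio() >= 0.8:
            return f"near-miss of brand '{brand}'"  # e.g. one swapped letter
    if "ipl" in label and any(w in label for w in LURE_WORDS):
        return "ipl + lure keyword"              # "free live stream" style domains
    return None

def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}

# Constructed sample input in the style of the domains the report describes.
SAMPLE_DOMAINS = ["bookmyshow.com", "b00kmyshow.com", "bookmyshow-ipl-tickets.in",
                  "bookmyshovv.com", "district-zomato-tickets.co.in",
                  "ipl-live-stream-free.xyz", "cricbuzz.com"]

if __name__ == "__main__":
    for d, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{d:35} {reason}")
```

Brand containment will also catch ordinary words such as "district" in unrelated domains, so treat the output as a triage queue rather than a blocklist.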


Fake Tickets, Real Payments, Late Discovery

Investigators found that once users landed on the sites, the experience appeared legitimate. Visitors could select seats, enter personal details, make payments through UPI or QR codes and receive convincing PDF tickets carrying fake booking numbers and non functional QR codes.

The fraud often surfaced only when fans reached the stadium gate, sometimes just hours before the match, by which time genuine tickets were no longer available. The report described the scheme as particularly effective because it relied on urgency, emotion and the fear of missing out among fans desperate for last minute access.

The same investigation found that the scam did not end with ticket fraud. Many fake streaming websites were also being used to deliver malware. Researchers said users who clicked stream buttons on such sites could trigger redirect chains that deployed SHub Stealer, an infostealer capable of harvesting browser credentials, stored payment details, Apple Keychain data, Telegram sessions, cryptocurrency wallet credentials and system information from both Windows and macOS devices.

The macOS targeting received particular attention. Some sites reportedly used browser detection scripts to identify operating systems before sending users to device specific malicious pages, including fake Apple security update prompts or GitHub installer pages instructing them to paste commands into Terminal. Once executed, those commands allegedly installed malware that could continue extracting data for weeks before detection.

Industrial Scale Fraud and Wider Cyber Risk

Researchers also said they gained access to the admin panel of one fake ticketing operation, revealing backend systems designed to track victim data, manage payment processing and automate fraud workflows. The report described the activity as industrial scale digital fraud using the same infrastructure, search techniques and interface design principles commonly seen in legitimate online commerce.

The findings were also placed alongside other major cybercrime activity. The report noted that these IPL linked scams emerged at the same time as another major cyber incident in which the Incransom ransomware group claimed responsibility for breaching Silergy Corp and alleged theft of more than 450GB of sensitive data, including financial documents, passports, NDAs and customer information. According to the report, the overlap showed how modern cybercrime ecosystems can run multiple attack surfaces at once, with one operation exploiting mass consumer behaviour and another targeting high value corporate data.

The investigation concluded that protection requires both technical defences and behavioural caution. While endpoint security tools can help detect malicious downloads and suspicious network activity, the report stressed that the most effective defence remains verification. Users were advised never to purchase tickets through links in social media posts or search ads, to type official website addresses directly into browsers, and to remember that legitimate IPL streaming is available through licensed platforms rather than free sites promising instant access. The report warned that this infrastructure is unlikely to disappear after the final match and may simply adapt itself to the next high demand event.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
