As IPL fever grips millions across India, cybercriminals are using the excitement around sold-out matches and free live streaming to run one of the country’s largest cricket-themed fraud operations.
Cybersecurity firm CloudSEK has uncovered a massive scam ecosystem involving over 600 fake IPL ticketing websites and more than 400 fraudulent streaming platforms designed to steal money and infect devices with malware.
The investigation revealed that many fans were lured through social media posts, Reels and Telegram forwards promising last-minute match tickets. These fake websites appeared genuine, using team logos, countdown timers and branding similar to trusted ticketing platforms. Victims paid through UPI or cards and received professional-looking PDF tickets with QR codes and booking details. However, the tickets failed at stadium entry gates because the seats never existed.
Researchers said the fraud operations were highly organised. One fake ticketing backend accessed by investigators included real-time booking tracking, payment verification systems, pricing controls and automatic fake ticket generation. The scam operators also used Meta Pixel integration to monitor ad performance, identify which matches attracted the most victims and improve their campaigns.
“The fake ticketing backend shows how industrialised these scams have become,” said Sourajeet Majumder, Security Researcher at CloudSEK. “Operators are not only selling fake tickets. They are tracking conversions, adjusting prices, verifying payments and collecting victim data that can be reused or sold for future scams.”
The report also exposed a large network of fake IPL streaming sites targeting users searching for “IPL 2026 free live stream” and similar terms before major matches. Many of these websites redirected users to fake software installers or security updates, especially on macOS devices. Victims were asked to paste commands into Terminal, unknowingly installing malware called SHub Stealer.
According to researchers, SHub Stealer can steal passwords, browser sessions, iCloud credentials, Telegram data, Safari history, files and cryptocurrency wallet information from over 100 wallet applications and browser extensions.
“What appears to be a free match stream can become a full device compromise,” Majumder said. “The victim thinks they are watching cricket. In the background, their passwords, browser sessions, files and crypto wallet data may already be leaving the system.”
CloudSEK advised users to buy tickets only through official BCCI platforms and authorised partners, and to avoid unofficial streaming websites asking users to download files or run commands.