For millions of Indians, the IPL is more than just cricket. It’s group chats lighting up at midnight, last-minute jersey purchases, office leaves planned around match schedules, and frantic attempts to grab tickets before they disappear in seconds. That frenzy is exactly what scammers are exploiting this season and at a massive scale.
A new report by cybersecurity firm CloudSEK paints a worrying picture of how fraud networks are cashing in on fan excitement during IPL 2026. From fake ticket booking websites to malicious “free streaming” platforms that can quietly infect devices with malware, the report suggests the IPL has become one of the biggest seasonal hunting grounds for cybercriminals in India.
According to the report titled Hit Wicket: Inside The Expansive Web of Scams Targeting Millions of IPL Fans This Season, CloudSEK identified more than 600 fake domains selling fraudulent IPL tickets and over 400 fake streaming sites, many of which were actively distributing malware capable of stealing passwords, draining cryptocurrency wallets, and remotely accessing victim devices.
The scams are built around one thing: emotion.
The desperation to catch a sold-out CSK vs RCB clash. The panic of tickets disappearing within minutes. The temptation of a “guaranteed” seat offered through an Instagram page with thousands of followers. Or the urge to watch a big playoff match for free after official streaming subscriptions become too expensive.
By the time fans realise something is wrong, the money — and sometimes even their personal data — is already gone.
The fake ticket trap
According to CloudSEK, scammers are building convincing replicas of legitimate ticketing websites by copying branding, layouts and colour schemes from platforms like BookMyShow and District.
The fake sites often feature countdown timers, “limited seats left” banners and discounted prices designed to create urgency and trigger impulse purchases. They are then aggressively promoted through Instagram Reels, Facebook posts, Meta ads, Telegram channels and Google search results.
Once users land on these websites, the flow appears legitimate. Fans choose seats, enter personal details and pay through UPI, QR codes, cards or payment gateways. Minutes later, they receive professional-looking PDF tickets complete with seat numbers and QR codes.
The problem surfaces only at the stadium gate.
The QR code does not scan. The booking ID is fake. The match goes on without them.
CloudSEK researchers said these operations are far more organised than typical phishing scams. In one case, researchers accessed the admin panel of a fake IPL ticketing site and found what they described as a “fully functional operations dashboard” that allowed operators to manage bookings in real time, manually verify payments, generate fake tickets and dynamically change ticket prices depending on demand.
The backend also collected names, phone numbers and email addresses of victims — data that researchers warned could later be sold or reused for future fraud campaigns.
The report further found Meta Pixel integrations embedded within some scam sites, allowing operators to track ad performance and optimise campaigns in real time, much like legitimate e-commerce businesses.
The “free IPL stream” that infects your device
Not every scam asks for money upfront. Some simply need a click.
CloudSEK said fake IPL streaming websites have become one of the biggest cyber threats this season, especially as fans search for unofficial free streams online.
Researchers found hundreds of fake streaming pages promoted across Reddit, Telegram and Facebook groups and optimised for search terms like “watch IPL online free” or “IPL 2026 live stream.”
What users often receive instead of a cricket stream is a malware infection chain.
These websites bombard users with pop-ups, redirects and fake download prompts. During testing, CloudSEK found some pages redirecting macOS users to fraudulent “security update” or GitHub installer pages that tricked victims into opening Terminal and pasting malicious commands.
Once executed, the malware could steal browser passwords, cookies, banking credentials, Telegram sessions, crypto wallets and even sensitive files stored on the device.
Researchers identified one malware strain called “SHub Stealer”, which they described as a full-fledged macOS infostealer capable of targeting browser data, cryptocurrency wallets, Apple Notes, iCloud information and desktop files. The malware also established persistence on infected systems, allowing attackers continued remote access even after the initial infection.
The report warned that unofficial streaming platforms are increasingly surfacing through AI-generated search overviews and community recommendations, making them appear more trustworthy to users.
Why IPL is such a big target
The IPL is one of India’s largest digital events, with hundreds of millions of viewers, sold-out matches and massive online transactions compressed into a few weeks.
According to CloudSEK, that combination of urgency, fandom and high spending creates the perfect conditions for cybercriminals. Fans are emotionally invested, often desperate for last-minute tickets and more willing to take risks during high-demand matches or playoffs.
The fraud ecosystem also evolves with the tournament. Scam infrastructure — including fake domains, social media pages and Telegram channels — is often set up even before the first match begins. Activity intensifies around marquee clashes and knockout games before fading after the final, only to return more refined the next season.
What users should watch out for
CloudSEK advised fans to buy tickets only through official platforms and avoid links shared through social media ads, Telegram groups or direct messages. Users should also be cautious of heavily discounted tickets, guaranteed availability for sold-out matches or suspicious URLs with unusual domain extensions.
The company also urged users to avoid unofficial streaming sites altogether, warning that these platforms are increasingly functioning as malware distribution networks rather than simple piracy hubs.
Security experts recommend enabling two-factor authentication on email, banking and UPI accounts, keeping devices updated and avoiding unnecessary app permissions related to streaming or ticketing apps.
Because in the IPL scam economy, sometimes all it takes is one click — or one desperate attempt to watch the match — to lose far more than the price of a ticket.
