Illegal betting syndicates continue to hijack government websites, sparking regulatory crisis

India’s public digital infrastructure is under siege as a network of cybercriminals continues to exploit vulnerabilities in government websites to promote illegal betting applications. Recent revelations show that over 20 Maharashtra government websites have been compromised, with users unknowingly redirected to betting platforms via cloaked URLs and malicious scripts.

The Maharashtra breach includes websites of key departments such as Transport, Tribal Welfare, State Excise, the Charity Commissioner, and even the state's main portal (maharashtra.gov.in). Attackers have used sophisticated redirect mechanisms and cloaking techniques to ensure that only specific users—such as those accessing via Google—are funneled toward betting domains like 01game.info.

Dhiraj Gupta, CTO and co-founder of mFilterIt, outlined how such redirection attacks work.

“A recent case involved the official website of the Charity Commissioner, Government of Maharashtra, being used as a redirect gateway to a betting site... The site uses Cloudflare to mask its server’s IP and hides deeper integrations behind obfuscated APIs.”

The scope of the issue, however, is not limited to one state —similar breaches have occurred across several Indian states, making this a nationwide cybersecurity and regulatory crisis.

Similar breaches have affected government websites in Bihar, Goa, Karnataka, Kerala, Mizoram, Telangana, and Uttar Pradesh, where portals maintained by departments ranging from law enforcement to municipal water supply have hosted malicious code or links promoting betting and lottery scams.

Abhay Chattopadhyay, Partner at Economic Laws Practice, elaborated, “Cybercriminals mainly target vulnerabilities in poorly maintained or less frequently updated government websites... In 2024, Lucknow’s Jal Kal Department’s website was compromised to link to an Indonesia-based lottery scam. We’ve seen similar misuse in property tax and municipal sites across other states.”

In Maharashtra, a Public Interest Litigation filed by Ruzbeh Raja (in February) prompted the Bombay High Court to direct state cyber authorities to review and act on recommendations for cybersecurity upgrades. The court acknowledged the gravity of the threat and permitted the petitioner—an IT law expert, to submit preventive proposals to Maharashtra Cyber and the Mumbai Police Cyber Cell.

The petition, filed through advocate Ajinkya Udane, listed 20 government department websites contaminated with malicious programming code which redirected users to betting websites to collect their personal information.

"When the matter came up, the government informed the court that they had taken down all the compromised websites and were working on relaunching them. However, these sites currently lack even basic security protocols—there is no login authentication mechanism in place. Anyone can access them freely without verification. Going forward, it is essential that access be restricted through an OTP-based login system. Users should be required to enter their credentials, including a valid name, email ID, and mobile number. Only after verifying the OTP should access be granted. Alternatively, access to these websites should be made possible only through secure platforms like DigiLocker or Aadhaar-based authentication, regardless of the user's socio-economic status," said Udane.

Industry Cries Foul

Roland Landers, CEO of the All India Gaming Federation (AIGF), issued a stark warning. “Offshore illegal gambling websites represent one of the most serious national security threats facing our country today. Their exploitation of government portals is designed to give an illusion of legitimacy to these unlawful operations.”

Sonam Chandwani, Managing Partner at K S Legal, noted the advanced tactics being used.

“Cybercriminals are exploiting government websites with alarming sophistication... They embed malicious links and counterfeit pages, employ SEO manipulation and phishing tactics, and deceive users into downloading malicious APKs.”

She added that these breaches pose reputational damage, potential data leaks, and massive financial costs for recovery.

“Governments must prioritize rigorous patch management, multi-factor authentication, and real-time threat monitoring. Legal provisions under the IT Act, 2000 (Sections 66, 66C, 66D) can be used to prosecute offenders, and international cooperation is essential.”

Beyond institutions, it is the public that bears the brunt of these digital traps. Malicious links hosted on .gov.in domains can lead to identity theft, financial fraud, and even accidental participation in illegal betting activity.

Chandwani explained, “These threats exploit public trust in government platforms... Governments must implement awareness campaigns to educate citizens on verifying app sources and recognizing phishing attempts.”

Chattopadhyay echoed this sentiment. “The average person trusts a .gov.in domain implicitly. When users download apps from such sites, they often don’t question legitimacy—until it’s too late.”

With cybercriminals growing bolder and more technically adept, experts recommend a multi-pronged response:

-Nationwide vulnerability audits across all government digital portals

-Zero-trust cybersecurity architecture and stricter access control

-Legal enforcement under IT and gambling laws, including action against influencers promoting illegal betting

-Public education campaigns and browser-based redirect detection systems

“We continue to work closely with policymakers and enforcement agencies to build a safe and transparent online ecosystem,” said Landers of AIGF.

Experts said that without systemic safeguards and public vigilance, these digital intrusions will only deepen, undermining the credibility of governance and endangering citizens in the process.