“Illegal gambling operators have quietly hijacked more than 100 Indian government and public-sector websites (.gov.in, .nic.in, .ac.in, and .edu.in) to rank betting, rummy, and satta content on Google, weaponising the trust of official domains to funnel mobile users into offshore casinos,” UK-based cybersecurity intelligence firm FalconFeeds said in a post on X. It also explained how hackers are exploiting security vulnerabilities in government-owned websites.
“Operators have compromised more than 100 government and public-sector domains, including central ministries, a High Court, a constitutional audit body, a land registration system, police and tax portals, a diplomatic mission, and top academic institutions, and turned them into SEO machines for betting, rummy/teen patti, satta/matka, and Aviator-style crash games,” FalconFeeds further said.
How are they doing it without anyone noticing? “The trick is server-side cloaking. One URL, three audiences: Googlebot is fed a keyword-stuffed gambling page (sometimes rendered in Thai to dodge detection); a mobile user clicking from Google search gets redirected into an offshore betting/casino app; and an administrator or desktop visitor sees the normal page or a 404,” the cybersecurity intelligence firm explained.
What it means:
- Google’s crawler bots are fed gambling keywords: Hackers serve gambling-related keywords to Google’s crawler bots, sometimes in the Thai language to bypass Google’s detection systems.
- What happens when a user clicks the URL: When a user clicks on the seemingly legitimate website, they are quietly redirected to third-party offshore betting apps.
- What the website administrator sees: However, when the website administrator visits the same URL, it shows a normal page or a 404 error. Because of this cloaking technique, administrators may not detect the malicious redirection behaviour.
“That selective delivery is why it survives for months — routine browsing never reveals it,” the post said.
The threat goes beyond redirection: “The authority of a gov.in domain gets laundered to legitimise illegal gambling; and where attackers inject Search Console tokens, they effectively claim ownership of the government domain inside Google. Write access this deep also means the server should be assumed fully compromised, cloaking may not be the worst payload it could carry.”
This means that access to Google Search Console may indicate that a website is fully compromised, allowing attackers to exploit not only the website but also any data stored on it, going far beyond simple redirection to gambling sites.
This isn’t the first such incident
Similar cases have surfaced over the past two years:
- More than 90 gov.in websites hacked: In January 2025, the websites of the Indian Council of Agricultural Research (ICAR), the state governments of Maharashtra and Haryana, and over 90 other “gov.in” websites were reportedly hijacked by scammers, according to TechCrunch.
- In another instance, over 68 government websites from Bihar, Goa, Karnataka, Kerala, Mizoram, and Telangana were reportedly compromised. These websites included portals belonging to the states’ police and property tax departments, according to TechCrunch.
- Ministry of Agriculture: In November 2024, the website of the Ministry of Agriculture and Farmers Welfare was reportedly hacked by a gambling platform, according to GamingIndia.
- BJP politician Vijay Goel: In November 2024, when Goel called for a nationwide ban on online gaming, the official website of senior BJP leader and former Union Minister Vijay Goel was reportedly hacked by the online betting brand Piraslot. He later filed an FIR regarding the incident. The domain is no longer active. Read more about the incident here.
What is FalconFeeds’ fix list?
- Rebuild from a known-good baseline (don’t just delete files): Simply deleting malicious files, phishing pages, or malware may not solve the underlying problem. FalconFeeds recommends rebuilding the website from a secure, known-good baseline.
- Audit rewrite rules: Rewrite rules determine how website traffic is redirected, blocked, or routed. FalconFeeds recommends thoroughly auditing these rules to identify and remove cloaking-based redirects.
- Purge rogue Search Console owners and request de-indexing: Website administrators should remove attackers’ access to Google Search Console and request Google to re-index the website after removing the malicious content.
- Reset admin credentials and enforce MFA: FalconFeeds recommends resetting all administrator passwords and enabling multi-factor authentication (MFA).
- Patch CMS/plugins/server software: The firm also recommends updating content management systems (CMSs), plugins, and server software to close security gaps.
- Report to CERT-In: CERT-In, the nodal agency under the Ministry of Electronics and Information Technology (MeitY), is responsible for monitoring cyber threats and responding to hacking and phishing incidents. FalconFeeds advises victims to report such incidents to CERT-In.
Note: CERT-In has not yet publicly responded to the recent security vulnerabilities flagged by student cybersecurity researchers in CBSE’s online evaluation portal and the NTA’s re-examination portal. You can read MediaNama’s reporting on these incidents here: [ Link-1 | Link-2 | Link-3 ]
Testing should be from multiple user end points: The cybersecurity firm further said that verification should be conducted from multiple user endpoints, including Googlebot, mobile users arriving via Google Search, and direct visitors accessing the URL from an Indian IP address. This helps identify cloaking behaviour and ensures that all users, including search engine bots, see the same version of the website. “A single clean request proves nothing,” it added.
How many cybersecurity breaches did India face last year? After CBSE’s vulnerabilities were disclosed, FalconFeeds reported 1,104 publicly disclosed and confirmed security breaches between May 2025 and May 2026.
The breakdown is as follows:
- 736 data breaches
- 239 data leaks
- 129 ransomware incidents
Where did the leaked data resurface? “Most exposure is happening in plain sight, not deep in the dark web,” FalconFeeds said. The leaked data resurfaced on:
- 635 open web sources
- 263 Telegram channels
- 206 Tor (dark web) sites
How Google Ads were tricked by scammers in the past: According to MediaNama’s previous reporting on the Supreme Court of India’s public notice against fake websites impersonating the Supreme Court’s official website, scammers have used Google Ads to promote fake cryptocurrency websites designed to steal users’ wallet credentials. They have also reportedly used Google Ads to run tech-support scams by impersonating legitimate software companies and charging users for fake malware removal services.
AI disclosure: We used Claude to understand a few technical concepts.
Also Read:
