Is khelo24bet88.com safe?

hidden instruction

high hidden content ratio detected in DOM

encoded payload

suspicious base64-like blobs detected in page content

credential harvesting

The site presents full login and registration forms (username, email, password, mobile number, OTP) on a 185-day-old domain (khelo24bet88.com) operating as an online gambling platform. Registration and login credentials—including passwords and phone numbers—are collected and submitted via AJAX to /api2/login, /sign-up, and /verifyOtpSignup. The domain's youth, numeric suffix branding pattern (khelo24bet88), and multi-CDN asset delivery from unrelated S3 buckets and CloudFront distributions indicate this may be a clone or spin-off site harvesting credentials from users who mistake it for the legitimate Khelo24Bet brand. (location: page.html:380-383, 462-526, 1106-1172)

brand impersonation

The site operates under the brand name 'Khelo24Bet' (og:site_name, JS variable brandName='khelo24bet') on the domain khelo24bet88.com—a domain using a numeric suffix ('88') appended to a known gambling brand name, a common technique to impersonate or clone legitimate platforms. Assets are sourced from multiple unrelated S3 buckets (mrberlin.s3.eu-west-2.amazonaws.com, d1gvwx1uptx1i3.cloudfront.net, dawin8kpgzugq.cloudfront.net, d2g8jl9s27zu.cloudfront.net) suggesting a white-label or cloned operation. The JS variable cloneDomain='0' and domain='2' further suggest this is one instance in a network of cloned gambling sites. (location: page.html:10, 128-130, metadata.json)

social engineering

The site uses fabricated social proof to pressure users into registering and depositing: a scrolling ticker displaying fake 'recent winner' usernames (partially masked, e.g. VEN****11, SAH****11) with large INR winnings (up to ₹49,800), and a download popup displaying fake 'Bonus Claimed' amounts (₹8,000–₹15,300) attributed to generic player profile images. These are manufactured urgency and FOMO tactics to manipulate users into depositing real money. (location: page-text.txt:2875-3035, page.html:1697-1760)

malicious redirect

Post-login JavaScript conditionally redirects users to /authenticate?client=affiliate&method=link&user=Xhsdksaaa1772639099&token=1772639099 — an affiliate tracking redirect endpoint with a hardcoded user token embedded in the page source. This endpoint harvests affiliate attribution data and could redirect users to third-party sites. The token value (1772639099) matches the scan timestamp, suggesting dynamic token injection at scan time. (location: page.html:1126, page-text.txt:1048-1053)

hidden content

An invisible H1 element with class 'foeSEO' and style='display:none' is present at the top of the body. Additionally, the login form on the desktop header has style='visibility:hidden' on its input wrapper (div.form-input), rendering credential fields invisible while still present in the DOM. Multiple popup dialogs are hidden with display:none but contain active credential-collection forms including the full registration, login, forgot-password, and affiliate sign-up flows. (location: page.html:80, 2142-2173)

credential harvesting

An affiliate registration form collects Full Name, Email, Mobile Number, Expected sales and revenue, and Comments, submitted to a backend endpoint via saveAffliates(). This form also contains hidden fake username/password fields (class='fakeusernamepassword') intended to confuse browser autofill into populating real credentials into the visible fields, a known credential harvesting technique. (location: page.html:1521-1594, 1523)

social engineering

The site aggressively promotes a '100% Welcome Bonus on first deposit' and a referral bonus of ₹300 via a high-frequency marquee ticker that repeats these promotional messages at least 19 times in the visible page text. This constitutes deceptive urgency-based social engineering to manipulate users into making financial deposits on an unverified gambling platform. (location: page-text.txt:2654-2833)