Online Gaming and Cyber Fraud in India: Understanding the Regulatory Void

I. Introduction

In 2023, what began as a small-scale juice-selling operation in Bhilai, Chhattisgarh, transformed into one of the most audacious financial crime stories in recent Indian history. Saurabh Chandrakar, who co-founded the Mahadev Online Book platform, allegedly masterminded an illicit online betting empire from a luxury villa in Dubai, accumulating proceeds estimated at over Rs. 6,000 crore. The scheme channelled dirty money through hawala networks, benami accounts, and cryptocurrency transactions spanning India, the UAE, Sri Lanka, and Pakistan. The Enforcement Directorate’s sweeping investigation — culminating in the attachment of properties including units within the iconic Burj Khalifa complex — threw into sharp relief a troubling reality: India’s rapidly expanding online gaming sector had grown into a hospitable environment for intricate cyber fraud, and the country’s legal architecture was fundamentally ill-equipped to confront it.

India’s online gaming industry has emerged as one of the world’s most dynamic digital sectors. With approximately 591 million gamers—nearly one-fifth of the global gaming population—and a projected market value of USD 4.38 billion in 2025, the sector drives significant economic activity and supports over 130,000 jobs. However, this growth has been accompanied by a sharp rise in fraudulent practices: manipulated algorithms, fictitious player schemes, identity fraud, money laundering, and predatory offshore operators targeting Indian consumers. Between 2022 and 2024 alone, India lost more than Rs. 25,000 crore to gaming-related fraud, illicit financial flows, and tax evasion.

In response, Parliament enacted the Promotion and Regulation of Online Gaming Act, 2025 (“PROG Act”) in August 2025, imposing a sweeping prohibition on all real-money online gaming.The Promotion and Regulation of Online Gaming Rules, 2026 (“PROG Rules”), gazetted on 22 April 2026 and effective from 1 May 2026, gave operational effect to this framework. This article argues that while these legislative measures represent a necessary intervention against gaming-related cyber fraud, they are marred by constitutional overreach, structural enforcement gaps, and unintended negative consequences that merit critical scrutiny. The discussion proceeds as follows: Part II reviews the pre-existing statutory framework; Part III analyzes the PROG Act and PROG Rules; Part IV examines relevant case law and the Mahadev fraud; Part V identifies regulatory shortcomings and constitutional tensions; and Part VI proposes concrete reforms.

II. The Pre-Existing Legal Framework

A. The Information Technology Act, 2000

Prior to the passage of the PROG Act, the Information Technology Act, 2000 was the main legal framework for tackling cyber fraud in the online gaming sector. Section 66C, which criminalizes electronic identity theft, directly addressed fraudulent gaming profiles and impersonation schemes. Section 66D, penalizing cheating by personation using computer resources, encompassed ghost-player scams in which operators created fictitious users to manipulate game outcomes. Section 69A authorized authorities to block unlawful gaming and betting websites—a power actively exercised, with more than 1,500 platforms taken down from 2022 to June 2025. Section 43 targeted unauthorized computer access, applying to gaming operators who collected users’ financial data without consent.

The IT Act’s limitations in this domain were nonetheless apparent. Having been conceived before the emergence of contemporary gaming fraud, its provisions lacked the specificity needed to address algorithmic manipulation, rigged game mechanics, and the layered financial structures characteristic of real-money gaming abuse. Enforcement authorities were compelled to stretch general cyber-fraud provisions to cover gaming-specific harms, generating legal uncertainty and uneven outcomes across jurisdictions.

B. The Prevention of Money Laundering Act, 2002

The Prevention of Money Laundering Act, 2002 (hereinafter “PMLA”) emerged as the Enforcement Directorate’s foremost tool against gaming-related financial crime. The definition of money laundering in Section 3 of the PMLA — encompassing concealment, possession, or utilisation of proceeds derived from scheduled offences — was sufficiently broad to capture the hawala transactions, shell company structures, and cryptocurrency flows deployed by entities such as the Mahadev platform. The ED’s provisional attachment powers under Section 5 permitted the freezing of bank accounts and attachment of assets spanning multiple jurisdictions, even in advance of conviction, making the PMLA an instrument of significant preventive force.

C. Other Applicable Statutes

The Public Gambling Act, 1867 — a colonial inheritance — remained the foundational prohibition on gambling in India, although its applicability to online platforms was contested given its focus on physical premises. The Integrated Goods and Services Tax Act, 2017 offered a fiscal regulatory mechanism, mandating registration and subjecting online gaming suppliers to a 28% levy on deposits. The Digital Personal Data Protection Act, 2023 addressed the data-security dimension of gaming fraud, governing the collection and misuse of sensitive personal and financial data by gaming operators, consistent with the right to privacy articulated in K.S. Puttaswamy v. Union of India.

III. The PROG Act, 2025 and the PROG Rules, 2026

Enacted on 22 August 2025, the PROG Act represents a significant legislative development in India’s gaming sector, establishing a clear differentiation among online social games, e-sports, and online money games, the latter of which are completely banned regardless of skill or chance involved. This marks a significant shift from previous legal interpretations. The Act creates the Online Gaming Authority of India for regulation and introduces a comprehensive registration system along with grievance redress mechanisms. Penalties for violations include imprisonment and heavy fines, with banks prohibited from facilitating transactions related to banned activities. The PROG Rules, which take effect on 1 May 2026, elaborate on the Act’s provisions with detailed regulations on platform registration, content classification, user protection, and the empowerment of local cyber cell officers to enforce these rules, thus decentralizing enforcement responsibilities.

IV. Judicial Developments and the Mahadev Scam

A. The Mahadev App Case: Anatomy of Gaming Fraud

The Mahadev Online Book case represents a significant incident in India’s battle against gaming fraud, involving a franchise system that issued licenses to associates under a profit-sharing model. These associates were responsible for user recruitment and fund transfers through a vast network of more than 3,033 bank accounts. The Enforcement Directorate (ED) launched an investigation across multiple cities, uncovering various fraudulent activities such as hawala operations, match-fixing, and cryptocurrency laundering. Legal action was grounded in a precedent asserting that assets derived from scheduled offences are deemed proceeds of crime, with attachments exceeding Rs. 1,700 crore by March 2026. Additionally, the court affirmed the validity of digital evidence in these proceedings, which was crucial given the electronic nature of the evidence presented, including transaction records and messaging communications. While the case highlighted the effectiveness of the Prevention of Money Laundering Act (PMLA) in addressing fraud outcomes, it also revealed the procedural limitations that allowed the fraudulent operations to persist for nearly five years amidst regulatory inaction.

B. The Supreme Court Challenge

On 8 September 2025, the Supreme Court of India consolidated multiple High Court petitions challenging the constitutional validity of the PROG Act and identified four core questions for determination: whether Parliament possesses legislative competence over gambling (historically a State List subject); whether the blanket prohibition infringes the right to trade and profession under Article 19(1)(g); whether the abrogation of the skill-chance distinction violates the right to equality under Article 14; and whether the prescribed criminal penalties are proportionate under Article 21. These constitutional questions remain unresolved, casting significant uncertainty over the regulatory framework’s durability.

V. Critical Analysis: Gaps, Constitutional Tensions, and Unintended Consequences

A. The Blanket Ban and Constitutional Proportionality

The PROG Act’s most controversial aspect is its comprehensive ban on all online money games, regardless of the skill level involved. Historically, Indian law has recognized skill-based games, such as fantasy sports and rummy, as protected commercial activities under Article 19(1)(g). In the case of K.S. Puttaswamy, the Supreme Court emphasized that any legislative encroachments on fundamental rights must meet the criteria of legality and proportionality. A blanket ban that fails to differentiate between skill-based and chance-based games could potentially violate the proportionality requirement. The economic impact has been severe, with major platforms like Dream11 and Mobile Premier League halting monetary gaming in response to the Act. Previously, real money gaming, which represented 86% of India’s Rs. 31,938 crore gaming market, faced a drastic revenue decline, leading to a loss of USD 3 billion in foreign direct investment and a significant drop in investor confidence. Although intended to address genuine issues, the legislation has inadvertently dismantled a legitimate industry that has developed over the past decade.

B. The Offshore Migration Problem

The most consequential unintended outcome of the blanket ban has been the mass migration of Indian users to unregulated foreign platforms. With India’s 28% GST on deposits already making offshore platforms attractive before the ban, the outright prohibition has dramatically accelerated this shift. Offshore operators — reachable through VPN services — operate outside any consumer protection framework, offer no grievance redressal mechanisms, maintain no algorithmic transparency, and provide no legal recourse for fraud victims. A prohibition-centred regulatory paradigm thus risks generating the very outcome it was designed to prevent: Indian consumers exposed to amplified fraud risk, with diminished legal protection and no domestic platform accountability.

C. Enforcement Gaps and Cross-Border Complexity

The Mahadev investigation reveals that gaming fraud operates transnationally, with Dubai-based operators controlling networks in Nepal, Sri Lanka, and Pakistan, using cryptocurrency and hawala for illicit fund transfers. This situation presents significant enforcement challenges, as India’s legal framework lacks a dedicated cybercrime treaty or mutual assistance agreement for dealing with gaming fraud. While the PROG Act’s empowerment of state-level cyber cell officers is a positive step towards decentralization, it fails to address the necessary international coordination that allowed the Mahadev network to thrive for nearly five years. Additionally, there are notable gaps in data security regulations, highlighted by the compromise of over 11 million gaming account credentials in 2024. Although the DPDP Act 2023 establishes data protection obligations, the ability of gaming platforms to comply, especially those facing financial difficulties post-PROG Act, remains uncertain. This intersection of gaming fraud, data breaches, and identity crime continues to be inadequately regulated, posing ongoing risks.

VI. Recommendations

The preceding analysis points towards five concrete proposals for a more effective and constitutionally durable regulatory framework.

First, the blanket prohibition should be replaced with a risk-tiered regulatory model that differentiates among high-risk chance-based gaming (prohibited), medium-risk skill-based gaming (licensed with algorithmic transparency requirements and financial caps), and e-sports (actively promoted). Such an approach would preserve constitutional commercial rights while targeting the specific fraud vectors that necessitated legislative intervention in the first place.

Second, mandatory independent audits of gaming algorithms by accredited certification bodies should be prescribed for all licensed platforms. This would address ghost-player fraud and rigged game mechanics — harms that are difficult to detect externally and that a licensing regime alone cannot adequately police.

Third, India should actively pursue dedicated multilateral instruments on gaming fraud intelligence-sharing, building upon existing financial intelligence cooperation under the Financial Action Task Force (FATF) framework. The Mahadev case demonstrates beyond doubt that effective responses to gaming fraud require coordinated international enforcement architecture.

Fourth, the Online Gaming Authority of India should be constituted as an independent statutory body with security of tenure and functional autonomy, insulated from executive interference, with a mandate encompassing consumer protection, fraud investigation, algorithmic oversight, and data security — modelled on the institutional framework of the Securities and Exchange Board of India (SEBI) in capital markets regulation.

Fifth, given research indicating that approximately 70% of Indian gamers under the age of 25 exhibit patterns consistent with addictive gaming behaviour, mandatory responsible gaming provisions — encompassing deposit limits, cooling-off mechanisms, loss-limit disclosures, and addiction helpline integration — should be mandated for all permitted platforms as a minimum standard of consumer protection.

VII. Conclusion

India’s online gaming sector has arrived at a moment of profound reckoning. The Mahadev fraud laid bare the catastrophic human and financial costs of extended regulatory neglect — a Rs. 6,000 crore criminal enterprise that operated openly for years, shielded by legal ambiguity, jurisdictional fragmentation, and inadequate institutional capacity. Against this backdrop, the PROG Act, 2025 and the PROG Rules, 2026 represent an overdue acknowledgement that the regulatory status quo had become unsustainable.

Yet the mode of intervention gives cause for serious concern. A blanket prohibition adopted without industry consultation, dismantling a multi-billion-dollar sector overnight, and immediately confronting constitutional challenge in the Supreme Court, raises fundamental questions of regulatory statecraft. The unintended drift of users towards unregulated offshore platforms, the implosion of the domestic industry, and the unresolved constitutional uncertainty collectively suggest that the government’s response — while directionally defensible in its anti-fraud orientation — was disproportionate in its reach.

India’s legal system faces the task of constructing a regulatory edifice that shields 591 million gamers from fraud without extinguishing a legitimate digital economy, that enforces domestic law against foreign operators without erecting a surveillance apparatus, and that reconciles constitutional freedoms with legitimate social protection objectives. Sound gaming regulation demands not the bluntest legislative tool available, but the most precisely calibrated instrument the state can devise. The regulatory stakes have been set — it falls to the Supreme Court and the next legislature to determine whether the outcome serves justice.

Reference(S):

Statutes and Rules

• Promotion and Regulation of Online Gaming Act, 2025, No. 34, Acts of Parliament, 2025 (India).

• Promotion and Regulation of Online Gaming Rules, 2026, Notification No. G.S.R. 270(E) (Apr. 22, 2026) (India).

• Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).

• Prevention of Money Laundering Act, 2002, No. 15, Acts of Parliament, 2003 (India).

• Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).

• Integrated Goods and Services Tax Act, 2017, No. 13, Acts of Parliament, 2017 (India).

• Public Gambling Act, 1867, No. 3, Acts of Parliament, 1867 (India).

• National Sports Governance Act, 2025, No. 28, Acts of Parliament, 2025 (India).

Cases

• Bharat Amratlal Kothari v. Union of India, (2000) 1 SCC 480 (India).

• Directorate of Enforcement v. Obulapuram Mining Company, (2022) 4 SCC 201 (India).

• K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).

Secondary Sources

• Soumya Awasthi & Shravishtha Ajaykumar, eds., Building a Regulatory Framework for Online Gaming in India, ORF Special Report No. 300, Observer Research Foundation (Mar. 2026).

• Observer Research Foundation, Online Gaming Regulation in India: A Preliminary Review (Sept. 3, 2025), https://www.orfonline.org/expert-speak/online-gaming-security-and-regulation-in-india-analysing-the-new-act.

• Subimal Bhattacharjee, India’s Online Gaming Rules 2026: What Changes for Real-Money Gaming?, The Quint (Apr. 30, 2026), https://www.thequint.com/opinion/india-online-gaming-rules-fixing-the-past-risking-the-future.

• GCSEL, Proposed Amendments to India’s Online Gaming Bill: Balancing Regulation, Innovation, and Protection (Nov. 22, 2025), https://www.gcsel.com/post/proposed-amendments-to-india-s-online-gaming-bill.

• Enforcement Directorate, Press Release: Mahadev Online Book (Sept. 15, 2023), https://enforcementdirectorate.gov.in.

• Padhai.AI, Promotion and Regulation of Online Gaming Act 2025 (Jan. 22, 2026), https://padhai.ai/blogs-padhai/promotion-and-regulation-of-online-gaming-act-2025.

• Lawful Legal, The Mahadev Betting App Scam: A Legal Dissection of India’s Emerging Cyber-Gambling Crisis (June 13, 2025), https://lawfullegal.in/the-mahadev-betting-app-scam.

• NASSCOM, Gaming Fraud and Security Threats in India (2024).

• PIB, A New Era of Online Gaming Governance (Apr. 30, 2026), https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=158400.