Social Media Nexus Spreads Color Prediction Games that Defraud Users




Adversary Intelligence







Executive Summary

  • The proliferation of games that promise money for correctly predicting colors.
  • Banking credentials and PII are collected from players.
  • Monetary loss.
  • Increases risk of social engineering attacks, identity theft, etc.
  • Report the gaming apps and sites to Cyber Crime Cells.
  • Awareness campaigns to educate users.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk monitoring platform XVigil came across an engagement loop called Color Prediction gaming, a financial scam functioning under the pretext of gaming.
  • Color Prediction based platforms promise quick money by allowing users to place bets and win good returns for predicting the right color.
  • The scam is similar to a Ponzi/pyramid scheme, where the money collected from new players/investors is used to pay profits to early adopters/investors.
  • 60 websites and several social media handles have been identified propagating this scam.
  • These scams have been prevalent for a long time and several actors have been arrested for such activities in the past 3 years.

Modus Operandi

  • Threat actors start by registering multiple domains, which contain keywords related to color prediction games. This allows them to maintain continuity even if a domain is taken down.
  • Color prediction games are also available as mobile apps. However, they are usually not available on verified stores like Google Play or the Apple iOS App Store.

Retail Brand Impersonation

  • Several well-known retail brand names are abused in order to gain credibility.
  • The sites use reputable payment gateways and financial services to appear legitimate.
  • India-based payment service providers are also used to route payments.
  • The sample below shows a malicious website whose jewelry listings are visually identical to those of a legitimate website selling jewelry.

Fake Domain

Legitimate website

An example of a malicious website that was utilized in the scam and had the same jewelry listings as the actual website

Spreading the Scam

  • Social media platforms (Facebook, Telegram, and YouTube) are used to popularize these games.
  • CloudSEK’s interaction with an influencer revealed that they were paid to promote one such game, pointing to the possibility of a fully organized social media nexus disseminating these games.
  • Attackers operating these games also have dedicated groups and channels on Telegram to communicate with their followers. (For more information, refer to the Appendix.)

Screenshot of the communication with an influencer


Different Labels, Same Scam

  • CloudSEK uncovered multiple campaigns promoted with keywords “mall”, “game”, and “club”.

List of keywords used to promote the scam


  • CloudSEK researchers identified ~60 such websites and hundreds of social media handles.
  • Information from a sensitive source revealed that one such website reportedly had 560 users. (For more information, refer to the Appendix.)
  • Further research on the domains revealed the identities of some of the registered users.

Scam domain displaying the user information
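
The domain pattern described under Modus Operandi and in this section (one name re-registered many times, promoted with “mall”, “game”, or “club”) can be triaged by grouping sibling registrations so a report to a registrar or Cyber Crime Cell covers the whole cluster. The sketch below is an added example, not CloudSEK's tooling; the theme terms, the function names, and the sample domains (all on reserved TLDs) are assumptions, and input is assumed to be registered domains rather than arbitrary subdomains.

```python
import re
from collections import defaultdict

# Labels the report says the campaigns are promoted with.
CAMPAIGN_LABELS = ("mall", "game", "club")
# Assumed theme terms standing in for "keywords related to color
# prediction games"; the report's own keyword list is not on the page.
THEME_TERMS = ("color", "colour", "predict")

# Constructed sample feed of registered domains (reserved TLDs only).
SAMPLE = [
    "colorwinmall.example",
    "colorwin-mall2.test",
    "www.colorwinmall3.invalid",
    "predictclub.example",
    "gardenclub.example",      # campaign label only: not flagged
    "shoppingmall.test",       # campaign label only: not flagged
    "colorprinting.example",   # theme term only: not flagged
]

def stem(domain):
    """Leftmost label with 'www', digits and hyphens removed, so that
    re-registrations of one name collapse to the same key."""
    labels = domain.lower().strip(".").split(".")
    if labels[0] == "www" and len(labels) > 2:
        labels = labels[1:]
    return re.sub(r"[^a-z]", "", labels[0])

def cluster(domains):
    """Group domains whose stem holds both a campaign label and a
    theme term; returns {stem: sorted list of matching domains}."""
    groups = defaultdict(set)
    for d in domains:
        s = stem(d)
        has_label = any(k in s for k in CAMPAIGN_LABELS)
        has_theme = any(t in s for t in THEME_TERMS)
        if has_label and has_theme:
            groups[s].add(d.lower().strip("."))
    return {s: sorted(ds) for s, ds in groups.items()}

if __name__ == "__main__":
    # Clusters with several members show the continuity pattern:
    # the same name kept alive across TLDs and numeric suffixes.
    for name, members in cluster(SAMPLE).items():
        print(name, len(members), members)
```

Requiring both a campaign label and a theme term keeps ordinary “mall” or “club” domains out of the result; a cluster with more than one member is the case worth escalating together.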


The Game

  • Once a player registers on a color prediction website or domain, they can earn money by:
    • Predicting the correct color.
    • Enrolling additional players for the referral bonus.
  • Victims begin with a small bet placed on a specific color. If they win the bet, their money is doubled.
  • This encourages players to increase the value of their bets.
  • However, the wallet, once topped up with the player’s money, is blocked from additional withdrawals.
  • Several YouTube tutorials and websites teach how to set up color prediction games and even provide the source code for the same.


  • APKs downloaded from these websites reveal domains hosted on Alibaba Cloud Computing (Beijing) Co., Ltd. Some IP addresses can also be mapped to China.
  • The app code includes a Chinese open source Android framework named XUpdate.
  • An article by Telangana Today reported a suspicion that the scammers were operating from China, considering that a majority of the victims’ calls were traced from Hong Kong-based numbers.
  • Along similar lines, an article in Indian Express in August 2020 reported a scam of Rs. 1600 crore unearthed by Hyderabad police, in which a Chinese national was arrested. The entire technical operation was purportedly run by Beijing T Power company directors and partners.
  • However, in this case, there is no direct link between the campaign and Chinese entities.

Impact and Mitigation

Impact:

  • Such fake applications could be leveraged to deploy malware and spyware.
  • Users’ PII, such as bank details, could be leveraged for social engineering attacks and identity theft.
  • Significant monetary loss.

Mitigation:

  • Report the phishing sites to Cyber Crime Cells.
  • Run aggressive awareness campaigns to educate users/customers about ongoing scams.



Appendix

The scam website with 560 users


Static code analysis revealing ‘XUpdate’ used for developing APK


Association with Alibaba Cloud Computing (Beijing) Co., Ltd.


Returns on later investments being denied


YouTube tutorials for developing platforms



Images of platforms where users could download the source code and create their own color prediction games

Images of Telegram channels

Screenshot of Telegram channels


Facebook being used to promote the campaigns



YouTube being used to promote the campaigns