Don't bet on the Super Bowl without reading this: sites unprepared for cyber siege


With Super Bowl LIX just around the corner, security insiders are warning millions of gambling football fans that a slew of brand new AI-driven threats has descended upon America's unprepared online betting industry.

Whether you’re betting on the Philadelphia Eagles crushing the Kansas City Chiefs (sorry, Swifties), a specific point spread at halftime, or how many touchdowns KC quarterback Patrick Mahomes will throw during Sunday’s game, gambling fever is always at an all-time high during the Super Bowl.

“No single event unites sports fans like the Super Bowl, and that excitement extends to sports betting, with this year’s record legal handle reflecting its widespread appeal,” said Bill Miller, President and CEO of the American Gaming Association (AGA).


According to the AGA, US football fans are expected to wager an estimated $1.39 billion on this year's Super Bowl – up from last year’s record of $1.25 billion, which also saw the first-ever $1 million bet.

And, not surprisingly, earlier this week, sports betting guru and former ESPN reporter Ben Fawkes posted on X that "one bettor at @BetMGM in Nevada" has already wagered a cool $1.1 million on the Philadelphia Eagles, the slight underdog in Sunday's match-up.

For Super Bowl 2024, an AGA survey showed a whopping 68 million US adults placed bets on the game – nearly triple the 22.7 million recorded in 2019, the first year sports betting became legal in 38 states and Washington, DC.

‘Complete lack of defenses’

With record numbers of people rushing to get their bets in before the game, “betting websites are experiencing a surge in traffic,” said Florent Pajot, Machine Learning Engineer at DataDome.

Pajot said the recent uptick in traffic is not just “enthusiastic bettors but also malicious actors looking to exploit security gaps... presenting a prime opportunity for automated attacks, as fraudsters deploy bots to hijack accounts, steal winnings, and manipulate bets at scale."


The bot blocker and cyber fraud protection company decided to assess the security stance of five major sports betting sites in the lead-up to the Super Bowl, releasing their findings this week.

According to Legal Sports Report, a sports betting news outlet, the top sportsbook sites for the Super Bowl include BetMGM, Caesars, DraftKings, FanDuel, bet365, BetRivers, and Fanatics, although DataDome did not specifically name any sites in its research.

Sportsbook sites BetMGM, FanDuel, DraftKings, and Fanatics. Images by Shutterstock.

What stood out most to researchers was that all five unnamed betting sites tested showed “a complete lack of defenses against basic automation techniques,” DataDome said.

This leaves users at risk for attacks such as credential stuffing and mass account creation, which can easily be used for future attacks against the victim.

In a credential stuffing attack, the bad actors take already stolen usernames and passwords and, using automated bots, try to “stuff” the stolen credentials into the targeted website, hoping to match the login information to a legitimate account.

What’s more, the research team said it conducted the tests using essentially off-the-shelf tools and an “open-source bot framework without custom configuration,” meaning that threat actors using more advanced tactics can “inflict even greater damage.”

Here are some of the critical security lapses found by the DataDome research team on the sites:

  • One-hundred percent of the sites allowed automated login or account creation.
  • No CAPTCHAs were triggered, even on sites claiming to have them.
  • No restrictions on the number of login attempts.
  • No email validation required to create an account or sign in.
  • Account creation allowed using temporary email services, the Gmail dot trick (Gmail ignores dots in the local part, so one inbox can register under many spellings), and other alias tricks.
  • Weak authentication measures (only one site used multi-factor authentication).
1 - Fans place bets at a Fanatics Sportsbook at the XL Center, Hartford, Connecticut. February 1, 2025. 2 - Betting odds video board and prop bets at the Westgate Superbook sports book, Super Bowl 58. Las Vegas, Nevada. February 9, 2024. 3 - Super Bowl Sunday at Monmouth Park Sports Book by William Hill, Oceanport, New Jersey. February 3, 2019. Images by Shutterstock/Aaron M. Sprecher/Dave Kotinsky/Getty Images

Spikes in AI-driven attacks

Security experts say Super Bowl betting scams have evolved from simple stolen credit cards to AI-generated fake identities and deepfakes, which can trick sportsbooks into approving hundreds, if not thousands, of fraudulent accounts at a time.

Bala Kumar, CPTO at identity verification firm Jumio, works with several gaming providers, including the international online gambling sites Novibet, 888, and Betfair. He spoke about this year's implications for Super Bowl bettors and online gaming companies.

“The Super Bowl is ground zero for AI-powered betting fraud,” the Chief Product and Technology Officer said, adding that attackers have evolved from manual account creation “to using AI-driven pipelines, generating thousands of fake betting accounts in minutes.”

These "synthetic bettor” accounts are being made with realistic IDs and deepfakes that can easily pass outdated verification methods, Kumar said.

Once these fake accounts are in the system, they can be used to “exploit sign-up bonuses, launder money, and manipulate betting odds undetected,” Kumar explained.

The deepfake-backed accounts also wreak havoc on legitimate users trying to cash out winnings in real time after a touchdown or field goal: at peak moments the system is flooded with users, both fake and real, and the verification step slows for everyone.

These betting sites “need to ensure their identity platform is equipped to handle dramatic spikes in demand without sacrificing security,” Kumar said, adding that “it's not just about fraud prevention – it’s about creating a seamless experience for the millions of real users who expect a quick, secure transaction when they need it most.”


Kumar believes the only way to fight AI-powered fraud while keeping legitimate users happy is to fight fire with fire, so to speak, using AI-powered defense and a platform built for scalability.

“Sportsbooks need real-time identity verification with biometric authentication, 'liveness detection' capable of detecting deepfakes, and advanced risk signals to flag suspicious activity – while ensuring a frictionless experience for good users,” he said.

“AI may be weaponized against gaming platforms, but the right defenses can turn it into the strongest shield – protecting the integrity of the game for both sportsbooks and bettors,” he added.


How to protect yourself from AI-driven scams

As for what users can do to try and protect themselves, DataDome researchers say to always use unique and strong passwords for each site, even better if generated by a password manager.

They remind users that “credential stuffing attacks work” mainly because people tend to reuse the same email and passwords across different websites and applications.

Experts say users should also be aware that AI makes it simple for scammers to create realistic messages and ads promoting fake deals, such as free online betting, discounted food delivery services, and even cut-rate tickets.

So, unless a site's legitimacy can be absolutely confirmed, users should block questionable emails and texts and ignore Super Bowl-related ads on Facebook, Instagram, WhatsApp, and even LinkedIn.

The Super Bowl game between the Philadelphia Eagles and the Kansas City Chiefs takes place on Sunday, February 9th at 6:30 p.m. Eastern Time at the Caesars Superdome in New Orleans.
