Computer, Cybercrime & Legal Landscape Around the World
Definition: Computer vs Cybercrime
| Term | Definition | Example |
|---|---|---|
| Computer Crime | Crime that requires a computer but may not need the internet | Stealing data from an offline server using a USB drive |
| Cybercrime | Crime committed using the internet or network infrastructure | Phishing attack via email; ransomware spread over network |
| Computer as Target | The attacker wants to damage, disable, or infiltrate the computer itself | DDoS attack, hacking a server, planting malware |
| Computer as Tool | The computer is used to carry out a traditional crime | Online fraud, cyberstalking, child exploitation material |
| Computer as Witness | Computer logs and data serve as evidence of a crime | Email logs proving insider trading; CCTV footage |
Global Legal Landscape — Key Laws by Jurisdiction
| Country / Region | Key Cybercrime Law | Year | Key Provisions |
|---|---|---|---|
| 🇮🇳 India | Information Technology Act (IT Act 2000) + Amendment 2008 | 2000 / 2008 | Hacking (Sec 66), cyber terrorism (Sec 66F), pornography (Sec 67), identity theft (Sec 66C), phishing (Sec 66D), data breach liability (Sec 43A) |
| 🇺🇸 USA | Computer Fraud and Abuse Act (CFAA) | 1986 / updated | Criminalises unauthorised access to protected computers; espionage; identity fraud; denial of service attacks |
| 🇬🇧 UK | Computer Misuse Act (CMA) | 1990 / updated 2015 | Unauthorised access, unauthorised modification of data, DoS attacks; up to 10 years imprisonment |
| 🇪🇺 European Union | EU Directive on Attacks Against Information Systems + GDPR | 2013 / 2018 | Harmonised cybercrime law across EU member states; mandatory minimum sentences; GDPR adds data protection penalties |
| 🌐 International | Budapest Convention on Cybercrime | 2001 | First international treaty on cybercrime; signed by 65+ countries; harmonises definitions and enables cross-border cooperation |
Challenges in Cyber Law Enforcement
India's IT Act 2000 — Overview
The Information Technology Act 2000 is India's primary legislation governing cybercrime, digital signatures, e-commerce, and electronic records. It was significantly amended in 2008 to address emerging threats. Key bodies created under it:
- CERT-IN (Indian Computer Emergency Response Team) — National cybersecurity agency
- Cyber Appellate Tribunal — Hears appeals against adjudicating officer orders
- Adjudicating Officers — Empowered to award compensation for data breaches
- Cyber Crime Cells — Established in all state police departments
References
- IT Act 2000 (as amended 2008): https://www.meity.gov.in/content/information-technology-act
- Budapest Convention on Cybercrime: https://www.coe.int/en/web/cybercrime/the-budapest-convention
- CFAA (USA): https://www.justice.gov/criminal-ccips/computer-fraud-and-abuse-act
- Gordon & Ford — "On the Definition and Classification of Cybercrime", Journal of Computer Virology, 2006
Criminal Motives of Attackers and Types of Attacks
Attacker Profiles — Who Attacks and Why
Financial Criminals
Motivated purely by money. Target banks, payment systems, e-commerce, and individuals. They sell stolen data on dark web markets or extort victims via ransomware.
Hacktivists
Politically or ideologically motivated hackers. They deface websites, leak documents, or launch DDoS attacks to promote a cause or protest against an organisation or government.
Nation-State Actors
Government-sponsored hackers conducting espionage, sabotage of critical infrastructure, or election interference. The most sophisticated and well-funded attackers.
Script Kiddies
Low-skill attackers who use ready-made hacking tools without understanding them. Motivated by curiosity, fame, or thrill. Can still cause significant damage.
Insider Threats
Disgruntled employees, contractors, or partners with inside access. May be motivated by revenge, financial need (bribed by competitors), or ideological disagreement.
Cyber Terrorists
Attack critical national infrastructure (power grids, water treatment, hospitals) to create fear, casualties, and economic disruption. A subset of nation-state or extremist groups.
Classification of Attacks by Method
| Attack Category | Method | Example | Target |
|---|---|---|---|
| Passive Attacks | Observe/intercept data without modifying it; victim unaware | Network eavesdropping, traffic analysis, packet sniffing | Confidentiality |
| Active Attacks | Modify, destroy, or disrupt data or systems | Data modification, DoS, session hijacking, replay attack | Integrity / Availability |
| Insider Attacks | Exploitation of trusted internal access | Data exfiltration by employee, sabotage of IT systems | All three — CIA |
| Distribution Attacks | Tamper with software/hardware before delivery to victims | Pre-installed malware on devices, poisoned software updates | Supply Chain |
Detailed Attack Types and Techniques
1. Malware Attacks
- Virus: Attaches to executable files; spreads when the host file is run. Requires human action to propagate.
- Worm: Self-replicates across networks without human intervention. Can bring down entire networks (e.g., ILOVEYOU worm — 10 billion USD damage, 2000).
- Trojan Horse: Disguises itself as legitimate software; opens a backdoor for attackers once installed.
- Ransomware: Encrypts victim's files and demands payment for the decryption key. WannaCry (2017) hit 230,000 systems in 150 countries.
- Spyware / Stalkerware: Silently monitors user activity; logs keystrokes, screenshots, location. Used in domestic abuse and corporate espionage.
- Rootkit: Hides deep in the OS, making detection nearly impossible. Gives attacker persistent, stealthy control.
2. Social Engineering Attacks
- Phishing: Mass email campaign using fake sender identity to steal credentials
- Spear Phishing: Targeted phishing using personal details about the victim to increase believability
- Whaling: Spear phishing targeting C-suite executives (CEOs, CFOs)
- Vishing: Voice phishing over phone — fake RBI / CBI officer calls
- Smishing: SMS-based phishing — fake bank/delivery messages
- Baiting: Leaving infected USB drives in public places — curiosity leads victims to plug them in
- Pretexting: Fabricating a believable scenario to extract information — "I'm from IT support, need your password to fix an issue"
References
- Hadnagy, C. — Social Engineering: The Science of Human Hacking, 2nd Ed., Wiley, 2018
- CERT-IN Annual Report 2023 — Attacker Profile Analysis
- FBI Internet Crime Complaint Center (IC3) Annual Report: https://www.ic3.gov/AnnualReport
Cyber Threats: Cyber Warfare
Dimensions of Cyber Warfare
Offensive Ops
Attacking enemy military systems, communications, power grids, and financial infrastructure to paralyse the adversary before or during kinetic conflict.
Defensive Ops
Protecting national critical infrastructure from foreign cyber attacks. Includes real-time threat detection, patch management, and national cyber exercises.
Cyber Espionage
Infiltrating foreign government and military networks to steal classified information — defence blueprints, diplomatic communications, economic plans.
Influence Operations
Coordinated disinformation campaigns on social media, fake news, and propaganda to destabilise the target nation's political system and public trust.
Critical Infra Attacks
Targeting power grids, water treatment plants, nuclear facilities, and financial systems to create mass disruption and civilian panic.
Major Cyber Warfare Incidents in History
| Incident | Year | Attacker (Suspected) | Target | Impact |
|---|---|---|---|---|
| Estonia DDoS Attacks | 2007 | Russia (suspected) | Estonian government, banks, media | Entire national internet infrastructure paralysed for weeks; first major nation-state cyber attack |
| Stuxnet | 2010 | USA & Israel | Iran's Natanz nuclear centrifuges | Physically destroyed 20% of Iran's uranium enrichment capacity — first cyber weapon causing physical damage |
| Ukraine Power Grid | 2015–16 | Russia (Sandworm APT) | Ukrainian electricity distribution | 230,000 civilians lost power in winter; first confirmed power grid attack via cyber weapons |
| SolarWinds / Sunburst | 2020 | Russia (SVR) | US Federal agencies, 18,000 organisations | Supply chain attack; infiltrated Treasury, Pentagon, DHS; 9 months undetected |
| India–Pakistan Cyber Skirmishes | Ongoing | Both sides — hacktivists & state proxies | Government websites, defence portals, banks | Website defacements, DDoS; significant escalation during military tensions |
India's Cyber Warfare Defence Architecture
- NCIIPC (National Critical Information Infrastructure Protection Centre) — Under NTRO; protects India's critical infrastructure sectors (energy, banking, telecom, transport, space, defence)
- CERT-IN — Handles incident response, threat intelligence sharing, and coordinates with private sector
- Defence Cyber Agency (DCyA) — Tri-service agency of Indian Armed Forces; conducts offensive and defensive cyber operations
- National Cyber Coordination Centre (NCCC) — Real-time threat intelligence and situational awareness at national level
References
- Tallinn Manual 2.0 — International Law Applicable to Cyber Operations (NATO CCDCOE)
- Rid, T. — Cyber War Will Not Take Place, Oxford University Press, 2013
- NCIIPC: https://nciipc.gov.in
- Defence Cyber Agency, Ministry of Defence (India): https://mod.gov.in
Comprehensive Cyber Security Policy
The Four Pillars of a Comprehensive Policy
Prevention
- Access control policies (RBAC, least privilege)
- Password policy — complexity, rotation
- Patch management schedule
- Network segmentation rules
- Encryption mandates for data at rest & in transit
- Third-party vendor security requirements
Detection
- SIEM implementation & alert thresholds
- IDS/IPS deployment policy
- Log retention requirements (minimum 1 year)
- Vulnerability scanning schedule (monthly)
- Penetration testing frequency (annual)
- User behaviour analytics (UBA)
Response
- Incident Response Plan (IRP) — documented
- Incident classification matrix
- CERT-IN notification procedure (within 6 hours)
- Crisis communication plan
- Digital forensics & evidence preservation
- Law enforcement engagement protocol
Recovery
- Disaster Recovery Plan with defined RTO/RPO
- Business Continuity Plan (BCP)
- Backup policy — frequency, offsite, air-gap
- Post-incident review process
- Insurance and financial recovery planning
- Stakeholder communication after breach
India's National Cyber Security Policy (NCSP) 2013
India's National Cyber Security Policy 2013 was the first comprehensive government-level framework for protecting India's cyberspace. While a revised policy is in development, NCSP 2013 remains the foundational document. Key objectives:
- Create a secure and resilient cyberspace for citizens, businesses, and government
- Establish CERT-IN as the national agency for coordination of cyber incidents
- Develop a skilled cybersecurity workforce of 500,000 professionals by 2018
- Establish a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC)
- Promote Research & Development in cybersecurity technologies in India
- Create a cyber-aware citizenry through awareness campaigns
Policy Development Life Cycle
References
- National Cyber Security Policy 2013, MEITY: https://www.meity.gov.in/cyber-security-division
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- ISO/IEC 27001:2022 — Information Security Management Systems
Cybercrimes Targeting Computer Systems and Mobiles
Crimes Targeting Computer Systems
1. Hacking / Unauthorised Access
Gaining access to a computer system without permission. Can range from passive information gathering to full system takeover. Classified under IT Act Section 66.
- Ethical Hacking (White Hat): Authorised security testing by professionals
- Black Hat Hacking: Malicious, unauthorised access for personal gain
- Grey Hat: Breaks in without permission but reports the vulnerability (without causing damage)
2. Denial of Service (DoS) / Distributed DoS (DDoS)
Flooding a server or network with so much traffic that it cannot serve legitimate users. DDoS uses a botnet — thousands of compromised computers acting in concert. Classified under IT Act Section 66F (if used for terrorism) or Section 43 (damage to computer).
3. Ransomware
Encrypts victim's data and demands ransom for the decryption key. Targets both organisations (hospitals, banks, government) and individuals. Modern ransomware groups also exfiltrate data before encrypting and threaten to publish it ("double extortion").
4. Data Theft / Data Breach
Unauthorised copying, transfer, or publication of confidential data from an organisation's systems. Relevant provisions are IT Act Section 66B (dishonestly receiving stolen computer resources) and Section 43A (compensation for negligent data breach).
5. Logic Bomb
Malicious code planted in a legitimate program that lies dormant until a specific condition is met (a date, a command, an event) — then activates and causes damage. Commonly planted by disgruntled employees.
Crimes Targeting Mobile Devices
SIM Swapping
Attacker convinces telecom provider to transfer victim's phone number to attacker's SIM. Then receives all OTPs and 2FA codes — enabling bank account takeover. India has seen thousands of such cases.
Smishing
SMS-based phishing. Fake messages claiming to be from SBI, IRCTC, Amazon, or courier services with malicious links that steal credentials or install malware when clicked.
Stalkerware / Spyware
Hidden apps installed on a victim's phone (often by an intimate partner) to track location, read messages, listen to calls, and take covert photos. A tool of domestic abuse.
Malicious Apps
Fake apps mimicking legitimate ones (banking apps, games, loan apps) that steal credentials, contacts, photos, and financial data. Distributed via third-party stores or phishing links.
Evil Twin Wi-Fi Attacks
Attacker creates a fake Wi-Fi hotspot with the same name as a legitimate one (airport, café). All traffic from victims connecting to it passes through the attacker's device — a mobile MitM attack.
UPI / Mobile Payment Fraud
Attackers use social engineering combined with UPI features (collect requests, screen sharing) to trick victims into authorising payments. Unique to India's digital payment landscape.
References
- National Cyber Crime Reporting Portal: https://cybercrime.gov.in
- CERT-IN Mobile Security Advisory: https://www.cert-in.org.in
- MHA Annual Cybercrime Statistics Report 2023
- Jamtara — Sabka Number Ayega (Netflix documentary) — for real-world context
Online Scams and Frauds
Major Categories of Online Scams
Banking & UPI Fraud
Victims are contacted by fake "bank officers" or "RBI representatives" and manipulated into sharing OTPs, card details, or UPI PINs. In "collect request" scams, victims receive a UPI collect request and are tricked into entering their PIN to "receive" money; entering the PIN actually sends the money.
Fake Job Offers
Victims receive emails or WhatsApp messages offering high-paying jobs requiring upfront "registration fees," "security deposits," or "visa fees." After payment, the job offer vanishes. Often impersonates major companies like Infosys, TCS, or MNCs.
Romance Scams & Sextortion
Attackers build fake romantic relationships online, eventually requesting money for emergencies. Sextortion involves collecting intimate images/videos and threatening to publish them unless a ransom is paid. Increasingly targeting teenagers.
Fake Cryptocurrency / Stock Tips
Victims are added to WhatsApp/Telegram "investment groups" by fake stockbrokers or crypto gurus. Initial small "gains" are shown; when victims invest large sums, the platform disappears. Known internationally as the "Pig Butchering" scam.
Fake Tech Support Scams
Victims receive pop-up alerts claiming their computer is "infected" or their "Windows license has expired." Calling the displayed number connects them to fake "Microsoft/Apple support" who remotely access the device and charge for fake fixes or steal financial data.
Lottery & Prize Fraud
"You have won ₹25 lakhs in the KBC lottery!" Victims pay processing fees, taxes, and courier charges to claim prizes that don't exist. Emails and SMS use official-looking logos of KBC, Amazon, or government schemes to appear credible.
Fake CBI / ED / Police Threats
Victims receive video calls from fake police, CBI, or ED officers claiming the victim's Aadhaar is linked to money laundering. Victims are threatened with arrest and pressured to transfer large sums to "verify" their innocence — a new, highly sophisticated Indian scam type.
Online Shopping Frauds
Fake shopping websites or fake social media sellers offer products at steep discounts. After payment, goods are never delivered or counterfeit items arrive. Also includes "Cash on Delivery" fraud where sellers cancel orders and substitute cheap alternatives.
Red Flags — How to Identify an Online Scam
| Red Flag | What It Means |
|---|---|
| Urgency / Time Pressure | "Act within 24 hours or lose the offer" — designed to prevent rational thinking |
| Upfront Payment Required | Legitimate jobs, prizes, and loans never require upfront fees |
| Too Good to Be True | Returns of 50%/month, jobs paying ₹5 lakhs/month for no skills — unrealistic offers |
| Requests for OTP / PIN | No legitimate bank, government body, or company will ever ask for your OTP or ATM PIN |
| Unsolicited Contact | You did not enter any lottery; you cannot win a prize you didn't enter |
| Requests to Install Remote Access Apps | AnyDesk, TeamViewer requests from "bank officers" — they will steal your financial data |
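The red flags in the table can be turned into first-pass triage rules for incoming SMS or chat text. The following is an added example, not part of the original notes; the word lists, the `triage` function, the verdict names and the sample messages are all constructed for illustration.

```python
import re

# Red-flag names in the order used by the table above.
TABLE_ORDER = [
    "Urgency / Time Pressure", "Upfront Payment Required", "Too Good to Be True",
    "Requests for OTP / PIN", "Unsolicited Contact",
    "Requests to Install Remote Access Apps",
]

# Illustrative patterns only (an assumption, not an official or complete rule set).
CONTENT_RULES = {
    "Urgency / Time Pressure": re.compile(
        r"\b(within \d+ (hours?|minutes?|mins?)|immediately|urgent(ly)?|last chance|"
        r"will be (blocked|suspended|deactivated))\b"),
    "Upfront Payment Required": re.compile(
        r"\b(registration|processing|security|visa|courier)\s+(fees?|deposit|charges?)\b"),
    "Too Good to Be True": re.compile(
        r"\b(won|lottery|prize|guaranteed returns?|"
        r"\d+\s*%\s*(/|per|a)\s*(day|week|month))\b"),
    # The lookbehinds skip genuine warnings such as "never share your OTP".
    "Requests for OTP / PIN": re.compile(
        r"(?<!not )(?<!never )\b(share|send|tell|enter|provide|confirm)\b"
        r".{0,40}\b(otp|pin|cvv|password)\b"),
    "Requests to Install Remote Access Apps": re.compile(
        r"\b(install|download|open)\b.{0,40}\b(anydesk|teamviewer|screen ?shar\w*)\b"),
}

# Per the table, no legitimate party asks for these, so one hit is enough to block.
HIGH_RISK = {"Requests for OTP / PIN", "Requests to Install Remote Access Apps"}


def normalise(text):
    """Lower-case and undo simple obfuscation such as 'O.T.P' or 'p-i-n'."""
    text = text.lower()
    return re.sub(r"\b(?:\w[.\-]){2,}\w\b",
                  lambda m: re.sub(r"[.\-]", "", m.group()), text)


def triage(message, known_sender=False):
    """Return (verdict, matched_flags) for one message.

    'Unsolicited Contact' cannot be read from the text itself, so the caller
    supplies known_sender; it only counts alongside at least one content flag.
    """
    text = normalise(message)
    flags = [name for name, rx in CONTENT_RULES.items() if rx.search(text)]
    if flags and not known_sender:
        flags.append("Unsolicited Contact")
    flags.sort(key=TABLE_ORDER.index)
    if HIGH_RISK.intersection(flags) or len(flags) >= 2:
        verdict = "block"
    elif flags:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, flags


# Constructed sample messages: (text, known_sender)
SAMPLES = [
    ("Dear customer, your account will be blocked within 24 hours. "
     "Share O.T.P to complete KYC.", False),
    ("Congratulations! You have won Rs 25 lakhs in the lottery. "
     "Pay processing fee to claim your prize.", False),
    ("Sir, I am calling from bank support. Please install AnyDesk "
     "so I can fix your net banking.", False),
    ("Your OTP for login is 482913. Never share your OTP with anyone.", True),
    ("Reminder: submit the visa fee receipt to HR by Friday.", True),
]

if __name__ == "__main__":
    for text, known in SAMPLES:
        print(triage(text, known), "<-", text[:50])
```

Keyword rules like these only rank messages for a human or a stronger filter; they miss rephrased lures and will flag some legitimate mail.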
References
- National Cyber Crime Reporting Portal: https://cybercrime.gov.in
- RBI — Beware of Phishing/Fraudulent Calls advisory: https://www.rbi.org.in
- MHA I4C — Indian Cyber Crime Coordination Centre: https://www.mha.gov.in/en/cybercrime
- Federal Trade Commission (USA) — Consumer Information on Scams: https://consumer.ftc.gov/scams
Cybercrime and Punishments
IT Act 2000 — Key Sections and Punishments
| Section | Offence | Imprisonment | Fine | Type |
|---|---|---|---|---|
| Sec 43 | Unauthorised access, damage to computer / data | — | Compensation up to ₹1 crore (civil) | Civil |
| Sec 43A | Negligent data breach by body corporate | — | Compensation (adjudicating officer decides) | Civil |
| Sec 66 | Computer-related offences (hacking) | Up to 3 years | Up to ₹5 lakh | Both |
| Sec 66B | Receiving stolen computer resource / data dishonestly | Up to 3 years | Up to ₹1 lakh | Both |
| Sec 66C | Identity theft (using another person's digital signature / password / ID) | Up to 3 years | Up to ₹1 lakh | Both |
| Sec 66D | Cheating by impersonation using computer resource | Up to 3 years | Up to ₹1 lakh | Both |
| Sec 66E | Violation of privacy (capturing, publishing private images without consent) | Up to 3 years | Up to ₹2 lakh | Both |
| Sec 66F | Cyber terrorism (attacking critical national infrastructure, causing death/damage) | Life Imprisonment | As court determines | Life |
| Sec 67 | Publishing obscene material in electronic form | First conviction: up to 3 years; subsequent: up to 5 years | First: ₹5 lakh; subsequent: ₹10 lakh | Criminal |
| Sec 67A | Publishing sexually explicit content electronically | Up to 5 years | Up to ₹10 lakh | Criminal |
| Sec 67B | Child sexual abuse material (CSAM) online | First: up to 5 years; subsequent: up to 7 years | Up to ₹10 lakh | Most Severe |
| Sec 69 | Failure to assist Government in decryption of information | Up to 7 years | — | Criminal |
| Sec 72 | Breach of confidentiality and privacy by service providers | Up to 2 years | Up to ₹1 lakh | Both |
IPC / BNS Sections Applicable to Cyber Cases
| IPC Section (BNS Equivalent) | Offence in Cyber Context | Max Punishment |
|---|---|---|
| IPC 420 (BNS 318) | Cheating and dishonestly inducing delivery of property — online fraud | 7 years + fine |
| IPC 384 (BNS 308) | Extortion — ransomware, sextortion | 3 years + fine |
| IPC 499–500 (BNS 356) | Defamation — fake social media posts, morphed images | 2 years + fine |
| IPC 354D (BNS 78) | Cyberstalking — persistent online following, monitoring | 3 years (repeat: 5 years) |
| IPC 153A (BNS 196) | Promoting enmity between groups — hate speech online | 3 years + fine |
| POCSO Act Sec 13–15 | Child sexual exploitation material (CSAM), online grooming | 5–7 years (first offence) |
References
- IT Act 2000 (Full Text): https://www.meity.gov.in/content/information-technology-act
- Bharatiya Nyaya Sanhita 2023 (BNS): https://legislative.gov.in
- POCSO Act 2012: https://wcd.nic.in/acts/protection-children-sexual-offences-act-2012
- Vakul Sharma — Information Technology Law and Practice, Universal Law Publishing
Cyber Laws & Legal and Ethical Aspects of New Technologies
Artificial Intelligence (AI)
- Deepfakes: AI-generated fake videos of real people used for political manipulation, non-consensual pornography, or financial fraud. No specific Indian deepfake law yet — prosecuted under IT Act Sec 66E, 67A
- Algorithmic Bias: AI systems trained on biased data produce discriminatory outcomes (in hiring, lending, policing). Ethical obligation to audit AI systems
- AI in Cybercrime: AI used to generate phishing emails, voice clones (vishing), and automated vulnerability scans — lowering the skill barrier for attackers
- Accountability Gap: When AI makes a harmful decision autonomously — who is liable? The developer? The deploying organisation? The user?
- Data Privacy: Training AI models on personal data without consent violates DPDPA 2023 and GDPR
Internet of Things (IoT)
- Massive Attack Surface: Billions of poorly secured IoT devices (smart TVs, cameras, routers) create entry points for attackers. Mirai botnet (2016) weaponised 600,000 IoT devices for a DDoS attack
- Lack of Security Standards: IoT manufacturers prioritise cost over security — no mandatory patch mechanisms, default passwords, no encryption
- Privacy in Smart Homes: Smart speakers, cameras, and appliances collect continuous data about residents' behaviour — who owns this data?
- Medical IoT (IoMT): Hacking a pacemaker or insulin pump can directly endanger life — safety and liability framework unclear
- Critical Infrastructure IoT: SCADA systems, smart grids — compromise can cause city-wide disruption
Blockchain and Cryptocurrency
- Money Laundering: Cryptocurrency's pseudonymity facilitates laundering of criminal proceeds — used by ransomware groups, drug markets, and human traffickers
- Smart Contract Vulnerabilities: Code bugs in smart contracts have led to hundreds of millions in stolen cryptocurrency (e.g., The DAO hack — $60M stolen, 2016)
- Jurisdictional Ambiguity: Decentralised blockchains have no physical location — which country's law applies?
- Regulatory Uncertainty in India: India's stance on crypto has shifted repeatedly — taxed at 30% (2022) but not fully legalised; VDA framework under development
- NFT Fraud: Fake NFT marketplaces, wash trading, and intellectual property theft via unauthorised NFT minting
Darknet
- What is the Darknet: Part of the internet accessible only via special software (Tor browser); not indexed by search engines. Provides anonymity — used for both legitimate privacy needs and criminal activity
- Illegal Markets: Dark web marketplaces sell drugs, weapons, stolen data, CSAM, and ransomware-as-a-service. Silk Road (2013) was first major dark web takedown by FBI
- Indian Data on Dark Web: CERT-IN has found Indian citizen Aadhaar data, bank credentials, and healthcare records for sale on dark web forums
- Legal Status in India: Accessing the Tor network is not illegal in India. But using it to commit crimes (purchase drugs, CSAM) is prosecuted under IT Act, NDPS Act, and POCSO
- Law Enforcement Challenges: De-anonymising Tor users requires sophisticated techniques and international cooperation (Europol, FBI)
Social Media
- IT (Intermediary Guidelines & Digital Media Ethics Code) Rules 2021: Social media platforms with 5 million+ users in India classified as "Significant Social Media Intermediaries" (SSMIs) — must appoint Chief Compliance Officer, Grievance Officer, and Nodal Officer in India; must trace originator of messages (controversial for WhatsApp)
- Hate Speech and Fake News: IPC Sec 153A (promoting enmity) and Sec 505 (statements causing public mischief) apply to social media content. Platforms must remove flagged content within 36 hours
- Right to be Forgotten: Under DPDPA 2023, users can request removal of personal data from social media platforms (Data Principal's right to erasure)
- Cyberbullying and Cyberstalking: Persistent harassment, trolling, and threatening behaviour on social media prosecutable under IT Act Sec 66A (struck down in 2015 — Shreya Singhal case), now under BNS Sec 78
- Deepfake Misuse on Social Media: AI-generated morphed images/videos of public figures spread viral misinformation — election interference, reputational damage, non-consensual intimate imagery
- Data Mining by Platforms: Cambridge Analytica scandal — Facebook's data was used to target political advertising without user consent — a landmark privacy violation case
References
- NITI Aayog — National Strategy for Artificial Intelligence: https://niti.gov.in/national-strategy-artificial-intelligence
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: https://www.meity.gov.in
- EU AI Act 2024: https://artificialintelligenceact.eu
- Finance Act 2022 — Virtual Digital Assets (Section 115BBH): https://incometaxindia.gov.in
- Shreya Singhal vs Union of India (2015) — Supreme Court struck down IT Act Sec 66A
Case Studies — Online Scams, Frauds & Cybercrime Punishments
Case Study 1 — Pune Citibank Phishing Case (2007) — India's First Major Phishing Conviction
What Happened
Accused Ashish Arora created a fake website that exactly replicated Citibank India's netbanking portal. He sent bulk emails to Citibank customers claiming their account had been suspended and directing them to the fake site. When victims entered their login credentials, Arora captured them and transferred money to mule accounts.
Technical Method
- Domain spoofing — fake URL resembling the bank's genuine domain
- HTML cloning of the bank's login page
- Email harvesting of customer email addresses
- Use of money mule accounts to layer and withdraw stolen funds
Victims and Loss
Approximately 350 Citibank customers were defrauded of over ₹1.5 crore before the scheme was detected. The cyber crime cell of Mumbai Police traced the accused through his IP address logs.
Legal Outcome
- Charged under IT Act Section 66 (computer-related offences), Section 66D (cheating by impersonation using computer resource)
- Also charged under IPC Section 420 (cheating)
- Convicted and sentenced — this case established that Indian courts would take phishing seriously
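The domain-spoofing step in this case, seen from the defender's side: an added example (not part of the original notes) that checks whether a link's host really belongs to the bank or only resembles it. The genuine domain `examplebank.example`, the sample URLs and the function names are constructed placeholders, since the notes do not give the real domains involved.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed placeholder: the notes do not give the bank's genuine domain.
GENUINE_DOMAINS = {"examplebank.example"}

# Small, non-exhaustive map of look-alike characters (digits and Cyrillic
# letters) to the ASCII letters they imitate.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x",
})


def skeleton(name):
    """Fold a host name to a comparison form with look-alikes replaced."""
    return unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Assumption: the last two labels form the registrable domain. Production
    # code should consult the Public Suffix List (needed for names under co.in).
    return ".".join(host.split(".")[-2:])


def check_link(url):
    """Return (verdict, reason); verdict is genuine, lookalike, suspicious or unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("suspicious", "no host in URL")
    if parts.username is not None:
        # Text before '@' is userinfo; the browser connects to what follows it.
        return ("suspicious", "userinfo before '@' hides the real host " + host)
    domain = registrable_domain(host)
    if domain in GENUINE_DOMAINS:
        return ("genuine", domain)
    folded = skeleton(domain)
    for good in sorted(GENUINE_DOMAINS):
        brand = good.split(".")[0]
        if folded == good:
            return ("lookalike", "confusable characters imitate " + good)
        if edit_distance(folded, good) <= 2:
            return ("lookalike", "near-miss spelling of " + good)
        if brand in skeleton(host):
            return ("lookalike", "brand name used inside foreign domain " + domain)
    return ("unrelated", domain)


# Constructed sample links for demonstration.
SAMPLE_URLS = [
    "https://netbanking.examplebank.example/login",
    "https://examp1ebank.example/login",
    "https://ex\u0430mplebank.example/login",          # Cyrillic 'a'
    "https://exampelbank.example/login",
    "https://examplebank.example.secure-login.test/kyc",
    "https://examplebank.example@login-verify.test/",
    "https://weather.test/today",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(check_link(u), "<-", u.encode("ascii", "backslashreplace").decode())
```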
Case Study 2 — "Digital Arrest" Scam — Retired Government Officer Loses ₹1 Crore (2024)
What Happened
A retired IAS officer from Bengaluru, aged 68, received a video call from someone claiming to be a senior CBI officer. The fraudster alleged that the victim's Aadhaar number was linked to a money laundering case and that he was under "digital arrest" — meaning he must remain on the video call 24/7 until the matter was resolved. The victim was kept on the call for 13 days and was instructed to transfer money to "safe RBI accounts" to "verify his innocence."
Psychological Manipulation Techniques
- Fake video calls from individuals wearing police uniforms in realistic-looking "offices"
- Use of TRAI/CBI/RBI letterheads and fake warrant documents to create authority
- Isolation — victim told to speak to no one and stay on video call continuously
- Fear of arrest, social humiliation, and family involvement
- Urgency — "transfer within 2 hours or we issue non-bailable warrant"
Financial Loss
The victim transferred ₹1.02 crore across multiple transactions before his family noticed and contacted police. The money had already been layered through multiple accounts and partially converted to cryptocurrency by the time the FIR was filed.
Legal Action
- FIR registered under IT Act Sections 66C, 66D and IPC Sections 419, 420, 384
- CERT-IN and I4C (Indian Cyber Crime Coordination Centre) were notified
- PM Modi specifically warned citizens about "Digital Arrest" scams in his October 2024 Mann Ki Baat
Case Study 3 — WannaCry Ransomware — India's Exposure (2017)
What Happened
On May 12, 2017, the WannaCry ransomware infected over 230,000 systems in 150 countries within 24 hours. It exploited the EternalBlue vulnerability in the Windows SMB protocol — a zero-day originally developed by the NSA and leaked by the Shadow Brokers hacker group. Once on a machine, WannaCry spread automatically across networks without any user action.
India-Specific Impact
- CERT-IN issued an emergency advisory at 3 AM on May 13, 2017
- Several Indian government systems, state electricity boards, and private companies were affected
- Andhra Pradesh police department's CCTNS (Crime and Criminal Tracking Network) was partially affected
- Multiple Indian banks reported infections but contained damage quickly through network isolation
What Saved Many Indian Systems
- Many Indian organisations still used Windows XP (unsupported) — but Microsoft released an emergency patch even for it due to the global scale
- Quick network isolation by IT teams prevented lateral spread in several organisations
- The "kill switch" discovered by Marcus Hutchins (a British researcher) helped halt global spread within hours
Legal and Policy Response
- CERT-IN mandate: all government systems must report incidents within 6 hours
- MeitY issued patching directives for all government departments
- North Korea's Lazarus Group was officially attributed by USA, UK, and Australia
Case Study 4 — Jamtara SIM Swap Gang Conviction (2021)
Background
The Jamtara cyber fraud network operated across multiple districts of Jharkhand, West Bengal, and Rajasthan. Gang members — many school dropouts — were trained by local "tutors" in vishing and SIM swap techniques. They operated in coordinated call centres, impersonating bank representatives to defraud victims across all Indian states.
Modus Operandi
- Purchased victim's basic personal data (name, bank, phone number) from corrupt insiders or through social media OSINT
- Called victims posing as bank KYC officers, convincing them to share their full card number, CVV, and OTP
- SIM swapping: Submitted fake documents to telecom stores to transfer victim's phone number to a new SIM — capturing all OTPs
- Transferred funds immediately to multiple mule accounts; withdrew cash from ATMs in different cities within hours
Investigation and Outcome
- Operation by Jharkhand Police, Bihar Police, and CBI in a coordinated crackdown in 2020–21
- Over 150 accused arrested across multiple states in a single operation
- Convicted under IT Act Sections 66C, 66D and IPC 419, 420; sentences of 2–3 years imprisonment with fines
- Assets seized including phones, SIM cards, and cash from victims
Case Study 5 — Shreya Singhal vs Union of India (2015) — Landmark Cyber Law Judgment
Background
After the death of politician Bal Thackeray in 2012, Shaheen Dhada posted a Facebook status questioning the Mumbai bandh. Her friend Renu Srinivasan "liked" the post. Both were arrested by Palghar Police under IT Act Section 66A — which criminalised "grossly offensive or menacing" online messages. The arrests caused nationwide outrage, and Shreya Singhal filed a Public Interest Litigation (PIL) in the Supreme Court.
What Section 66A Said
IT Act Section 66A allowed arrest for sending any message that was "grossly offensive," "menacing," or caused "annoyance or inconvenience" electronically — with no clear definition of these terms, giving police unchecked power to arrest for protected speech.
Supreme Court Ruling (2015)
- The Supreme Court unanimously struck down Section 66A as unconstitutional — violating Article 19(1)(a) (Freedom of Speech and Expression)
- Held that the law was vague, overbroad, and chilling on free speech
- Distinguished between "discussion/advocacy" (protected) and "incitement" (not protected)
- Landmark judgment establishing digital speech as protected speech in India
Summary — Lessons Across Case Studies
| Case | Crime Type | Key IT Act Section | Core Lesson |
|---|---|---|---|
| Pune Citibank (2007) | Phishing / Identity theft | Sec 66, 66D | Email authentication + URL verification prevents phishing |
| Digital Arrest Scam (2024) | Social engineering / extortion | Sec 66C, 66D | No law enforcement body ever conducts "digital arrests" — awareness is the only defence |
| WannaCry India (2017) | Ransomware / Critical infrastructure | Sec 43, 66F | Timely patching and network segmentation prevent catastrophic ransomware spread |
| Jamtara SIM Swap (2021) | SIM swapping / Banking fraud | Sec 66C, 66D | Telecom KYC must be hardened; OTP alone is insufficient authentication |
| Shreya Singhal (2015) | Constitutional / Legal | Sec 66A (struck down) | Cyber law must not infringe fundamental rights; judicial review protects free speech |
Cybercrime is not a distant, technical problem — it is a daily reality for Indian citizens, businesses, and government. Understanding the legal framework (IT Act 2000, BNS), recognising attack types, and knowing one's rights under emerging privacy laws are the cornerstones of cyber citizenship. Technology will keep evolving — AI, IoT, blockchain, and the darknet will keep creating new legal challenges. The only lasting defence is an informed, vigilant, and legally empowered population.
References
- IT Act 2000 & 2008 Amendment — MEITY: https://www.meity.gov.in/content/information-technology-act
- Cybercrime.gov.in (National Reporting Portal): https://cybercrime.gov.in
- Helpline 1930 — National Cybercrime Helpline (MHA)
- Shreya Singhal vs UOI [2015] 5 SCC 1 — Supreme Court of India
- MHA I4C Annual Cybercrime Report 2023: https://www.mha.gov.in
- Budapest Convention on Cybercrime, Council of Europe
- Vakul Sharma — Information Technology Law and Practice, 5th Ed., Universal Law Publishing
- Pavan Duggal — Cyber Law: The Indian Perspective, Saakshar Law Publications