How India's Cybercrime Ecosystem Works
Cybercrime is India's fastest-growing crime category: NCRB 2023 recorded 31.2% growth to approximately 86,000 cases; NCRB 2024 recorded a further 17% rise to 1.01 lakh (101,000) cases — representing only the tip of an iceberg since massive under-reporting characterises cybercrime.
The India Cyber Threat Report 2025 by DSCI documented 369 million malware detections across 8.44 million endpoints, averaging 702 potential attacks per minute on India's digital infrastructure. The most significant new category in 2024 was the "Digital Arrest" scam — where criminals impersonating CBI, Customs, or police officers conduct video calls threatening immediate arrest and extort victims into transferring their life savings; the PM had to address this specifically in his Mann Ki Baat broadcast, indicating its scale and social impact.
![]() |
| Representational Graphic: How India's Cybercrime Ecosystem Works |
The second is sophisticated cyberattack infrastructure — ransomware,
state-sponsored intrusion, DDoS attacks on critical infrastructure —
predominantly from Chinese and Pakistani state-adjacent actors as documented in
Label 8. Both categories are growing; the law enforcement response is
structurally underprepared.
What You Need to Know
- NCRB
2024 cybercrime: 1.01 lakh cases — a 17% rise from 2023's 86,000; fraud
dominant motive (70%+ of cases); digital arrest scams the major new trend;
cybercrime rate 7.3 per lakh population (up from 6.2 in 2023); Delhi and
Maharashtra highest absolute case counts.
- I4C
(Indian Cybercrime Coordination Centre): MHA body coordinating state
police cybercrime response; manages cybercrime.gov.in reporting portal; in
2024–25 blocked 7 lakh SIMs used in fraud, blocked 1,11,185
"suspicious" online content items; operates Samanvay Platform
for inter-state cybercrime coordination.
- Digital
arrest scam mechanics: criminals call victims (typically elderly or less
digitally literate) on video call; impersonate police/CBI/Customs
officials; show fake "arrest warrant"; claim victim's
phone/Aadhaar linked to crime; demand "penalty" or
"bail" transferred digitally to "safe account";
sophisticated operations use fake agency uniforms, fake offices in video
backgrounds; estimated losses ₹1,500+ crore nationally in 2024.
- Southeast
Asian cyber fraud connection: Indian nationals (and some foreign
nationals) trafficked to Myanmar, Cambodia, Thailand, and Laos to operate
cyber fraud call centres under criminal control; trafficked individuals
are forced to conduct phone/internet fraud against Indian victims;
Ministry of External Affairs has assisted in repatriation of some victims.
- Cybercrime
hotspots: Jamtara (Jharkhand) — documented as India's "phishing
capital," specialising in OTP fraud, mobile banking fraud, UPI
cloning; Mewat (Nuh district, Haryana) — extensive sextortion, fake loan
app fraud; Bharatpur (Rajasthan); Black zones documented by CERT-In and
I4C for unusual concentration of fraud origination.
How It Works in Practice
1. The cybercrime reporting and response gap: A
cybercrime victim who loses money can: file a complaint on cybercrime.gov.in
(24/7 portal); call 1930 (cybercrime helpline); file a local FIR at the nearest
police station (referring to cybercrime unit). In practice: most victims who
file complaints on cybercrime.gov.in receive automated acknowledgment but no
active investigation; only large-value cases receive dedicated investigation
attention; district police cybercrime units are understaffed; the 1930 helpline
has improved fund-freeze response time (30-minute window for freezing
transferred funds), reducing actual loss in some cases.
2. The jurisdictional fragmentation problem:
Cybercrime is inherently multi-jurisdictional: a fraud call originates in Mewat
(Haryana), the victim's bank account is in Bengaluru, funds are transferred to
a mule account in Kolkata, and ultimately withdrawn in Delhi. The investigation
requires coordination across four state police forces, national banks, NPCI
(UPI transaction records), and potentially international agencies; state police
forces are reluctant to share jurisdiction; the I4C's Samanvay Platform facilitates
coordination but does not resolve the fundamental jurisdictional issue.
3. Jamtara and the organised cybercrime cluster model:
Jamtara's rise as India's phishing capital — documented in Netflix's
"Jamtara" docudrama — illustrates how criminal specialisation
clusters develop: early success in phone fraud attracted more participants;
informal mentoring spread skills; equipment (SIM cards, smartphones, fake
banking apps) became locally available; the local political economy tolerated
the activity (income generation in a poor district); police raids disrupted but
did not eliminate the cluster. The Mewat sextortion model similarly involves
thousands of operators running relatively low-sophistication but high-volume
fraud operations.
4. The foreign cyber fraud connection: India's most
sophisticated cyber fraud networks have Southeast Asian connections:
recruitment agents in Indian cities target young men (and some women) with
offers of data entry jobs in Thailand or Cambodia; victims travel to
Myanmar/Cambodia border areas; their passports are confiscated; they are forced
to conduct phone/online fraud under criminal supervision; Indian MEA has
repatriated hundreds of such trafficking victims from Myanmar and Cambodia. The
cybercrime is therefore both a domestic law enforcement problem and an
international human trafficking problem.
5. Legal framework for cybercrime: The primary
cybercrime law remains the IT Act 2000 (with 2008 amendments); the BNS and BNSS
do not substantially change cybercrime law; key cybercrime provisions: IT Act
Sections 66 (computer-related offences), 66C (identity theft), 66D
(impersonation using computer resource), 43 (compensation for computer damage),
66F (cyber terrorism, up to life imprisonment). The DPDPA 2023 adds data
protection requirements that indirectly address some cybercrime enabling
conditions. India lacks a standalone cyber crime act similar to the US Computer
Fraud and Abuse Act.
What People Often Misunderstand
- Most
cybercrime victims in India are defrauded, not hacked: The dominant
cybercrime category is social engineering fraud (convincing victims to
voluntarily transfer money), not sophisticated hacking; the "digital
arrest" scam requires no technical hacking skill, only social
manipulation; technical defences (strong passwords, two-factor
authentication) protect against hacking but not against social
engineering.
- Cybercrime.gov.in
reporting is not the same as active investigation: The portal
processes millions of complaints; only a small fraction receive active
police investigation; the primary near-term utility of reporting is
enabling the 1930 helpline's fund freeze function (which requires rapid
complaint for effectiveness) rather than expecting prosecution.
- Young
men in Jamtara are victims of economic exploitation as well as
perpetrators: Jamtara's cyber fraud operators typically have minimal
education and limited employment alternatives in a poor region; the
criminal organisations benefit disproportionately from their risk-taking;
criminal justice approaches that focus on prosecution without addressing
economic development have limited deterrent effect in the long run.
- India's
49% of global real-time transactions makes UPI fraud a globally
significant problem: UPI's extraordinary scale means that UPI fraud —
cloned QR codes, fake payment requests, phishing for UPI PINs — is among
the world's largest digital payment fraud problems in absolute terms; even
a small fraud rate on trillions of rupees of annual transactions is
significant.
- Not
all cybercrime investigations are stymied by cross-border jurisdictions:
The majority of India's cybercrime (Jamtara, Mewat patterns) is domestic —
domestic perpetrators, domestic victims; the jurisdictional challenge is
inter-state coordination within India, not international, for the dominant
fraud categories; the international dimension (Chinese and Pakistani state
hackers) is a distinct and smaller category.
What Changes Over Time
CERT-In's 2025 comprehensive cybersecurity audit
requirements for critical sectors — mandating annual third-party audits — will
improve detection of critical infrastructure vulnerabilities. The AI-driven
threat detection that CERT-In is deploying (WEF Cybersecurity Outlook 2025
highlighted) will improve national-level cyber threat awareness. The 30-minute
fund freeze window at the 1930 helpline — operational since 2023 — has made
rapid reporting the single most actionable victim response available.
Sources and Further Reading
- Drishti
IAS — NCRB 2024: https://www.drishtiias.com/daily-updates/daily-news-analysis/ncrbs-crime-in-india-2024-report
- Carnegie
Endowment — India Cybersecurity 2025: https://carnegieendowment.org/research/2025/09/mapping-indias-cybersecurity-administration-in-2025?lang=en
- CIVICUS
Monitor — India: https://monitor.civicus.org
- PIB — CERT-In 2025: https://www.pib.gov.in/PressReleasePage.aspx?PRID=2217537®=3&lang=1
