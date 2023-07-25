In April, when a Dubai-based businessman arrived in India to meet his daughter studying at an engineering college in Delhi, he discovered a problem with his Indian bank account. As one normally would, Anil Nautiyal looked up a helpline number for his bank, made a call, and asked for help. What followed was a series of conversations that led Nautiyal — by now convinced he was coordinating with State Bank of India staff — to giving up his account’s access to scammers based in Jharkhand. The 51-year-old Nautiyal would go on to lose ₹10 lakh. HT Image

When police received his complaint, little apart from the amount of funds stolen stood out at the outset. Such scams have become uncomfortably common in India, where a rapid digital revolution has left behind many with inadequate awareness of how to discern the genuine from the fraud at risk. But as investigators began following clues from the first phone number Nautiyal called, they uncovered a trail that led them to Jamtara, in Jharkhand, and then to Murshidabad in West Bengal. In all, they arrested six people but it was one specific person who represented a crucial cog of what the investigators later realised was a formidable underground cyber fraud machinery: 31-year-old Nasim Malitya.

Malitya, Delhi Police officers investigating the case told HT, made a business out of supplying active mobile connections and pre-activated user accounts (which need a mobile number) to cyber scammers, defying the mandated know-your-customer (KYC) processes that companies enforce before they hand out connections. Such pre-activated connections are registered with telecom companies under genuine names of people who may have lost or had their phones stolen (but never bothered to have them blocked) or, worse, may not even know their identity documents were misused.

It is a supply chain of such connections that underpins India’s burgeoning spam and fraud industry — the National Crime Records Bureau is yet to track it as a separate crime — since the bad actors are never linked to the numbers they use, making it difficult for law enforcement to catch them and telecom companies to keep them off their networks.

“When we visited Malitya’s house, we found 21,761 SIM cards that he kept in buckets and iron boxes. The cards were all pre-activated and ready to re-use,” said Raman Kumar Singh, station house officer (SHO) of outer-north district’s cyber cell police station, who led the investigation into Nautiyal’s case.

The number is staggering: 21,761.

SIM in a stack of scrapTo understand what enabled Malitya’s SIM laundering business requires a look at where he comes from. Once an AC mechanic, Malitya lives in Heropara village in Kashipur town, an hour’s drive from Murshidabad. Heropara is home to a thriving scrap business – specifically, of old mobile phones, whether stolen or lost.

“When we visited Heropara village where Malitya lived, we were astonished to see that mobile phones were sold as scrap on pushcarts in neighbourhoods. Such items in bulk were lying in open on several properties. The villagers as well as the local police weren’t considering it a crime but a prime source of earning,” said sub-inspector (SI) Jagdeep Nara of the outer district cyber cell, who was part of the team that arrested Malitya.

Malitya, Nara said citing the man’s statements to police, entered the scrap business five years ago. But Matiya was smarter: unlike his fellow villagers, who mostly refurbished old or damaged mobile phones and sold them as used devices, he saw an opportunity in the fact that many of the devices still had SIM cards.

“He would put the SIM cards in his cellphones to check if they were still active and in about 8% to 10% of the cases, they worked,” the first officer quoted above said. “He would separate these SIM cards from the dead ones, and keep them to sell.”

During the investigation, when police looked up how many connections were at one point associated with one of his phones (by looking up what is known as IMEI records), they found Malitya had inserted at least 12,500 active chips between March 2022 and March 2023.

Of the 21,761 SIM cards found during searches at his home, there were connections from least four more countries — United Arab Emirates (the UAE), Bangladesh, Sri Lanka, Bhutan and Nepal.

Murshidabad to Jamtara, via MewatMalitya did not merely sell these SIM cards to scammers, who use numbers that cannot be traced back to them for attacks like phishing and vishing, in which they convince targets like Anil Nautiyal to give up access or sensitive information. He offered his own value-added service.

What Malitya did additionally was use the SIM cards to offer one-time passwords, or OTPs, for scammers to sign up on services such as WhatsApp and e-commerce websites such as OLX. It is often these websites that become a platform for scams.

“There are groups of cyber scamsters on encrypted mobile apps such as Telegram and Signal who look for such OTPs. Malitya would offer to sell OTPs to the groups through these messengers. The interested individual would strike a deal with him and the OTP would be sold at rates ranging between ₹5 and ₹20, depending on the apps against which it was generated,” the first officer said.

“The buyers of OTPs are mostly from Mewat regions, such as Bharatpur in Rajasthan, which in the recent years has emerged as another major hub of cyber crooks,” said the officer, and added that on average, Malitya earned around ₹300 everyday by selling 20 to 30 OTPs.

Once he generated, and sold, enough OTPs from a SIM card, he marked the cards themselves for sale. “Malitya would prepare a packet of 100-200 SIM cards and reach a local market, where he would sell them to prospective buyers. These buyers are members of syndicates that involve in procurement and supply of pre-activated SIM cards to cyber crooks in Jamtara and other states. Malitya sold one SIM card for prices ranging between ₹200 and ₹400. Thus, he earned anything between ₹2,000 and ₹4,000 per day,” said the officer.

The Murshidabad Police, however, disagreed with the characterisation of the Heropara village.”It may be that one person was involved. But such allegations that stolen mobile phones and SIM cards were being openly sold are not true. We haven’t come across any such things,” said a senior police officer of Murshidabad district, asking not to be named.

How security checks failAs on April, India had a little over a billion active mobile connections, according to data from the Telecom Regulatory Authority of India (Trai). Among these, even if 0.1% lost SIM card over the year and chose not to have it blocked, that would make a potential of a 1 million connections .

The Delhi Police officials said the failing of KYC checks has meant that there is an interstate network of cyber fraud so wide, that investigations often lead them to various suspects in faraway locations in West Bengal, Jharkhand, Haryana and Odisha, where different cogs of the industry work in close coordination.

The groups that procure SIM cards for fraud use carriers and couriers for transporting them to cyber crime in hotspots. Consignments are sent through human carriers and by concealing in gift packs and wedding invitation cards, the second officer said.

“Hundreds of truckers from the Mewat, Alwar and Bharatpur regions frequent states such as Assam, Odisha and West Bengal to deliver goods. While returning, they bring along consignments of SIM cards with them and deliver them to cyber criminals back home. The truckers are suitably paid for the safe transportation,” added the first officer.

While Malitya’s way of functioning is novel, the bulk of the illegal SIM card access still happens through dealers in states such as West Bengal, Odisha and Assam, where identity checks are lax. This mainly happens in two ways: one, when a SIM card seller fools genuine customers in scanning their fingerprint for Aadhaar authentication (one of the quickest and easiest identity verification) multiple times, and two, when they use identity documents obtained without consent.

“When cyber crooks obtain pre-activated SIM cards, they not only use them for financial frauds, impersonation and cheating but also create fake websites and identities on social media,” said Amit Dubey, a cybersecurity expert who has worked on cyber forensics with law enforcement agencies.

Nautiyal’s first brush with the cyber scammers was, in fact, when he called a fraud number which was listed as a genuine helpline on a search page -- something that can be done by misusing legitimate phone numbers.

“Nine SIM cards can be issued on one Aadhar Card. Criminals involved in cyber crimes use IDs of poor and uneducated people living in remote villages of Odisha and West Bengal to obtain multiple SIM cards and open bank accounts, thus bypassing the mandated KYC. The government has now decreased this number to three , hoping that it would decrease the misuse of SIM cards in cyber and other crimes. However, a lot more needs to be done by the government to curb the rising cases of such crimes. Special attention and action is required in the 35 areas in Jharkhand, Rajasthan and West Bengal that have been identified as cybercrime hotspots in India,” added Dubey.

Malitya is still in Tihar prison while of the ₹10 lakh Nautiyal lost, the police have recovered ₹9.73 lakh that has since been refunded to the account, the investigating team said.

ABOUT THE AUTHOR Karn Pratap Singh Karn Pratap Singh has been writing on crime, policing, and issues of safety in Delhi for almost a decade. He covers high-intensity spot news, including terror strikes, serial blasts and security threats in the national capital. ...view detail