When a 49-year-old resident of Kankarai village installed what he believed was an official traffic challan application sent through WhatsApp on an October afternoon, the file appeared ordinary. It bore a familiar abbreviation — “RTO Challan” — and mimicked the tone of official correspondence. Within hours, however, the man discovered that ₹7.20 lakh had disappeared from his HDFC Bank account through a series of unauthorised withdrawals.
The complaint he filed two days later set off a cross-state hunt that illustrates both the vulnerabilities exploited by cybercriminals and the capacities Indian police forces are racing to build in response.
A Case that Began with a Message
According to police records, the victim, Sukanta Kumar Pradhan, received the APK file from an unknown WhatsApp number on October 10, 2025. The file prompted him to install an application appearing to be related to traffic penalty processing — a routine concern in a country where digital payment notifications from transport offices have become commonplace.
But behind the interface lay a remote-access trojan, investigators said, enabling the accused to siphon money across multiple transfers. The fraudulent withdrawals continued until the victim discovered the loss and lodged a complaint on October 12 at Angul Cyber Crime & Economic Offence Police Station. A case was registered under Sections 318(4)/319(2) of the Bharatiya Nyaya Sanhita and Section 66-D of the Information Technology Act, which addresses cheating by personation using electronic communication.
Digital Footprints Lead Investigators to Prayagraj
Inspector Santosh Kumar Jena, who led the investigation, said the team followed a typical but increasingly effective sequence: tracing the financial trail, analyzing SIM activations, and piecing together bank transaction metadata. The trail pointed to Prayagraj in Uttar Pradesh, where at least ₹7 lakh was found to have been routed into a Bank of Baroda account.
A special team left Angul last week to coordinate a raid with local police in the jurisdiction of Airport Police Station. The suspect, identified as Md. Adil, arrested without incident, was brought to Odisha on transit remand. During interrogation, he confessed to having transferred and spent part of the stolen amount, investigators said.
Among the items seized were multiple identity cards — Aadhaar, PAN, voter ID, driving licence — a smartphone believed to have been used for coordinating the scam, an ATM card, and records from a mobile shop.
A Growing Pattern of APK-Based Cyber Fraud
While phishing emails and fraudulent payment links remain common tools in cybercrime, malicious APK files distributed through instant messaging platforms are becoming an increasingly favored method among fraud networks. Cybersecurity officials say the technique leverages routine public dependence on government digital services, particularly e-challan and licence-related notifications.
In small towns and rural areas — where institutional awareness often lags behind technology adoption — these attacks have accelerated. Police officials in Odisha and elsewhere say the problem has outpaced the capabilities of conventional investigation and demands deeper inter-state coordination and digital forensics training.
The Angul Police Commissionerate publicly praised the team — Inspector Jena and constables Anil Kumar Sahu, Rohit Kumar Majhi, and Soumya Ranjan Majhi — describing the swift arrest as evidence that cybercrime enforcement can be effective when banks and telecom partners cooperate.
As the accused awaits further legal proceedings, the case continues to unfold, offering both a cautionary tale for digital consumers and a window into the changing face of crime in India’s rapidly expanding online economy.
