APK Files, Mule Accounts and Jharkhand Links: How Delhi's Cyber Fraud Ring Was Dismantled

Delhi Police Arrest Ten for Rs 26 Lakh Banking Fraud Using Fake APK Files and Bank Impersonation

The420 Web Correspondent

The Delhi Police Cyber Cell arrested ten individuals following a complaint registered at the Cyber South West Police Station, solving four separate cyber fraud cases as part of a coordinated operation. The accused used three distinct methods to gain unauthorised access to victims’ bank accounts: malicious APK files delivered via WhatsApp, impersonation of bank and utility officials, and remote-access techniques that handed fraudsters full control of a victim’s mobile phone.

The modus operandi followed a consistent pattern. Accused persons posed as bank officials or representatives of utility services and contacted victims on various pretexts, including assistance with senior citizen cards, credit card KYC verification, and traffic challans. Victims were then persuaded to download APK files sent through WhatsApp. Once installed, the malware gave the fraudsters access to internet banking credentials and one-time passwords, allowing them to siphon money directly from the accounts.

The Indian Cybercrime Coordination Centre has previously warned that once a malicious APK file is installed, hackers gain control of the device and can drain bank accounts within minutes. The Delhi operation demonstrates precisely how this threat plays out in practice, moving from a deceptive message to a completed financial fraud through a sequence that takes very little time and requires no technical sophistication from the victim.

The Cases Broken Down

The most significant case involved a senior citizen who lost Rs 18.50 lakh. Fraudsters posed as bank officials, offered to help obtain a senior citizen card, sent a forged identity document to establish credibility, and then persuaded the victim to install a malicious application. Once access was gained, the money was withdrawn through mule bank accounts.

Based on technical surveillance and interstate raids in Jharkhand, police arrested the alleged kingpin, Manjoor Alam, along with five associates who were responsible for arranging the mule accounts used to route the stolen funds. In separate operations forming part of the same investigation, police arrested Ravindra Kumar Mandal in connection with a Rs 1.01 lakh credit card KYC fraud, Ramvijay Kumar Das for a fake M-Parivahan challan malware scam involving Rs 1.09 lakh, and Ankit Kumar along with Golu Kumar in a fake BSES electricity officials’ scam in which a victim lost Rs 6.31 lakh.

Investigators recovered 14 mobile phones, a laptop, digital evidence, and a Mahindra Thar Roxx SUV that police allege was purchased using the proceeds of crime. The presence of a luxury vehicle among the recovered assets points to a syndicate that was generating meaningful returns from its operations.

A Shared Infrastructure Across Multiple Frauds

What links these otherwise distinct cases is the infrastructure the accused shared. Police said the syndicate operated by circulating SIM cards, mobile phones, mule bank accounts, UPI IDs, and internet connectivity among its members to execute frauds across multiple states. This kind of shared operational stack, where different members contribute specific resources rather than running self-contained operations, is a defining feature of organised cyber fraud networks.

The Jharkhand connection in the kingpin’s arrest is also significant. The Jamtara belt of Jharkhand has been repeatedly identified as a hub for APK-based cyber fraud, with criminals there evolving from earlier phone-based OTP scams to more technically sophisticated malware operations. The Delhi operation’s interstate dimension, with raids stretching to Jharkhand to reach the alleged kingpin, underlines that even urban cyber fraud cases often have roots in well-established criminal geographies.

APK files impersonating services such as bank KYC portals, RTO e-challans, and electricity bill update services have been developed and sold to other fraudsters through Telegram bots, with individual developers reportedly supplying malicious software to hundreds of criminal operators across the country. What appears to a victim as a single fraudulent message may, in reality, be the end-point of a supply chain that spans developers, distributors, callers, and account handlers working across state lines.

What Comes Next

Further investigation is underway to identify additional members of the network and establish the full extent of the fraud operation. The recovery of a vehicle linked to crime proceeds also opens a potential avenue for attachment proceedings under money laundering provisions.

For victims, the cases reinforce a well-documented pattern: APK files disguised as legitimate services and delivered through WhatsApp remain one of the most effective tools cyber fraudsters use to compromise mobile phones, steal credentials, and drain accounts. Authorities have consistently advised that APK files from outside official app stores should never be downloaded, regardless of the apparent identity of the sender or the urgency of the message accompanying them.
