New Delhi: In the first week of December, police in Jharkhand’s Jamtara district were conducting a routine investigation into multiple cybercrime cases. Nestled between West Bengal on one side and Dhanbad, Dumka, and Deoghar on the other, Jamtara district is notorious for being a hotspot of online fraud and sees frequent arrests related to such crimes.
What began as a seemingly routine interrogation led to the discovery of a cybercrime module that affected nearly 3,000 mobile users and defrauded people of approximately Rs 12 crore. According to Jamtara Police, the operation—allegedly run by school dropouts using the pseudonym “DK Boss”—was linked to more than 500 cybercrime cases.
During the investigation, police discovered that these school dropouts leveraged modern technologies like ChatGPT to identify glitches in the Android application packages (APKs) they developed, having learned the process through YouTube tutorials. An APK is a file format used to install mobile applications on Android devices.
These APKs were sold to low-key cyber criminals at a hefty cost of Rs 25,000 per month, which then enabled them to infiltrate the mobile phones of government scheme beneficiaries and account holders of major banks such as Punjab National Bank and Canara Bank.
Police officials estimate that the module was involved in transactions exceeding Rs 50 crore, including Rs 12.6 crore directly siphoned from victims through cyber fraud. They further revealed that data from approximately 2,700 victims—comprising nearly 2.5 lakh messages containing WhatsApp OTPs, PhonePe login OTPs, banking transaction details, and more—was recovered from a website created by the gang members.
Additionally, investigators recovered data from nearly 2,000 Punjab National Bank account holders and 500 from Canara Bank.
After an investigation lasting more than a month, the Jamtara district police on Saturday evening arrested six suspects—Mahboob Alam (25), Aarif Ansari (27), Belal (27), Safaiddin Ansari (26), Jashim Ansari (30) and Ajay Mandal (28)—from the district’s Narayanpur area.
Speaking to ThePrint, Jamtara Superintendent of Police Ehtesham Waquarib said that officers could establish at least 415 complaints against apps linked to this syndicate registered with the repository maintained by the Indian Cyber Crime Coordination Centre (I4C) till the time of arrest of the gang members.
‘Cyber crime as a service’
Having been led to this organised cybercrime module, the Jamtara SP formed a special investigation team (SIT) led by Assistant Superintendent of Police (ASP) Raghvendra Sharma to uncover its origins and modus operandi.
During questioning, one of a second set of accused revealed to investigators that he was once approached by a middleman who offered APKs of apps to defraud people.
“The cost of Rs 25,000 per APK was too much for him and he backed out of the plan. But his revelation was a confirmation that one pseudonym DK Boss was running this module of fake apps and frauds,” ASP Sharma told ThePrint.
But investigators discovered a crucial link on the accused’s phone, which had been sent to him as part of an offer to purchase the fraudulent APKs.
What investigators uncovered through the links was shocking.
“There was a proper mechanism set up digitally by DK Boss to give his subscribers access to data being captured fraudulently through APKs generated by him, as well as sensitive information such as the data stored in phones of victims preyed upon by them. How many mobile phones and kind of data these APKs could extract was available to subscribers,” a police officer privy to the investigation told ThePrint.
The Jamtara SP stated that, according to the module, fraudulent APKs were created in the names of major PSU banks like Punjab National Bank and Canara Bank to target their large customer bases. Additionally, APKs named “PM Kisan Yojna.apk” and “PM Fasal Bima Yojna.apk” were designed to deceive beneficiaries of these government schemes.
The SP further explained that cyber criminals purchasing these fraudulent APKs were offered a one-month guarantee, during which any issues, including malware or malfunctions, would be addressed.
“As per the module, cyber criminals had to purchase these APKs at a price of Rs 25,000 monthly for which they were guaranteed smooth functioning as well as access to all information and data extracted from the phones of targeted victims,” another police officer said.
The Jamtara SP described the operation as a “Cyber Crime as a Service” model, likening it to the Software as a Service (SaaS) ecosystem, where organised, digital delivery of fraudulent products was provided to customers.
Another police officer said that more than 100 such customers of APKs have been found so far, adding that there are chances of one customer purchasing more than one APK.
“They have been developing and selling these APKs for some time now and there are hundreds of customers. The sheer volume of customers and the organised level of service suggests it to be on par with SaaS industry,” SP Waquarib told ThePrint.
YouTube, AI make up for lack of formal education
Officials revealed that the six arrested suspects operated like a well-organized firm. Aarif Ansari, Mahboob Alam, and Belal worked under pseudonyms, with Aarif and Mahboob responsible for developing the APKs, while Belal supplied them to cyber criminals using the same aliases.
Safaiddin Ansari and Jashim Ansari facilitated the transfer of defrauded amounts by providing banking accounts for the transactions.
“After facilitating the deposit of defrauded money into bank accounts, Jashim Ansari would withdraw the funds and hand over cash to cybercriminals who had purchased APKs. However, he kept a commission of about 40 percent for himself. The cybercriminals used these APKs to infiltrate the phones of unsuspecting victims, using their accounts to transfer the stolen funds. This is why investigators struggled to trace the money trail back to the criminals,” ASP Sharma told ThePrint.
To repair the APKs they sold, they utilised AI platforms like ChatGPT, seeking assistance in identifying and fixing flaws in the code.
The prime accused, Mahboob Alam, was a school dropout but taught himself coding through YouTube videos sent to him by professional trainers from outside Jharkhand. He was the key figure behind building the fraudulent APKs.
“There are also email trails that establish him learning coding through trainers on email and digital platforms. ChatGPT was used to find out the flaws in the codes that created malfunctions or were exposed to malware and were fixed by them,” a senior police officer said.
The officers further explained that on panels developed by the gang members, 28 mobile numbers were discovered. When these numbers were cross-referenced with data stored in Samanvaya, a joint platform between I4C and other law enforcement agencies like state police, connections to 114 additional cases were found. This brought the total number of fraud cases linked to this module to 529.
The digital chase
Initially, investigators followed leads that pointed to 15-20 contact numbers, but none proved significant as they were all switched off and inactive, offering no clue about their location. However, a detailed call data record (CDR) analysis, combined with cross-referencing the IMEI numbers of the handsets using these numbers, revealed one unique contact number—it was the only number associated with handsets having similar IMEI numbers, and it was still active.
“That number was some 5-6 years old and was purchased by Aarif in his own name, possibly before starting his criminal journey,” a police officer said.
The mobile number led the police to the Ahilyapur area in the neighboring Giridih district, where they arrested Akhtar, a relative of Aarif, who worked as a developer of their fraudulent APKs.
Akhtar’s arrest earlier this month provided the first breakthrough regarding the real identity of “DK Boss”. Akhtar revealed it was the pseudonym used by Aarif and Mahboob. “The number registered in Aarif’s name was later handed over to Akhtar,” the officer further added.
However, the investigation remained limited as Akhtar had never been contacted through a regular voice call. As a result, he could only provide the WhatsApp numbers used for communication.
“They never communicated even with their family members on normal calls. It was all through WhatsApp calls based on numbers which were inactive. They either used numbers which were discontinued by telecom providers or were issued in some other name, hence zeroing in on one number was quite a task,” another police officer said.
However, through a trial-and-error method, investigators tracked down one active number, which was seen in various locations across the country for a period of 10-12 days—a sign, investigators said, that established that suspects were on the move.
After nearly a month of pursuit using digital tools and techniques, the accused were arrested Saturday night and have since been sent to judicial custody, the Jamtara SP said.
(Edited by Zinnia Ray Chaudhuri)