CloudSEK, a leading AI-driven cybersecurity intelligence firm, has exposed a sophisticated criminal network involved in the mass production and distribution of fraudulent Know Your Customer (KYC) documents across India.
This operation, dubbed “PrintSteal” by CloudSEK, primarily targets the Indian government’s Common Service Centre (CSC) initiative, creating unauthorized websites that impersonate legitimate CSC portals. These websites offer critical KYC services, such as Aadhaar downloads and address updates, at minimal fees while bypassing standard security protocols.
The PrintSteal operation has been active since at least 2021 and utilizes a network of over 2,727 registered operators, often local mobile shops and cybercafes, to distribute the fraudulent documents. CloudSEK investigations revealed that more than 167,391 fake documents have been generated through these platforms, including over 156,000 fake birth certificates. The operation has a significant online presence, with over 1,800 domains linked to it, including 600+ currently active.
Key Findings of the CloudSEK Investigation
- Massive Scale: The fraudulent operation has been linked to over 1,800 domains, with at least 600 active websites facilitating the generation of counterfeit KYC documents.
- Fake Document Factory: 167,391+ fake documents generated on the crrsg.site platform, including over 156,000 fake birth certificates.
- Criminal Network: 2,727+ registered operators on the crrsg.site platform alone, utilizing local mobile shops and cybercafés to distribute fake documents.
- Financial Gain: The platform under investigation, crrsg.site, has generated an estimated ₹40 lakh in revenue, showcasing the profitability of these fraudulent services.
- Sophisticated Infrastructure: The operation employs encrypted communication via Telegram, illicit APIs to access Aadhaar and PAN data, a structured payment system, and pre-built templates for quick document generation.
- Geographic Reach: Confirmed activity in 24 states across India, highlighting the operation’s widespread presence. Bihar and Uttar Pradesh have the highest percentage of identified fake documents.
The CloudSEK report provides a detailed analysis of one platform, crrsg.site, as a case study to illustrate the complexity and scale of the broader threat. The platform offers a streamlined process for generating fake documents, including access to illicit APIs that provide Aadhaar, PAN, and vehicle information. It also features a centralized payment system and encrypted communication channels, such as Telegram, for training and coordinating with affiliate operators.
The threat actor behind crrsg.site has generated an estimated ₹40 lakh in revenue from this platform alone. However, considering the higher-priced services offered, the existence of multiple similar platforms, and the ongoing nature of the operation, the actual profits are likely much higher.
How the PrintSteal Scam Works:
- Fake Websites: Scammers create websites that look like official government sites to trick people.
- Easy Access: These fake websites offer quick and easy “services” to get KYC documents like Aadhaar cards or PAN cards for a small fee.
- Hidden Network: The scammers work with local shops and internet cafes, who act as middlemen to bring in customers.
- Data Input: When someone wants a document, these middlemen enter the person’s details into the fake website.
- Document Forgery: The website uses this information and pre-existing templates to create a fake document that looks real.
- Fake QR Codes: To make the documents seem even more real, they add QR codes that link to other fake websites, pretending to be for verification.
- Profit Sharing: The scammers charge the middlemen a small fee for each document, and the middlemen charge the customers a higher fee, pocketing the difference.
- Staying Hidden: The scammers are careful to hide their activities. They use secure messaging apps and change websites frequently to avoid getting caught.
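The “Fake QR Codes” step above is the one a verifier can actually test for: a QR code on a document only proves something if the URL it decodes to lands on a domain the issuing authority controls. The following is an added example (not code from CloudSEK or from the report) of the host check a document-verification app or a fraud-desk triage script would apply to a decoded QR URL before trusting anything the linked page says. The allowlist (`gov.in`) and the sample URLs are assumptions constructed for the example; a real deployment would use the exact domains published by the issuing authority.

```python
from urllib.parse import urlparse

# Registrable domains under which a genuine government verification
# page may be hosted. Assumption for this example; a real verifier
# would use the authority's published list.
OFFICIAL_DOMAINS = ("gov.in",)

# Labels that impersonation sites tend to embed in their hostnames to
# look official (heuristic, tuned to the impersonation described above).
SUSPICIOUS_LABELS = ("gov", "csc", "uidai")


def host_is_official(host: str) -> bool:
    """True only if host equals, or is a subdomain of, an allowlisted domain.

    Matching on '.' + domain prevents 'fakegov.in' from passing as 'gov.in'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_verification_url(url: str) -> str:
    """Classify a QR-decoded URL as 'official', 'lookalike', 'unverified' or 'invalid'.

    'lookalike' covers hosts that embed official-looking labels outside the
    registrable domain (gov.in.example.net) and URLs that hide the real host
    behind userinfo (https://uidai.gov.in@example.net/...).
    """
    try:
        parsed = urlparse(url)
    except ValueError:
        return "invalid"
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "invalid"

    # Anything before '@' is userinfo, not the host; a document verifier
    # has no reason to carry credentials, so treat it as disguise.
    if parsed.username is not None:
        return "lookalike"

    host = parsed.hostname.lower()
    if host_is_official(host):
        return "official"

    labels = host.split(".")
    if any(tok in label for label in labels for tok in SUSPICIOUS_LABELS):
        return "lookalike"
    return "unverified"


def triage(urls):
    """Map each decoded QR URL to its classification."""
    return {u: classify_verification_url(u) for u in urls}


# Constructed sample of QR destinations, not real observations.
SAMPLE_QR_URLS = [
    "https://uidai.gov.in/verify?id=1",
    "https://gov.in.example.net/verify",
    "https://uidai.gov.in@example.net/verify",
    "https://csc-services.example.org/verify",
    "https://example.net/verify",
    "ftp://uidai.gov.in/verify",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_QR_URLS).items():
        print(f"{verdict:10s} {url}")
```

Only an `official` verdict justifies trusting the linked page, and even then the page's content must be cross-checked against the authority's own records; `lookalike` and `unverified` destinations are exactly the second-stage fake sites the scam relies on to make a forged document appear validated.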
“The ease with which these fake documents are being generated and sold highlights a major cybersecurity and regulatory challenge. The scale of this operation and the ease with which it can generate fake KYC documents is alarming. It is crucial for the government, law enforcement agencies, and cybersecurity firms to work together to dismantle this network and protect citizens from identity theft and financial fraud,” said a CloudSEK security researcher.
The CloudSEK report provides detailed recommendations for countering the PrintSteal threat, including:
- Immediate law enforcement response to investigate and prosecute key actors.
- Domain and website takedown operations in collaboration with hosting providers.
- Disruption of the affiliate network through targeted investigations and public awareness campaigns.
- Enhanced security and authentication protocols for KYC services.
- Public awareness and education campaigns to inform citizens about the risks of fraudulent KYC websites.
- International collaboration for cybercrime prevention.
CloudSEK urges the public to be vigilant and avoid providing personal information to unverified websites or individuals. The company also encourages anyone with information about the PrintSteal operation to contact law enforcement authorities.