
Abstract

Cyber crime has moved from a niche policing concern to a systemic risk for India’s economy, citizens, and institutions. It now spans low-value social engineering scams and high-impact attacks such as ransomware, data breaches, deepfake-enabled impersonation, and supply-chain compromises. For advocates, this shift creates an expanding and technically complex docket: criminal prosecution and defence, civil recovery, regulatory enforcement, cross-border evidence, intermediary liability, and privacy litigation.

Using recent official statistics, selected Indian case law, and comparative references to mature international frameworks, this paper maps the cyber-crime landscape and the Indian legal toolkit. It highlights definitional gaps and procedural bottlenecks that reduce deterrence and complicate fair adjudication, especially around attribution, electronic evidence, and jurisdiction. It then proposes a reform agenda that strengthens victim redress, investigative capacity, and due-process safeguards, while aligning India’s cyber-law practice with global best standards.

Key words

Cyber crime; Information Technology Act, 2000; Bharatiya Nyaya Sanhita, 2023; electronic evidence; Section 65B; intermediary liability; CERT-In; I4C; digital payments fraud; ransomware; data protection; cross-border assistance.

1. Context and problem statement

India’s rapid digitisation is a success story. UPI-scale payments. Digital public infrastructure. Online banking. Remote work. Cloud adoption. Social platforms at mass scale.

Yet the same scale expands the attack surface. Every smartphone is a potential entry point. Every identity credential is a target. Every payment rail is a fraud vector.

For advocates, the consequence is not merely “more cases”. It is “different cases”.

Cases that demand: (i) comprehension of technology, (ii) procedural fluency with electronic evidence, (iii) strategic use of multi-statutory remedies, and (iv) coordination across agencies and borders.

Cyber crime also stresses the traditional criminal-law model. “Actus reus” and “mens rea” still matter. But digital acts are often automated, layered through intermediaries, and routed through multiple jurisdictions within seconds.

Therefore, the advocate’s role evolves. From courtroom argument to incident-response advisor. From drafting complaints to orchestrating preservation. From bail strategy to attribution strategy. From compensation claims to regulatory representation.

Rising Cyber Crime An Upcoming Challenge for Indian Law Professional

2. Evidence of rise: what the data indicates

Any measurement of cyber crime must be read cautiously. Under-reporting remains significant. Recording practices vary across States. Some incidents are treated as “fraud” without tagging cyber modality. Victims often seek quiet settlement.

Even with these caveats, the direction is unambiguous. Official crime statistics show a steep multi-year rise in registered cyber crime cases. In the NCRB series, registered cyber crime cases increased from 65,893 (2022) to 86,420 (2023), i.e., a year-on-year rise of about 31.2%.

Operational incident handling also signals a larger threat environment. CERT-In reported handling 15,92,917 cyber security incidents in 2023. Government releases also report a rise in cyber security incidents from 10.29 lakh (2022) to 22.68 lakh (2024).

For advocates, the implication is practical: digital disputes and cyber-enabled fraud will become routine across districts, not limited to metros.

Pattern shift matters as much as volume. A large share of registered cyber crime is linked to fraud and financial deception. Beyond individual victims, corporate and institutional attacks are rising: ransomware, data exfiltration, business email compromise, and insider-enabled breaches.

Victim profile has broadened. Students. Senior citizens. Small traders. Micro and small enterprises. Professionals. Public officials. High-net-worth families. And increasingly, organisations holding large datasets.

3. Core definitions: what is “cyber crime” in Indian law

Indian law does not use one single, exhaustive definition of “cyber crime”. Instead, it criminalises specific conducts involving computers, networks, electronic records, and digital identities.

Thus “cyber crime” is best treated as a family of offences where:

  • the computer system is the target (for example: hacking, data destruction, ransomware); or
  • the computer system is the tool (for example: online cheating, impersonation, extortion, obscene publication); or
  • the computer system is the environment where a conventional offence is amplified (for example: stalking, intimidation, organised crime using digital means).

In India, the principal statute is the Information Technology Act, 2000 (as amended). It is supplemented by general penal law (now the Bharatiya Nyaya Sanhita, 2023), specialised rules (intermediary rules, CERT-In directions), and procedural/evidence statutes (BNSS/CrPC transition, Indian Evidence Act provisions on electronic evidence).

Below is an advocate-friendly taxonomy aligned to common fact patterns.

2.1 What “incident counts” mean (and why advocates should not overstate them)

Public discussion often mixes two different metrics: (i) registered criminal cases, and (ii) cyber security incidents handled by a response team such as CERT-In.

Registered cases reflect crimes reported and recorded under a legal head. They are useful for policing and policy, but can be limited by reporting behaviour, and by classification errors.

Incident counts may include malware infections, phishing URLs, vulnerability reports, botnet activity, defacement, and other security events. They are closer to a threat telemetry indicator than a crime indicator.

For advocates, careful use of numbers matters. Overstating crime numbers can undermine credibility in court. Understating the threat can weaken urgency for preservation and restitution.

A balanced approach is to cite both: NCRB for registered cases; CERT-In for incident handling; and government press releases or parliamentary answers for operational interventions such as blocking of SIMs/IMEIs linked to fraud.

2.2 Institutional response: reporting, blocking, and coordination mechanisms

India’s cyber response ecosystem has expanded materially in recent years.

Key mechanisms relevant to advocates:

  • National Cyber Crime Reporting Portal and the 1930 helpline for cyber fraud reporting, designed to enable rapid reporting and fund-freezing coordination.
  • Indian Cyber Crime Coordination Centre (I4C) initiatives, including cooperation with banks and platforms, and support for cyber police capacities (the details evolve through executive action and advisories).
  • CERT-In as the national incident response agency, issuing advisories and operating an incident-handling workflow; its annual reports provide a macro view of incidents handled.
  • Government interventions to disrupt fraud infrastructure, including blocking of SIM cards and IMEIs linked to fraud, as disclosed in official releases and parliamentary statements.

For advocates, these mechanisms create new procedural options. A well-drafted complaint can trigger faster operational action than a purely narrative FIR. Conversely, failure to report quickly can be fatal to restitution efforts.

Practical note. In financial fraud matters, the “golden window” is often measured in hours. Freezing a mule account early may preserve recoverable value; delay usually converts the dispute into a long recovery suit with low success.

3.1 Unauthorised access and interference offences (IT Act)

Unauthorised access and interference sit at the heart of cyber crime.

Key concepts. “Computer resource”. “Access”. “Without permission”. “Damage”. “Data”. “System”.

Typical conduct patterns:

  • Credential theft leading to account takeover.
  • Exploiting vulnerabilities to enter servers.
  • Installing malware or remote-access trojans.
  • Altering data or disrupting service (including DDoS).
  • Encrypting data for ransom (ransomware).

Legal hooks commonly used:

  • Section 43 IT Act (civil liability for unauthorised access, data copying, introducing virus, disruption, etc.).
  • Section 66 IT Act (criminalisation when Section 43 acts are done dishonestly or fraudulently).
  • Section 65 IT Act (tampering with computer source documents).

Advocate note. In practice, Section 66 is frequently paired with cheating provisions under the penal code for fraud-based intrusions.

3.6 Common cyber-crime categories with indicative statutory mapping (practice chart in prose)

Advocates often need a quick mapping from fact pattern to sections. The table below is expressed in prose to keep this paper self-contained.

A) Phishing, vishing, smishing.

  • Typical facts: a link or call induces credentials/OTP disclosure; funds are transferred.
  • Likely sections: IT Act 66C/66D; cheating provisions under penal law; conspiracy and abetment where mule accounts are used.

B) SIM swap / device takeover.

  • Typical facts: SIM is fraudulently re-issued; OTPs are intercepted; banking access is reset.
  • Likely sections: IT Act 66C/66D; penal-law provisions for cheating/forgery; telecom KYC violations can create regulatory exposure for service providers.

C) Account hacking and social-media compromise.

  • Typical facts: password reset via compromised email; attacker posts scams or extorts user.
  • Likely sections: IT Act 66 (read with 43); extortion provisions under penal law; intimidation provisions where threats are issued.

D) Ransomware and data breach.

  • Typical facts: malware encrypts systems; attacker demands cryptocurrency; may threaten to leak data.
  • Likely sections: IT Act 66 (unauthorised access with fraudulent intent), 65 (source tampering in certain contexts); extortion provisions under penal law; if critical infrastructure impacted, additional reporting and security duties are triggered.

E) Online defamation and reputation attacks.

  • Typical facts: fake profiles, morphed images, defamatory posts, coordinated harassment.
  • Likely sections: penal-law defamation provisions; IT Act 67/67A in sexualised content; civil injunction and takedown strategy is central.

F) Child sexual material offences.

  • Typical facts: possession, distribution, grooming, live streaming exploitation.
  • Likely sections: IT Act 67B; Protection of Children from Sexual Offences Act (POCSO) where applicable; strong emphasis on victim protection and trauma-informed process.

G) Crypto-investment scams and pyramid schemes.

  • Typical facts: fake exchanges, “guaranteed returns”, referral chains, influencer marketing.
  • Likely sections: cheating; potential money-laundering exposure depending on proceeds; regulatory dimensions may arise.

H) Cyber-enabled organised crime.

  • Typical facts: structured groups running scam call-centres, mule-account networks, or ransomware affiliates.
  • The Bharatiya Nyaya Sanhita, 2023 introduces and updates organised crime concepts, explicitly recognising cyber-crime committed on behalf of a crime syndicate as within the organised crime idea in policy discourse; advocates must watch how charging practices evolve.

3.2 Identity, impersonation and financial deception

India’s largest cyber-crime burden is cyber-enabled fraud.

Key concepts. “Electronic signature”. “Identity”. “Authentication factor”. “OTP”. “SIM swap”. “Social engineering”. “Authorised access vs induced authorisation”.

Common offences and provisions:

  • Section 66C IT Act: identity theft (fraudulent or dishonest use of another’s electronic signature, password, or unique identification feature).
  • Section 66D IT Act: cheating by personation using computer resources.
  • Penal-law cheating and forgery provisions (now under BNS) often apply where false documents, deepfakes, or forged communications are deployed.

Real-life patterns seen in India:

  • KYC update scams. Bank account “freeze” threats. Fake customer-care numbers.
  • Remote screen-sharing apps induced on the victim’s phone.
  • UPI collect-request traps and QR-code misuse.
  • “Digital arrest” scams using spoofed police or court identities.
  • Business Email Compromise: vendor-payment diversion using spoofed domains and invoices.

3.3 Obscenity, sexual exploitation, cyberstalking, and harassment

Cyber offences affecting dignity and bodily autonomy raise acute evidentiary and victim-protection needs.

IT Act provisions commonly invoked:

  • Section 67: publishing/transmitting obscene material in electronic form.
  • Section 67A: sexually explicit material.
  • Section 67B: child sexual material and related acts.

Penal-law provisions (BNS) and special laws can also apply for stalking, intimidation, and sexual offences.

An early enforcement landmark was Suhas Katti (Tamil Nadu, 2004), where a conviction was secured for posting obscene and defamatory content online, demonstrating that rapid investigation and admissible electronic evidence can make outcomes credible.

Advocate note. In sensitive offences, advocates often handle parallel tracks: criminal complaint, urgent takedown and preservation requests, restraining orders, and counselling around victim privacy.

3.4 Intermediary liability and content regulation

Many cyber disputes sit at the boundary between user conduct and platform responsibility.

The IT Act’s intermediary framework (notably Section 79 and the allied rules) attempts to balance innovation and speech with accountability.

In Shreya Singhal v Union of India (2015), the Supreme Court struck down Section 66A as unconstitutional, while also clarifying the conditions under which intermediaries can be required to take down content and what “actual knowledge” means in law.

Advocate note. Content takedown, account tracing, and metadata preservation are time-sensitive. Litigation strategy often focuses on procedural compliance: notice formats, jurisdiction, and safe-harbour conditions.

3.5 Critical infrastructure, incident reporting, and institutional duties

Modern cyber risk is also regulatory.

CERT-In operates as the national nodal agency for incident response. Its directions and reporting regimes affect how organisations respond to incidents and preserve logs.

Advocate note. Many corporate matters begin not in a criminal court but as a board-level incident requiring: legal privilege strategy, engagement with CERT-In, liaison with law enforcement, contractual notifications, and potential sectoral regulator reporting (for example in finance).

4. Why cyber cases are difficult: unique complexities for advocates

Cyber-crime litigation is hard because the “facts” are digital. They live in logs. Packets. Device images. Cloud dashboards. Service-provider records. And they degrade with time.

Four recurring complexity clusters:

1) Attribution. The person using an account may not be the account holder. IP addresses can be shared, masked, or routed through VPNs. Devices can be remotely controlled. “Who did it?” needs layered proof.

2) Jurisdiction. The victim sits in one State. The bank server sits in another. The fraudster uses a number from a third. The messaging platform is hosted abroad. Choosing the correct forum and ensuring lawful process becomes strategic.

3) Electronic evidence. Courts demand admissibility. Section 65B certification (and its evolving jurisprudence) is often the make-or-break point.

4) Speed. Fraud proceeds move fast. Data deletion occurs fast. Victims expect immediate recovery. Delay destroys traces.

These features expand the advocate’s duties beyond argument. An advocate must design evidence preservation early. Ensure chain-of-custody. Engage technical experts. And prevent procedural defects that later collapse the case.

5. Case law learning: Indian courts on cyber crime and digital evidence

Case law provides a practical map of how Indian courts think about cyber offences.

5.1 Shreya Singhal v Union of India (2015).

  • Section 66A was struck down for vagueness and overbreadth. This curtailed arbitrary criminalisation of online speech.
  • The Court also clarified intermediary liability and upheld the blocking framework under Section 69A with procedural safeguards.

Advocacy significance. Defence strategy often relies on constitutional challenges where provisions are vague. Prosecution strategy must avoid “speech” offences without clear statutory basis.

5.2 Avnish Bajaj v State (Bazee.com) (Delhi High Court, 2008 and related proceedings).

  • The case explored the extent to which platform operators and executives can be drawn into prosecutions for third-party content, and the relevance of due diligence and company-offence provisions.

Advocacy significance. It illustrates how cyber cases can create personal criminal exposure for management, making compliance and response protocols legally critical.

5.3 Suhas Katti (2004).

  • Early conviction for online harassment/obscenity highlighted operational feasibility of cyber policing when evidence is collected quickly and coherently.

Advocacy significance. Victim-side counsel should push for immediate preservation. Defence counsel must test chain-of-custody and authorship.

5.4 Electronic evidence and Section 65B.

  • In Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020), the Supreme Court reaffirmed that a Section 65B(4) certificate is generally mandatory when relying on electronic records (unless the original device is produced).

Advocacy significance. Many cyber cases fail not on merits but on admissibility. Advocates must plan certification, source access, and witness strategy early.

6. Definitional and structural gaps in Indian cyber-crime law

India’s framework has matured, but gaps remain. These gaps do not merely reduce conviction rates; they also create uncertainty and inconsistent application, which harms both victims and accused.

Important. This paper does not provide advice on how to evade law enforcement or “escape” liability. Instead, it analyses how ambiguity and procedural weakness can lead to wrongful acquittals or wrongful arrests, and how the system should be improved for deterrence with due process.

6.1 Fragmentation across statutes.

Cyber conduct is split between IT Act, penal code (BNS), sectoral laws, and rules. Police sometimes apply the wrong mix. Charges become over-inclusive (“add every section”). Courts then prune aggressively.

Reform direction. Develop standard charging templates and cyber offence schedules aligned to fact patterns.

6.2 Obsolete or missing offence categories.

Technology evolves faster than statutes. Examples where explicit coverage is debated:

  • Deepfake impersonation and synthetic media harms (beyond general forgery/personation).
  • Ransomware plus data exfiltration (double extortion) and leak-site coercion.
  • Large-scale credential stuffing and bot-driven abuse.
  • Supply-chain compromises where liability is diffused.

Reform direction. Add technology-neutral offence definitions based on harm and intent, not on device type.

6.3 Mens rea and “induced authorisation”.

Many frauds involve victims voluntarily sending OTPs or installing apps under deception. Defence may argue “authorisation” existed. Prosecution argues “consent was vitiated by fraud”.

Reform direction. Clarify in statute and guidance that authorisation obtained by deception is not valid authorisation for cyber offences.

6.4 Jurisdiction and cross-border evidence.

Mutual legal assistance is slow. Platforms may be abroad. Evidence can disappear.

Reform direction. Strengthen 24×7 points of contact, standardise preservation requests, and create fast-track cyber warrants with judicial oversight.

6.5 Overbreadth risk and rights concerns.

Broad provisions can be misused against speech, research, or legitimate security testing. Advocates must guard against overcriminalisation.

Reform direction. Introduce explicit research and responsible disclosure safe harbours with conditions, and strong proportionality safeguards.

4.1 Electronic evidence: definitions and the advocate’s “integrity checklist”

Key words explained.

Electronic record. A record or data generated, stored, received or sent in an electronic form. Examples: emails, chats, server logs, CCTV digital files, call detail records, cloud exports.

Metadata. Data about data. For example: timestamp, device ID, EXIF data in a photo, header lines in an email, log fields in a firewall record.

Hash value. A digital fingerprint (for example SHA-256). If the file changes even slightly, the hash changes, helping to prove integrity.

Chain of custody. A documented trail of who handled evidence, when, and how, to prevent tampering allegations.

Section 65B certificate. A statutory certificate for admitting secondary electronic records, confirming the manner of production and reliability of the computer system.

Integrity checklist (for advocates):

  • Identify the best evidence source (original device or system).
  • Preserve quickly. Use write-blocking and imaging where possible.
  • Record hashes of images and extracted files.
  • Maintain a seizure memo and handover logs.
  • Ensure time synchronisation issues are addressed (device clock drift).
  • Plan Section 65B certification early; do not leave it for trial stage.
  • Avoid screenshots as the only evidence when logs or exports exist; screenshots are easy to challenge.
  • Engage a forensic expert for interpretation, but keep the legal narrative clear.
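Worked illustration of the hashing and handover-log items in the checklist above. This is an added example, not part of the original paper or any official tool: it records SHA-256 hashes in a manifest and keeps a custody log in which each entry is bound to the manifest and to the previous entry. The hash-chained log goes one step beyond the checklist, and the file names, handler names and record contents are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first custody entry


def sha256_file(path):
    """Stream the file so large device images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1024 * 1024), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Map file name -> SHA-256 and size, recorded at the time of acquisition."""
    return {os.path.basename(p): {"sha256": sha256_file(p),
                                  "size": os.path.getsize(p)} for p in paths}


def verify_manifest(manifest, directory):
    """Return the names of files that are missing or no longer match their hash."""
    bad = []
    for name, rec in sorted(manifest.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or sha256_file(path) != rec["sha256"]:
            bad.append(name)
    return bad


def _digest(obj):
    # Canonical JSON (sorted keys) so the same content always hashes the same.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append_custody(log, handler, action, manifest, when=None):
    """Add a handover entry bound to the manifest and to the previous entry."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log) + 1,
        "utc": when.astimezone(timezone.utc).isoformat(),  # one zone for all entries
        "handler": handler,
        "action": action,
        "manifest_sha256": _digest(manifest),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_custody(log):
    """Return the seq of the first inconsistent entry, or None if the chain holds."""
    prev = GENESIS
    for i, entry in enumerate(log, 1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["entry_hash"] != _digest(body)):
            return i
        prev = entry["entry_hash"]
    return None


def demo():
    """Constructed sample evidence: hash it, log two handovers, then alter things."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed contents, not real records
            "chat_export.txt": b"2024-01-05 10:02 IST caller: approve the refund\n",
            "upi_statement.csv": b"utr,amount,payee\nUTR-PLACEHOLDER,4999,vpa@example\n",
        }
        paths = []
        for name, data in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            paths.append(path)
        manifest = build_manifest(paths)
        log = []
        append_custody(log, "Officer A (placeholder)", "seized and imaged", manifest)
        append_custody(log, "Lab B (placeholder)", "received for analysis", manifest)
        clean = verify_manifest(manifest, d)       # nothing changed yet
        with open(paths[0], "ab") as f:            # append a single byte
            f.write(b" ")
        changed = verify_manifest(manifest, d)     # the altered file is flagged
        intact = verify_custody(log)               # chain is consistent
        log[0]["handler"] = "Someone else"         # retroactive edit to the log
        broken_at = verify_custody(log)            # edit is detected at entry 1
        return clean, changed, intact, broken_at


if __name__ == "__main__":
    print(demo())
```

The chain is only tamper-evident if the latest entry_hash is also written somewhere the log's keeper cannot rewrite, for example in the seizure memo or handover receipt.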

7. Advocate’s toolbox: end-to-end handling of a cyber-crime matter

This section is practice-oriented. It focuses on what an advocate should do to protect the client’s legal interests while preserving technical truth.

7.1 First 24 hours: triage and preservation.

Victim-side steps:

  • Document the timeline. Save screenshots. Record transaction IDs. Preserve emails with headers. Export chat logs where possible.
  • Immediately report financial fraud through the national helpline (1930) and the cybercrime reporting portal. Seek account freezing and lien marking through banks where available.
  • Issue preservation notices to platforms, email providers, and telecoms. Time is critical because logs are retained for limited periods.

Accused-side steps:

  • Preserve exculpatory evidence: device custody, employment logs, travel records, legitimate access authorisations.
  • Ensure counsel-led interaction with investigators. Avoid self-incrimination while cooperating lawfully.

7.2 Drafting the complaint and FIR strategy.

Good cyber complaints are technical but readable. They contain:

  • specific URLs, phone numbers, UPI IDs, wallet IDs, domain names;
  • exact timestamps with time zone;
  • transaction traces (UTR, bank statements);
  • device details (IMEI if available, handset model);
  • harm statement and suspected modus.

7.3 Electronic evidence and Section 65B planning.

  • Identify the “source” device/system: phone, CCTV DVR, server, cloud account, platform export.
  • Decide whether to produce the original device or rely on secondary copies with certification.
  • Arrange a competent person to issue the certificate: system administrator, service provider, custodian.
  • Maintain chain-of-custody. Use hash values when imaging devices.

7.4 Civil and regulatory parallel remedies.

Not all relief is criminal.

  • Civil suit for injunction, data return, or damages (where feasible).
  • Consumer forums for service deficiency in certain contexts.
  • Sectoral regulator engagement (for example, financial sector complaints, KYC or payment-system disputes).
  • Employment and contract actions where insider involvement is suspected.

7.5 Bail, custody, and proportionality.

Cyber cases often involve device seizure, custodial interrogation demands, and accusations of a large “digital trail”. Advocates should press for:

  • limited and supervised device imaging rather than indefinite seizure, where possible;
  • clear necessity for custody;
  • proportional conditions and privacy-aware handling of personal data.

7.6 Trial strategy.

Cyber trials need experts. They need clear exhibits. They need demonstrative explanation without jargon.

Focus areas:

  • authorship and access control;
  • integrity of logs;
  • admissibility and certification;
  • motive and benefit flow (money trail).

8. International practices: what India can learn (and what to avoid)

Comparative law helps identify improvement points without blindly copying foreign models.

8.1 Budapest Convention model (Council of Europe).

The Budapest Convention is a leading international framework on cyber crime. It enumerates core offences such as illegal access, illegal interception, data interference, system interference, misuse of devices, and computer-related fraud/forgery, and it creates procedural tools for preservation, search and seizure of computer data, and rapid international cooperation including a 24/7 contact network.

Learning for India:

  • Harmonised offence definitions make cross-border cooperation easier.
  • Procedural powers are paired with safeguards and proportionality.
  • Institutionalised cooperation is as important as substantive offences.

8.2 United Kingdom. Computer Misuse Act, 1990.

The UK’s approach is offence-focused: unauthorised access, unauthorised access with intent to commit further offences, and unauthorised acts with intent to impair operation.

Learning for India:

  • Clarity around “unauthorised access” reduces definitional dispute.
  • Stronger treatment of attacks that impair services aligns with critical infrastructure protection.

8.3 United States. Computer Fraud and Abuse Act (CFAA).

The CFAA criminalises unauthorised access or exceeding authorised access to protected computers, especially where fraud, damage, or extortion occurs.

Caution for India:

  • In the US, overbroad interpretations of “exceeds authorised access” have generated debate about criminalising policy violations. India should avoid language that could penalise ordinary user behaviour.

8.4 European Union: cybersecurity governance and data protection.

EU cybersecurity is increasingly regulated through frameworks like the NIS2 Directive, which places risk-management and incident-handling duties on essential and important entities across critical sectors. EU data protection (GDPR) drives breach accountability through strong rights and penalties.

Learning for India:

  • Combine cyber crime enforcement with governance duties: minimum security controls, reporting discipline, and executive accountability.
  • Strengthen breach notification and victim communication in a privacy-respecting way.

9. Reform agenda for Indian cyber-crime law and practice

Reform should target three outcomes simultaneously: deterrence, victim restitution, and rights-protective due process.

9.1 Substantive law improvements.

  • Technology-neutral definitions focusing on harm and intent.
  • Clear coverage for deepfake-enabled impersonation, large-scale phishing infrastructure, and ransomware extortion with data-leak coercion.
  • Calibrated penalties based on scale of harm and victim vulnerability (for example, scams targeting seniors).

9.2 Procedural improvements.

  • Faster preservation and production mechanisms for digital evidence with judicial oversight.
  • Standardised cross-border request templates and time-bound response commitments where feasible.
  • Dedicated cyber prosecutors and cyber magistrate training for consistent standards.

9.3 Victim-centric restitution.

  • Faster freezing of fraudulent proceeds and streamlined return where ownership is clear.
  • Stronger coordination between banks, wallets, telecoms, and platforms.
  • Legal aid and counselling support for vulnerable victims.

9.4 Capacity building and ethical advocacy.

  • Continuous training for advocates on basic network concepts, mobile forensics, OSINT limits, and log interpretation.
  • Engagement with forensic experts under clear ethical boundaries.
  • Respect for privacy and privilege during corporate investigations.

10. Conclusion

Cyber crime will remain an expanding challenge for Indian advocates because it is intertwined with India’s digital growth. The advocate’s value lies in converting technical facts into legal truth while protecting rights and enabling restitution.

A future-ready cyber practice in India will require: stronger offence clarity, faster and fairer procedure, credible electronic evidence handling, and sustained international cooperation. The legal profession must adapt—through training, standardisation, and ethical technical competence—so that cyber justice remains both effective and constitutional.

Selected references (for further reading)

National Crime Records Bureau (NCRB), Crime in India reports (latest editions).

Indian Computer Emergency Response Team (CERT-In), Annual Reports and Digital Threat Reports.

Information Technology Act, 2000 (as amended) and allied rules/directions.

Shreya Singhal v Union of India, Supreme Court of India (2015).

Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal, Supreme Court of India (2020).

Avnish Bajaj v State (NCT of Delhi), Delhi High Court (2008) and related proceedings.

Council of Europe, Convention on Cybercrime (Budapest Convention).

UK Computer Misuse Act, 1990.

United States 18 U.S.C. §1030 (Computer Fraud and Abuse Act).

EU NIS2 Directive resources (European Commission).

11. Mini case studies: how facts translate into legal strategy

Case study 1: UPI collect-request fraud against a small trader.

Facts. The victim receives a call claiming to be from a supplier. A “collect request” is sent, labelled as a refund. The victim enters the UPI PIN believing it confirms receipt, but it authorises a payment.

Legal strategy.

  • Immediate steps: report on helpline 1930; inform bank/PSP; request freezing and reversal; preserve call recordings and chat messages; capture UPI request screen with transaction ID.
  • Likely offences: cheating by personation (IT Act 66D), identity feature misuse (66C if credentials were misused), cheating under penal law, and conspiracy if mule accounts are involved.
  • Evidence focus: UPI transaction trace, device logs, bank KYC of beneficiary, telecom subscriber verification, and platform logs.

Case study 2: Ransomware attack on a mid-sized hospital.

Facts. Hospital systems are encrypted; appointments and diagnostic reports disrupted. Attacker demands cryptocurrency and threatens to leak patient data.

Legal strategy.

  • Parallel tracks: incident containment and forensic imaging; CERT-In reporting duties; police complaint for extortion and unauthorised access; potential civil claims against negligent vendors depending on contracts; patient communication obligations depending on sectoral rules and data protection governance.
  • Evidence focus: malware samples, encryption notes, network logs, endpoint telemetry, email gateways, and cryptocurrency wallet traces.

Case study 3: Deepfake video used to defame a professional.

Facts. A synthetic video circulates on messaging groups, claiming misconduct. The victim suffers reputational and professional harm.

Legal strategy.

  • Immediate steps: seek takedown through platform reporting and legal notices; file complaint for impersonation and defamation; seek injunction against re-upload and a John Doe order where necessary; preserve original files and forwarding trails.
  • Evidence focus: source identification, dissemination map, expert opinion on manipulation indicators, and platform metadata.

Case study 4: Business Email Compromise in a manufacturing company.

Facts. Accounts staff receive an email from a look-alike domain asking them to pay a vendor into a new bank account. Payment is made; the vendor later claims non-receipt.

Legal strategy.

  • Corporate actions: notify bank swiftly; freeze; insurer notification; forensic review of mail rules and login events; contractual dispute management with vendor; criminal complaint and civil recovery.
  • Evidence focus: full email headers, domain registration data, bank beneficiary KYC, and internal control assessment.
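The header review named in the evidence focus above can be illustrated with a first-pass triage in Python. This is an added example, not part of the original paper; the message, every domain in it, and the vendor list are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: all addresses and domains are invented.
RAW = """\
Return-Path: <billing@acrne-supplies.example>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=acrne-supplies.example; dkim=none; dmarc=none
From: "Acme Supplies Accounts" <billing@acrne-supplies.example>
Reply-To: acme.accounts@freemail.example
Subject: Updated bank details for pending invoices
Date: Mon, 02 Feb 2026 10:14:07 +0530

Please remit to our new account.
"""

# Assumption: the company's vendor master lists the genuine sending domains.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

def edit_distance(a, b):
    # Levenshtein distance, computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    # Domain part of the address in a header; "" when the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, known=KNOWN_VENDOR_DOMAINS, max_dist=2):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom not in known:
        for k in sorted(known):
            d = edit_distance(from_dom, k)
            if 0 < d <= max_dist:
                findings.append(f"look-alike: {from_dom} vs {k} (distance {d})")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to diverges: {reply_dom}")
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} not passing")
    return findings
```

SPF passes in the sample because the sender controls the look-alike domain, which is why the comparison against the vendor master matters more than the authentication verdict alone. A printout or forwarded copy loses these headers, so the original message file is what should be preserved.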

12. Building cyber competence in the legal profession

Cyber practice is not only for specialists in metro cities. District practice will increasingly face cyber elements in routine matters: matrimonial disputes (online harassment), commercial disputes (email evidence), employment matters (data theft), and consumer disputes (payment fraud).

Skill domains that strengthen an advocate’s effectiveness:

  • Basic technology literacy: how networks route, what logs exist, what a VPN is, what 2FA means.
  • Evidence discipline: preservation, hashing basics, Section 65B workflow.
  • Negotiation and restitution: coordinating with banks, wallets, telecoms, and platforms to freeze proceeds.
  • Cross-border awareness: MLAT pathways, platform law-enforcement portals, and realistic timelines.
  • Ethics and confidentiality: maintaining privilege in corporate incident response; avoiding conflicts when advising multiple stakeholders.
  • Courtroom communication: explaining complex cyber facts in simple, legally relevant language.

13. Cyber crime and privacy: balancing enforcement with constitutional rights

Cyber crime enforcement requires data access: subscriber information, location trails, device identifiers, content, and metadata. At the same time, privacy is a constitutional right recognised by the Supreme Court in K.S. Puttaswamy (2017).

Therefore, cyber policing must be rights-sensitive.

Advocates should press for:

  • necessity and proportionality in search and seizure of devices;
  • minimisation: imaging only relevant data where feasible;
  • secure storage and controlled access to seized data;
  • time-bound retention and return of devices after imaging;
  • protection against fishing expeditions.

With the emergence of a comprehensive data protection regime (such as the Digital Personal Data Protection Act, 2023, and its evolving rules), organisations will face additional obligations for security safeguards, breach management, and grievance redress. Cyber crime and data protection will increasingly intersect in litigation.

14. Courtroom pitfalls: where cyber cases commonly succeed or fail

Cyber trials frequently turn on a small number of technical issues rather than on broad moral narratives.

Pitfall 1: Poor attribution story.

If the prosecution cannot connect the accused to the device, the account, and the benefit flow, courts are reluctant to convict. Defence may legitimately highlight alternative hypotheses: shared devices, spoofed identities, compromised accounts, or weak subscriber verification.

Advocate response.

  • Prosecution-side: build a layered link chain (device + login + location + money trail + witness).
  • Defence-side: test each link for gaps; highlight missing logs, missing custody memos, or inconclusive forensics.

Pitfall 2: Admissibility and Section 65B defects.

Courts may exclude electronic records if certification is missing or the source is unclear.

Advocate response.

  • Plan certification early; avoid relying solely on printouts or screenshots.
  • Where a service provider controls evidence, move the court for appropriate directions to produce records in certified form.

Pitfall 3: Overcharging and vagueness.

Adding too many sections can dilute focus and create contradictions.

Advocate response.

  • Draft crisp charges aligned to provable facts; use alternative counts only when legally justified.

Pitfall 4: Delay in reporting and preservation.

Late reporting leads to missing logs, changed device states, and irretrievable funds.

Advocate response.

  • Educate clients to report promptly; use preservation letters; document immediate steps.

Pitfall 5: Procedural rights and proportionality issues.

Overbroad device seizures and uncontrolled data extraction can create privacy violations and can weaken the case.

Advocate response.

  • Seek imaging under supervision; request return of devices; ensure seizure is limited to necessity.

15. Global cooperation: Budapest Convention and the new UN Convention against Cybercrime

Cross-border cyber crime is now routine. Fraud call-centres, phishing infrastructure, cloud-hosted command-and-control servers, and cryptocurrency laundering often sit outside the victim’s country.

Two international frameworks dominate current policy conversations.

Budapest Convention (2001).

  • It provides harmonised offence definitions and procedural powers, and it operationalises cooperation through mechanisms such as expedited preservation and a 24/7 contact network.
  • India has not acceded to the Budapest Convention, but participates in certain cooperation networks and uses MLAT routes for evidence requests.

United Nations Convention against Cybercrime (adopted 24 December 2024).

  • The UN Convention was adopted by the UN General Assembly on 24 December 2024 (Resolution 79/243) and opened for signature in October 2025, aiming to strengthen international cooperation for combating cybercrime and for sharing electronic evidence for serious crimes.
  • The Convention is significant because it is global in ambition, not limited to a regional bloc, and it explicitly recognises the centrality of electronic evidence. It is also debated internationally for its scope and safeguards, which means domestic implementation will matter as much as the text.

Advocate implication.

  • Cross-border cases will increasingly require treaty literacy: what requests can be made, through which channels, with what timelines, and what safeguards protect rights.
  • India’s choices on accession, implementation, and bilateral arrangements will shape the daily practice of cyber crime advocacy, especially for matters involving foreign platforms and cloud providers.

16. One-page advocate checklist (quick reference)

Before filing: capture evidence (screens, headers, URLs), record timestamps, and preserve devices in their current state.

Report fast: use helpline/portal for fraud, and insist on prompt freezing requests to the destination accounts.

Preserve formally: send preservation notices to banks, PSPs, telecoms, and platforms; ask for retention of logs and KYC records.

Draft precisely: include transaction IDs, UPI IDs, phone numbers, and a clear loss computation.

Plan admissibility: map every critical electronic record to its source and a Section 65B path or original-device production.

Stay proportional: challenge overbroad seizures; seek supervised imaging and return of devices.

Keep it intelligible: translate technical facts into simple propositions supported by exhibits and expert testimony.

Appendix: word-count (excluding author block and title)

Approximate word count of main text: 5045 words.
