You've been blocked!
- from Shaastra :: vol 04 issue 09 :: Oct 2025

Digital detectives, aided by technology, are seeking to outpace cybercrime with powerful tools.
In January 2025, Anurag Roy received a call from the cybersecurity department of the Kolkata Police, asking for help in tracking a cybercrime. West Bengal government agencies have been seeking help from the third-year BTech student of Kolkata's Techno India University in tracking cybercrimes ever since Roy won a hackathon organised by the city police as a 12th-grade student.
The call early this year was about a retired man from Kolkata who had lost his savings in minutes, well before he realised that he was the victim of a cybercrime. The police called Roy after the victim filed a complaint. Roy found that the fraudsters used encrypted platforms and software that were hard to penetrate. The investigation led to the recovery of only a small fraction of the money, around ₹2 lakh, while over ₹50 lakh vanished through mule bank accounts. Specifically worrying for Roy — and the police — was the theft of the victim's Aadhaar number, which had been used to obtain SIM cards later employed in duping other people. The result was a chain of crimes.
During his investigations, Roy and the cybercrime department of the Kolkata Police discovered that the victim's Aadhaar card details had been openly posted in a Telegram group that advertised breached Indian data for sale.
To infiltrate the Telegram network, Roy posed as a rival data seller and created a fake group on the instant messaging site. The scammers reached out to Roy, offering to collaborate, thereby allowing him to move the conversation to a phone call. Through the call, he managed to capture the scammer's real IP address, which was handed over to the police. The scammer was arrested in West Bengal.
The investigation revealed that the fraudster was using a method called SIM boxing. Roy describes it as a device containing hundreds of SIM slots, filled with fake SIMs obtained using stolen Aadhaar data. This set-up allowed fraudsters to reroute calls automatically, making it nearly impossible to trace them. Police recovered some cash and mobile phones, but most of the money had already moved across borders. The arrested individual, Roy says, did not even know the identity of the mastermind operating from outside India, which made the case even harder to crack.
Roy first kept track of the criminals' mobile devices using a desktop application called Tower Dump, while monitoring their internet activity using Internet Protocol Detail Records (IPDR). He then used Open-Source Intelligence (OSINT) frameworks for dark web monitoring, an activity that is becoming increasingly critical in combating scams and cybercrimes. OSINT is the practice of collecting and analysing publicly available data; in cybersecurity it is used to spot exposed information and vulnerabilities in information technology (IT) systems.
Roy deals with such crimes regularly, as fraudsters are learning to use increasingly sophisticated tools to dupe people and leave without a trace. Roy, on the other hand, has been constantly trying to stay ahead of the criminals from a technological standpoint, keeping abreast of the tools developed worldwide to tackle cybercrime. "Staying a step ahead isn't optional," says Roy. "It's the only way to keep people safe in the digital age."
Cybercrime has been increasing rapidly in India over the past few years, mirroring global trends. According to the Ministry of Home Affairs, which disclosed the figures on July 22, 2025, in response to a parliamentary question, Indians lost ₹22,845 crore in value terms from cybercrimes in 2024, an increase of 206% over the previous year. According to the World Bank, global losses amounted to $9.5 trillion in 2024, up from $8 trillion in 2023. They are projected to reach $10.5 trillion this year. "As India's digital economy grows, the attack surface grows with it," says Pavan Kushwaha, CEO of the cybersecurity companies Threatcop, in the Bay Area in the United States, and Kratikal, headquartered in Noida.
AWARENESS HELPS
Kushwaha and his friends started Kratikal in 2013 during their college days at the Motilal Nehru National Institute of Technology Allahabad. They had realised that cyberattacks required rapid responses and saw a future business opportunity. In 2018, Kratikal developed Threatcop, a simulation tool that trains individuals in companies to react within the breach time — the tiny window between when a malicious link is delivered and when an employee either clicks on it or reports it. By combining simulation, measurement, and training, it first creates realistic attack scenarios across multiple channels, such as email, SMS, WhatsApp, and QR codes, exposing employees to the same tactics that hackers would use. These simulations reveal how quickly users respond, whether by clicking on the link or reporting it, and the platform records this data to calculate the organisation's average breach time. Employees who fall for the trap are given immediate, personalised training through short videos, quizzes, or game-based lessons, while those who report quickly are reinforced as positive examples. At the system level, Threatcop integrates with platforms such as Google Workspace and Microsoft 365, automatically analysing and removing malicious emails from across the organisation if a real attack occurs.

In a case study, for a finance company with 16,000 employees, Kushwaha's team conducted phishing simulations and discovered that nearly 3,000 employees had entered their email IDs and passwords on fake landing pages. This highlighted how widespread the risk was, since even a single compromised account could open the door to attackers. Over time, by running repeated simulations and providing targeted training based on each employee's vulnerability score, they steadily improved awareness. Within a few months, the number of employees who fell for the attacks dropped from a few thousand to a few hundred.
The most crucial step in ensuring data security is setting a strong password. However, many people struggle to create one or end up forgetting it if it's too complex. Mainack Mondal, a computer scientist at the Indian Institute of Technology (IIT) Kharagpur, had been wondering how to solve this problem. In the summer of 2022, he went to Leibniz University Hannover, in Germany, on a fellowship and was at a conference when an idea struck him. How about making passphrases instead of passwords, he thought. These are easy for users to remember but difficult for attackers to crack by using machine learning (ML). The passphrases have to be nonsensical for them to be effective – for example, "I dance rice" instead of "I eat rice", and "I code home" instead of "I go home."
However, the problem that continued to bother Mondal was how to generate strong passphrases that were easy to remember yet difficult to crack. Leibniz University had strong artificial intelligence (AI) and Natural Language Processing research groups, and Mondal consulted them and attended their meetings to develop potential solutions. After returning to India, his group at IIT created a system called 'MASCARA: Systematically Generating Memorable And Secure Passphrases' to generate passphrases that were both secure and easy to recall (bit.ly/MASCARA-Phrase). Their study of nearly 73,000 real-user passphrases helped design a method to measure both memorability and security. Tests showed that MASCARA passphrases were more difficult to guess than user-created ones and easier to remember than the existing machine-generated ones, with recall rates up to 100% higher.

Mondal is now trying to improve the memorability of passwords. One thread of his research focuses on emerging technologies, such as archival systems like Facebook or Instagram, that never forget anything. The problem of designing systems that created very memorable phrases which were difficult for others to guess brought them into the domain of memory and how it affected security and privacy. "You want your password to be memorable, but you don't want systems to remember everything you did over the past ten years," he says.
Mondal used a constrained Markov model, a method in which each next word depends only on the current word and not on the words that came before it. His team analysed a large corpus of words to see the common follow-ups to widely used words. Likely word sequences produced passphrases that were easy to remember but also easy to crack, while improbable sequences were hard to predict but equally hard to remember. Using moderately likely sequences, however, they generated passphrases that users could remember but attackers would find difficult to guess.
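The "moderately likely" idea above, worked through as an added example that is not the IIT Kharagpur code: a bigram Markov chain is trained on a small constructed corpus, and the generator only follows transitions whose probability falls in a middle band. The corpus, the band edges (0.1 to 0.5) and the function names are all assumptions made for the illustration.

```python
"""Constrained bigram Markov passphrases, in the spirit of the MASCARA idea.

Added example, not MASCARA itself: likely continuations are memorable but the
first thing a guesser tries, unseen ones are unguessable but also hard to
recall, so the generator stays in a middle probability band.
"""
import math
import secrets
from collections import Counter, defaultdict

# Constructed corpus: (sentence, number of occurrences).
CORPUS = [
    ("i eat rice", 7), ("i eat bread", 2), ("i eat daily", 1),
    ("i go home", 3), ("i go out", 2), ("i go daily", 1),
    ("i dance daily", 1), ("i dance home", 1), ("we dance daily", 2),
    ("i code daily", 1), ("i code home", 1), ("we code daily", 2),
]

def train_bigrams(corpus):
    """Return {word: {next_word: P(next_word | word)}} from weighted sentences."""
    counts = defaultdict(Counter)
    for sentence, n in corpus:
        words = sentence.split()
        for w1, w2 in zip(words, words[1:]):
            counts[w1][w2] += n
    return {w: {nxt: c / sum(cnt.values()) for nxt, c in cnt.items()}
            for w, cnt in counts.items()}

def successors_in_band(model, word, lo, hi):
    """Continuations of `word` with lo <= P < hi: the 'moderately likely' ones."""
    return sorted(nxt for nxt, p in model.get(word, {}).items() if lo <= p < hi)

def most_likely(model, start, length):
    """Greedy argmax walk: memorable, but also the first guess an attacker makes."""
    phrase = [start]
    while len(phrase) < length:
        nxt = model.get(phrase[-1])
        if not nxt:
            break
        phrase.append(max(nxt, key=nxt.get))
    return phrase

def generate(model, start, length, lo=0.1, hi=0.5, rng=secrets.SystemRandom()):
    """Walk the chain, drawing each next word uniformly from the middle band."""
    phrase = [start]
    while len(phrase) < length:
        cands = successors_in_band(model, phrase[-1], lo, hi)
        if not cands:
            raise ValueError(f"no moderately likely continuation after {phrase[-1]!r}")
        phrase.append(rng.choice(cands))
    return phrase

def log2_prob(model, phrase):
    """log2 P(phrase) under the model; -inf if a transition was never seen.

    Lower means more guesses for an attacker who has learnt the same corpus."""
    total = 0.0
    for w1, w2 in zip(phrase, phrase[1:]):
        p = model.get(w1, {}).get(w2, 0.0)
        if p == 0.0:
            return -math.inf
        total += math.log2(p)
    return total
```

Whether a given band is actually memorable is what MASCARA measured with real users; the edges here are tuned only to the toy corpus.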

SHIELDING KEY INFRASTRUCTURE
Cyberattacks can be particularly destructive when they extend beyond individual victims and target a country's critical infrastructure. A decade ago, Sandeep Shukla, now the Director of the International Institute of Information Technology, Hyderabad, had identified vulnerabilities in infrastructures such as power systems, highways, and railway communications that heavily relied on network communications. In 2015, while at IIT Kanpur, Shukla mooted the idea of creating a centre to study the cybersecurity of critical infrastructure. "Power systems were very dependent on network communication — particularly power system operation and control, which had become totally digital," he says.
Shukla's group set up a laboratory at IIT Kanpur that mirrored real industrial environments, covering power transmission, power generation, water treatment plants, multi-stage discrete control systems, and industrial robotics. Using Supervisory Control and Data Acquisition (SCADA), a system used to monitor and control industrial processes remotely through real-time data collection and automated control, his group discovered several vulnerabilities in these systems, which were listed on the U.S. National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology. That experience, Shukla says, got the group to focus more on how to ward off such cyberattacks.
Shukla discovered that Programmable Logic Controllers (PLCs), specialised computers used to control processes in manufacturing, were often managed through small web servers that utilised outdated protocols with no encryption or authentication. This left them vulnerable to attacks such as Address Resolution Protocol (ARP) poisoning, where an attacker tricks a network into sending data to their device instead of the intended destination, allowing them to spy on or alter the information. Such flaws, he notes, were among those his centre had reported to the NVD.
At IIT Kanpur, Shukla and his students focused on protections such as intrusion detection methods, malware analysis, network intrusion detection, and web application firewalls. These efforts led them to collaborate with organisations such as the National Highways Authority of India, where they worked on protecting IT systems at the Delhi headquarters, and the Indian Ports Association, where they investigated vulnerabilities in port infrastructure.
As cryptocurrencies such as Bitcoin, Ethereum, and TRON move deeper into mainstream finance, they are also becoming fertile ground for fraud, money laundering, and other illicit activities that are difficult to detect. Blockchain transactions are public, but their sheer volume and the anonymity of users make it hard to follow the money. Shukla's group has developed an investigative platform called BlockStash Intelligence, designed for law enforcement agencies, banks, and compliance teams. The tool works on blockchain, a digital ledger that permanently records all transactions. It combines the open record of transactions on the blockchain (on-chain) with details from exchanges and user accounts held outside it (off-chain). By linking these two data streams in real time, the system can map transactions, flag suspicious wallet activity, and trace funds from digital wallets to exchanges. Investigators can visualise entire transaction networks, monitor transfers as they happen, and assess the risk level of wallets or exchanges. In effect, the platform acts as a digital detective, automating the detection of hidden links and patterns that human analysts might miss.
NEW IDEAS
In 2016, cryptologist Bimal Roy, former Director of the Indian Statistical Institute (ISI) in Kolkata, asked a bank manager about the safety of the bank's locker system, as copies of physical keys could be easily made. The question triggered a chain of events, including a newspaper article by the cryptologist that drew the attention of the then Reserve Bank of India (RBI) Governor, Urjit Patel. A meeting ensued between Patel and Bimal Roy, during which the latter proposed the idea of a digital lock system as an alternative to mechanical lockers. A mathematical method that could make bank lockers safe and fraud-free is being considered for implementation by the RBI. The cryptologist suggested replacing mechanical lockers with a digital locking system. Instead of using physical keys, this system would use digital keys. He explains that these digital keys were composed of sequences of 0s and 1s, and their security could be verified using simple rules of logic.
In one version of his idea, a digital key of 128 digits could be split into two equal parts. These two parts could then be used to draw a straight line. The customer would receive one point on the line, and the bank manager another. When these points were converted back into numbers, they could be used to unlock the digital locker.
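The two-point line described above, worked through as an added example that is not Bimal Roy's or the RBI's design. Reading the two halves of the key as the slope and intercept of a line over a prime field is my assumption, as are the field prime, the x coordinates and the function names.

```python
"""Two-party 'straight line' locker key, as sketched in the article.

Added illustration only. The 128-bit key is split into two 64-bit halves that
become the slope a and intercept b of y = a*x + b over a prime field; the
customer and the bank manager each hold one point on that line. One point
alone fixes only one linear relation between a and b; both together fix the
line, and hence the key.
"""
import secrets

# Smallest prime above 2**64, so every 64-bit half is a valid field element.
# Keeping P only just above 2**64 matters: with a much larger P, the 64-bit
# range check in recover_key would let a single point rule out almost every
# candidate (a, b) pair, leaking most of the key to whoever holds it.
P = 2**64 + 13
HALF = 2**64

def split_key(key):
    """Split a 128-bit key into (slope, intercept) halves of 64 bits each."""
    if not 0 <= key < 2**128:
        raise ValueError("key must be a 128-bit integer")
    return key >> 64, key & (HALF - 1)

def join_key(a, b):
    """Inverse of split_key."""
    return (a << 64) | b

def make_shares(key, x1=1, x2=2):
    """Return two points on y = a*x + b (mod P), one for each party.

    x must be non-zero: the point at x = 0 is (0, b), which would hand out
    half of the key in the clear.
    """
    if x1 % P == x2 % P or x1 % P == 0 or x2 % P == 0:
        raise ValueError("x coordinates must be distinct and non-zero")
    a, b = split_key(key)
    return (x1, (a * x1 + b) % P), (x2, (a * x2 + b) % P)

def recover_key(share1, share2):
    """Rebuild the line through two points and read the key off its coefficients."""
    (x1, y1), (x2, y2) = share1, share2
    if (x1 - x2) % P == 0:
        raise ValueError("shares must lie at distinct x coordinates")
    a = (y1 - y2) * pow(x1 - x2, -1, P) % P   # slope
    b = (y1 - a * x1) % P                      # intercept
    if a >= HALF or b >= HALF:
        # A genuine pair always yields 64-bit halves; anything else means a
        # share was corrupted or belongs to a different locker.
        raise ValueError("shares are inconsistent")
    return join_key(a, b)

def random_key():
    """Fresh 128-bit locker key from the OS CSPRNG."""
    return secrets.randbits(128)

if __name__ == "__main__":
    key = random_key()
    customer, manager = make_shares(key)
    assert recover_key(customer, manager) == key
    print(f"key {key:#034x} recovered from {customer} and {manager}")
```

Because one point still pins down a linear relation between the halves, this simplest version is not perfectly hiding the way Shamir's scheme with a random coefficient is; the author's remark that many variations are possible is where that hardening would come in.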
"This was just the simplest version of the idea. Many other variations are possible," he says. He adds that the same approach is also vital in multi-party computation, where several people interact and exchange information. Such methods have wide applications in finance, blockchain and cryptocurrencies, supply chain management, digital auctions, advertising, and many other areas.
Bimal Roy also works in an area called zero-knowledge proof. The idea is deceptively simple: it involves proving one's identity online without revealing any actual personal information. When people send emails, it is easy for someone to fake the header and make a message appear genuine. Banks had attempted to address this issue with one-time passwords (OTPs), but even these were vulnerable, as stolen phones or SIM cards could be used to intercept users' OTPs. Zero-knowledge protocols go a step further, allowing people to prove who they are and convince the other party of that fact, without either side exposing sensitive details.

For example, voter identification at polling booths could be strengthened by real-time identity algorithms. At present, officers rely on paper voter IDs and often poor-quality photos to verify voters. Linking Aadhaar could be helpful, but unreliable internet connections in rural areas make it impractical. He points out that Election Commission officials are sceptical about such systems being able to work in under 50 seconds, the average time it takes a polling officer to clear a voter. Roy's team at ISI is also looking at ways to share sensitive data without exposing personal details. For example, if anonymised credit data of big loan defaulters were published, the public could gauge how much lending happened, the share of bad loans, or whether only a few large loans caused most defaults. This kind of openness would encourage managers to be more cautious in approving risky loans. The idea could also work in healthcare: while individual patient records must remain private, hospitals could still share overall surgery success rates to ensure accountability. "In short, whether it is protecting elections, securing banks, or safeguarding personal data, mathematics, probability, and clever algorithms are quietly reshaping the science of trust in the digital age," he says.
THE CHALLENGES
Cybersecurity professionals and researchers believe that India still lags in many areas. Law enforcement agencies are waging a complex battle against crimes that are often hidden behind layers of technology. End-to-end encryption — used by popular platforms such as WhatsApp, Telegram, and Signal — safeguards users' privacy but also shields offenders, making it nearly impossible to intercept communications even with court warrants. This creates a major hurdle in investigating serious crimes like child sexual exploitation, terrorist funding, and drug trafficking. Adding to the challenge are anonymity tools such as The Onion Router (Tor), Virtual Private Networks (VPNs), the Invisible Internet Project (I2P), and proxy chains, which allow criminals to mask their identities while operating on darknet marketplaces that trade in illegal drugs, counterfeit currency, and weapons.
Tracing a suspect's real Internet Protocol (IP) address becomes a cat-and-mouse chase, and conventional forensic techniques often fail without advanced open-source intelligence systems and darknet monitoring tools. Cryptocurrencies such as Bitcoin and privacy coins like Monero have opened another front: criminals now launder money through thousands of untraceable digital wallets, beyond the reach of traditional banks. A new threat looms in the form of AI-generated content: deepfake videos, synthetic voices, and AI-written text used to spread misinformation, commit fraud, and harass victims. "These tools can destroy reputations within seconds, while investigators struggle to prove the authenticity of digital evidence, develop forensic AI tools to detect manipulated content, and keep pace with technologies that are evolving far faster than the legal frameworks meant to contain them," explains Kolkata student Anurag Roy.
Shukla was part of a government-commissioned study that investigated Chinese-manufactured phones after Lithuania banned a particular model in 2022 for allegedly being used to send user data abroad. His team found that even without SIM cards, these phones connected to numerous overseas IP addresses, including those that were blocked. Comparisons with other Chinese brands, a South Korean and an Indian model revealed a similar pattern. "The problem was pre-installed bloatware, extra apps added by manufacturers for profit that can't be removed but silently collect data," says Shukla. Unlike South Korea and China, which mandate disclosure or uninstall options, India has no such rules.
Yet, tools and technology alone may not be enough to solve everything. "When hackers operate from other countries, it is difficult to track their identities, and even harder to recover stolen money," says Mrinmoy Banerjee, Officer-in-Charge, Cyber-fraud recovery section, Cybercrime branch, Kolkata Police. He emphasises that in investigations, "it is human intelligence that makes the difference".
FIGHTING BACK
On the other hand, AI is reshaping cybersecurity, providing defenders with powerful tools to outpace evolving threats. By automating routine tasks and analysing massive volumes of data, AI can detect anomalies early, prioritise alerts, and uncover hidden risks. It can classify vulnerabilities, automate patching, manage system configurations, and even act as a virtual Chief Information Security Officer to guide decision-making. Emerging AI agents could further help teams optimise scarce resources.
Large language models (LLMs) are adding another layer of defence. They can analyse attacker behaviour, questions, and linguistic patterns to refine threat-intelligence systems. This helps cybersecurity teams enhance content analysis and triage, and strengthens real-time monitoring for vulnerabilities, such as zero-day exploits. Advanced systems using behavioural analysis, network segmentation, and machine learning can also contain breaches and limit attacker persistence.
A promising frontier is embedding LLMs in honeypots, decoy systems or networks set up to lure cyber-criminals so that defenders can track them and understand how they attack without putting real systems in danger. Unlike static traps, LLM-powered honeypots can engage in human-like conversations, adapting to attacker behaviour in real time. This prolongs engagement, misleads intruders, and reveals their methods and intentions, providing defenders with valuable intelligence.
India needs more trained professionals, education, and funding in cybersecurity to combat attacks on both individuals and the country.
This October, Threatcop will launch what it calls Cybersecurity Olympics — a contest in cybersecurity with participants resolving real-life challenges — to drive home the point that awareness doesn't have to be boring. "The goal is simple: make security culture something people enjoy participating in, not something they avoid," Kushwaha adds.