Digital Arrest Investigation Procedures - CCITR

The document outlines the procedures for investigating 'Digital Arrest' scams, where fraudsters impersonate law enforcement to extort money from victims. It details the scammers' tactics, the money laundering process through multiple layers of mule accounts, and the steps for collecting evidence and conducting investigations. Additionally, it provides guidelines for seizing digital devices and analyzing forensic data to trace the fraudsters and recover funds.

Uploaded by

athul
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
58 views14 pages

Digital Arrest Investigation Procedures - CCITR

The document outlines the procedures for investigating 'Digital Arrest' scams, where fraudsters impersonate law enforcement to extort money from victims. It details the scammers' tactics, the money laundering process through multiple layers of mule accounts, and the steps for collecting evidence and conducting investigations. Additionally, it provides guidelines for seizing digital devices and analyzing forensic data to trace the fraudsters and recover funds.

Uploaded by

athul
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

CENTRE FOR CYBERCRIME INVESTIGATION TRAINING & RESEARCH

DIGITAL ARREST
Investigation Procedures

WHAT IS DIGITAL ARREST?
Scammers often contact and scare potential victims over phone, claiming that the
victim has either sent or is supposed to receive a package containing illegal items
such as drugs, counterfeit passports, or other contraband items.

The scammers then demand money to resolve the "case." Occasionally, unsuspecting victims are coerced into a "Digital Arrest," where they must stay visible to the scammers via Skype or any other video conferencing platform until the demands are met. The scammers enhance their credibility by operating from studios designed to look like police stations or government offices and wearing uniforms to appear authentic.

HIGHLIGHTS

Fraudsters obtain the victim's information from a breached database or other sources.

Fraudsters utilise video call platforms like Skype to defraud.

Fraudsters pose as police, CBI, NCB officials, and wear uniforms to appear authentic.

Victims, believing the call to be from a legitimate source, pay a hefty amount.

CCITR | Digital Arrest Investigation Procedures


DIGITAL ARREST MODUS OPERANDI

Fraudsters typically call potential victims over the phone, informing them that a parcel is detained.

Fraudsters threaten the victim that he is involved in sending/receiving a parcel containing illegal drugs, fake passports, etc.

Fraudsters will be posing as police, CBI, and NCB, wearing uniform to appear authentic.

Victims are forced to stay visible on Skype or other video apps, undergoing "digital arrest."

Fraudsters demand money from victims to settle the case.

[Picture depicting a fraudster posing as a police officer] [Picture depicting seizure list sent by fraudster to victim]

DIGITAL ARREST MONEY TRAIL

Victim transfers funds to the fraudulent account, after which the money moves through the following layers (four observed modus operandi):

Modus-1: 1st layer: mule bank account. 2nd layer: transfer fund to abroad mule bank account. 3rd layer: transfer fund to abroad bank account (kingpin). 4th layer: cash withdrawal.

Modus-2: 1st layer: mule bank account. 2nd layer: secondary mule account. 3rd layer: transfer funds to foreign bank account (kingpin). 4th layer: cash withdrawal.

Modus-3: 1st layer: mule bank account. 2nd layer: secondary mule account. 3rd layer: convert into crypto USDT (P2P transaction). 4th layer: transfer of crypto to abroad vendor & convert into digital currency.

Modus-4: 1st layer: mule bank account. 2nd layer: secondary mule account. 3rd layer: purchase of burner credit card via cash. 4th layer: invest in crypto / purchase of products.

NOTE: First and second layer mule account holders follow instructions from the kingpin, and all
conversations typically occur on Telegram.

In the first layer of the transaction, the initial beneficiary is often a mule account
operated by someone who is usually unaware of the criminal activities.

In the second layer, most transactions are transferred to different mule accounts,
where the account holders are partially aware of the fraudulent activities. These
accounts may be located in India or abroad, such as in Dubai.

In the third layer, funds from various bank accounts are transferred to the foreign bank account of the kingpin, who typically resides outside the country. In some cases, the funds are converted into cryptocurrency on exchanges like Binance using P2P transactions, where the fraudster pays high fees to exchange currency with a crypto vendor. In some cases, a burner credit card is purchased using cryptocurrency or foreign currency.

In the final stage, common activities include withdrawing cash, storing funds in non-custodial crypto wallets, converting Indian Rupees into foreign currencies like dollars, purchasing goods, or in some cases, converting cryptocurrency back into fiat currency through foreign P2P vendors, such as those in Dubai.
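The layered money trail described above, as an added example that is not part of the CCITR document: it walks constructed transfer records from the victim's account outward, labels each account with the layer at which it first received the victim's funds, and locates the endpoints where the trail leaves the traced banking path. All account identifiers and amounts are constructed placeholders.

```python
# Added example, not from the CCITR document: traces the layered money trail
# over constructed transfer records. Account names and amounts are placeholders.
from collections import deque

# Constructed records: (from_account, to_account, amount_inr, channel)
TRANSFERS = [
    ("VICTIM-ACC", "MULE-A", 500000, "NEFT"),
    ("VICTIM-ACC", "MULE-B", 300000, "IMPS"),
    ("MULE-A", "MULE-C", 450000, "UPI"),
    ("MULE-A", "MULE-D", 40000, "UPI"),
    ("MULE-B", "MULE-E-DUBAI", 290000, "SWIFT"),
    ("MULE-C", "P2P-VENDOR-X", 440000, "IMPS"),      # cash-out to crypto P2P vendor
    ("MULE-E-DUBAI", "KINGPIN-FOREIGN", 280000, "WISE"),
    ("MULE-D", "BURNER-CARD-CO", 39000, "UPI"),
    ("MULE-C", "MULE-A", 5000, "UPI"),               # small back-transfer (noise)
]

def build_graph(transfers):
    """Map each account to the (beneficiary, amount, channel) hops it sent."""
    graph = {}
    for src, dst, amount, channel in transfers:
        graph.setdefault(src, []).append((dst, amount, channel))
        graph.setdefault(dst, [])
    return graph

def assign_layers(transfers, victim):
    """Breadth-first walk from the victim: layer 1 = initial beneficiaries, layer 2 =
    accounts they forwarded to, etc. An account keeps the lowest layer it is reached at."""
    graph = build_graph(transfers)
    layers, queue = {}, deque()
    for dst, _, _ in graph.get(victim, []):
        if dst not in layers:
            layers[dst] = 1
            queue.append(dst)
    while queue:
        acct = queue.popleft()
        for dst, _, _ in graph[acct]:
            if dst not in layers:
                layers[dst] = layers[acct] + 1
                queue.append(dst)
    return layers

def endpoints(transfers, victim):
    """Accounts that received traced funds but forwarded nothing: where the trail
    leaves the banking system (crypto exchange, foreign bank, card issuer)."""
    graph = build_graph(transfers)
    return sorted(a for a in assign_layers(transfers, victim) if not graph[a])

def inflow_by_layer(transfers, victim):
    """Total INR arriving at each layer over forward hops only (back-transfers ignored)."""
    layers = assign_layers(transfers, victim)
    totals = {}
    for src, dst, amount, _ in transfers:
        if dst not in layers:
            continue
        if layers.get(src, 0) < layers[dst]:
            totals[layers[dst]] = totals.get(layers[dst], 0) + amount
    return totals

if __name__ == "__main__":
    print(assign_layers(TRANSFERS, "VICTIM-ACC"))
    print(endpoints(TRANSFERS, "VICTIM-ACC"), inflow_by_layer(TRANSFERS, "VICTIM-ACC"))
```

The inflow totals show where the bulk of the funds sits at the moment of the freeze request, and the endpoint list shows which accounts need a different kind of notice (exchange, foreign bank or card issuer) rather than a domestic bank freeze.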



INVESTIGATION PROCEDURES

1. REGISTRATION OF COMPLAINT: Written complaint with relevant sections of law for FIR registration.

2. DOCUMENTS TO BE COLLECTED FROM VICTIM: IO has to collect all the required documents/evidence from the victim.

3. DOCUMENTS TO BE COLLECTED FROM INTERMEDIARIES: IO has to collect information from intermediaries such as banks, payment gateway, wallets, cryptocurrency exchanges, messengers.

4. SEARCH & SEIZURE PROCEDURE: Best practices for search & seizure of electronic device should be followed.

5. EXPERT OPINION FROM FSL & FINAL REPORT: Seeking expert opinion from FSL/CFSL and final report of the case.

REGISTRATION OF COMPLAINT

Probable sections of law for registration of complaint: Section 66C/66D of Information Technology Act 2000, section 419, 420, 384 of IPC (Section 319(2), 318(2), 308(6), 308(7), 308(2) BNS 2023)

DOCUMENTS TO BE COLLECTED FROM VICTIM


□ Duly attested screenshot/printout of text/video chat, supporting documents related to fraudulent financial transactions.

□ Details of alleged fraudulent call including Skype ID/phone numbers/emails/chatting platform, etc.

□ Beneficiary bank account number with IFSC code & other details

□ Beneficiary wallet/payment gateway/UPI payment details

□ Other details of the incidents along with written complaint



DOCUMENTS TO BE COLLECTED FROM INTERMEDIARIES

BANK
Notice u/s 91 CrPC (section 94 BNSS 2023) to bank to furnish details and freeze the account. Details to request: Bank Name, DoB, Phone number, Address, Email ID, PAN Number, Aadhaar Number, Bank Statement, Money Trail.

SKYPE/VIDEO PLATFORMS
Registration Details (Full Name, Email ID, Phone Number), Access Details (IP address logs with Timezone), Call History, Activity Logs/IP Address Logs. Use Epios Tool to fetch Skype ID from email address. If the fraudulent number is VOIP, then use Twilio tool.

UPI/PAYMENT GATEWAY
Details of fraudulent transaction, Payment gateway details, Beneficiary Payment account along with IFSC Code, Wallet registration and access details, Money Trail Details, Order history of the wallet, along with KYC.

TELECOM SERVICE PROVIDER
Subscriber Data Record (SDR), Call Details Record (CDR), Customer Application Form (CAF) along with KYC details, Certificate u/s 65B of Indian Evidence Act (Section 63(4) under Bharatiya Sakshya Adhiniyam, 2023).

INTERNET SERVICE PROVIDER
IPDR, MSISDN, IMEI, Destination IP Address, Cell ID, Certificate u/s 65B of Indian Evidence Act (Section 63(4) under Bharatiya Sakshya Adhiniyam, 2023).

Use the QR code below to retrieve information on banking/wallet nodal email IDs, a list of customized OSINT tools designed for investigation of digital arrest cases, and the notice format.

ccitr.in/da1 - Bank/UPI/Wallet Contact Details
ccitr.in/da2 - OSINT Tools for Digital Arrest Case
ccitr.in/da3 - Letter Notice Format

Investigation of Bank Account

Request Know Your Customer (KYC) information from the initial beneficiary accounts, wallets, etc., and continue this process for subsequent beneficiaries.

Compile a list of relevant payment gateways, wallets, and bank accounts, and send an email under section 91 of the Code of Criminal Procedure (91 CrPC) (section 94 BNSS 2023) to verify the existence of these accounts using the previously requested KYC information. If the accounts exist, request further details, including transaction history and account activity, to identify and investigate any fraudulent activities.

Establish the contact between first-layer mule account holders and the kingpin to gather more information and trace the kingpin. After arresting the first or second layer of account holders, analyze the modus operandi to understand the money trail.

Investigation of Foreign Bank Account

In the second layer, most funds are transferred to foreign bank accounts. Investigate the flow of these funds, which are often transferred via Wise with lower fees or through SWIFT transfers with other banks. Request the KYC details and transaction logs of these foreign bank accounts, correlate the KYC information, and if necessary, try to freeze any associated Indian assets.

After freezing the 2nd Beneficiary's account, please extract the KYC information from the fraudulent account and send it to all intermediaries to check if any accounts exist with the same KYC details. Use OSINT Tools from the QR code below to extract more details of the accused.
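The KYC cross-check described above, as an added example that is not part of the CCITR document: given the KYC fields pulled from a frozen beneficiary account, it finds every other account held at any intermediary that shares a normalised phone number, email, PAN or Aadhaar with it. All records are constructed sample data, and the phone, PAN and Aadhaar values are placeholders, not real identifiers.

```python
# Added example, not from the CCITR document: matches the KYC of a frozen
# account against KYC responses from other intermediaries. Sample data only.
import re

# Constructed KYC responses from several intermediaries (one dict per account).
KYC_RECORDS = [
    {"intermediary": "BANK-1", "account": "XXXX1234", "name": "Ravi K",
     "phone": "+91 98765-43210", "email": "Ravi.K@example.com", "pan": "abcde1234f", "aadhaar": "1234 5678 9012"},
    {"intermediary": "WALLET-1", "account": "wallet-77", "name": "R Kumar",
     "phone": "9876543210", "email": "other@example.com", "pan": "", "aadhaar": ""},
    {"intermediary": "EXCHANGE-1", "account": "uid-501", "name": "Ravi Kumar",
     "phone": "", "email": "ravi.k@example.com", "pan": "ABCDE1234F", "aadhaar": ""},
    {"intermediary": "BANK-2", "account": "XXXX9999", "name": "Unrelated",
     "phone": "9000000000", "email": "someone@example.com", "pan": "ZZZZZ9999Z", "aadhaar": ""},
]

def normalise(record):
    """Canonical forms so cosmetic differences (spacing, case, +91) do not hide a match."""
    phone = re.sub(r"\D", "", record.get("phone", ""))
    if len(phone) == 12 and phone.startswith("91"):   # drop India country code
        phone = phone[2:]
    return {
        "phone": phone,
        "email": record.get("email", "").strip().lower(),
        "pan": record.get("pan", "").strip().upper(),
        "aadhaar": re.sub(r"\D", "", record.get("aadhaar", "")),
    }

def shared_identifiers(a, b):
    """KYC fields on which two records agree; blank fields never count as a match."""
    na, nb = normalise(a), normalise(b)
    return sorted(f for f in na if na[f] and na[f] == nb[f])

def linked_accounts(seed, records):
    """Accounts at any intermediary sharing at least one identifier with `seed`,
    returned as (intermediary, account, matched_fields) tuples."""
    hits = []
    for rec in records:
        if rec is seed:
            continue
        fields = shared_identifiers(seed, rec)
        if fields:
            hits.append((rec["intermediary"], rec["account"], fields))
    return hits

if __name__ == "__main__":
    frozen = KYC_RECORDS[0]   # KYC of the frozen 2nd-layer beneficiary
    for intermediary, account, fields in linked_accounts(frozen, KYC_RECORDS):
        print(f"{intermediary}:{account} shares {', '.join(fields)} with the frozen account")
```

A hit on a single shared field (a phone number alone) is a lead to verify with the intermediary, not proof that the account belongs to the same person.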

Investigation of Crypto Funds

In the third layer most of the funds are converted into cryptocurrency such
as USDT, BTC, or ETH using P2P transaction platforms. If the amount is
transferred to any crypto traders, request the following details:

1. UserID/Email ID of the crypto buyer and the name of the exchange
2. Cash transfer method (e.g., delivery service, UPI, IMPS) and the type and amount of cryptocurrency transferred
3. Any conversation records
4. The crypto address (if available)
5. Screenshots



Investigation of Cryptocurrency Transaction in Third Layer

2nd Layer Mule Account -> Amount is transferred to P2P vendor -> Crypto Exchange -> Cryptocurrency is transferred to non-custodial wallet or custodial wallet -> Cryptocurrency converted back into fiat currency through foreign vendors -> P2P vendors transfer the amount to the kingpin's bank account, and the cash is withdrawn abroad -> Kingpin Account

After retrieving the user ID of the crypto buyer from P2P Vendor, request
the user details from the exchange. If you obtain the wallet address, use
"Arkham Intelligence" or any other free crypto tracing tool to identify the
endpoint exchange of the transaction.

Under Section 91 of the CrPC (section 94 BNSS 2023) or with a court order, request the exchange's KYC details and freeze the account if necessary.

Burner Credit Cards

In many cases, funds are transferred to services like Zeroforex cards such as
Niyo Global, or the fraudster will purchase disposable credit cards. In such
instances, request details from these services.

Ultimately, tracing the banking money trail or cryptocurrency trail with the
help of KYC and other transaction details will assist in arresting the
kingpin.




Investigate Skype Numbers and other Messengers

Submit the Skype number to Microsoft's portal (https://leportal.microsoft.com) to obtain further information, and request details from the respective platforms for further investigation if you encounter any other messengers.

In most cases the IP logs received from Microsoft Skype belong to the Cambodia region, which indicates that the video call was made from Cambodia. Attempt to gather IP addresses that belong to Indian jurisdiction.

If the accused is online on WhatsApp and using a VOIP number, use a packet-capturing OSINT tool to obtain their IP address (refer to the OSINT Tool list).

First and second layer mule account holders follow instructions from the kingpin, and all conversations typically occur on Telegram. Request details from the Telegram app under Section 91 of the CrPC (section 94 BNSS 2023) for registration and access details.

Screenshots of Video Calls:

If a screenshot of a Skype call is provided, perform a reverse image search to identify the person (refer to the OSINT Tool list).

Investigate Emails

If a fake police notice is sent via email by the fraudster to the victim, use
OSINT tools to gather information about the email. Then, retrieve details
from the email service provider under 91CrPC (section of 94 BNSS 2023).

CDR/IPDR Analysis

Request Call Detail Records (CDR) and Internet Protocol Detail Records
(IPDR) to understand the suspect's browsing history.

Based on the IPDR, use the Netinfo tool to analyze their browsing patterns. For example, if the individual connects to Domino's server, it may indicate they have an account with Domino's and are placing orders.
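The CDR/IPDR analysis described above, as an added example that is not part of the CCITR document: it parses constructed IPDR and CDR lines, summarises which destination IPs the suspect's device talked to most, and lists the data sessions that overlap the call window recorded in the CDR. The destination IPs, the MSISDNs and the IP-to-service lookup table (standing in for a Netinfo-style lookup) are all constructed placeholders.

```python
# Added example, not from the CCITR document: IPDR browsing-pattern summary and
# correlation with a CDR call window. All records and IPs are constructed samples.
from datetime import datetime, timedelta

# Constructed IPDR lines: msisdn|start|end|dest_ip|dest_port|bytes
IPDR = """\
9876543210|2024-05-01 10:02:11|2024-05-01 10:02:40|203.0.113.5|443|18000
9876543210|2024-05-01 10:15:00|2024-05-01 11:40:30|198.51.100.7|443|52000000
9876543210|2024-05-01 10:20:05|2024-05-01 10:21:00|203.0.113.5|443|24000
9876543210|2024-05-01 13:05:00|2024-05-01 13:06:10|192.0.2.9|443|9000
9876543210|2024-05-01 13:07:00|2024-05-01 13:08:00|198.51.100.7|443|400000
"""
# Constructed CDR line for the reported call: caller|callee|start|duration_s
CDR = "9876543210|9123456789|2024-05-01 10:14:30|5100"
# Constructed lookup standing in for a Netinfo-style IP-to-service table.
SERVICE_LOOKUP = {"198.51.100.7": "video-conferencing", "203.0.113.5": "payment-app"}

FMT = "%Y-%m-%d %H:%M:%S"

def parse_ipdr(text):
    """Turn pipe-separated IPDR lines into session dicts with datetime fields."""
    sessions = []
    for line in text.strip().splitlines():
        msisdn, start, end, ip, port, nbytes = line.split("|")
        sessions.append({"msisdn": msisdn, "start": datetime.strptime(start, FMT),
                         "end": datetime.strptime(end, FMT), "ip": ip,
                         "port": int(port), "bytes": int(nbytes)})
    return sessions

def destination_summary(sessions):
    """Per destination IP: session count, total bytes, and service label if known."""
    summary = {}
    for s in sessions:
        entry = summary.setdefault(s["ip"], {"sessions": 0, "bytes": 0,
                                             "service": SERVICE_LOOKUP.get(s["ip"], "unknown")})
        entry["sessions"] += 1
        entry["bytes"] += s["bytes"]
    return summary

def sessions_during_call(sessions, cdr_line):
    """IPDR sessions that overlap the call recorded in the CDR line."""
    _, _, start, duration = cdr_line.split("|")
    call_start = datetime.strptime(start, FMT)
    call_end = call_start + timedelta(seconds=int(duration))
    return [s for s in sessions if s["start"] <= call_end and s["end"] >= call_start]

if __name__ == "__main__":
    sessions = parse_ipdr(IPDR)
    print(destination_summary(sessions))
    print([(s["ip"], s["bytes"]) for s in sessions_during_call(sessions, CDR)])
```

The large-volume session that overlaps the call window is the one worth a follow-up request to the destination service, since a video call is what the IPDR is expected to show at that time.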




SEARCH & SEIZURE PROCESS

1. Identify mobile/laptop used for offence.

2. Seizure of the mobile phone/Laptop & other devices.

3. Follow steps if computer is in switched off/on condition (procedure for gathering evidence from switched Off/On computers).

4. If forensic tools are available, create a forensic image copy. Otherwise, send the device to the nearest forensic lab.

SEEK EXPERT OPINION FROM FSL ON FOLLOWING ARTIFACTS AVAILABLE IN SEIZED MOBILE PHONE HANDSET/COMPUTER

Video conferencing applications like Skype installed on the device, or the email account used to create the video conference platform

Bank account transaction messages and other financial information

Image/document editing tools which were used to edit the police notice

Any deepfake application used to impersonate police officers

Victim details like UPI/profile ID/wallets

Breached database from which the suspect has accessed victim details like phone numbers, address, PAN card number, credit/debit card number etc.



Disk Forensics Artifacts

Password manager (credentials)
Installed programs (Photoshop/editing apps/crypto wallets)
Applications (Skype/Telegram/WhatsApp apps)
Files and documents
Browsing history
Virtual machine/emulators

Installed Programs: Search for the evidence of installation of cryptocurrency wallets, as well as video conferencing applications and video/photo editing software that may have been used to alter images or documents related to the fraud.

Files and Documents: Investigate for breached databases that the accused may have used to obtain victim information, and search for documents related to fake identity cards, police notices, or other incriminating evidence of digital arrest fraud.

Browsing History: Identify suspicious URLs that may indicate fraudulent activity, and check for saved password logins related to banking, cryptocurrency exchanges, or payment portals.

Applications: Review installed apps like Skype, Telegram, and WhatsApp for incriminating conversations or files, and search for evidence of communication or transactions related to the fraud.

Password Manager: Check if a password manager is installed on the suspect's machine, and extract and review saved credentials for potential links to fraudulent activities.

Mobile Forensics Artifacts

Password manager (credentials)
Installed applications (Wallets/banking apps/crypto wallets)
Net banking credentials
Photos/videos
Files and documents
Messenger conversations (Skype/Telegram/WhatsApp)
Browsing history

Installed Apps: Search for installed apps on Android or iOS devices that could be related to fraudulent activities, such as payment apps like PhonePe, Google Pay, PayPal, and various cryptocurrency wallets.

Files and Documents: Examine the phone's file manager for any incriminating evidence that might be stored in files and documents on the device.

Browsing History: Identify suspicious URLs that may indicate fraudulent activity, and check for saved password logins related to banking, cryptocurrency exchanges, or payment portals.

Messenger Conversations: Retrieve chat information from messaging apps such as Telegram, WhatsApp, and Skype. If chats have been deleted, try to recover them from cloud backups.

Photos and Videos: Search the device for photos and videos that may
contain incriminating evidence related to the case.




FINAL REPORT

The investigating officer should make all efforts to establish a correlation between collected evidence and allegations. This can be achieved by properly seizing the device, obtaining an expert opinion, and examining other documentary and oral evidence.

Incorporate the chain of custody form highlighting the actions and activities performed on seized articles.

Certificate u/s 65B of Indian Evidence Act (Section 63(4) under Bharatiya Sakshya Adhiniyam, 2023), Certificate u/s 2A Bankers Book of Evidence Act and Self-Attestations wherever necessary.

Proper analysis of the Bank account statement of the fraudster is to be made, and the money trail to be identified.

Citizens are advised to be alert and spread awareness about these types of frauds. Upon receiving such calls, citizens should immediately report the incident to the cybercrime helpline number 1930 or visit www.cybercrime.gov.in for assistance.

Author
Manjesh P Shetty,
Consultant, Data Security Council of India



RESEARCH PUBLICATIONS

MONTHLY NEWSLETTER

Centre for Cybercrime Investigation Training & Research,
2nd Floor, Annexe-2 Building, CID HQRS, # 1, Carlton House,
Palace Road, Bengaluru, Karnataka - 560001
080-2209436 | spccpscid@ksp.gov.in
