Commentaries

Evolving Threats in India's Cybersecurity Landscape: From Phishing to Steganography

PUSHKAR PATHAK
May 21, 2025

The end of the 20th century witnessed a significant boom in global computerization, with India emerging as a primary beneficiary and a global leader in IT services. This technological revolution created job opportunities for a large segment of the youth and now contributes approximately 10% of India's GDP. Over the past 25 years, Indians have come to occupy top leadership roles in numerous global IT and technology-driven companies.

Rapid technological advancements have transformed everyday life in India in the last decade. Mobile connectivity, paired with affordable internet, has penetrated even the country's most remote corners. As of early 2025, India had approximately 1.12 billion active mobile connections, accounting for nearly 76.6% of the total population of 1.46 billion. Smartphone usage has also surged, with around 712 million users and a penetration rate of 48.8%.

Today, smartphones are far more than communication devices. Voice calling is one of many features, and often not the primary one. However, not all mobile users in India are technologically literate. With the growth of digital access, the misuse of such technologies, particularly for financial fraud, has also escalated. Financial fraud is not a new phenomenon; it has been a part of trade and finance for a long time. What has changed is its adaptation to emerging digital platforms and tools.

In the financial year 2024–25 alone, there were 29,082 reported cyber fraud cases involving sums of ₹1 lakh and above, resulting in total financial losses of ₹177.05 crore.

Jamtara to Nuh: Evolution of Phishing

Jamtara in Jharkhand has long been associated with phishing and cyber fraud in India, as numerous incidents across the country have been traced back to this region. Hackers operating from Jamtara deploy a wide array of cybercrime techniques—including SMS phishing, app-based phishing, malware, spyware, adware, click fraud, man-in-the-middle (MitM) attacks, SIM swapping, social engineering, fake app cloning, and even digital arrest scams.

In recent years, Nuh district (formerly known as Mewat) in Haryana has emerged as a significant cybercrime hotspot, drawing national attention for its deepening involvement in organized phishing and digital fraud operations. Investigations have revealed that cybercriminals operating from Nuh have adopted increasingly sophisticated methods once primarily associated with Jamtara in Jharkhand, such as encrypted messaging platforms, cloned mobile apps, and spoofed caller IDs, to target unsuspecting victims across India.

On April 28, 2023, law enforcement authorities launched a massive crackdown in Nuh, conducting raids across 14 villages with 102 teams comprising over 5,000 police personnel, resulting in the detention of 125 suspects. According to the Haryana Police, this operation led to the unearthing of over 28,000 cybercrime cases linked to frauds committed nationwide, with cumulative losses estimated at ₹100 crore. Again, in May 2024, a follow-up operation resulted in the arrest of 40 youths from various parts of Nuh in connection with additional cyber fraud cases. Nuh has since gained the label of the "new Jamtara".

Officials confirmed that the latest arrests were facilitated through advanced digital tools, notably the Indian Cyber Crime Coordination Centre's (I4C) 'Pratibimb' app, which enables real-time tracking of a suspected fraudster's phone location. The app has proven instrumental in enhancing operational efficiency and tactical precision in cybercrime investigations. These developments signal a concerning trend: cyber fraud networks are spreading geographically and becoming more technologically advanced, more organized, and harder to detect.

Digital Arrest Scams

Digital arrest scams have become a significant cyber threat, resulting in substantial financial losses. The modus operandi involves impersonating law enforcement officers or regulatory officials to intimidate victims into transferring money under the pretext of legal action. According to data presented in the Rajya Sabha: [1]

  • 2022: 39,925 cases; ₹91.14 crore defrauded
  • 2023: 60,676 cases; ₹339.03 crore defrauded
  • 2024: 123,672 cases; ₹1,935.51 crore defrauded
  • Jan–Feb 2025: 17,718 cases; ₹210.21 crore defrauded

This reflects a nearly threefold increase in cases from 2022 to 2024, while financial losses have increased more than twentyfold.

The Internationalization of Cybercrime

An alarming trend is the increasing victimization of Indian nationals by international cybercrime syndicates, especially in Southeast Asia. These individuals are lured by promises of lucrative overseas jobs, only to be trafficked and forced into operating fraudulent cyber centers, particularly along the Myanmar-Thailand border.

The Government of India has been actively engaged in diplomatic and intelligence efforts to rescue and repatriate such victims who were coerced into executing cyber scams under duress.

Steganography: A New Threat Vector

A recent incident in Jabalpur, Madhya Pradesh, exemplifies the next level of cyber fraud. A victim lost nearly ₹2 lakh after downloading an image file sent via WhatsApp from an unknown number. The scam leveraged a technique called steganography, specifically the Least Significant Bit (LSB) method, to conceal malware within the image.

Steganography is the art of concealing information within another file or medium to avoid detection. This can include hiding text, images, videos, or audio within another digital object. The word originates from the Greek words steganos (hidden) and graphein (to write). Steganography has historical roots—from messages carved into wood and concealed with wax in ancient Greece to invisible inks used in Roman times. Today, its digital form is a weapon of choice in cyber espionage and covert malware distribution.

Notable Incidents Involving Steganography

While not as common as other attack vectors, steganography has been a tool in high-profile cyber-espionage campaigns and malware delivery. Some notable examples include:

  • APT29 (Cozy Bear) – Operation Hammertoss targeting NATO, governments, and defense contractors (2015–2017)
  • APT32 (OceanLotus) – Stegano Malware targeting Southeast Asian governments and corporations (2017)
  • Sunburst Malware (SolarWinds Hack) – Impacted U.S. agencies and Indian tech firms (2020)
  • Lurk Banking Trojan – Attacked Russian financial institutions (2016–2018)
  • Stegoloader – Targeted Latin American banks (2019)
  • Vawtrak Banking Malware – Global Financial Targets (2015)
  • AdGholas Malvertising Campaign – Compromised ad networks (2017)
  • Operation Sharpshooter – Hit finance, energy, and defense sectors (2018)
  • RomCom RAT – Targeted Ukrainian military and Western organizations (2023)
  • Agent Tesla – Targeted companies in India, U.S., and Europe (2021–2023)

These incidents show how steganography, though rare, is deployed in highly sophisticated attacks often linked to state-backed or advanced persistent threat (APT) actors.

Conclusion

The evolution of cyber fraud in India underscores a disturbing trend: criminals are increasingly leveraging advanced and often untraceable technologies. Steganography, in particular, presents a severe challenge as it is almost impossible for ordinary users to detect. To counter these threats, the Indian government and financial institutions must modernize digital infrastructure, implement multi-level authentication protocols, and deploy geo-fencing and behavioral transaction analytics. The fight against digital crime must evolve as fast as the threats themselves.

NOTES

[1] Ministry of Home Affairs. (2025, March 12). Combating digital arrest, blackmail, and cyber impersonation of law enforcement agencies: Rajya Sabha Unstarred Question No. 1505. Government of India. https://rajyasabha.nic.in

Author Note
Pushkar Pathak is working as a System Analyst at the Indian Council of Social Science Research (ICSSR) and holds the additional responsibility of Chief Information Security Officer (CISO). Views are personal.