New Delhi: The Delhi Police Crime Branch has uncovered a sophisticated cyber-laundering network that used Chinese-controlled mobile apps and fake company bank accounts to convert proceeds of cyber fraud into cryptocurrency. Two suspects have been arrested, and investigators say the racket spans multiple states with links to foreign handlers.

Elderly Victim Defrauded of ₹33.10 Lakh in Stock Investment Scam

The investigation began after an elderly Delhi resident filed an online FIR reporting a ₹33.10 lakh loss in a fake stock investment scheme. According to DCP (Crime Branch) Aditya Gautam, the victim was lured with promises of high returns before the money was siphoned off through multiple fake entities.

A team led by Inspector Ashok Kumar traced the fund trail and discovered that the money had been split and deposited across fake company accounts to obscure its origin.

Ayodhya Resident First Arrested After Fake Company Account Identified

Police found that ₹10.38 lakh was transferred to the bank account of a fictitious company named Belcrest. The account holder, Lakshya Singh of Ayodhya, was arrested on November 19.

Singh admitted he opened the account using forged documents provided by another accused, Shubham, in exchange for ₹20,000. He claimed no knowledge of the fraud and said he simply “rented out” his account.

Mastermind Shubham Nabbed Through IP Tracking of Social Media Accounts

Shubham had been evading arrest by frequently switching mobile numbers and locations. However, Crime Branch officers traced him using the IP address of his Instagram account, eventually leading to his arrest in Tilak Nagar.

During interrogation, he confessed to working under the instructions of a foreign handler, helping move fraudulent funds through India-based shell companies.

Chinese-Controlled “Cool” App Used to Convert Stolen Funds Into Cryptocurrency

A major breakthrough in the case was the discovery that the gang used a Chinese-controlled app named “Cool” to convert stolen money into cryptocurrency.

How the laundering network operated:

• Victim funds were funneled into accounts of shell companies.
• Money was then transferred to the Cool app.
• The app was used to buy cryptocurrency on behalf of the foreign handler.
• Crypto assets were sold abroad, making the money difficult to trace.
• Shubham received a commission in cryptocurrency for each transaction.

Police say this method allowed the network to bypass traditional financial checkpoints and move money across borders instantly.

Suspect Tried to Destroy Evidence After Accomplice’s Arrest

After learning of Singh’s arrest, Shubham attempted to destroy crucial evidence by burning the cheque book and SIM card associated with the Belcrest account. Despite this, police recovered his mobile phone, containing key chats, logs, and transaction details with foreign handlers.

Investigators have also identified six additional fake companies linked to the same network.

Probe Expands as Police Track Foreign Handler and More Associates

Delhi Police are now tracing other members involved in the cyber-laundering ring and working to identify the overseas handler who coordinated the movement of funds.

Officials say the case highlights how Chinese apps, fake companies, and cryptocurrency are increasingly being used to launder cybercrime proceeds in India.

Ahmedabad / Gandhinagar: Gujarat Police have exposed one of the most organized international cyber-trafficking networks in South and Southeast Asia, centered on 29-year-old Nilesh Purohit, also known as Neel or “The Ghost.” Purohit is accused of orchestrating a transnational pipeline that lured job seekers and forced them into cyber-fraud camps abroad.

The operation reportedly affected over 500 victims in under two years, spanning India, Pakistan, China, Myanmar, Cambodia, Vietnam, and Thailand.

Airport Arrest Prevents Escape

On November 16, 2025, Gujarat Police intercepted Purohit at Sardar Vallabhbhai Patel International Airport in Ahmedabad as he attempted to flee to Malaysia. Officials say that even a few minutes’ delay could have allowed him to evade capture, earning him the moniker “The Ghost.”

Purohit faces five FIRs across Gujarat, Maharashtra, and West Bengal, with charges including human trafficking, cheating, and cybercrime. He has been remanded to Sabarmati Central Jail, and the CBI has opened investigations into his role in multiple international cyber-slavery cases.

Building a Transnational Cyber Empire

Investigators say Purohit’s criminal network expanded rapidly after moving to Dubai in early 2024, where he gained exposure to cyber-crime operations and forged links with Pakistani and Chinese agents. He later traveled to Thailand and Myanmar, operating in hubs like KK Park in Myawaddy Township, known for coercing trafficked workers into online scams.

The Recruitment Model: Recruit, Funnel, Coerce

Purohit reportedly ran a sub-agent network of 126 operatives across India, with connections to over 30 Pakistani agents and 100+ foreign companies. Victims were recruited with promises of legitimate jobs abroad and transported via a route: Bangkok → Tak (Thailand) → jungle trek → Moei/Thaungyin River → Myawaddy, Myanmar.

Victims were primarily sourced through WhatsApp, Telegram, Facebook, and Instagram, often reinforced by word-of-mouth in smaller towns.

Financial Mechanics: High Earnings and Crypto Transfers

For each victim trafficked, Purohit allegedly earned ₹1.76 lakh to ₹3.96 lakh, using mule bank accounts and multiple cryptocurrency wallets (including Binance) to obscure the financial trail. These transfers corresponded with increased recruitment activity from October 2024 onward.

Inside KK Park: Contracts, Coercion, and Cyber-Fraud Operations

At the camps, victims were forced to sign two-year contracts with early-exit penalties of ₹3.5–₹5 lakh. Those resisting faced physical and psychological abuse. Tasks included phishing, crypto scams, Ponzi schemes, investment fraud, and romance scams, targeting individuals worldwide.

Several victims remain too traumatized to report incidents, prompting authorities to file FIRs on behalf of the State in some cases.

Breaking the Chain: Sub-Agents Lead to Purohit

Intelligence gathered in November led to arrests of sub-agents Hitesh Arjan Somaiya (Porbandar) and Sonal Faldu (Junagadh), both of whom identified Purohit as their handler. At least 22 youths from Gujarat have been linked directly to his trafficking operations, with investigations ongoing in other states.

Repatriations and Regional Efforts

Coordinated operations between India, Thailand, and Myanmar have facilitated the repatriation of over 4,000 Indian citizens from scam camps. Myanmar authorities, under international pressure, have conducted repeated crackdowns, though many trafficked individuals fled during raids.

Policy and Enforcement Challenges Ahead

The case highlights the growing complexity of borderless cybercrime, social-media-based recruitment, and crypto-monetized human trafficking. Authorities emphasize the need for cross-border cooperation to dismantle both the supply and demand sides of these networks.

A senior officer remarked:
“This isn’t just cybercrime; it is the most predatory face of modern human trafficking, powered by the internet and monetized through crypto.”

ew Delhi: A startling twin data-wipe incident at the Indian Council of Agricultural Research (ICAR) and its recruitment body, the Agricultural Scientists Recruitment Board (ASRB), has triggered serious concerns over systemic vulnerabilities, potential insider involvement and the possibility of a larger cover-up. Sensitive data vanished first from ICAR’s primary server in New Delhi in February, and within days, an identical wipe-out occurred in the backup system stored at the Disaster Recovery Centre (DRC) in Hyderabad.

Despite clear government protocols, the institution reported the matter late, refrained from issuing any detailed official statement, and initiated formal inquiry procedures only after weeks of delay — developments that have fuelled suspicion that this was more than a routine cybersecurity lapse.

How the ICAR–ASRB Data Disappeared

According to officials familiar with the matter, the first indications of a breach surfaced in early February, when recruitment and evaluation documents maintained by the ASRB became inaccessible. At first, the disruption was assumed to be a temporary technical fault. But preliminary checks quickly revealed that several key files had been erased from the Delhi server.

What deepened the crisis was the discovery, days later, that the Hyderabad DRC — which is meant to act as the final safeguard against system failure — had an identical set of deletions. The simultaneous loss of primary and backup datasets is seen by cybersecurity professionals as highly unusual and extremely difficult to execute without deliberate intervention.

Experts point out that such matching patterns of deletion are not characteristic of common system errors or random glitches. The incident, they say, points either to a deep-level targeted cyberattack or to internal interference by an individual with high-level administrative access.

What Data Went Missing

The data erased from the ICAR–ASRB ecosystem covered several critical operational functions, including:

• Recruitment applications and candidate records
• Eligibility assessments, evaluation sheets and interview marks
• Key documents related to research projects
• Vigilance and disciplinary records
• Internal communication logs and administrative files

These records form the backbone of ICAR’s recruitment, research oversight and institutional governance framework. Their disappearance raises questions not only about the integrity of ongoing processes, but also about past selections, assessments and project monitoring.

Silence From India’s Top Agricultural Research Body

One of the most contentious aspects of the episode has been ICAR’s muted response. Despite the scale of the incident, the institution did not issue an immediate public statement. Sources indicate that the mandatory reporting to central cybersecurity agencies was also delayed, in violation of standard protocols that require immediate notification in cases of data breach or deletion.

Experts call this delay a “serious procedural lapse.”
According to a senior cybersecurity analyst:

“When both primary and backup servers show identical data loss, it is a clear red flag. Such a situation warrants instant escalation and a coordinated response. ICAR’s slow and guarded reaction is unusual for an incident of this magnitude.”

Delays, Missing Logs and Fear of a Cover-up

By March, the pattern of the deletions had become clearer, but the formation of a formal inquiry committee within ICAR reportedly took longer than expected. Meanwhile, several essential system logs — crucial for forensic examination — were not preserved in time, weakening the prospects of a full technical audit.

These lapses have intensified concerns among experts that the data erasure may not have been accidental. Some believe the deletions may have been intended to remove sensitive information related to recruitments, evaluations or vigilance matters. While no official confirmation has been provided, the possibility of insider involvement remains open.

Is the Cyberattack Angle Still Valid?

Technical teams have not ruled out the possibility of an external cyberattack. However, they have found no clear evidence of widespread intrusion, ransomware signatures or system compromise typically associated with major cyber offensives.

Even so, some specialists believe that if a cyberattack did occur, it would have been highly sophisticated and specifically designed to target selected records without triggering large-scale alerts.

What Next?

The twin data wipe has exposed glaring weaknesses in the cybersecurity and administrative oversight mechanisms of one of India’s most critical research institutions. As ICAR plays a central role in shaping agricultural policy, research and human-resource capacity, the loss of such critical data is expected to have long-term implications.

Calls for a high-level, independent investigation are growing. Experts emphasize that unless ICAR provides a transparent account and preserves all remaining digital evidence, questions over whether this was a cyber breach or an orchestrated clean-up will continue to loom.