Cyber Crime Defence & Reporting

A fraudulent UPI debit, a phishing OTP that drained the salary account, a morphed photo on a public Telegram channel, a ransomware note on the office server — the response in the first 60 minutes decides whether you get the money back, whether the file moves at all, and whether anyone is eventually convicted. India's cyber-crime architecture in 2026 is layered: the 1930 helpline, the National Cyber Crime Reporting Portal, local police, cyber cells, CERT-In, the Data Protection Board, sectoral regulators, and the criminal courts. They each speak a different procedural language.

You need someone who knows where the report goes, what evidence to lock down before it is overwritten, which Section 63 BSA certificate to obtain from whom, and how to keep the bank's chargeback window from closing while the police file moves forward. Cyber Crime Defence & Reporting at Legal Suvidha is built around that timeline — golden-hour first, paperwork after.

At a Glance

• Who needs this: Victims of online fraud, phishing, identity theft, ransomware, doxxing and morphed-image cases; businesses facing data breaches; and anyone wrongly accused under IT Act or BNS cyber provisions.
• Governing law: IT Act 2000 (Sections 43, 65, 66, 66C, 66D, 67, 67A, 79); IT Rules 2021 and 2023 amendments; Bharatiya Nyaya Sanhita 2023; Bharatiya Nagarik Suraksha Sanhita 2023; Bharatiya Sakshya Adhiniyam 2023 (Section 63); DPDP Act 2023 and DPDP Rules 2025; CERT-In Directions 2022.
• First-response window: 1930 helpline plus cybercrime.gov.in within 60 minutes for financial fraud; 6 hours to CERT-In for organisational incidents.
• Takedown timeline: 24 hours for non-consensual intimate imagery under Rule 3(2)(b)(ii); 36-72 hours for other unlawful content under Rule 3(1)(d).
• FIR and investigation: 30-180 days typical; chargesheet under Section 193 BNSS; Section 175(3) BNSS available to compel FIR registration where police decline.
• Where it is heard: Magistrate or Sessions Court depending on offence and quantum; designated cyber courts in some states; parallel civil recovery in commercial courts.

What's New for FY 2026-27

The cyber-crime regulatory and procedural map has shifted materially over the last 18 months. The points below decide how a 2026 case is built differently from a 2024 case.

• BSA Section 63 fully embedded: Section 63 of the Bharatiya Sakshya Adhiniyam 2023 replaced the old Section 65B Evidence Act in July 2024. FY 2026-27 has produced the first wave of acquittals where the certificate was missing or defective — making early-stage certificate collection the single most important evidence-side discipline.
• DPDP Rules 2025 operational: The Data Protection Board is taking complaints; breach notification timelines to the Board and to data principals are codified; significant data fiduciaries face tighter obligations on impact assessments and grievance redress.
• IT Rules 2023 GACs maturing: Three Grievance Appellate Committees are operational and have issued binding orders against intermediaries that ignored Rule 3(2) takedown notices — giving victims a fast, low-cost escalation route before going to court.
• 1930 helpline now bank-integrated: The RBI-NPCI workflow mandates real-time beneficiary-account flagging on receipt of a 1930 complaint within the first 60 minutes. Recorded reversal rates are measurably higher than 2024.
• BNSS Section 175(3) well-established: With the new criminal procedure code in force through 2025-26, magistrates are exercising powers to direct FIR registration where police decline. The procedural route is now routine, not exceptional.
• Deepfake and AI-content rules tightening: MeitY amendments to IT Rules 2021 add labelling and traceability obligations for synthetic content; misuse falls under Sections 66 and 66D IT Act and BNS Sections 318 and 319 (cheating by personation).

Why Speed and Discipline Matter

Cyber cases are won and lost on inputs from the first 48 hours. Each point below is a window that closes, often quietly.

• The 60-minute window: Bank fraud-monitoring desks can flag the beneficiary account and freeze the funds only while they sit in the receiving account. Once swept through three or four mule accounts, recovery is statistically near-zero.
• Volatile evidence: Phishing pages, fake social profiles and Telegram channels disappear within hours. Without server-side preservation requests sent on Day 1, you are left with screenshots and no Section 63 backing for them.
• Bank chargeback windows: The RBI 'limited liability of customers' framework gives you a specific number of days to report a fraudulent debit before the liability shifts. Miss the window and the bank's good-faith defence carries.
• FIR before investigation: A cyber-cell NCRP entry alone does not trigger investigation. The chargesheet flows from a Section 173 BNSS FIR. Without it, no arrest, no seizure, no recovery.
• Section 63 certificates that don't exist by trial: Witnesses retire, devices are sold, custodians forget. The certificate must be drafted while the witness is willing and the device is still in their possession — years before the trial.
• Reputation damage compounds: Morphed images and doxxing posts spread by the hour. A takedown notice sent on Day 1 reaches a hundred copies; on Day 7, a thousand.

How It Actually Works

The workflow runs across seven coordinated steps. The first two are time-critical; the later steps build the long-term recovery and prosecution.

Step 1: Incident Triage and Evidence Freeze (Hour 0-2)

The first call is to your bank's 24x7 fraud-monitoring desk and to 1930. We dictate the written incident summary while you remain on the line — what was stolen, when, from where, the beneficiary handle visible on the SMS, the device used. We then walk you through device isolation: no factory reset, no app deletion, screenshots saved to a separate cloud, the SIM kept active in the same phone.

Section 63 BSA certificate templates go out to your bank, your employer (if a work device), and you as the device owner. This is the most fragile two hours of the entire case.

Step 2: Formal Reporting — 1930, NCRP, FIR

We file the National Cyber Crime Reporting Portal complaint at cybercrime.gov.in with attached evidence and the 1930 reference. A written complaint is delivered to the jurisdictional cyber cell and local police station. Where the police accept the complaint but do not register an FIR within a reasonable time, we move an application under Section 175(3) BNSS before the Magistrate.

For organisational incidents, the CERT-In incident report follows within the six-hour window from awareness, in the prescribed format.

Step 3: Takedown and Civil Recovery

Rule 3(2)(b) takedown notices are dispatched to platform grievance officers — 24-hour clock for non-consensual intimate imagery, 36-72 hours for other unlawful content. We simultaneously file the bank's formal dispute under the RBI Master Direction on Customer Protection, raise the merchant chargeback where the loss flowed through a card transaction, and trigger the insurance notification where a cyber-insurance cover is in place.

Step 4: Investigation Coordination

The investigating officer needs structured help: beneficiary-account KYC requests to banks, IP-log requests to intermediaries, CDR requests to telecom operators, hash-value preservation of digital exhibits. We prepare each requisition in the form the IO can sign and send.

Where the IO drifts, we escalate to the Superintendent of Police (Cyber) or the Commissioner with a written status memo.

Step 5: Chargesheet, Trial and Recovery

Once the chargesheet is filed under Section 193 BNSS, the prosecution moves through the Magistrate or Sessions Court depending on offence and quantum. We coordinate with the public prosecutor, lead victim evidence, and ensure each Section 63 certificate is on record before the corresponding electronic exhibit is exhibited.

A parallel recovery petition under Section 107 BNSS or a civil suit runs alongside, with attachment of identified mule-account balances.

Step 6: DPDP and Regulator Closure

For organisations, the case ends with three closures: Data Protection Board grievance response and final order under the DPDP Act 2023; sectoral regulator (RBI, IRDAI, SEBI, TRAI) compliance closure; and insurance claim settlement.

For individuals, closure is a court order or recovered funds plus the deletion confirmation from the intermediary.

Step 7: Defence Where You Are the Accused

If you have received a notice, an arrest threat, or a takedown demand naming you, the workflow inverts. We move bail and anticipatory bail under BNSS, challenge defective Section 63 certificates, raise Section 79 IT Act safe-harbour for intermediaries, and pursue quashing under Article 226 or Section 528 BNSS where the prosecution is malicious or jurisdictionally infirm.

A Real Example: ₹4.8 Lakh Phishing Debit and Partial Recovery

Take a salaried professional in Pune. On a Tuesday morning, an SMS prompts an OTP for a 'KYC update' on the salary account; ₹4,80,000 leaves in four IMPS transfers across 22 minutes to four beneficiary accounts.

• 11.07 am: The victim calls 1930 and stays on the line while the bank fraud-desk is conferenced in.
• 11.42 am: Three of the four beneficiary accounts are flagged; ₹3,15,000 sits frozen in the receiving accounts.
• 4.00 pm: NCRP complaint is filed with screenshots, the SMS thread and the IMPS reference numbers; a written complaint goes to the local cyber cell with diary number.
• Day 2: Bank dispute under the RBI Master Direction is filed in writing; Section 63 BSA certificates requested from the bank and the device owner.
• Day 9: Cyber cell hesitates on FIR; a Section 175(3) BNSS application before the Magistrate produces an FIR order the same day.
• Day 30: ₹3,15,000 is credited back through the bank's frozen-funds process; the remaining ₹1,65,000 becomes the chargesheet target with two mule-account holders traced under Sections 66C and 66D IT Act read with Section 318 BNS.

The ₹3.15 lakh that came back is not luck. It is the 35 minutes between fraud and the first 1930 call.

The single biggest predictor of recovery is how quickly the first formal report reaches the bank in writing — not the size of the fraud or the sophistication of the fraudster.

What Backs Up Each Complaint — The Evidence Stack

Every cyber file is held up by six parallel evidence layers. Missing any one of them weakens the rest.

• Bank evidence: Statement with fraudulent debits highlighted, IMPS/UPI/NEFT reference numbers, the 24x7 fraud-desk reference, the written dispute acknowledgement, and the Section 63 BSA certificate from the bank's nodal officer covering each electronic record.
• Device evidence: Screenshots with timestamps and metadata intact, screen recordings of the fraudulent app or page, full SMS export, app permission logs, and the Section 63 certificate from you as the device owner.
• Intermediary evidence: Grievance-officer ticket numbers, takedown acknowledgements, server-side log preservation requests sent to the platform, and the Section 63 certificate from the platform's nodal officer where logs are produced.
• Telecom and CDR: Subscriber-detail requests to the telecom operator for the calling and receiving numbers, CDR for the relevant window, and the Section 63 certificate from the records custodian.
• Procedural file: NCRP acknowledgement, 1930 reference, written police complaint with diary number, FIR copy, Section 175(3) BNSS application where applicable, and the vakalatnama.
• Regulator file (organisations): CERT-In incident report, DPDP Data Protection Board notification, sectoral regulator filing (RBI, SEBI, IRDAI or TRAI), and the internal forensic report from the engaged DFIR vendor.

Where It Goes Wrong

The recurring failure modes below account for most cyber files that go nowhere — and each is preventable with first-week discipline.

• Calling the bank verbally and not following up in writing: The bank's liability clock starts at written notice. A phone call without a complaint reference number rarely counts when the chargeback team reviews the file three weeks later.
• Factory-resetting the phone 'to be safe': Every byte of evidence is gone. Volatile memory, app caches, push-notification logs — all overwritten. The investigation loses its single best source.
• Filing only on NCRP and waiting: NCRP is administrative. Without an FIR, no investigation moves. The Section 175(3) BNSS route exists for exactly this gap.
• Sending takedown notices to the wrong address: Platforms have specific grievance-officer addresses notified under Rule 3 IT Rules 2021. Generic support emails do not start the 24-hour clock.
• Screenshots without Section 63 backing: A screenshot pasted into a complaint is not evidence in court. The Section 63 certificate from the person in lawful control of the device is the bridge between the print-out and admissibility.
• Mixing personal and corporate response: Where an employee is the victim of a work-device compromise, the employer's CERT-In and DPDP obligations are separate from the employee's criminal complaint. Conflating the two confuses both files.
• Settling quietly with the fraudster's 'agent': Mule networks send recovery agents offering partial repayment in exchange for withdrawing complaints. The withdrawal extinguishes the criminal case without guaranteeing payment — and forecloses insurance and chargeback.
• Missing the cyber-insurance notification window: Most policies require notification within 48-72 hours of discovery. Beyond the window, the insurer denies the claim regardless of merit.

What You Receive at the End

• 1930 complaint reference and NCRP acknowledgement
• Written complaint to police or cyber cell with diary number, and FIR copy where registered
• Section 175(3) BNSS application, magistrate's order and resulting FIR (where required)
• Bank dispute file with RBI Master Direction citations and recovery correspondence
• Rule 3(2)(b) takedown notices issued and platform responses received
• Section 63 BSA certificates collected for each electronic record on file
• CERT-In incident report copy (for organisations)
• DPDP Data Protection Board grievance, response and order (where applicable)
• Sectoral regulator filings (RBI / IRDAI / SEBI / TRAI) where relevant
• Insurance claim file with supporting documents and insurer correspondence
• Chargesheet, trial coordination notes and final court orders
• Closure memo summarising recovered amount, prosecution status and pending tracks

How to Get Started

If a fraud has just happened, the call to 1930 cannot wait for paperwork — make it now, then reach us. If the incident is older than 48 hours, reach out anyway: the takedown, FIR, chargeback and insurance tracks remain open for weeks even where the freeze window has closed.

Send us a one-page incident note: what happened, when, from which device or account, what reference numbers exist, what you have already done. We come back within the same business day with the action plan, the evidence list, the Section 63 templates, and a fee quote that covers the chosen tracks — reporting only, takedown plus recovery, or full prosecution-and-recovery defence. For organisations, the DPDP and CERT-In tracks are quoted as a separate workstream because their timelines are tighter and the regulator-facing voice has to be consistent across all three filings.