[This Article has been authored by Rishiraj Singh Shekhawat, a student at Hidayatullah National Law University.]

Introduction

Recently, the Supreme Court tasked the Central Bureau of Investigation (“CBI”) with investigating the rising number of cases of “digital arrest” scams, while granting it unrestricted authority to act against bankers involved in facilitating the opening of mule accounts linked to the scammers.

This direction followed the Supreme Court’s order regarding a suo motu petition involving an elderly couple who were victims of the scam in question. The Supreme Court took suo motu cognisance in this case because the scammers fabricated fake Supreme Court orders, which were used to induce the couple into giving them money. The Supreme Court saw it as an attack on the public trust in the judiciary. The rising number of cases was also a reason why these scams were referred to the CBI instead of the regular state police. As most of these scams are interstate in nature, the CBI was considered to be the competent authority for the probe. 

The Supreme Court’s direction addressed several issues, which raise questions regarding cyber-crimes crossing state boundaries, bankers’ liability in opening mule accounts and the threat to public trust due to fabrication of judicial orders. This article attempts to analyse some of these questions and examines the effects of these types of cyber scams on the functioning of the justice system and public trust in  authority.

The Imperative of Centralised Investigation

A digital arrest scam is a crime that transcends state boundaries, as a scammer from Maharashtra can defraud a person from Chhattisgarh through an electronic medium. The Information Technology Act, 2000, which primarily governs cybercrime, states that the jurisdiction at the state level is to be read with the Bhartiya Nagarik Nyaya Sanhita (BNSS).

Section 199 of the BNSS specifically grants jurisdiction to the court (and thus the police for inquiry or investigation) in the place where the act constituting the offence was done, or where the victim suffered the consequence (such as financial loss or reputational damage). Hence, if a person from State A scams someone in State B, both states have the jurisdiction to investigate the crime. 

The problem with the digital arrest scam is that one person defrauds multiple people across different states. This leads to FIRs being registered in multiple states, which makes the investigation fragmented into separate cases, which ultimately affects coordination between state police and may result in significant procedural bottlenecks. 

The Mule Account Bottleneck

Another problem that may arise due to jurisdictional shortcomings is that if the money is transferred into a mule account located in State A, the investigating officer from State B, to freeze the mule account, has to go through a legal procedure, such as obtaining a formal order from the magistrate in State A (as mandated by the BNSS). 

The time taken to obtain the legal order and execute the freezing action results in  significant delays in the investigation. It leads to the transfer of the concerned money to cryptocurrency, as they are decentralised and largely irreversible. Once the money is converted, the freezing order is ineffective. Fraudsters use these loopholes to their advantage as procedural hurdles become tools for them to bypass authorities and retain the money from victims. 

These loopholes can be tackled through a centralised investigation, such as one conducted by the CBI, as the apex court directed. Centralised investigation will streamline the legal formalities, and the fraud can be detected before the money is converted.

Bankers’ Liability in Digital Arrest Scams

The decision of the Supreme Court to grant a free hand to CBI to act against the bankers’ negligence responsible for the creation of mule accounts marks a decisive shift from treating such failures as routine regulatory lapses to subjecting them to criminal scrutiny. This marks a jurisprudential departure from the traditional view of banks as neutral intermediaries in financial transactions.

This decision comes in  light of a Rs.58-crore scam where a couple was forced to pay the money to a fraudster in a mule account. After the investigation, the Additional Director General (ADG) of the Maharashtra Cyber Department stated that banks are also to blame for this scam due to lapses in KYC and biometric verification of the mule accounts. 

Behavioural Biometrics as Against the Traditional Verification

Behavioural biometrics is an effective method to mitigate fraud happening through mule accounts. The practice involves a pattern analysis of certain behaviour that a mule account often showcases. These include controlling the account through remote access tools (RAT), abrupt navigation jumps or multi-operated signature conflict. This method creates a clear distinction between genuine and mule accounts, which may help with the investigation and detect fraud before the money leaves the banking domain.

Indian banks can incorporate some behavioural indicators commonly associated with that the mule accounts. These include “cognitive strain signatures,” in which the fraudster exhibits micro-behavioural signs of stress and decision lag, such as delayed response times before clicking key transaction buttons, repeated back-and-forth navigation between screens, and inconsistent typing cadence when entering sensitive data or PINs.

This process of analysing the pattern of mule accounts can help in further classifying mule accounts, therefore, preventing the transaction of money through these accounts.

Fabrication of Authority and Public Distrust

The decision of the Supreme Court to take suo motu cognisance of the petition was not only taken due to the severity and recurrence of cases of “digital arrest”, but also because, in the petition, the victim was induced and coerced into giving money through the threat of a fabricated Supreme Court order.

The forgery of this document, in which the signatures of judges were also forged, is being treated as a matter of grave concern, as it strikes at the very core of the public trust in law enforcement and the judiciary. 

Public confidence in courts rests upon the presumption that  the command issued by the judiciary is  authentic, enforceable, and immune from manipulation. The normalisation of counterfeit judicial processes will generate an atmosphere of risks that establishes a climate of procedural scepticism. In this way, digital arrest scams directly endanger the rule of law while also threatening cybersecurity. From  perspective of criminal law, these acts of forgery not only indicate a crime under Section 318 of BNS (cheating) and Section 319 (impersonation), but also constitute a crime under Section 337 of BNS for forgery of record of  a court or of a public register, etc.

The Supreme Court’s suo motu intervention is therefore not only confined to victim compensation, but also reflects a deeper institutional concern: the integrity of judicial authority in the digital age. When citizens are coerced  into compliance through forged court orders, the damage goes beyond the spectrum of  private loss and enters the domain of systemic constitutional injury.

A Way Forward

The cases  of “digital arrests” have emerged as a prominent form of cybercrime. These incidents have been rising rapidly, as per the data in 2022, 39,925 such incidents were reported, with a total of Rs 91.14 crore defrauded. This figure escalated to 1,23,672 cases in 2024 and the total defrauded amount jumped to an astounding Rs 19,35.51 crore a 21-fold increase. 

Often, victims become entangled in a series of procedural hurdles, and by the time the investigation takes place, the defrauded money taken is already converted into untraceable assets. Therefore, the Supreme Court’s order to task the CBI with investigating these cases seems appropriate, as it will streamline due procedure and highlight the gravity of these cases.

As for the mule accounts, behavioural biometrics can be both, a preventive measure as well as one fraught with legal issues and raise certain regulatory questions. Traditional KYC measures, which are discrete and transactional, behavioural analytics relies on continuous monitoring of user interactions, navigation patterns, response latency, and cognitive cues. Such monitoring  necessarily constitutes the processing of personal data, engaging the right to privacy under Article 21 as articulated in Puttaswamy v. Union of India. Therefore, any large-scale  implementation of behavioural biometrics must be accompanied by clearly defined regulatory standards for risk thresholds; auditability and explainability of detection models; and safeguards under data protection law regarding purpose limitation and retention.

 In addition, bankers’ liability must be institutionally clarified. The legal system should prosecute only those who demonstrate any willful blindness or active participation in criminal activities, but the organisations that repeatedly fail to meet KYC requirements should face escalating penalties, including supervisory sanctions, license restrictions, and personal responsibility for compliance officers. Public awareness functions as a preventive mechanism that serves essential purposes in prevention work. The peculiar effectiveness of digital arrest scams lies in their psychological manipulation of authority and fear. 

Also, citizens need to understand that no arrest, notification or court order ever uses video calls or messaging platforms, and this requires sustained public education campaigns which need to clear up this fraud. The effective response to this situation requires more than just criminal prosecution. 

The system requires multiple jurisdictions to work together while using technology for regulations, also requiring banks to be accountable and to implement surveillance systems that protect privacy rights and due process protections.