A Story on Digital Crime: A Message for Boards & Directors

In the new world, money does not jingle - it hums quietly through the mesh of Wi-Fi and fibre optics. These yellow cables, buried in shallow ground and sometimes strung loosely above it, carry this new world currency – borderless and sometimes anonymous. But whatever passes through these live wires sometimes leaves behind a trail, like every human crime ever committed.

The Beginning

It was a usual Wednesday morning, 06:30 AM. Insp Raghavan was sipping his favourite filter coffee in his small apartment in Mumbai when his boss called on his mobile. “Morning, Sir”, said Raghavan. “Morning Raghu, something important you need to attend now”, said DSP Mehta. “One textile company in Vasai has reported some data breach. They had approached the DGP, and he wants you to attend the case immediately at their premises. Seems like a cyber-attack, but not sure for now.” “Ok sir, send me the address, I am on it”.

Raghavan, who is with the cybercrime division by choice rather than by accident, reached the textile company office, where he was greeted by the MD, the IT head, the CSO, two of its founder directors, the CFO and a host of others. Evidently these people, some of them at least, had been working since early morning or late the previous night, and had approached the Police when everything else failed.

Crime Scene

They took him to a room where racks, switches, routers and servers were kept connected with a mesh of wires and cables like a puzzle. They explained that last night, their IT team started observing unusual server behaviour. “We initially thought it was some tech error, but eventually it became evident that some outsider is messing with it, and they are trying to block server access to us and take admin control. We tried to protect, but eventually lost the battle”, explained one tech guy in the room. “Who are 'they'?” asked Raghavan. “Don't know, maybe some ghost, a hacker; God knows”.

“We have received an email on my personal ID that they have some demand, and they will contact us by 9:00 AM. That's when we approached the DGP, who is a good friend of one of our directors”, said the MD, Mr Jai.

The Inspector went on to examine that email address. He passed it on to his team back in the cybercrime office, but he knew that it would only lead to a dead end, since the sender would be behind a VPN.

The Brainstorming

By 09:00 AM, the second email received in the MD's mailbox made it all clear: it was a ransomware attack, and the attackers had encrypted the data on the company's server. To decrypt it and hand back control of the server, they demanded 50 cr in Ethereum – a borderless cryptocurrency and one of the favourites with hackers.

Initially, the mood of the Directors was to deny the request and try to gain access to the phantom inside the server, but some were of the view that they should bargain with the hackers, while others were arguing to pay the ransom and get it over with.

Raghavan explained that, given the situation, the best course would be to agree to pay the ransom but in instalments and with every instalment they should ask for access to one partition of the hard drive on their server.

Once consensus was reached, Raghavan asked the hackers to share the wallet address, but his attempts to negotiate payment in instalments failed.

The Hunt

For most of those standing in that office, finally agreeing to pay the hackers was the end of it all, with no assurance of any access to the data later; but for Raghavan, it was just the beginning.

The Inspector made his way back to his office while the company arranged for the crypto. When the payment was made (in Ethereum) to an address beginning with 0x45F...., it started splitting rapidly into smaller amounts across multiple wallets.

Raghavan's team used Etherscan, a blockchain explorer, to track the movement of Ethereum from one wallet to another. Each transaction was time-stamped and public; that is fundamental to how a blockchain works.

But here's the trick: while the addresses were visible, the owners weren't. To unmask the people behind these wallets, the team turned to Chainalysis Reactor, a blockchain forensic tool that maps addresses, links them to known exchanges, and flags wallets tied to scams or darknet activity.

A wallet that had interacted with a decentralised exchange (DEX), followed by a deposit to a KYC-enabled Indian exchange, was identified. Voila.
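The tracing step described above, following a payment as it splits across wallets and stopping wherever a hop lands on an address attributed to a known service, is what tools like Etherscan and Chainalysis Reactor do over the real chain. The following is an added illustration, not code from the article or from either tool: it runs the same idea over a constructed, offline ledger. All addresses, timestamps, amounts and the attribution labels are made up for the example.

```python
"""Follow a ransom payment across a constructed Ethereum-style ledger and
stop at addresses attributed to known services (DEX, KYC exchange, bridge).
Example code; the ledger and attribution table are constructed samples."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    ts: int       # block timestamp, seconds (constructed)
    src: str      # sending address
    dst: str      # receiving address
    eth: float    # amount moved


# Constructed ledger. Addresses are placeholders, not real ones.
LEDGER = [
    Tx(1000, "0xVICTIM", "0xRANSOM1", 1250.0),          # ransom paid
    Tx(1010, "0xRANSOM1", "0xSPLITA", 500.0),           # rapid splitting
    Tx(1010, "0xRANSOM1", "0xSPLITB", 400.0),
    Tx(1010, "0xRANSOM1", "0xSPLITC", 350.0),
    Tx(1100, "0xSPLITA", "0xDEXPOOL", 500.0),           # into a DEX
    Tx(1200, "0xSPLITB", "0xEXCHANGE_IN", 400.0),       # deposit at a KYC exchange
    Tx(1300, "0xSPLITC", "0xBRIDGE", 350.0),            # leaves the chain
    Tx(900, "0xSPLITB", "0xOLD", 10.0),                 # predates the payment
]

# Attribution table: addresses a forensic tool would already have labelled.
ATTRIBUTION = {
    "0xDEXPOOL": "dex",
    "0xEXCHANGE_IN": "kyc_exchange",
    "0xBRIDGE": "bridge",
}


def trace(ledger, start, start_ts, attribution=ATTRIBUTION):
    """Breadth-first walk over outgoing transfers from `start`.

    Only transfers at or after the time the funds arrived are followed, so
    older unrelated activity of an intermediate wallet is ignored. The walk
    stops at any attributed address and records (path, label, amount).
    """
    outgoing = {}
    for tx in ledger:
        outgoing.setdefault(tx.src, []).append(tx)

    findings = []
    seen_edges = set()
    queue = deque([([start], start_ts)])
    while queue:
        path, since = queue.popleft()
        addr = path[-1]
        for tx in sorted(outgoing.get(addr, []), key=lambda t: t.ts):
            if tx.ts < since or (addr, tx.dst) in seen_edges:
                continue
            seen_edges.add((addr, tx.dst))
            new_path = path + [tx.dst]
            label = attribution.get(tx.dst)
            if label:
                findings.append((new_path, label, tx.eth))
            else:
                queue.append((new_path, tx.ts))
    return findings


def kyc_leads(findings):
    """Keep only hops that end at a KYC exchange: the endpoints where a
    formal request through the regulator can turn an address into a name."""
    return [(path[-2], amount) for path, label, amount in findings
            if label == "kyc_exchange"]


if __name__ == "__main__":
    for path, label, amount in trace(LEDGER, "0xRANSOM1", 1000):
        print(" -> ".join(path), f"[{label}] {amount} ETH")
    print("KYC leads:", kyc_leads(trace(LEDGER, "0xRANSOM1", 1000)))
```

The walk keys its visited set on edges rather than addresses, so a wallet that receives funds twice along different routes is still reported for each route, while loops between the same pair of wallets cannot run forever. On the constructed ledger, only the 0xSPLITB hop produces a lead a regulator request can act on; the DEX and bridge endpoints are where the trail goes cold, which is the situation the story goes on to describe.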

“Let's see if our guy has left footprints behind”, muttered Raghavan to his team.

What made the investigation challenging was a method called “chain hopping.”

“Sir,” said Vijay, the young tech analyst on his team, “they've used a service called RenBridge to swap Ethereum into Bitcoin, then into Monero — a privacy coin.”

Unlike Ethereum and Bitcoin, Monero is nearly untraceable due to its privacy protocols. But the mistake the scammer made was using centralised exchanges to move the money in and out. And centralised exchanges, at least in India, are required by law to follow KYC guidelines.

A formal request was sent to the Indian exchange via the Financial Intelligence Unit (FIU-IND), which supervises the compliance of crypto platforms. Meanwhile, the MD had received an email with the decryption key for the data on the server, and their IT team started the slow and painful process of decrypting the data.

It took two days for Raghavan's team to get a response from FIU. The suspect had used a fake Aadhaar, but the IP address was from a budget hotel in Vasai, Maharashtra. That's where Raghavan's team moved next.

The hotel owner did not recognise the suspect, but using CCTV footage, they identified a man in his twenties with a shabby beard and a cap. Facial recognition matched him to a small-time fraudster named Arjun Despande, previously arrested for SIM swap fraud. He had stayed in the hotel for two days, 20 days before the incident. But why stay here for two days and open a crypto account with a fake Aadhaar? Was he waiting for someone, maybe some insider from the textile company, or maybe not?

Arjun was not working alone. Surveillance of his bank records and crypto logs revealed frequent interaction with wallets linked to a darknet site selling stolen data. Arjun had either purchased company data from the Darknet or had an insider working in the company, concluded Raghavan. Either way, the scope of the crime had now expanded. “This is not just one scam,” Raghavan told his boss, DSP Mehta. “It's a full-fledged syndicate operating out of India using crypto to launder money abroad.”

By tracing the transaction logs backwards, they noticed Arjun had frequently transferred small amounts to a wallet address that interacted with WazirCrypto, a Dubai-based exchange notorious for lax KYC norms. WazirCrypto had been under global scrutiny for enabling money laundering for Southeast Asian scam rings.

Then came the Aha moment: a transfer of crypto held in the fake account opened by Arjun to an Indian exchange. The transfer was not direct but went through complicated chains of transactions, divided into smaller amounts and across different types of crypto to confuse the trail. Rs 8 lakh in Tether (a stablecoin) was converted to rupees and deposited into a bank account in Jaipur.

That account led them to Amzad Qureshi, a tech dropout who had been running crypto scam groups on Telegram from a rented bungalow. Raghavan's team worked with the Rajasthan Police and raided the premises. They found laptops with wallet addresses, SIM cards, fake KYC kits, and most importantly — the cold wallet holding 30% of the textile company's stolen funds.

The company eventually recovered about Rs 15 cr and some of the data on its server; the phantom inside it had already done its damage. The rest had already been sent abroad and was likely unrecoverable. Arrests were made, and the ring was silenced – at least for now.

Conclusion

Cryptocurrency investigations in India are still in their infancy. As digital assets grow, so does digital crime. Investigators must blend traditional investigative methods with niche technical skills, and boards must understand both the technology and the psychology of fraud.

For Raghavan, this case wasn't just about solving a scam. It was a crash course in the future of crime.

Key Takeaways

• Blockchains like Ethereum are transparent, but privacy coins and chain hopping make tracing harder. Act fast before funds go off-chain.

• A wallet address is just a string. Linking it to a real person requires KYC data, IP logs, and exchange cooperation – which may or may not be forthcoming due to different geographies and jurisdictions.

• Victims and investigators must work with exchanges, many of which are legally bound to provide information if approached through government agencies.

• Scammers can get server information either from the Darknet, if online security is weak, or from a company insider. Pen test the server security periodically; equally important is to check the backgrounds of the key appointment holders in the company.

• Lastly, never underestimate the power of telling a story to train your team.

Author

Lt. Col. Vivek Gupta (Veteran), PCI, CFE, IIM-K alumni

He is currently serving as Associate Director (Forensic Investigations) at Netrika Consulting. He has over 24 years of rich, cross-functional experience shaped by a distinguished tenure in Army Intelligence and corporate leadership. A results-driven professional, he thrives at the intersection of strategy, risk management, security, and compliance.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.
