When Durgesh Nishad’s uncle needed a birth certificate for his son's passport application, he turned to India’s Centralised Civil Registration System (CRS)—the official portal for birth and death records. But what should have been a routine process quickly turned into a close call with a scam.
His uncle, who lives abroad, landed on what he thought was the official CRS website. The site asked for an online payment, but since he couldn’t use UPI from overseas, he asked Durgesh, a Bengaluru resident, for help.
At first, everything seemed fine—until Durgesh reached the payment page. Instead of a standard fee, the site asked him to load money into a digital wallet in fixed amounts of Rs 100. “I checked online, and the actual cost of a birth certificate was just Rs 20. That’s when I started getting suspicious,” he told Decode.
His doubts were confirmed when the Paytm gateway displayed a random name—Ravi. A domain check revealed the worst: the website was fake. “On digging deeper, I found out that anyone could create an account on such portals and generate fraudulent birth certificates. These sites look exactly like the real ones and steal personal details like Aadhaar numbers,” said Durgesh.
Durgesh was lucky to spot the red flags in time, but as a recent investigation by CloudSEK reveals, this elaborate scam has been ongoing since at least 2021, with thousands of operators involved—primarily mobile shops and cybercafes acting as intermediaries.
How Does the Scam Work?
A criminal network mass-producing and distributing fake Know Your Customer (KYC) documents across India has been uncovered by CloudSEK. The operation, dubbed PrintSteal, exploits vulnerabilities in the Indian government’s Common Service Centre (CSC) initiative, which provides digital services like Aadhaar enrollment, PAN card applications, and banking assistance in rural and remote areas.
During its investigation, CloudSEK found that scammers store fake KYC documents on cloud services like ImgBB and ImgPile instead of discarding them—potentially selling them later for illicit use.
Here’s how the scam operates:
Fake Websites: Scammers create lookalike government sites, including CSC portals, to deceive users.
Quick Services: They offer Aadhaar, PAN, and other KYC documents for a small fee, bypassing security checks.
Local Middlemen: Cybercafes and mobile shops act as intermediaries, luring customers.
Data Collection: Middlemen enter customer details into the fake site.
Forgery: The site generates fake documents using pre-existing templates.
Fake QR Codes: QR codes link to fraudulent sites to appear authentic.
Profit Chain: Middlemen pay scammers per document and overcharge customers.
Staying Undetected: Scammers use encrypted messaging and frequently change domains to evade authorities.
The Scale of the Scam
The PrintSteal scam is linked to over 1,800 domains, with at least 600 active websites producing fake KYC documents. Fraudulent operations have been detected in 24 states, with Bihar (55.9%) and Uttar Pradesh (22.6%) recording the highest share of fake documents.
One platform under investigation, crrsg.site, has generated over 1,67,391 fake documents, including more than 1,56,000 fraudulent birth certificates. It has over 2,727 registered operators, mainly cybercafes and mobile shops, facilitating the scam.
Investigators estimate that crrsg.site alone has earned around Rs 40 lakh through these fraudulent activities.
Cyber threat intelligence researcher Abhishek Mathew from CloudSEK told Decode that the scam thrives due to a lack of awareness, with victims often unaware that they are receiving fake documents.
“The complex, time-consuming legal procedures push people toward quicker, fraudulent alternatives. Cybercafé operators exploit this by bypassing official processes and fees,” Mathew said.
He further pointed out how fraudsters access unregulated tools and APIs to extract sensitive data, bypass verification, and operate undetected. “Fraudulent websites, often hosted on shared servers, frequently shift domains to evade takedowns,” he added.
Fraudulent Docs, Phony Portals
According to Mathew, the fake KYC documents generated by this operation are highly sophisticated and can pass some verification checks but not all.
“These fraudulent documents contain QR codes that redirect to counterfeit verification pages, designed to mimic legitimate government sites. This makes it difficult to distinguish real from fake just by scanning the code,” he explained.
The documents are created using pre-existing templates combined with legitimate data extracted via illicit APIs. This gives them a high degree of authenticity, making fake birth certificates, Aadhaar cards, and PAN cards closely resemble genuine ones.
“Superficial checks—such as scanning the QR code or examining the design—may not expose the fraud. However, deeper verification by banks or government agencies would likely reveal discrepancies,” Mathew noted.
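The QR-code weakness described above comes down to which host the code actually points at, not how the landing page looks. As an added example (not from CloudSEK or the original article), the Python below checks a URL decoded from a document's QR code against government domain suffixes and rejects common lookalike tricks; the suffix list, the function names and every sample URL other than the crrsg.site host named in this article are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: genuine Indian government portals sit under these suffixes.
OFFICIAL_SUFFIXES = ("gov.in", "nic.in")

def check_qr_url(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL decoded from a document's QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://real.gov.in@fake.site/" shows a trusted name but loads fake.site.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no host"
    # Punycode or non-ASCII labels can imitate a trusted name with homoglyphs.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised host"
    # Match on a label boundary so "x-gov.in" and "gov.in.fake.site" both fail.
    for suffix in OFFICIAL_SUFFIXES:
        if host.endswith("." + suffix):
            return True, "host is under " + suffix
    return False, "host " + host + " is outside the official suffixes"

# Constructed sample inputs; only crrsg.site is taken from the article.
SAMPLE_QR_URLS = [
    "https://verify.example.gov.in/cert?id=1",
    "https://crrsg.site/verify?id=1",
    "https://verify.example.gov.in.crrsg.site/cert?id=1",
    "https://verify.example.gov.in@crrsg.site/cert?id=1",
    "http://verify.example.gov.in/cert?id=1",
    "https://verify.example-gov.in/cert?id=1",
]

def triage(urls):
    """Return (url, trusted, reason) for each decoded QR URL."""
    return [(u,) + check_qr_url(u) for u in urls]

if __name__ == "__main__":
    for url, trusted, reason in triage(SAMPLE_QR_URLS):
        print("TRUSTED" if trusted else "REJECT ", url, "-", reason)
```

A pass here only shows that the QR code points at a government host; whether the record itself is genuine still depends on the deeper verification by banks or government agencies that Mathew mentions.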
Platforms and Scams: A Recurring Pattern
The scam has expanded due to aggressive marketing on social media platforms like YouTube and Instagram. Mathew highlighted that fraudsters create tutorials and promotional content demonstrating how easy it is to generate fake documents, attracting affiliates—mainly local businesses like mobile shops and cybercafes—who then offer these services to customers.
Tutorial videos for phony portals available on YouTube (Courtesy: CloudSEK)
CloudSEK identified these activities through fake URLs, phishing schemes, and deceptive social media handles, which helped uncover the fraudulent networks. The firm also monitored encrypted communications on messaging platforms to map out the criminal operations.
“Telegram plays a key role as a secure channel where operators train affiliates, share updates, and provide operational security guidance to avoid detection,” Mathew added. Fraudsters use VPNs, encrypted messaging, and disposable domains to keep their activities hidden.
Telegram groups also serve as hubs for launching new platforms, refining scam methods, and coordinating efforts to bypass law enforcement scrutiny.
Telegram has long been exploited to promote scams, making it difficult for authorities to track and dismantle these networks.
Investigations by Decode have previously uncovered how fraudsters use Telegram’s encrypted chats and secret PIN-protected conversations to execute scams and evade detection. In one case, a child modeling scam used Facebook pages and Telegram groups to target families with fake promises of modeling contracts, only to exploit them later.
In another instance, deepfake videos of Bollywood and cricket celebrities were circulated on Telegram and Instagram, tricking victims into illegal betting schemes.
With scams constantly evolving and fraudsters using advanced tools to stay ahead of enforcement, the PrintSteal operation is just the latest in a series of cyber-enabled frauds that thrive on people’s need for quick solutions and authorities' struggle to keep pace with digital threats.