One call to ‘Yahoo customer care’ — and a retired Delhi scientist lost Rs 40 lakh. How was he conned?

Within five minutes, he found a number online and dialled it. A man, who sounded like he was in his 30s, answered. When Gupta explained his problem, the man said it could be solved easily. “He said all I needed to do is reinstall the Yahoo app using a file they would send to me,” he said.

Little did Gupta know that the call would wipe Rs 40 lakh from his bank account. He was in shock.

The money was his safety net, especially after he was diagnosed with cancer in 2023. He recently underwent a bone marrow transplant at BLK Hospital at Pusa Road.

He visits the hospital every three months for further treatment that costs Rs 15,000 per session.

“… If something serious happens to me, the hospital bills will cost me Rs 1 lakh a day, if not more. Even if I get half of my money back, I would be glad,” he said.

‘Gone in a minute’

When it came to technology, Gupta was no novice. In his years working with the CSIR as a professor and an editor of one of their journals, he’s seen the internet evolve. He has relied on Google numerous times to get an address here and a contact there.

With a PhD in Chemistry, he joined CSIR’s Indian Institute of Petroleum Research (IIP) in Dehradun in 1992. After three years as an assistant professor, he moved to Delhi to CSIR’s National Institute of Science Communication and Information Resources (NSC).

From 1995 to 2021, he worked at NSC as an editor for their Industrial Research journal; then as a professor of Research Ethics, Methodology and Communications at the Pusa Road institute.

In 2021, Gupta retired. Every now and then, he enjoys a gig as a guest lecturer at colleges. His last one was in March at Vels college in Chennai.

How, then, did he of all people fall prey to a scam?

Sitting in his two-bedroom pad in a DDA MIG (Middle Income Group) society, where he lives alone, Gupta tried to make sense of it.

“My 22-year-old son, who’s pursuing his MBA, and wife live in Dwarka Sector 18. That day, I never thought of asking anyone if the number was legitimate. I always assumed phone numbers on Google were the official ones, and I’ve never faced any problems before.”

So he found nothing alarming about this regular ‘customer care’ call. “The person on the call told me that I would receive a link to download an app from Yahoo where I would need to fill up my details,” Gupta recalled.

The file he received, from a WhatsApp number, was an APK (Android Package Kit) file. When he clicked on it, a form opened on his screen asking for his name, contact number and email ID; Gupta filled them in.

He was now assured by the voice on the phone that the discrepancies with his e-mail would be resolved in no time. “He said the new app would help me access my email ID and then cut the call,” he said.

But Gupta’s account, which had his savings from his 35 years, was emptied of Rs 26 lakh.

Using the remote access on his device through the APK — this one turned out to be unauthorised malicious software — the fraudsters broke his FD and cleaned out another Rs 14 lakh.

“Through remote access, the fraudsters could see everything on his phone. When Gupta entered his account number, they saw it and used it to access his account. The OTPs that came on his phone after that, required for transferring the money, were also visible to them,” a police officer said.

Gupta said the deductions were done in two tranches. “But it all happened in a minute. While I was still reeling from the shock of losing Rs 26 lakh, I lost another Rs 14 (lakh) from my account,” he said.

Gupta tried calling the number, but it was switched off. He never heard that customer care voice again.

According to Surendra Chaudhary, Deputy Commissioner of Police (Southwest), “The scammers got his banking credentials as the APK file gave them access to his phone. They defrauded him of Rs 40 lakh from his savings account as well as his fixed deposit… They had access to his bank account app for seven days.”

A new entrant in the cyber scam playbook, APK files, usually used by app developers to distribute and install different apps on the Android operating system, are now being sold on Telegram groups for a daily or monthly fee.

“Fraudsters make APKs of malicious apps that can give them access to your device. The usual rate for using these files is Rs 2,500 a day for short periods and Rs 15,000 a month if you ‘subscribe’ to them for a longer period. Since they are not cheap, the objective of the scammers is to make the most use of them by duping victims of a hefty amount,” a cyber police official said.

On the scammer’s trail

After Gupta filed a complaint, a team from the Cyber Police Station (Southwest) district, led by SI Jagdeep Nara, and supervised by SHO (Cyber) Vikas Kumar Buldak and DCP Chaudhary, got to work to trace the fraudsters.

They started by analysing the APK file — it had a slew of IP addresses as it had been used on multiple devices across multiple locations, most of them tracing back to cybercrime hubs of Deogarh and Jamtara in Jharkhand and Mewat in Rajasthan, the police said.

“A further analysis of CDR [call detail records] of the number to which Gupta made the call, IPDR [Internet Protocol Detail Record] of banking logs, and analysis of Google’s intermediary reports confirmed that the fraud was orchestrated from Jharkhand and Mewat,” DCP Chaudhary added.

Police then looked at the money trail and found that the defrauded amount was transferred to an online payment gateway.

“Usually, with online payment wallets, it could take months to get details of the account user. It’s because these wallets don’t have the infrastructure to maintain a customer database and don’t have any interest in tracing the accused either,” a police officer said.

Once they got the account details in March, police said, it was revealed that the money from the online wallet was subsequently transferred to a bank account based in Mewat.

Here, police got their first lead. The money had been used to buy gold coins worth Rs 8 lakh online from a website. “The coins were delivered to an address in Betul, Madhya Pradesh, to a man named Hamid Ahmad. But the IP address revealed that the order was placed from Mewat,” a police officer said.

The police team wasted no time. They reached Betul on March 6 and questioned Hamid. “Hamid revealed that he got a call from his relative, Sabid Ansari, who lives in Mewat, to receive the gold,” the officer said.

On March 8, the police team departed for Mewat, where they questioned Sabid. “He said he was approached by his friend, Narula Ahmad… who told him he was in urgent need of cash and would give him an equivalent amount of gold for it. But Narula insisted the gold be delivered somewhere else, as it was not safe to have it delivered here,” the officer said.

The police then raided Narula’s house, just a few kilometers away from Sabid’s place. Narula, however, had fled by then.

For the next four days, all leads on Narula went cold — until another transaction was made from the bank account used to order the gold coins. This time, an order for gym gear and protein powder cans was placed on an online shopping website. The address — Dumka, Jharkhand.

A city almost an hour’s drive away from Deogarh, Dumka recently made it to the list of hotspots for cyber fraudsters. Police said that many recent cases, both closed and ongoing, have their footprints in the city.

The team reached the city on March 17 and raided the delivery address — a single-floor house.

Police said the owner of the house and a recent acquirer of a gym membership, Iqbal Ansari, 27, was the man who allegedly sent the APK file to the ex-CSIR employee.

“Ansari, however, managed to flee as locals had informed him about the movement of men who resembled ‘police wale’. As the area has a very active network of people either directly involved in cybercrime or associated with fraudsters in some manner, everyone is wary of the police. He was then traced to Deogarh using a phone number we got from local sources and arrested on March 18,” the police officer said.

Following Ansari’s arrest, police found that he and Narula spearheaded the operation with three other men who were subsequently arrested.

While Sajid Khan, 32, was nabbed from Alwar, Salman Khan, 27, was caught in Aligarh, and Narender Kumar, 29, from Bharatpur in Rajasthan.

Narula, police say, who is a relative of Ansari, is still on the run. A non-bailable warrant has been issued against him.

Muscleman to conman

According to police, Ansari was the brain behind the racket. “He would post his phone number frequently on Google ads of companies… When unsuspecting victims called him up, he would talk to them and send them the APK files,” DCP Chaudhary said.

He had been doing this for two years.

Before he got involved in the business of cyber cons, police said, Ansari was a part-time muscleman. “He used to be involved in local kushtis (wrestling) and worked as a muscleman at events. But the income was not enough,” a police officer said.

A father to two daughters, this was his way of earning a pretty buck, the police officer said. “He also wanted to join a gym for the longest time, but couldn’t because of financial distress.”

“He realised earlier this year that OTP frauds were getting outdated and that the modus operandi had been cracked by the police. That’s why he moved to the APK file method,” the officer added.

With the defrauded money, Ansari was ready to go the fitness route, with a gym membership and a batch of supplements. Officers involved in the investigation said if not for his protein powder order, Ansari was close to executing the ‘perfect’ scam.

“We are not sure how we would have found him if he hadn’t placed the order. Narula was the one who ordered the gold, and he is on the run. The phone used in the scam was being operated around Mewat, nowhere near Dumka. Ansari was a completely hidden player in the case before he used the account,” another police officer said.

The other accused handled various legs of Ansari’s operation.

Salman and Sajid, allegedly, would con a different category of victims — job seekers. “Salman would filter names and contact job seekers on social media while Sajid would make calls to them and conduct fake interviews,” DCP Chaudhary said.

Kumar allegedly operated a mule account that was used to receive the defrauded money and then encash it.

The entire operation, police said, was executed using five smartphones.

More than two months after Gupta was conned, on March 21, the Delhi Police released a statement saying the case had been cracked with the arrest of four people from different states. Police said they are still processing the money and will give some part of it to Gupta soon.

After the incident, when Gupta informed his family about the scam, he said they did react with a fair bit of shock, considering the exorbitant amount, but sounded as helpless as him.

“When I explained to my son and other relatives, they also felt that the way I got the phone number was the usual way to go about it. I mean, what else will anyone say? None of them know how to undo it,” he said.

Of his stolen Rs 40 lakh, Gupta has now got back Rs 2 lac. A very tiny portion, he said, but a start nonetheless.

“The Investigating Officer is a helpful chap. They have arrested the culprits as well. I am aware it’s a long process [of getting the full amount]. But all I can do is wait,” he said.