NON-STATE THREAT ACTORS

Hacktivist groups, commercial cybercriminals, terrorist digital cells, and insider threats operating within and against India's digital ecosystem. From state-adjacent patriotic hacktivists to Jamtara-style UPI fraud, the non-state threat landscape is a complex, vertically integrated industry generating billions in illicit proceeds annually.

Classification: CryptoMize Internal — Restricted | Segment B2.3 / B2.4
14+ named hacktivist groups
$3.6B+ annual cybercrime losses
815M Aadhaar records exposed
40M AIIMS records compromised
23 hospital ransomware attacks (2024)
12,000 Genesis Market buyers (India)
THREAT ACTOR TIER HIERARCHY
Non-State Actor Classification Framework

TIER 1: Designated Terrorist Organizations
Code | Organization | Threat | Digital activity | Ops
JeM | Jaish-e-Mohammed | HIGH | Digital cells, social media propaganda, financing through hawala networks | 47 ops
LeT | Lashkar-e-Taiba | CRITICAL | Telegram channels, encrypted communications, digital recruitment | 63 ops
ISKP | Islamic State Khorasan Province | HIGH | Online propaganda, financing, foreign fighter recruitment | 31 ops

TIER 2: Organized Crime Syncretic Groups
Syncretic Networks | Criminal-Terrorist Convergence | MEDIUM | Narcotics trafficking funding extremism, weapons smuggling, document forgery | 28 ops
Cybercrime Syndicates | Organized Cybercrime Groups | HIGH | Ransomware-for-hire, BEC networks, data broker ecosystems | 94 ops

TIER 3: Hacktivist Cells
ICA | Indian Cyber Army | MEDIUM | Government adjacency, DDoS operations, patriotic hacktivism | 156 ops
KCA | Kashmir Cyber Army | HIGH | ISI coordination, military family targeting, WhatsApp operations | 89 ops
DST | Dark Storm Team | MEDIUM | Pakistani-aligned, Bangladesh origin, hospital infrastructure probes | 34 ops
Anonymous India | Anonymous India | LOW | Episodic ops, brand appropriation, low technical sophistication | 22 ops

TIER 4: Insider Threats
Maoist | Left-Wing Extremism | MEDIUM | Sabotage, infrastructure targeting, communication intercepts | 41 ops
Separatist | Kashmir Separatist Networks | MEDIUM | Intelligence gathering, infrastructure mapping, recruitment | 37 ops
Disgruntled | Insider Threat Actors | MEDIUM | Corporate espionage, data theft, sabotage from within organizations | 53 ops
CYBERCRIME GEOGRAPHY
India's Threat Hotspots & Regional Crime Corridors
(Map: Jamtara, Mewat, Delhi-NCR, Mumbai; legend CRITICAL / HIGH / MEDIUM)

Hotspot | Severity | Primary crime | Profile | Cases
Jamtara, JH | HIGH | UPI Fraud Hub | Smartphone fraud, mule accounts, ₹500Cr+ annual losses | 15,420 cases
Mewat, HR/RJ | CRITICAL | Tech Support Fraud | Call center scams, $150M+ targeting US/UK victims | 28,350 cases
Ahmedabad, GJ | HIGH | Investment Fraud | ₹2,000Cr+ Ponzi schemes, NRI targeting | 8,750 cases
Bharatpur-Dholpur, RJ | MEDIUM | Police Impersonation | Legal extortion, caller ID spoofing | 4,320 cases
Delhi-NCR | CRITICAL | BEC / Dark Web | Genesis Market, LockBit affiliates, 12,000+ dark web buyers | 31,200 cases
Mumbai, MH | HIGH | Ransomware / SIM Swap | ₹2.3Cr SIM swap, AIIMS Hive ransomware, pharma targeting | 18,900 cases
TERRORIST ORGANIZATION DIGITAL OPERATIONS
Tier 1 designated organizations — Capabilities and digital footprint
HACKTIVIST GROUP LANDSCAPE
Named groups with documented operations 2010–2026

ICA: Indian Cyber Army | Threat: HIGH | Alignment: Pro-India (GoI Adjacent) | 156 ops | since ~2010
Oldest organized Indian hacktivist group. Timing correlation with diplomatic events suggests state coordination. Infrastructure exceeds volunteer funding.
Capabilities: DDoS, Defacement, Data Leaks, Social Engineering
Notable Operations: Op Black Shield (2019); Digital Vijay (2019); COVID misinformation ops

KCA: Kashmir Cyber Army | Threat: CRITICAL | Alignment: Pro-Pakistan (ISI Direction) | 89 ops | since ~2016
Documented targeting of Indian Army families. WhatsApp channels used by JeM operatives. Infrastructure overlap with APT36 (Transparent Tribe).
Capabilities: WhatsApp Ops, Military Targeting, Doxing, ISI Coordination
Notable Operations: Military family doxing (2022); Hospital reconnaissance (2021); APT36 malware sharing

DST: Dark Storm Team | Threat: MEDIUM | Alignment: Pro-Palestinian / Pakistani | 34 ops | since ~2023
Pro-Palestinian group with documented Pakistani alignment. CERT-IN attribution to SideCopy/APT36 TTPs. Hospital infrastructure reconnaissance.
Capabilities: Custom Malware, DDoS, Defacement, Hospital Probing
Notable Operations: Op Hafiza (2020); NIT Srinagar defacement; Hospital network scanning

Anon-IN: Anonymous India | Threat: LOW | Alignment: Episodic / Decentralized | 22 ops | since ~2012
Brand appropriation, not an organization. No accountability or membership. Operations driven by protest events. Low technical sophistication.
Capabilities: DDoS (LOIC), Basic Defacement, Script Kiddie Tools
Notable Operations: OpIndia (2012); Anti-CAA ops (2019); Beef ban protests (2015)
State Alignment Matrix
(Chart: ICA, NCA, Anon-IN, DST and KCA plotted from MEDIUM to CRITICAL against Government Adjacency; NCA's position is marked "?")
DATA BREACH SCALE COMPARISON
Records exposed (logarithmic scale)
Breach | Year | Records
Aadhaar (2018) | 2018 | 815M
Solar Industries | 2023 | 40M
AIIMS Delhi | 2022 | 40M
COVID Data (2020) | 2020 | 815M
Genesis Market (IN) | 2023 | 12K
Bengaluru Tech Park | 2020 | 2K
BEC Fake Law Firm | 2023 | 23
815M Aadhaar — Largest Single Breach

A Punjab utility company data breach exposed the name, address and photo of 815M Aadhaar holders. No biometric data was acknowledged as compromised, but demographic data alone is enough to enable synthetic identity fraud.

RANSOMWARE ATTACK FLOW
Kill chain from initial access to payment — AIIMS/Solar case patterns

AIIMS Delhi — Nov 2022 Case Study
Ransomware: Hive | Demand: ₹200 Crore | Records: 40 Million | Recovery: 14+ Days

01 Initial Access
Attackers gain a foothold through phishing, vulnerability exploitation, or compromised credentials.
Vectors: Phishing Email, Exploit Kit, RDP Brute Force, Supply Chain

02 Lateral Movement
Privilege escalation and internal network reconnaissance using harvested credentials.
Tooling: Mimikatz, PsExec, WMI, Valid Accounts

03 Data Exfiltration
Sensitive data is copied out before encryption (the double extortion model).
Tooling: Rclone, MegaSync, Cloud Exfiltration, FTP

04 Encryption
Files are encrypted with a hybrid scheme (a symmetric cipher such as AES or ChaCha20 for the data, RSA to wrap the key), so recovery without the attacker's private key is infeasible; systems are rendered inoperable.
Techniques: RSA+AES, ChaCha20, Hybrid Crypto, Network Disk

05 Extortion
Ransom demand issued, typically 2-5x the organization's capacity to pay. Negotiation is common.
Channels: Tor Negotiation, Ransom Note, DDoS Threat, Data Leak Site

06 Payment & Aftermath
60% receive functional keys; 40% get partial or corrupt decryption. Total cost = 4-7x the ransom.
Money flow: Crypto Exchange, Mixer Service, P2P Platform, Nested Wallets
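A detection-side counterpart to stages 02 through 04, added here as an example and not part of the CryptoMize assessment: it maps constructed endpoint and proxy log lines onto the kill-chain stages above and alerts on a host once three distinct stages appear within two hours, which is how a SOC turns individual tool sightings into one ransomware-in-progress case. The log format, host names, tool patterns, egress threshold and window are assumptions.

```python
"""Kill-chain stage correlation over endpoint and proxy telemetry.

Added example (not part of the CryptoMize assessment). Events from
constructed log lines are mapped onto the stages listed above and a host
is alerted on once several distinct stages appear inside a short window.
The log format, host names, tool patterns and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stage indicators, matched against the process/command field.
STAGE_RULES = {
    "02 Lateral Movement": re.compile(r"mimikatz|psexec|wmic\.exe", re.I),
    "03 Data Exfiltration": re.compile(r"rclone|megasync|\bftp\.exe", re.I),
    "04 Encryption": re.compile(r"vssadmin.*delete shadows|wbadmin delete", re.I),
}
# A single outbound transfer above this size to an external host also counts
# as stage 03 (assumed threshold: 500 MiB).
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024

# Constructed telemetry, one event per line: "<ISO time> <host> <kind> <detail>".
SAMPLE_LOGS = """\
2022-11-23T01:02:10 WS-RADIOLOGY-07 proc explorer.exe
2022-11-23T01:05:41 WS-RADIOLOGY-07 proc C:\\Users\\Public\\mk.exe (mimikatz.exe)
2022-11-23T01:09:02 WS-RADIOLOGY-07 proc PsExec64.exe \\\\DB-HIS-01 -s cmd
2022-11-23T01:40:37 WS-RADIOLOGY-07 net out=734003200 dst=mega.nz
2022-11-23T01:41:00 WS-RADIOLOGY-07 proc rclone.exe copy D:\\PACS remote:bk
2022-11-23T02:10:15 WS-RADIOLOGY-07 proc vssadmin delete shadows /all /quiet
2022-11-23T09:00:00 WS-PHARMACY-02 proc PsExec64.exe \\\\PRN-01 ipconfig
"""


def parse_line(line):
    """Split one event into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def classify(kind, detail):
    """Return the kill-chain stage an event indicates, or None."""
    if kind == "net":
        fields = dict(f.split("=", 1) for f in detail.split())
        if int(fields.get("out", 0)) >= EGRESS_BYTES_THRESHOLD:
            return "03 Data Exfiltration"
        return None
    for stage, pattern in STAGE_RULES.items():
        if pattern.search(detail):
            return stage
    return None


def correlate(log_text, window=timedelta(hours=2), min_stages=3):
    """Alert on hosts where >= min_stages distinct stages fall inside `window`.

    Returns {host: sorted stage names} for every host that trips the rule.
    A lone Mimikatz or rclone sighting is noise an analyst learns to ignore;
    three stages in two hours on one host is an intrusion in progress.
    """
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, kind, detail = parse_line(line)
        stage = classify(kind, detail)
        if stage:
            hits[host].append((ts, stage))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {s for t, s in events[i:] if t - start <= window}
            if len(in_window) >= min_stages:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The stage rules are deliberately narrow; in production they would be replaced by the EDR's own detections, and the correlation step (distinct stages per host inside a window) is the part that carries the value, since it is what lets a hospital SOC act during stage 03 rather than discover the intrusion at stage 04 when the ransom note appears.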
Ransomware Targeting by Sector (2024)
Sector | Severity | Attacks documented | Avg
Healthcare | CRITICAL | 23 | ₹8-15 Cr
Manufacturing | HIGH | 18 | $5-20M
BFSI (attempts) | MEDIUM | 150 | $10-50M
Critical Infra | HIGH | 12 | State-level
COMMERCIAL CYBERCRIME FINANCIAL IMPACT
Annual losses in $M USD — Major fraud categories
Total Annual Losses: $3,692M+ | Primary Driver: Tech Support Fraud
Category | Annual loss
Tech Support Fraud | $1000M
Investment Scams | $1200M
Romance Fraud | $672M
BEC Attacks | $300M
UPI Fraud | $240M
Ransomware | $150M
Data Breaches | $85M
SIM Swap | $45M
Key Insight

Romance scams ($672M) and BEC attacks ($300M) primarily target foreign victims — Indian diaspora and international businesses — making recovery nearly impossible through domestic law enforcement.

CYBERCRIME INCIDENT TIMELINE
Major non-state threat incidents 2018–2026
Year | Category | Incident
2018 | Data Breach | 815M Aadhaar records exposed via Punjab utility breach
2019 | Romance Fraud | UK Love Scam Network — GBP 8M losses, Gurgaon operation
2020 | Tech Support | Noida Tech Support Raids — 26 arrested, $3.2M fraud
2020 | Data Breach | COVID phishing wave — 815M records exposed, data broker boom
2021 | Investment Fraud | Power Oil Scheme collapse — INR 5,000Cr, 50,000+ investors
2022 | Ransomware | AIIMS Delhi Ransomware — Hive, INR 200Cr demand, 40M records
2022 | SIM Swap | Mumbai SIM Swap — INR 2.3Cr, 5 arrests, 47L recovered
2023 | Ransomware | Solar Industries — 3 attacks, $4M paid, explosives data leaked
2023 | SIM Swap | Bengaluru SIM Swap — INR 1.7Cr, Gujarat retailer insider
2024 | Ransomware | 23 hospital ransomware attacks in 2024, ₹15Cr paid
2025 | Dark Web | Genesis Market takedown — 12,000 Indian buyers identified
2026 | UPI Fraud | FORCE continues — 1.5M UPI fraud cases, INR 2,000Cr losses
ENFORCEMENT CREDIBILITY GAP
Structural failure in India's cybercrime response capacity
15% of cybercrime victims file complaints
89% of police stations have never registered an IT Act case
<500 digital forensic experts for a 1.4B population
18-24 months digital forensics backlog
~3% cybercrime conviction rate
0% romance fraud conviction rate

Why Enforcement Fails
Training Disconnect: Police curricula have not kept pace with evolving cyber threats
Priority Misalignment: Traditional crime clearance rates appear more favorable
Jurisdictional Fragmentation: 28 states with separate police forces prevent effective coordination
International Complexity: Cross-border fraud requests face months to years of delay
DARK WEB MARKETS — INDIA PARTICIPATION
Genesis Market Takedown & Post-Migration Landscape
Genesis Market India: 12,000 Indian Buyers
12,000 Indian purchasers | 3% global inventory share | 400+ Indian .onion services | ₹5K-50K/mo bulletproof hosting

Indian CVV Data Dark Web Pricing (2024-2025)
Product | Price | Grade
Credit Card CVV + PII | $15-40 | Fresh (<24h)
Debit Card CVV + PIN | $20-50 | PIN Confirmed
Card + Net Banking | $30-80 | Full Access
Card + Aadhaar Linked | $50-120 | High-Value Ready
Corporate Card | $100-300 | Enterprise

Post-Takedown Migration (April 2023)
Market | Indian buyers
Genesis Market (Before Takedown) | 12,000
Russian Market | 8,500
Acetone Cookies | 4,200
Local Indian Fraud Shops | 6,800
Indian sellers contributed ~3% of Genesis inventory — primarily financial credentials and browser fingerprints
RANSOMWARE-AS-A-SERVICE (RaaS) ECOSYSTEM
Domestic Groups & International Affiliate Networks Operating from India

Domestic Indian RaaS Groups
Thor | 47 victims | Indian ransomware variant targeting Windows; propagation via phishing
Void | 31 victims | Python-based ransomware operated by Indian actors; rapid encryption
Dtrack | 23 victims | North Korean Lazarus Group; found in Indian financial institutions

International RaaS Affiliate Operations (India-Based)
Group | IN | Global | Focus
LockBit | 15+ | 5,000+ | Healthcare, Manufacturing
ALPHV/BlackCat | 8+ | 1,200+ | BFSI, Pharma
Conti-TrickBot | 12+ | 800+ | Initial Access Brokering
Ransomware Targeting by Sector (2024)
Sector | Severity | Attacks documented | Demand
Healthcare | CRITICAL | 23 | ₹8-15 Cr
Manufacturing | HIGH | 18 | $5-20M
BFSI | MEDIUM | 150 | $10-50M
Critical Infra | HIGH | 12 | State-level

Post-Payment Reality
60% receive functional keys | 40% partial/corrupt decryption | 4-7x total cost multiplier
DDoS-FOR-HIRE BOOTER SERVICES
Stressers, Booters & Exam Sabotage Infrastructure

Booter Service Pricing (2024)
Tier | Price | Capacity
Basic | ₹500-1,500/mo | 10-30 Gbps
Standard | ₹2,000-5,000/mo | 50-100 Gbps
Professional | ₹10,000-25,000/mo | 200+ Gbps
Custom | ₹50,000+/mo | Unlimited Gbps
Marketing Targets: College Students, Gaming Communities, WhatsApp Groups, Discord Servers, Esports Tournaments

Documented Exam/Corporate Sabotage
Target | Duration | Context | Notes
JEE Main 2023 | 4 hours | NTA Registration Systems | Result processing delayed
NEET 2024 | 6 hours | Exam Portal | Coaching competitor attributed
Gaming (Nazara) | 3 hours | Game Servers | Player disconnections
MPL | Multiple | Platform | Service degradation
Dream11 | 45 min | During IPL Final | SYN flood
CORPORATE ESPIONAGE MARKET
INR 700-1,500 Crore Annual Market — Indian Companies Attacking Each Other

Market Size Breakdown
Gray Market: ₹500-1,000 Cr | Black Market: ₹200-500 Cr | Total Market: ₹700-1,500 Cr

Documented Cases
Case | Year | Method | Impact
IT Services Client Theft | 2019 | Phishing + commercial spyware against competitor | ₹200 Cr
Pharma Formulation Theft | 2021 | R&D network compromised, 3 drug formulas stolen | ₹50-100 Cr
E-commerce Price Data | 2023 | SQL injection during sale period | Competitive
Background Check Industry | 2023 | Fortune 500 clients, telecom insider bribes | 500+ accounts

Corruption Nodes
CDR Data: ₹2,000-50,000 | FIR Data: ₹5,000-50,000 | Bank Records: ₹2,000-10,000 | GSTN Access: ₹10,000+
CYBERCRIME-AS-A-SERVICE (CaaS) 6-LAYER STACK
India's Vertically-Integrated Cybercrime Infrastructure

CaaS Stack Architecture
Layer | Service | Pricing | Supply
Layer 1 | Bulletproof Hosting | ₹5K-50K/mo | Multiple Indian companies
Layer 2 | Malware Development | Per-license/subscription | Indian malware developers
Layer 3 | Access Brokerage | ₹50K-5L per network | Indian access brokers
Layer 4 | Data Stealer Services | Per-record/subscription | Cookie stealers, bankers
Layer 5 | Money Mule Networks | 30-50% of funds | Extensive Indian networks
Layer 6 | Fraud Call Centers | Per-call/revenue-share | Tech support, IRS, romance

Geographic Distribution
Mumbai: Hosting, Call Centers, Money Movement
Delhi-NCR: Data Brokers, Corporate Espionage, Gov DB Access
Bengaluru: Malware Dev, Tech-Enabled Fraud
Kolkata: Mule Networks, Banking Insider

Franchise Model
National Network Operator: Controls core infrastructure, malware, money movement
Regional Aggregators: Manage local ops, recruit mules, coordinate cash-out
Local Operators: Execute specific fraud using provided tools
ROMANCE SCAM OPERATIONS
Pig Butchering Call Center Model — $672M Annually

Romance Scam Call Center Flow
1. Recruitment: Dating apps, social media, wrong-number texts (1-4 weeks)
2. Profile Development: Stolen photos, fabricated bio, fake credentials (Ongoing)
3. Relationship Cultivation: Emotional building, trust establishment (Weeks-Months)
4. Financial Introduction: Crypto platforms, investment opportunities (Gradual)
5. Extraction: Withdrawal barriers, partial returns, then ghosting (Final)

Operation | Period and base | Losses | Victims
UK Love Scam | 2019-2021, Gurgaon | GBP 8M+ | 200+ UK
American Soldier | 2020-2022, Delhi-NCR | $4M+ | 200+ US
Crypto Prince | 2021-2023, Multi-city | $12M+ | Multiple countries
FBI IC3 Data: India-originating romance fraud losses exceed $672M annually
TECH SUPPORT FRAUD ANATOMY
$1B+ Annual Drain — 65-75% of Global Tech Support Fraud Originates from India

Tech Support Fraud Kill Chain
STEP 1 Lead Generation: Data brokers, malicious ads, victim lists
STEP 2 Initial Contact: Microsoft/Apple/Google impersonation, fake security alerts
STEP 3 Remote Access: TeamViewer/AnyDesk installation, full system control
STEP 4 Fabricated Evidence: Manipulated error logs, fake security warnings
STEP 5 Payment Extraction: Gift cards, crypto, wire transfer

Documented Organizational Operations
Operation | Period | Victims | Revenue | Locations
Microsoft Tech Support | 2018-2021 | 500,000+ | $15M+ | Delhi-NCR, Lucknow, Jaipur
Windows Support Raids | 2020 | - | $3.2M fraud; 26 arrested | Noida, Gurugram
Google Support Scam | 2022-2024 | 15,000+ | $10M+ | Delhi-NCR
65-75% of global technical support fraud call volumes originate from Indian operations; the US accounts for 80% of losses
UPI FRAUD SUPPLY CHAIN
1.5M Cases, ₹2,000 Crore Losses — Industrialized Fraud Ecosystem

SIM Swap 5-Stage Attack Process
1. Recon: Gather victim info
2. Approach: Visit retailer
3. Swap: Activate new SIM
4. Window: 2-4 hour gap
5. Drain: Empty accounts

₹2.3 Cr — Mumbai SIM Swap (2022): 5 arrests, INR 47L recovered, Gujarat retailer insider
₹1.7 Cr — Bengaluru SIM Swap (2023): Gujarat telecom employee, crypto exchange drained
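The control a bank or UPI app can place against stage 4 (the 2-4 hour gap between the swap and the drain), written here as an added example and not as anything from the CryptoMize assessment: a transaction authenticated only by an OTP is held for out-of-band confirmation when the customer's SIM was re-provisioned shortly beforehand, because the OTP was delivered to a SIM the attacker now controls. The telecom SIM-change feed, the hold period, the step-up threshold, the phone numbers and the sample transactions are assumptions.

```python
"""SIM-swap window check for OTP-authenticated transactions.

Added example (not part of the CryptoMize assessment). It models the
control a bank or UPI app can apply against stage 4 above, the 2-4 hour
gap between the fraudulent swap and the drain: if the customer's SIM was
re-provisioned shortly before an OTP-approved transaction, the transaction
is held for out-of-band confirmation instead of being released. The
telecom SIM-change feed, thresholds, numbers and transactions are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_HOLD = timedelta(hours=24)  # assumed: hold anything inside 24h of a swap
HIGH_VALUE_INR = 50_000                # assumed step-up threshold for other traffic

# Constructed telecom feed: MSISDN -> times the SIM was re-provisioned.
SIM_CHANGES = {
    "+919800000001": [datetime(2022, 8, 12, 14, 5)],
    "+919800000002": [],
}


@dataclass
class Txn:
    txn_id: str
    msisdn: str
    amount_inr: int
    at: datetime
    otp_verified: bool


def last_sim_change(msisdn, before):
    """Most recent SIM re-provisioning for this number at or before `before`."""
    changes = [t for t in SIM_CHANGES.get(msisdn, []) if t <= before]
    return max(changes) if changes else None


def decide(txn):
    """Return (decision, reason); decision is 'release', 'hold' or 'deny'."""
    if not txn.otp_verified:
        return "deny", "otp_missing"
    swap = last_sim_change(txn.msisdn, txn.at)
    if swap is not None and txn.at - swap <= SIM_CHANGE_HOLD:
        # The OTP went to a SIM provisioned hours ago: this is the stage-4
        # window and the OTP proves nothing. Confirm through a channel the
        # attacker does not hold (push to the enrolled device, branch visit,
        # or a call to a pre-registered alternate number).
        minutes = int((txn.at - swap).total_seconds() // 60)
        return "hold", f"sim_changed_{minutes}m_ago"
    if txn.amount_inr >= HIGH_VALUE_INR:
        return "hold", "high_value_step_up"
    return "release", "ok"


# Constructed transactions: T1 is the drain attempt 2h25m after the swap,
# T4 is the same customer two days later, outside the hold period.
SAMPLE_TXNS = [
    Txn("T1", "+919800000001", 900_000, datetime(2022, 8, 12, 16, 30), True),
    Txn("T2", "+919800000002", 1_200, datetime(2022, 8, 12, 16, 31), True),
    Txn("T3", "+919800000002", 75_000, datetime(2022, 8, 12, 16, 40), True),
    Txn("T4", "+919800000001", 500, datetime(2022, 8, 14, 9, 0), True),
]


def run(txns=SAMPLE_TXNS):
    """Decide every transaction; returns {txn_id: (decision, reason)}."""
    return {t.txn_id: decide(t) for t in txns}


if __name__ == "__main__":
    for txn_id, verdict in run().items():
        print(txn_id, *verdict)
```

The check depends on the bank receiving SIM-change events from the operator in near real time; where that feed is missing, the same signal can be approximated from the device fingerprint and network attributes seen at OTP delivery, but the decision logic (treat a freshly provisioned SIM as an unverified factor) does not change.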
UPI Fraud Supply Chain — Specialized Roles
Role | Function | Rate
Data Collectors | Obtain victim identity information | ₹500-2,000/record
SIM Swap Coordinators | Arrange fraudulent swaps with telecom insiders | ₹5,000-50,000/swap
Account Openers | Create mule bank accounts via synthetic identities | ₹1,000-5,000/account
Phone Handlers | Operate phones receiving OTPs | ₹2,000-10,000/day
Cashout Networks | Withdraw funds and physically move money | 30-50% of funds
Layerers | Move funds through multiple accounts | 15-25% of funds
BUSINESS EMAIL COMPROMISE (BEC) CASES
INR 87 Crore in 15 Cases — 12% Average Recovery Rate

Invoice Fraud: Fake vendor invoices, modified payment details
CEO Fraud: Impersonate CEO, urgent wire transfer request
Attorney Impersonation: Fake lawyer, deal closure urgency

Case | Period | Detail | Cases | Recovery
INR 87 Crore BEC Frauds | 2022-2023 | 15 major cases, multiple foreign companies victimized | 15 cases | 12%
INR 15 Crore Fake Law Firm | 2023 | 23 foreign companies in the US, UK, Germany and France | 23 cases | Partial
INR 2.3 Crore BEC (Mumbai) | 2022 | ₹2.3Cr lost, 5 arrests, bank mule network | 1 case | INR 47L
85% of cybercrime victims do not report; 89% of police stations have never registered an IT Act case
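The accounts-payable control that defeats the invoice-fraud and CEO-fraud patterns above, added here as an example and not part of the CryptoMize assessment: a payment is released only when the sender domain is the vendor's registered domain (lookalike domains are flagged) and the bank details on the invoice match the vendor master; anything else is held for a callback to the phone number already on file, never to a number from the email. The vendor names, domains, account numbers, IFSC codes and sample invoices are constructed.

```python
"""Invoice payment-detail verification against a vendor master.

Added example (not part of the CryptoMize assessment). Release only when
the sender domain matches the registered one and the bank details match
the master; otherwise hold for a callback on the number held in the master.
Vendor names, domains, accounts and sample invoices are constructed.
"""
import unicodedata

# Constructed vendor master as the AP team would hold it.
VENDOR_MASTER = {
    "V-1042": {
        "name": "Meridian Components Pvt Ltd",
        "domain": "meridiancomp.example",
        "account": "00112233445566",
        "ifsc": "HDFC0001234",
        "callback_phone": "+91-22-0000-0000",  # placeholder number
    },
}


def normalize_domain(domain):
    """Fold the common lookalike substitutions so they compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    return d.replace("0", "o").replace("1", "l").replace("rn", "m")


def levenshtein(a, b):
    """Edit distance; a small distance between domains indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(sender_domain, registered):
    """'match', 'lookalike' (homoglyph or within 2 edits) or 'foreign'."""
    if sender_domain.strip().lower() == registered.lower():
        return "match"
    a, b = normalize_domain(sender_domain), normalize_domain(registered)
    if a == b or levenshtein(a, b) <= 2:
        return "lookalike"
    return "foreign"


def check_invoice(invoice):
    """Return (decision, reasons) for an invoice dict.

    Decisions: 'release', 'hold_callback' (confirm on the number from the
    master, never one quoted in the email) or 'reject'.
    """
    vendor = VENDOR_MASTER.get(invoice["vendor_id"])
    if vendor is None:
        return "reject", ["unknown_vendor"]
    reasons = []
    verdict = domain_verdict(invoice["sender_domain"], vendor["domain"])
    if verdict != "match":
        reasons.append(f"sender_domain_{verdict}")
    if (invoice["account"], invoice["ifsc"]) != (vendor["account"], vendor["ifsc"]):
        reasons.append("bank_details_differ_from_master")
    if not reasons:
        return "release", []
    return "hold_callback", reasons + [f"callback:{vendor['callback_phone']}"]


# Constructed invoices: legitimate; lookalike domain ("rn" for "m") with new
# bank details; new account from the genuine domain; unknown vendor id.
SAMPLE_INVOICES = [
    {"vendor_id": "V-1042", "sender_domain": "meridiancomp.example",
     "account": "00112233445566", "ifsc": "HDFC0001234", "amount_inr": 4_200_000},
    {"vendor_id": "V-1042", "sender_domain": "meridiancornp.example",
     "account": "99887766554433", "ifsc": "ICIC0009876", "amount_inr": 4_200_000},
    {"vendor_id": "V-1042", "sender_domain": "meridiancomp.example",
     "account": "99887766554433", "ifsc": "HDFC0001234", "amount_inr": 800_000},
    {"vendor_id": "V-9999", "sender_domain": "meridiancomp.example",
     "account": "00112233445566", "ifsc": "HDFC0001234", "amount_inr": 100_000},
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        print(inv["vendor_id"], inv["sender_domain"], check_invoice(inv))
```

The third sample is the case that matters most in the 12% recovery figures: the sender domain is genuine (a compromised mailbox at the vendor) and only the account number has changed, so domain checks alone pass it; the master comparison is what catches it.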
INSIDER THREAT REGISTER
16 Documented Cases 2016-2026 — Complete Case Documentation
By sector: Telecom 1 | Banking 3 | Healthcare 3 | Police 3 | Defence 1 | Corporate 3 | Regulatory 1

Case ID | Organization | Sector | Period | Impact
IN-2016-001 | BSNL | Telecom | 2016-2019 | Strategic
IN-2019-002 | SIDBI | Banking | 2020 | ₹50-100 Cr
IN-2019-003 | Yes Bank | Banking | 2020 | ₹100-200 Cr
IN-2019-004 | Bank of Baroda | Banking | 2019-2021 | ₹200-500 Cr
IN-2019-005 | SIFY Tech | IT Services | 2019 | ₹500-700 Cr
IN-2020-006 | Star Health | Healthcare | 2024 | ₹100+ Cr
IN-2021-007 | Apollo Hospitals | Healthcare | 2023 | ₹50+ Cr
IN-2022-008 | TN Health Dept | Healthcare | 2022 | ₹25-50 Cr
IN-2022-009 | Maharashtra Crime Branch | Police | 2023 | ₹10-20 Cr
IN-2021-010 | Karnataka Police | Police | 2021-2023 | ₹15-30 Cr
IN-2022-011 | Delhi Police | Police | 2022 | ₹20-40 Cr
IN-2018-012 | Ministry of Defence | Defence | 2018 | Unquantifiable
IN-2019-013 | TRAI | Regulatory | 2019 | ₹5-10 Cr
IN-2019-014 | IT Services Co. A | Corporate | 2019 | ₹200 Cr
IN-2021-015 | Pharmaceutical Co. | Corporate | 2021 | ₹50-100 Cr
IN-2022-016 | KSB Limited | Corporate | 2022 | ₹100+ Cr
BSNL-APT41: 200M CDRs compromised, 2016-2019 duration, military numbers targeted, SS7 architecture exposed — No prosecution
NATGRID OPERATIONAL STATUS
Full Operational Capability — December 2025-January 2026
Status: FULLY OPERATIONAL | 45,000 requests/month | 21 agencies connected | 24/7 operations
Connected Agencies: Telecom Operators, Banks, Tax Authorities, Law Enforcement, UIDAI, RBI

UIDAI Architecture Problem
Logs queries but does NOT analyze patterns for anomaly detection
Data brokers can correlate Aadhaar existence across multiple queries
No counterintelligence monitoring assigned; staff focused on operations
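What analysing that existing query log would look like, added here as an example and not part of the CryptoMize assessment: three cheap detections over constructed lookup-log lines, flagging an operator whose volume far exceeds the median, an operator touching an unusually large number of distinct subjects, and one subject queried from several agencies inside a short window, which is the cross-query "existence correlation" a data broker would be producing. The agencies, operator ids, pseudonymous subject ids, thresholds and log format are assumptions.

```python
"""Anomaly detection over identity-lookup query logs.

Added example (not part of the CryptoMize assessment). Runs three cheap
detections over constructed log lines of the form
"<ISO time> <agency> <operator> <subject_id>":
  1. an operator whose lookup volume far exceeds the median operator,
  2. an operator touching an unusually large number of distinct subjects,
  3. one subject queried from several agencies inside a short window.
Agencies, operators, subject ids, thresholds and the log format are assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log: three ordinary operators, one subject (S777) looked up by
# three agencies within 25 minutes, and one operator (op9) bulk-querying
# twelve distinct subjects in twelve minutes.
SAMPLE_LOG = """\
2026-01-15T09:00:00 TELCO-A op1 S101
2026-01-15T09:03:00 TELCO-A op1 S102
2026-01-15T09:20:00 TELCO-A op1 S777
2026-01-15T09:05:00 BANK-B op2 S201
2026-01-15T09:25:00 BANK-B op2 S777
2026-01-15T09:40:00 BANK-B op2 S202
2026-01-15T09:10:00 LEA-C op3 S301
2026-01-15T09:45:00 LEA-C op3 S777
2026-01-15T10:30:00 LEA-C op3 S302
""" + "".join(
    f"2026-01-15T09:{40 + i:02d}:00 TELCO-A op9 S9{i:02d}\n" for i in range(12)
)


def parse(log_text):
    """Return a list of (timestamp, agency, operator, subject) tuples."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, agency, operator, subject = line.split()
        rows.append((datetime.fromisoformat(ts), agency, operator, subject))
    return rows


def volume_outliers(rows, factor=3, floor=5):
    """Operators whose lookup count exceeds max(floor, factor * median)."""
    counts = Counter(op for _, _, op, _ in rows)
    threshold = max(floor, factor * median(counts.values()))
    return {op: n for op, n in counts.items() if n > threshold}


def fanout_outliers(rows, max_distinct=10):
    """Operators that touched at least max_distinct different subjects."""
    subjects = defaultdict(set)
    for _, _, op, subj in rows:
        subjects[op].add(subj)
    return {op: len(s) for op, s in subjects.items() if len(s) >= max_distinct}


def cross_agency_correlation(rows, window=timedelta(hours=1), min_agencies=3):
    """Subjects queried by >= min_agencies distinct agencies inside `window`.

    A legitimate verification rarely needs the same person checked by a
    telco, a bank and a police unit within the hour; a broker assembling a
    profile from several insiders does exactly that.
    """
    by_subject = defaultdict(list)
    for ts, agency, _, subj in rows:
        by_subject[subj].append((ts, agency))
    hits = {}
    for subj, events in by_subject.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            agencies = {a for t, a in events[i:] if t - start <= window}
            if len(agencies) >= min_agencies:
                hits[subj] = sorted(agencies)
                break
    return hits


def analyse(log_text=SAMPLE_LOG):
    """Run all three detections; returns a dict of findings per detection."""
    rows = parse(log_text)
    return {
        "volume": volume_outliers(rows),
        "fanout": fanout_outliers(rows),
        "cross_agency": cross_agency_correlation(rows),
    }


if __name__ == "__main__":
    for name, findings in analyse().items():
        print(name, findings)
```

None of these rules needs the query payload, only the metadata the log already records, which is the point: the gap the page describes is analytical, not a data-collection gap, and the third rule in particular is only possible for the party that sees queries from every agency at once.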
INSIDER ACCESS MARKET PRICING
Complete Data Broker Rate Card — Functional & Competitive Market
Sector | Data | Price
Telecom | Call Detail Record (CDR) | ₹2,000-50,000
Telecom | Location Data | ₹5,000-15,000
Telecom | SIM Registration | ₹500-5,000
Banking | Account Details | ₹2,000-10,000
Banking | Transaction History | ₹5,000-25,000
Banking | Credit Card Data | ₹3,000-15,000
Healthcare | Basic Patient Record | ₹50-500
Healthcare | Medical History | ₹500-8,000
Healthcare | ABHA-Linked Record | ₹3,000-15,000
Police | FIR Data | ₹5,000-50,000
Police | Criminal Records | ₹5,000-15,000
Police | Informant Identities | ₹50,000-2L

Why Insider Market Persists (5 Factors)
1. Low detection probability
2. Low prosecution rate
3. Rational economic choice
4. Network effects
5. Limited career consequences
SECTOR VULNERABILITY ASSESSMENT
7-Sector Insider Threat Risk Matrix
Risk Assessment
Sector | IV | DC | EC | Rating
Telecom | 95 | 15 | 10 | Critical
Banking | 85 | 25 | 20 | High
Healthcare | 80 | 15 | 10 | Critical
Police/LE | 90 | 30 | 15 | Critical
Defence | 95 | 45 | 40 | High
Corporate | 75 | 25 | 35 | High
Regulatory | 60 | 15 | 10 | Medium
No single agency has clear responsibility for insider threat detection in the civilian sector — a structural flaw enabling persistence
CryptoMize Internal Research — Non-State Threat Actors Assessment — March 2026
B2.3 (Hacktivist) / B2.4 (Commercial Cybercrime)