A sophisticated cybercriminal operation known as “PrintSteal” has been discovered generating and distributing fraudulent Indian identity documents on a massive scale. The operation relies on a widespread network of affiliates, including local mobile shops and cyber cafes, who serve as distribution points for these counterfeit documents. The criminal network has generated more than 167,000 fake documents, including Aadhaar cards, PAN cards, and birth certificates, earning an estimated ₹40 Lakhs in illicit profits from a single platform alone.

Security analysts at CloudSEK noted that these affiliates are recruited through social media platforms like YouTube and Instagram, where tutorials and promotional content advertise the service. The operation spans multiple Indian states, with confirmed activity in regions including Andhra Pradesh, Gujarat, Jharkhand, Karnataka, Madhya Pradesh, and Uttar Pradesh. Communication and operational security are maintained through private Telegram groups, where affiliates receive warnings about ongoing law enforcement investigations.

The fraudulent documents include QR codes that, when scanned, direct users to fake verification websites mimicking official government portals. This deceptive verification system creates the false impression that the documents are legitimate, making them difficult to identify as forgeries through basic verification attempts.

The technical analysis reveals that PrintSteal’s platforms are built using PHP with MySQL databases to store document templates and user inputs. The source code for these platforms is based on repurposed educational management systems readily available online, significantly reducing the technical barriers to creating similar operations. The threat actors distribute their platforms’ source code through various channels, facilitating the rapid proliferation of similar fraudulent operations. The operation integrates with illicit API services, primarily apizone.in and hhh00.xyz, to access sensitive data needed for document generation.

Investigation has attributed one of the main platforms, crrsg.site, to an individual identified as Manish Kumar, who uses the alias “Mg Khaan” and operates the Telegram channel @royalprint_site.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in cyber security, he is covering cyber security news, technology and other news.
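Because the forged documents' QR codes lead to look-alike verification sites, a verifier should judge the decoded URL by its host rather than by how the page looks. The sketch below is an added example, not code from the article or from CloudSEK; the trusted suffixes (`gov.in`, `nic.in`) and the sample URLs are assumptions, and only the three reported domains come from the article.

```python
from urllib.parse import urlsplit

# Assumption: only hosts under these government domains are trusted;
# narrow this to the exact portals your process relies on.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")
# Domains the article names as part of the operation.
REPORTED_DOMAINS = ("crrsg.site", "apizone.in", "hhh00.xyz")
# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = (
    "https://portal.example.gov.in/verify?id=1",
    "https://portal.gov.in.example.test/verify?id=1",
    "https://portal.gov.in@example.test/verify?id=1",
)


def _under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_qr_url(payload):
    """Classify the text decoded from a document's QR code.

    Returns (verdict, reason); verdict is 'trusted', 'reported' or 'untrusted'.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ("untrusted", "not a parseable URL")
    if any(_under(host, d) for d in REPORTED_DOMAINS):
        return ("reported", "host is named in the PrintSteal reporting")
    if parts.scheme != "https":
        return ("untrusted", "not an https URL")
    if parts.username is not None or parts.password is not None:
        return ("untrusted", "URL carries userinfo before the host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("untrusted", "internationalised host name, possible lookalike")
    if any(_under(host, s) for s in TRUSTED_SUFFIXES):
        return ("trusted", "host is under a trusted government domain")
    return ("untrusted", "host is not under a trusted government domain")


if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url))
```

A host check only establishes where the QR code points; the document's details still have to be confirmed on the official portal itself.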
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 09 Mar 2025 13:30:07 +0000