PrintSteal : Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud

Imagine thousands of fake identity documents being generated at the click of a button—Aadhaar cards, PAN cards, birth certificates—all convincingly real, but entirely fraudulent. That’s exactly what the "PrintSteal" operation has been doing on a massive scale. This investigation uncovers a highly organized criminal network running over 1,800 fake domains, impersonating government websites, and using cyber cafés, Telegram groups, and illicit APIs to distribute fraudulent KYC documents. With over 167,000 fake documents created and ₹40 Lakh in illicit profits, this isn’t just fraud—it’s a direct attack on India’s digital security. The full report dives into how this scam works, who’s behind it, and what needs to be done to stop it. If you care about financial security, digital identity protection, or cybercrime prevention, you won’t want to miss it. Read on to uncover the full story.

Abhishek Mathew
March 5, 2025
Green Alert
Last update posted on March 5, 2025

Executive Summary

This report uncovers a large-scale, organized criminal operation involved in the mass production and distribution of fake Indian KYC (Know Your Customer) documents, commonly known as "print portals," and tracked by CloudSEK as "PrintSteal." The focus of this analysis is the platform crrsg.site, one of several similar operations, chosen to highlight the extent and complexity of the broader threat. The operation has been active since at least 2021 and utilizes a network of affiliates—such as local mobile shops and cyber cafes—with at least 2,727 registered operators on the crrsg.site platform alone, to create fraudulent documents. Investigations revealed that more than 167,391 fake documents have been generated on this platform, including over 156,000 fake birth certificates, showcasing the operation's vast scale and capabilities. The infrastructure of this operation includes a centralized web platform, access to illicit APIs that provide data such as Aadhaar, PAN, and vehicle information, a streamlined payment system, and encrypted communication channels (such as Telegram). The operation's extensive reach, supported by a large network of affiliates and the use of easily accessible illegal APIs, calls for a comprehensive and coordinated counter-response. Additionally, over 1,800 domains linked to this operation have been identified, further expanding its impact. The operation primarily impersonates csc.gov.in and crsorgi.gov.in to enhance credibility. Financial investigations show that the threat actor behind crrsg.site has generated an estimated ₹40 Lakh in revenue from this platform alone.

crrsg.site stats:

Note: This report uses the crrsg.site platform as a case study to demonstrate the scale and complexity of a wider, multi-platform operation involved in generating fraudulent Indian KYC documents. A significant number of similar sites have been identified.

  • Total Historical Domains for PrintSteal Identified by CloudSEK: 1,800+
  • Active Domains Currently in Operation: 600+

Introduction:

The Common Service Centre (CSC) is a key Indian government initiative that provides a range of essential services to citizens, often involving the handling of sensitive KYC (Know Your Customer) documents. This investigation began after identifying multiple unauthorized websites impersonating the CSC scheme, offering critical KYC services—such as Aadhaar downloads and address updates—at minimal fees while bypassing standard security protocols. The ease of account creation, extensive service offerings, and rapid shifting of domains pointed to a highly organized and dynamic criminal operation. This report analyzes "crrsg.site" as a representative case study, but the scope of the threat is far broader. To date, over 1,800 domains have been identified as part of this operation, with 600+ active domains currently in operation. This extensive domain network underscores the vast scale and resilience of the fraudulent scheme, significantly complicating efforts to mitigate its impact. The scale of these activities poses substantial challenges for law enforcement and highlights the urgent need for coordinated countermeasures.

Programmatically generated Aadhaar card using crrsg.site

Modus Operandi: A Complex Fraudulent Network

The PrintSteal operation represents a highly organized, multi-tiered scheme for producing and distributing fake Indian KYC documents. It effectively combines accessible technologies, illicit APIs, and a vast network of unwitting affiliates to scale the operation and maintain efficiency. The success of the operation is driven by the growing demand for quick and convenient document services, while simultaneously obscuring its illegal activities and staying one step ahead of law enforcement. The structure mirrors a sophisticated criminal enterprise, complete with a division of roles and a strong focus on operational security.

Creation and Deployment of Fraudulent Platforms:

21 variants of the print portal being sold on hardscripts.com

The scheme begins with the establishment of fraudulent KYC document generation platforms, which are often created using pre-made templates (such as AdminLTE), reducing the need for extensive development work. The threat actors acquire the source code from third-party sources like ahkwebsolutions.com, hardscripts.com, or pgecm.in, and customize it for specific types of fake documents. These actors or their associates then purchase shared hosting services from providers like GoDaddy, Hosting Concepts, HOSTINGER, and others to deploy multiple platforms, enhancing both the reach and resilience of the operation. While some platforms are basic, others make use of external APIs to broaden their capabilities, enabling the creation of a wider variety of counterfeit documents.

Snapshot of the print portal dashboard.

Affiliate Recruitment, Training, and Supervision:

The operation relies heavily on a network of affiliates, primarily local businesses like mobile shops and internet cafes, which serve as points of contact for customers seeking fake documents. Recruitment is carried out both online and offline, with the demand for quick document services attracting new affiliates. These services are promoted heavily through social media platforms such as YouTube and Instagram, where tutorials and promotional content show the simplicity of using the platform. The process for joining the network is straightforward: affiliates register on the platform, fund a virtual wallet, and gain access to the document generation tools.

Ongoing training and guidance are provided through private Telegram groups and YouTube channels, which include tutorials, tips, and updates. These channels also serve as the primary means for the threat actors to maintain control over the network, sharing crucial information on customer verification (especially for sensitive documents like Aadhaar, PAN, and voter IDs) and offering warnings about potential law enforcement scrutiny. The tone of these messages underscores the high risks involved and the importance of maintaining strict operational security.

Search results for “aadhar print portal” on YouTube

Document Generation and Data Harvesting:

The document generation process involves several steps:

  1. Data Input: The operator manually enters the necessary details into the portal's interface.

Screenshot of the Aadhaar card generation form from crrsg.site

  2. Database Interaction: The platform queries the database to retrieve relevant data based on the entered information and the selected parameters (language, type).

  3. Document Assembly: The PHP code combines the data retrieved from the database with pre-existing images of official documents to create a PDF.

PHP code used to generate Aadhaar cards

Templates used to generate documents

Images used to generate documents

  4. QR Code Generation: The platform generates QR codes using api.qrserver.com, encoding URLs that redirect to deceptive verification pages. This step enhances the document's apparent legitimacy.

  5. PDF Generation: A dynamically generated PDF is created from the assembled template.

Templates used to generate documents

Deceptive QR Code Verification:

A critical element in the PrintSteal operation's success is its use of deceptive QR codes to enhance the credibility of fraudulent documents. These QR codes, generated using the legitimate api.qrserver.com service, are embedded within the fraudulent documents (Aadhaar cards, birth certificates, death certificates). However, instead of linking to official government verification websites, these QR codes direct users to counterfeit URLs designed to mimic legitimate verification pages. For example, scanning the QR code on a fraudulent birth certificate leads to a URL like

https://crrsg.site/admin/web/index.php/auth/birthCertificate/view/B/bWF4VExRZC9GTnhBWkhtZTNrdWhUZz09.php?id=130272&cont=Anjsjdn

 which displays the fraudulent document itself, creating the false impression of verification from an official source. 

A screenshot of the birth certificate shown when scanning the document's QR code.

Similarly, death certificate QR codes link to URLs like

https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24 

which mimic official government verification portals. This sophisticated deception makes it extremely difficult to distinguish authentic documents from fraudulent ones, even with basic verification attempts.

When scanned, the QR code on a death certificate leads to a government-looking website that displays the certificate's details.
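The deception in step 4 of the generation process and in the QR-code section above works because a scanner only checks whether the page "looks" official. A verifier (or a bank's KYC onboarding tool) should instead check the hostname decoded from the QR code against the issuing government domains. The following is an added example, not code from the report or from the platforms it describes: it assumes an allowlist built from the two official domains the report names (csc.gov.in and crsorgi.gov.in), and the function names and the sample URLs other than the two quoted from the report are constructed for the example.

```python
from urllib.parse import urlsplit

# Allowlist of official issuer domains. Constructed for this example from the two
# government domains the report says PrintSteal impersonates; a production
# verifier would maintain this as policy rather than hard-code it.
OFFICIAL_DOMAINS = ("crsorgi.gov.in", "csc.gov.in")


def is_under_domain(host: str, domain: str) -> bool:
    """True only when host is exactly `domain` or a label-aligned subdomain of it.

    A substring or prefix test is exactly what the lookalike host exploits; the
    check must anchor at the right-hand end of the name on a label boundary.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def embeds_official_name(host: str, official=OFFICIAL_DOMAINS) -> bool:
    """True when an official domain (or a 'gov.in' label pair) appears inside the
    host without the host actually being under it, e.g.
    dc.crsorgi.gov.in.edistrict.site, which is a subdomain of edistrict.site."""
    host = host.lower().rstrip(".")
    if any(d in host and not is_under_domain(host, d) for d in official):
        return True
    labels = host.split(".")
    # Generic form: 'gov' followed by 'in' anywhere except at the end of the name.
    for i in range(len(labels) - 2):
        if labels[i] == "gov" and labels[i + 1] == "in":
            return True
    return False


def classify_qr_url(url: str, official=OFFICIAL_DOMAINS) -> dict:
    """Classify the URL decoded from a document's QR code.

    Verdicts:
      official  - host is under an allowlisted government domain
      lookalike - host merely contains an official name (impersonation)
      untrusted - any other host; the document is effectively vouching for itself
    """
    parts = urlsplit(url)
    # urlsplit discards userinfo, so 'https://crsorgi.gov.in@evil.example/'
    # yields hostname 'evil.example', not the decoy text before the '@'.
    host = (parts.hostname or "").lower()
    https = parts.scheme == "https"
    if not host:
        return {"host": host, "verdict": "untrusted", "https": https,
                "reason": "no hostname in QR payload"}
    for d in official:
        if is_under_domain(host, d):
            return {"host": host, "verdict": "official", "https": https,
                    "reason": f"host is under {d}"}
    if embeds_official_name(host, official):
        return {"host": host, "verdict": "lookalike", "https": https,
                "reason": "official domain name embedded in a non-official host"}
    return {"host": host, "verdict": "untrusted", "https": https,
            "reason": "host is not an allowlisted issuer"}


if __name__ == "__main__":
    samples = [
        # The two URLs quoted in the report.
        "https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24",
        "https://crrsg.site/admin/web/index.php/auth/birthCertificate/view/B/x.php?id=130272&cont=Anjsjdn",
        # Constructed controls: a genuine subdomain and a userinfo decoy.
        "https://sub.csc.gov.in/verify",
        "https://crsorgi.gov.in@evil.example/",
    ]
    for u in samples:
        r = classify_qr_url(u)
        print(f"{r['verdict']:9} {r['host']:40} {r['reason']}")
```

The verdict is decided purely by the hostname; whether the page at the other end renders a convincing certificate is irrelevant, which is the point. The `https` flag is returned separately so a caller can treat a plain-HTTP link to an official host as a second, weaker signal.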

Payment System and Profit Sharing:

The operation employs an integrated virtual wallet system for payments. Affiliates deposit funds into their platform accounts, and the cost for each document generated is automatically deducted from their wallet. The threat actors charge a fee for each document (typically ₹20-35 INR on crrsg.site), while affiliates mark up the prices, profiting from the difference and offering added convenience to their customers.

Operational Security (OPSEC) and Response to Law Enforcement:

OPSEC is a critical element of the operation’s success. The threat actors use secure communication channels like Telegram to manage the network, issue warnings about ongoing law enforcement investigations, and provide continuous support to affiliates. When law enforcement actions take down one of their platforms, the operators quickly pivot, deploying new platforms and domains to replace those lost, demonstrating their ability to adapt quickly to enforcement efforts. This proactive approach highlights their understanding of law enforcement tactics and their commitment to keeping the operation running smoothly despite increased scrutiny.

Threat actor warning all the operators about ongoing investigations 

Attribution of crrsg.site: Mg Khaan aka Manish Kumar

The investigation has revealed that Manish Kumar is a central figure in the criminal operation behind “crrsg.site”; the other websites in the network are operated by different threat actors.

Category              Details
Name                  Manish Kumar
Phone Number          +91 7070635763
Telegram Account      @boss1432m | User ID: 6162169069
Telegram Channel      @royalprint_site
Email Address         [email protected]
UPI ID                paytm.s15mpdp@pty
IP Address (Hosting)  157.90.176.32
Address               VILLAGE-PARASPATTI, POST-DUMRA, P/S-DUMRA, DIST-SITAMARHI, STATE-BIHAR, PIN CODE-843302

Motivation:

The primary motive is financial gain through the large-scale generation and distribution of fraudulent KYC documents. Analysis of crrsg.site alone indicates revenue of approximately ₹40 Lakh, based on documented pricing (₹20-35 per document) and the generation of over 160,000 documents. This figure is likely a significant underestimate: the higher-priced services offered, the existence of multiple similar platforms, and the ongoing nature of the operation all push the real total higher. The business model is efficient and scalable, relying on a multi-layered affiliate network for distribution and leveraging readily available illicit APIs for data acquisition.

Technical Analysis:

The platform is built using a PHP-based admin panel/dashboard system that drives its core functionality. The backend is powered by PHP, handling the server-side logic for generating fraudulent documents and managing user interactions. The system uses MySQL as its database to store user inputs, document data, and affiliate information. On the frontend, jQuery and Bootstrap 4 are utilized for responsive design and dynamic content updates, while the AdminLTE framework provides a customizable, user-friendly interface for managing the platform's operations.

Source code of the web application

  • Source Code: The source code, based on a repurposed educational management system obtained from ahkwebsolutions.com, was readily available online. This significantly reduces the barrier to entry for others looking to create similar platforms, increasing the risk of proliferation. The use of a readily available template simplifies development, reducing the need for specialized skills and making it easier for less experienced individuals to set up and operate these fraudulent platforms.
  • API Integration: The integration of illicit APIs from apizone.in and hhh00.xyz, among others, allows for the efficient retrieval of sensitive data, reducing the amount of data that needs to be collected directly from customers. These APIs typically require an API key and utilize standard HTTP GET requests, suggesting the threat actors possess a basic understanding of API interaction. The use of these APIs highlights the growing threat of readily available illicit data sources on the dark web and other online platforms.
  Main illicit API services used by the threat actors:
    • apizone.in
    • hhh00.xyz

  Note: The API services used in this operation require further investigation to understand how they source and provide the sensitive data used for fraudulent document generation.

  • Hosting Infrastructure: The use of shared hosting from multiple providers makes tracing and disrupting the operation more difficult. There is no evidence of sophisticated techniques to mask IP addresses or origins. This strategy is cost-effective and minimizes the risk of detection.
  • Evolution and Variants: The operation has evolved over time, with new platforms emerging to replace those taken down. This indicates ongoing development and adaptation to countermeasures, and demonstrates the resilience of the threat actors, highlighting the need for a proactive and dynamic approach to combating this type of criminal activity.
  • Geographical Distribution of identified fake documents: Analysis of the PrintSteal operation reveals a broad geographic reach across India, with confirmed activity in Andhra Pradesh, Arunachal Pradesh, Assam, Bihar, Chandigarh, Chhattisgarh, Delhi, Gujarat, Haryana, Jammu and Kashmir, Jharkhand, Karnataka, Madhya Pradesh, Maharashtra, Odisha, Punjab, Rajasthan, Tamil Nadu, Telangana, Tripura, Uttar Pradesh, Uttarakhand, and West Bengal. This widespread presence highlights the scale and impact of the criminal enterprise, suggesting a sophisticated network capable of recruiting and managing affiliates across diverse regions. The distribution of activity may reflect various factors, including internet access, socioeconomic conditions, and existing informal networks. However, the precise extent of the operation's geographic reach remains under investigation, and further analysis is necessary to fully map its distribution and understand the underlying factors contributing to its varied presence across these states.

Chart displaying PrintSteal activity across states

Impact Assessment:

1. Financial Impact:

The PrintSteal operation has caused substantial financial losses. crrsg.site alone generated an estimated ₹40 lakh from over 160,000 fraudulent documents. With over 1,800 domains in the network, the total financial gain is likely much higher. These illegal profits fuel the operation's growth, posing an ongoing financial risk. Furthermore, the illicit distribution of fake KYC documents undermines trust in India’s financial and legal systems, leading to significant long-term financial consequences.

  • Fraudulent Identity Usage: Fake KYC documents enable further fraudulent activities like opening bank accounts, obtaining loans, and other financial crimes, amplifying the economic harm.
  • Increased Financial Crimes: The widespread use of fake KYC documents facilitates complex crimes like money laundering and tax evasion, undermining national economic security.

2. Reputational Impact:

PrintSteal has severely damaged the reputation of the Common Service Centre (CSC) initiative. By impersonating CSC services and bypassing legitimate processes, the criminals exploit public trust in government systems.

  • Public Trust Erosion: Citizens become skeptical of online government services, fearing misuse of sensitive information. This erosion of trust can decrease adoption of critical government services reliant on KYC integrity.
  • Government Initiatives at Risk: This fraud jeopardizes future initiatives like digital IDs, e-Government schemes, and online registration processes, slowing public adoption and participation.

3. Legal and Regulatory Implications:

The scale and sophistication of PrintSteal have significant legal and regulatory consequences:

  • Violation of Identity and Data Protection Laws: The operation breaches Indian laws, including the IT Act, 2000, the Aadhaar Act, 2016, and provisions related to fraud, identity theft, and data privacy. Operators and affiliates face severe penalties.
  • International Ramifications: Given the operation's nature and global accessibility, international cooperation may be necessary to address these cross-border cybercrime activities.

4. National Security Threats:

The fraudulent creation and circulation of KYC documents pose a broader national security risk:

  • Vulnerabilities in Public Services: Fake documents (birth certificates, Aadhaar cards, PAN cards) allow unlawful acquisition of restricted services. Criminal entities could exploit this to gain access to restricted resources, creating a broader national security issue.

Recommendations

1. Immediate Law Enforcement Response:

  • Investigate and Prosecute Key Actors: A coordinated national law enforcement effort is required to dismantle the PrintSteal network's leadership. This includes investigating financial flows, identifying key players (e.g., Manish Kumar), and aggressively pursuing criminal charges.
  • Cross-Agency Collaboration: Collaboration between cybercrime units, financial authorities (e.g., Enforcement Directorate), and digital forensics teams is crucial to tracing illicit funds, uncovering associated criminal activities, and identifying potential money laundering.

2. Domain and Website Takedown Operations:

  • Collaboration with Hosting Providers: Work with global and local hosting providers to quickly identify and shut down PrintSteal platforms. This includes a rapid takedown policy for domains hosting fraudulent websites or engaging in malicious activities.
  • IP Blocking and Domain Blacklisting: Utilize cyber intelligence tools to map domain infrastructure, block malicious IP addresses, and blacklist suspicious domains globally. This reduces the availability of fraudulent platforms and disrupts affiliate operations.

3. Disruption of the Affiliate Network:

  • Targeted Investigation of Affiliates: Law enforcement and cybersecurity agencies should investigate and disrupt the network of local mobile shops, cyber cafes, and other affiliate businesses. Public awareness campaigns should warn potential participants about the legal risks and penalties.
  • Identify and Disrupt Financial Flows: Investigate virtual wallets, UPI IDs, and cryptocurrency transactions to trace financial flows and freeze illicit accounts.

4. Enhanced Security and Authentication Protocols:

  • Stronger Verification Methods: Implement stronger identity verification methods, including biometric verification, two-factor authentication (2FA) for KYC updates, and real-time database checks against government records.
  • API Security Enhancements: Review all government APIs to ensure they are not vulnerable to unauthorized access. APIs used in KYC and Aadhaar services should be tightly controlled, with access limited to verified entities.

5. Cybersecurity and Infrastructure Protection:

  • Constant Monitoring for Fraudulent Activity: Implement real-time monitoring systems to detect unusual activity related to KYC document generation, including tracking suspicious domain patterns, rapid mass document requests, and the use of illicit APIs.
  • Blockchain Verification for KYC: Consider adopting blockchain technology for KYC data verification to enhance transparency and authenticity.
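The "rapid mass document requests" signal in the monitoring recommendation above, implemented as an added example over constructed log lines (not the report's code and not any real government system's log format). It assumes that document-generation events are logged with a timestamp, an operator identifier and a document type; a sliding-window counter then flags any operator whose generations within ten minutes exceed a threshold. The log format, operator IDs, thresholds and the function names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per generated document. op17 produces seven
# documents in about three minutes (bulk generation); op42 produces three over
# a working day (ordinary use). The unparseable line is deliberate.
SAMPLE_LOG = """
2025-03-01T10:00:05 operator=op17 doc=birth_certificate
2025-03-01T10:00:31 operator=op17 doc=birth_certificate
2025-03-01T10:01:02 operator=op17 doc=birth_certificate
2025-03-01T10:01:40 operator=op17 doc=aadhaar
2025-03-01T10:02:11 operator=op17 doc=birth_certificate
2025-03-01T10:02:58 operator=op17 doc=pan
2025-03-01T10:03:20 operator=op17 doc=birth_certificate
2025-03-01T09:15:00 operator=op42 doc=birth_certificate
2025-03-01T11:40:00 operator=op42 doc=aadhaar
2025-03-01T16:05:00 operator=op42 doc=birth_certificate
garbage line that does not parse
""".strip().splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) operator=(?P<op>\S+) doc=(?P<doc>\S+)")


def parse_log(lines):
    """Parse log lines into (timestamp, operator, doc_type) tuples, sorted by
    time. Lines that do not match the assumed format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["op"], m["doc"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bulk_generation(events, max_docs=5, window=timedelta(minutes=10)):
    """Flag operators whose generation count inside any sliding window of
    `window` length exceeds `max_docs`.

    Returns {operator: {"peak": n, "window_start": ts, "window_end": ts,
                        "doc_types": [...]}} with the peak count observed.
    """
    recent = defaultdict(deque)   # operator -> timestamps still inside the window
    doc_types = defaultdict(set)  # operator -> document types seen overall
    alerts = {}
    for ts, op, doc in events:
        doc_types[op].add(doc)
        q = recent[op]
        q.append(ts)
        # Drop timestamps older than the window; q always keeps at least `ts`.
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_docs:
            cur = alerts.get(op)
            if cur is None or len(q) > cur["peak"]:
                alerts[op] = {"peak": len(q), "window_start": q[0], "window_end": ts}
    for op in alerts:
        alerts[op]["doc_types"] = sorted(doc_types[op])
    return alerts


if __name__ == "__main__":
    for op, a in detect_bulk_generation(parse_log(SAMPLE_LOG)).items():
        print(f"{op}: {a['peak']} documents between {a['window_start']} and "
              f"{a['window_end']} ({', '.join(a['doc_types'])})")
```

The window and threshold are the tunable part: a legitimate service desk issues a handful of certificates an hour, so a low threshold over a short window separates affiliate-style bulk generation from ordinary use without needing a model. Recording the mix of document types alongside the count gives an analyst the second signal the report describes, a single operator issuing birth certificates, Aadhaar and PAN documents back to back.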

6. Public Awareness and Education Campaigns:

  • Public Awareness Initiatives: Launch a public education campaign across media platforms to raise awareness about fraudulent KYC websites and the dangers of providing personal information to unverified sources. Include easy-to-follow guides on verifying the authenticity of government-issued documents.
  • Highlight Risks of Fake KYC Documents: Promote understanding of the risks associated with using fraudulent KYC documents, especially for financial services, healthcare, and government benefits.

7. International Collaboration for Cybercrime Prevention:

  • Cross-Border Cooperation: International cooperation is necessary to address the operation's global reach. Collaborate with cybersecurity agencies in other countries and organizations like INTERPOL to track down and prosecute cross-border criminal networks.
  • Collaboration with Dark Web Surveillance Teams: Monitor the dark web for illicit API providers (e.g., apizone.in, hhh00.xyz) and data brokers supplying the PrintSteal operation. Coordinated international efforts can shut down these data sources.

8. Strengthening Legal and Regulatory Frameworks:

  • Reform Data Privacy and Cybercrime Laws: Strengthen laws regarding identity theft, data privacy, and cybercrime, with stricter penalties.
  • Enforce Stricter Licensing for Service Providers: Impose stricter regulations on businesses offering KYC and document services, requiring clear operating licenses and security protocols.

9. Long-Term Countermeasures:

  • AI and Machine Learning for Fraud Detection: Implement machine learning algorithms to identify patterns in fraudulent document generation, such as bulk creation of KYC documents, abnormal QR code activities, and suspicious domain registrations.
  • Collaborative Public-Private Sector Response: Encourage partnerships between the government, tech companies, and cybersecurity firms to build better prevention systems, including sharing intelligence about evolving threats and attack vectors.

Appendix

Templates used to generate marks cards

Templates used to generate PAN card documents

Victim images stored in the threat actor's database

Templates used to generate PAN card documents

Templates used to generate Aadhaar cards

Screenshot of a different website that provides similar services like crrsg.site

Screenshot of a different website that provides similar services like crrsg.site 

Screenshot of a different website that provides similar services like crrsg.site 

Author

Abhishek Mathew

Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Predict Cyber threats against your organization

Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Adversary Intelligence

5

min read

PrintSteal : Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud

Imagine thousands of fake identity documents being generated at the click of a button—Aadhaar cards, PAN cards, birth certificates—all convincingly real, but entirely fraudulent. That’s exactly what the "PrintSteal" operation has been doing on a massive scale. This investigation uncovers a highly organized criminal network running over 1,800 fake domains, impersonating government websites, and using cyber cafés, Telegram groups, and illicit APIs to distribute fraudulent KYC documents. With over 167,000 fake documents created and ₹40 Lakh in illicit profits, this isn’t just fraud—it’s a direct attack on India’s digital security. The full report dives into how this scam works, who’s behind it, and what needs to be done to stop it. If you care about financial security, digital identity protection, or cybercrime prevention, you won’t want to miss it. Read on to uncover the full story.

Authors
Abhishek Mathew
Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering
Co-Authors
No items found.

Executive Summary

This report uncovers a large-scale, organized criminal operation involved in the mass production and distribution of fake Indian KYC (Know Your Customer) documents, commonly known as "print portals," and tracked by CloudSEK as "PrintSteal."  The focus of this analysis is the platform crrsg.site, one of several similar operations, to highlight the extent and complexity of the broader threat. The operation has been active since at least 2021 and utilizes a network of affiliates—such as local mobile shops and cyber cafes—with at least 2,727 registered operators on the crrsg.site platform alone, to create fraudulent documents. Investigations revealed that more than 167,391 fake documents have been generated on this platform, including over 156,000 fake birth certificates, showcasing the operation's vast scale and capabilities. The infrastructure of this operation includes a centralized web platform, access to illicit APIs that provide data like Aadhaar, PAN, and vehicle information, a streamlined payment system, and encrypted communication channels (such as Telegram). The operation's extensive reach, supported by a large network of affiliates and the use of easily accessible illegal APIs, calls for a comprehensive and coordinated counter-response. Additionally, over 1,800+ domains linked to this operation have been identified, further expanding its impact.The operation primarily impersonates csc.gov.in and crsorgi.gov.in to enhance credibility. Financial investigations show that the threat actor behind crrsg.site has generated an estimated 40 Lakhs in revenue from this platform alone.

www.crrsg.site stats :

Note : This report uses the crrsg.site platform as a case study to demonstrate the scale and complexity of a wider, multi-platform operation involved in generating fraudulent Indian KYC documents. A significant number of similar sites have been identified.

  • Total Historical Domains for PrintSteal Identified by CloudSEK: 1,800+
  • Active Domains Currently in Operation: 600+

Introduction:

The Common Service Centre (CSC) is a key Indian government initiative that provides a range of essential services to citizens, often involving the handling of sensitive KYC (Know Your Customer) documents. This investigation began after identifying multiple unauthorized websites impersonating the CSC scheme, offering critical KYC services—such as Aadhaar downloads and address updates—at minimal fees while bypassing standard security protocols. The ease of account creation, extensive service offerings, and rapid shifting of domains pointed to a highly organized and dynamic criminal operation. This report analyzes "crrsg.site" as a representative case study, but the scope of the threat is far broader. To date, over 1,800 domains have been identified as part of this operation, with 600+ active domains currently in operation. This extensive domain network underscores the vast scale and resilience of the fraudulent scheme, significantly complicating efforts to mitigate its impact. The scale of these activities poses substantial challenges for law enforcement and highlights the urgent need for coordinated countermeasures.

Programmatically generated Aadhar card  using crrsg.site

Modus Operandi: A Complex Fraudulent Network

The PrintSteal operation represents a highly organized, multi-tiered scheme for producing and distributing fake Indian KYC documents. It effectively combines accessible technologies, illicit APIs, and a vast network of unwitting affiliates to scale the operation and maintain efficiency. The success of the operation is driven by the growing demand for quick and convenient document services, while simultaneously obscuring its illegal activities and staying one step ahead of law enforcement. The structure mirrors a sophisticated criminal enterprise, complete with a division of roles and a strong focus on operational security.

Creation and Deployment of Fraudulent Platforms:

21 Variants of the print portal being sold on hardscripts.com

The scheme begins with the establishment of fraudulent KYC document generation platforms, which are often created using pre-made templates (such as AdminLTE), reducing the need for extensive development work. The threat actors acquire the source code from third-party sources like ahkwebsolutions.com, hardscripts.com, or pgecm.in, and customize it for specific types of fake documents. These actors or their associates then purchase shared hosting services from providers like GoDaddy, Hosting Concepts, HOSTINGER, and others to deploy multiple platforms, enhancing both the reach and resilience of the operation. While some platforms are basic, others make use of external APIs to broaden their capabilities, enabling the creation of a wider variety of counterfeit documents.

Snapshot of the print portal dashboard.

Affiliate Recruitment, Training, and Supervision:

The operation relies heavily on a network of affiliates, primarily local businesses like mobile shops and internet cafes, which serve as points of contact for customers seeking fake documents. Recruitment is carried out both online and offline, with the demand for quick document services attracting new affiliates. These services are promoted heavily through social media platforms such as YouTube and Instagram, where tutorials and promotional content show the simplicity of using the platform. The process for joining the network is straightforward: affiliates register on the platform, fund a virtual wallet, and gain access to the document generation tools.

Ongoing training and guidance are provided through private Telegram groups and YouTube channels, which include tutorials, tips, and updates. These channels also serve as the primary means for the threat actors to maintain control over the network, sharing crucial information on customer verification (especially for sensitive documents like Aadhaar, PAN, and voter IDs) and offering warnings about potential law enforcement scrutiny. The tone of these messages underscores the high risks involved and the importance of maintaining strict operational security.

Search results for “aadhar print portal” on youtube 

Document Generation and Data Harvesting:

The document generation process involves several steps:

  1. Data Input: The operator manually enters necessary details into the portal's interface.
Screenshot of Aadhar card generation form from crrsg.site 

2. Database Interaction: The platform queries the database to retrieve relevant data based on the entered information and selected parameters (language, type).

3. Document Assembly: The PHP code combines the data retrieved from the database with pre-existing images of official documents to create a PDF.

PHP code used to generate Aadhar cards 

Templates used to generate documents 

Images used to generate documents

4. QR Code Generation: The platform generates QR codes using api.qrserver.com, encoding URLs that redirect to deceptive verification pages. This step enhances the document's apparent legitimacy.

5. PDF Generation: A dynamically generated PDF is created.

Templates used to generate documents 

Deceptive QR Code Verification:

A critical element in the PrintSteal operation's success is its use of deceptive QR codes to enhance the credibility of fraudulent documents. These QR codes, generated using the legitimate api.qrserver.com service, are embedded within the fraudulent documents (Aadhaar cards, birth certificates, death certificates). However, instead of linking to official government verification websites, these QR codes direct users to counterfeit URLs designed to mimic legitimate verification pages. For example, scanning the QR code on a fraudulent birth certificate leads to a URL like

https://crrsg.site/admin/web/index.php/auth/birthCertificate/view/B/bWF4VExRZC9GTnhBWkhtZTNrdWhUZz09.php?id=130272&cont=Anjsjdn

which displays the fraudulent document itself, creating the false impression of verification from an official source.

A screenshot of the birth certificate shown when scanning the document's QR code.

Similarly, death certificate QR codes link to URLs like

https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24 

which mimic official government verification portals. This sophisticated deception makes it extremely difficult to distinguish authentic documents from fraudulent ones, even with basic verification attempts.

Scanning the QR code on a death certificate leads to a government-looking website that displays the certificate details.
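The hostname trick in the death-certificate URL above (an official-looking name such as dc.crsorgi.gov.in.edistrict.site whose registrable domain is not under gov.in) can be caught mechanically. The check below is an added example, not code from the report or from any government portal; the brand tokens and the gov.in suffix rule are assumptions, and a production verifier would additionally confirm the document against the issuing portal's own lookup.

```python
import re
from urllib.parse import urlsplit

# Suffix under which Indian government portals are registered (assumption:
# a real deployment would also consult the Public Suffix List and an
# allow-list of issuing portals such as crsorgi.gov.in).
GOV_SUFFIX = ("gov", "in")

# Brand tokens the report says PrintSteal pages impersonate (csc.gov.in,
# crsorgi.gov.in). A hostname carrying these outside the gov.in zone is a
# lookalike, not a government site. Constructed for this example.
BRAND_TOKENS = ("crsorgi", "csc", "gov")


def registrable_under_gov_in(labels):
    """True only if the hostname is <org>.gov.in or a subdomain of it.

    dc.crsorgi.gov.in.edistrict.site contains the text 'gov.in' but its
    registrable domain is edistrict.site, so it is rejected here.
    """
    return len(labels) >= 3 and tuple(labels[-2:]) == GOV_SUFFIX


def classify_qr_url(url):
    """Classify a URL decoded from a document's QR code.

    Returns one of:
      'official'   - host is under gov.in (still verify against the portal)
      'lookalike'  - host uses government brand tokens but is not under gov.in
      'unverified' - anything else; no basis to treat the document as verified
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.scheme not in ("http", "https"):
        return "unverified"
    labels = host.split(".")
    if registrable_under_gov_in(labels):
        return "official"
    # Split on dots and hyphens so csc-gov-in.example is also caught.
    tokens = re.split(r"[.-]", host)
    if any(tok in tokens for tok in BRAND_TOKENS):
        return "lookalike"
    return "unverified"


if __name__ == "__main__":
    for u in ("https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24",
              "https://crsorgi.gov.in/"):
        print(u, "->", classify_qr_url(u))
```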

Payment System and Profit Sharing:

The operation employs an integrated virtual wallet system for payments. Affiliates deposit funds into their platform accounts, and the cost for each document generated is automatically deducted from their wallet. The threat actors charge a fee for each document (typically ₹20-35 INR on crrsg.site), while affiliates mark up the prices, profiting from the difference and offering added convenience to their customers.

Operational Security (OPSEC) and Response to Law Enforcement:

OPSEC is a critical element of the operation’s success. The threat actors use secure communication channels like Telegram to manage the network, issue warnings about ongoing law enforcement investigations, and provide continuous support to affiliates. When law enforcement actions take down one of their platforms, the operators quickly pivot, deploying new platforms and domains to replace those lost, demonstrating their ability to adapt quickly to enforcement efforts. This proactive approach highlights their understanding of law enforcement tactics and their commitment to keeping the operation running smoothly despite increased scrutiny.

Threat actor warning all the operators about ongoing investigations 

Attribution of www.crrsg.site: Mg Khaan aka Manish Kumar

The investigation has revealed that Manish Kumar is a central figure in the criminal operation behind “crrsg.site”; the other websites identified are operated by different threat actors.

Category                Details
Name                    Manish Kumar
Phone Number            +91 7070635763
Telegram Account        @boss1432m | User ID: 6162169069
Telegram Channel        @royalprint_site
Email Address           [email protected]
UPI ID                  paytm.s15mpdp@pty
IP Address [Hosting]    157.90.176.32
Address                 VILLAGE-PARASPATTI, POST-DUMRA, P/S-DUMRA, DIST-SITAMARHI, STATE-BIHAR, PIN CODE-843302

Motivation:

The primary motive is financial gain through the large-scale generation and distribution of fraudulent KYC documents. Analysis of crrsg.site alone indicates a profit of approximately ₹40 Lakh, based on documented pricing (Rs. 20-35 per document) and the generation of over 160,000 documents. This figure is likely a significant underestimate: the actual profits are considerably higher once the higher-priced services offered, the existence of multiple similar platforms, and the ongoing nature of the operation are taken into account. The business model is efficient and scalable, relying on a multi-layered affiliate network for distribution and leveraging readily available illicit APIs for data acquisition.

Technical Analysis:

The platform is built using a PHP-based admin panel/dashboard system that drives its core functionality. The backend is powered by PHP, handling the server-side logic for generating fraudulent documents and managing user interactions. The system uses MySQL as its database to store user inputs, document data, and affiliate information. On the frontend, jQuery and Bootstrap 4 are utilized for responsive design and dynamic content updates, while the AdminLTE framework provides a customizable, user-friendly interface for managing the platform's operations.

Source Code of the web  application 

  • Source Code: The source code, based on a repurposed educational management system obtained from ahkwebsolutions.com, was readily available online. This significantly reduces the barrier to entry for others looking to create similar platforms, increasing the risk of proliferation. The use of a readily available template simplifies development, reducing the need for specialized skills and making it easier for less experienced individuals to set up and operate these fraudulent platforms.
  • API Integration: The integration of illicit APIs from apizone.in and hhh00.xyz, among others, allows for the efficient retrieval of sensitive data, reducing the amount of data that needs to be collected directly from customers. These APIs typically require an API key and utilize standard HTTP GET requests, suggesting the threat actors possess a basic understanding of API interaction. The use of these APIs highlights the growing threat of readily available illicit data sources on the dark web and other online platforms.
Main Illicit API services used by the threat actors
apizone.in
hhh00.xyz

Note: The API services used in this operation require further investigation to understand how they are sourcing and providing sensitive data for fraudulent document generation.

  • Hosting Infrastructure: The use of shared hosting from multiple providers makes tracing and disrupting the operation more difficult. There is no evidence of sophisticated techniques to mask IP addresses or origins. This strategy is cost-effective and minimizes the risk of detection.
  • Evolution and Variants: The operation has evolved over time, with new platforms emerging to replace those taken down. This indicates ongoing development and adaptation to countermeasures, demonstrating the resilience and adaptability of the threat actors and highlighting the need for a proactive and dynamic approach to combating this type of criminal activity.
  • Geographical Distribution of identified fake documents: Analysis of the PrintSteal operation reveals a broad geographic reach across India, with confirmed activity in Andhra Pradesh, Arunachal Pradesh, Assam, Bihar, Chandigarh, Chhattisgarh, Delhi, Gujarat, Haryana, Jammu and Kashmir, Jharkhand, Karnataka, Madhya Pradesh, Maharashtra, Odisha, Punjab, Rajasthan, Tamil Nadu, Telangana, Tripura, Uttar Pradesh, Uttarakhand, and West Bengal. This widespread presence highlights the scale and impact of the criminal enterprise, suggesting a sophisticated network capable of recruiting and managing affiliates across diverse regions. The distribution of activity may reflect various factors, including internet access, socioeconomic conditions, and existing informal networks. However, the precise extent of the operation's geographic reach remains under investigation, and further analysis is necessary to fully map its distribution and understand the underlying factors contributing to its varied presence across these states.

Chart displaying PrintSteal activity across states

Impact Assessment:

1. Financial Impact:

The PrintSteal operation has caused substantial financial losses. crrsg.site alone generated an estimated ₹40 lakh from over 160,000 fraudulent documents. With over 1,800 domains in the network, the total financial gain is likely much higher. These illegal profits fuel the operation's growth, posing an ongoing financial risk. Furthermore, the illicit distribution of fake KYC documents undermines trust in India’s financial and legal systems, leading to significant long-term financial consequences.

  • Fraudulent Identity Usage: Fake KYC documents enable further fraudulent activities like opening bank accounts, obtaining loans, and other financial crimes, amplifying the economic harm.
  • Increased Financial Crimes: The widespread use of fake KYC documents facilitates complex crimes like money laundering and tax evasion, undermining national economic security.

2. Reputational Impact:

PrintSteal has severely damaged the reputation of the Common Service Centre (CSC) initiative. By impersonating CSC services and bypassing legitimate processes, the criminals exploit public trust in government systems.

  • Public Trust Erosion: Citizens become skeptical of online government services, fearing misuse of sensitive information. This erosion of trust can decrease adoption of critical government services reliant on KYC integrity.
  • Government Initiatives at Risk: This fraud jeopardizes future initiatives like digital IDs, e-Government schemes, and online registration processes, slowing public adoption and participation.

3. Legal and Regulatory Implications:

The scale and sophistication of PrintSteal have significant legal and regulatory consequences:

  • Violation of Identity and Data Protection Laws: The operation breaches Indian laws, including the IT Act, 2000, the Aadhaar Act, 2016, and provisions related to fraud, identity theft, and data privacy. Operators and affiliates face severe penalties.
  • International Ramifications: Given the operation's nature and global accessibility, international cooperation may be necessary to address these cross-border cybercrime activities.

4. National Security Threats:

The fraudulent creation and circulation of KYC documents pose a broader national security risk:

  • Vulnerabilities in Public Services: Fake documents (birth certificates, Aadhaar cards, PAN cards) allow unlawful acquisition of restricted services. Criminal entities could exploit this to gain access to restricted resources, creating a broader national security issue.

Recommendations

1. Immediate Law Enforcement Response:

  • Investigate and Prosecute Key Actors: A coordinated national law enforcement effort is required to dismantle the PrintSteal network's leadership. This includes investigating financial flows, identifying key players (e.g., Manish Kumar), and aggressively pursuing criminal charges.
  • Cross-Agency Collaboration: Collaboration between cybercrime units, financial authorities (e.g., Enforcement Directorate), and digital forensics teams is crucial to tracing illicit funds, uncovering associated criminal activities, and identifying potential money laundering.

2. Domain and Website Takedown Operations:

  • Collaboration with Hosting Providers: Work with global and local hosting providers to quickly identify and shut down PrintSteal platforms. This includes a rapid takedown policy for domains hosting fraudulent websites or engaging in malicious activities.
  • IP Blocking and Domain Blacklisting: Utilize cyber intelligence tools to map domain infrastructure, block malicious IP addresses, and blacklist suspicious domains globally. This reduces the availability of fraudulent platforms and disrupts affiliate operations.

3. Disruption of the Affiliate Network:

  • Targeted Investigation of Affiliates: Law enforcement and cybersecurity agencies should investigate and disrupt the network of local mobile shops, cyber cafes, and other affiliate businesses. Public awareness campaigns should warn potential participants about the legal risks and penalties.
  • Identify and Disrupt Financial Flows: Investigate virtual wallets, UPI IDs, and cryptocurrency transactions to trace financial flows and freeze illicit accounts.

4. Enhanced Security and Authentication Protocols:

  • Stronger Verification Methods: Implement stronger identity verification methods, including biometric verification, two-factor authentication (2FA) for KYC updates, and real-time database checks against government records.
  • API Security Enhancements: Review all government APIs to ensure they are not vulnerable to unauthorized access. APIs used in KYC and Aadhaar services should be tightly controlled, with access limited to verified entities.

5. Cybersecurity and Infrastructure Protection:

  • Constant Monitoring for Fraudulent Activity: Implement real-time monitoring systems to detect unusual activity related to KYC document generation, including tracking suspicious domain patterns, rapid mass document requests, and the use of illicit APIs.
  • Blockchain Verification for KYC: Consider adopting blockchain technology for KYC data verification to enhance transparency and authenticity.
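One concrete form of the "rapid mass document requests" check in the first bullet: a sliding-window count of generated documents per operator, run over constructed portal log lines. This is an added example, not code from the report or from any portal; the log format, operator ids and the 10-documents-per-10-minutes threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): ISO timestamp, operator id, document
# type and a status field, one generated document per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) operator=(?P<op>\S+) doc=(?P<doc>\S+) status=generated$")


def parse_line(line):
    """Return (timestamp, operator, doc_type) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["op"], m["doc"]


def flag_bulk_generation(lines, limit=10, window=timedelta(minutes=10)):
    """Return {operator: peak_count} for operators that generated more than
    `limit` documents inside any interval of length `window`.

    Uses a per-operator deque as a sliding window, so memory is bounded by
    the number of events inside the window rather than the whole log.
    """
    recent = defaultdict(deque)
    flagged = {}
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])  # log lines may arrive out of order
    for ts, op, _doc in events:
        q = recent[op]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) > limit:
            flagged[op] = max(flagged.get(op, 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: op117 produces 12 birth certificates in 5 minutes
    (bulk behaviour); op042 produces 3 documents over an hour (walk-in use)."""
    base = datetime(2025, 2, 10, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=25 * i)).isoformat()} operator=op117 "
             f"doc=birth_certificate status=generated" for i in range(12)]
    lines += [f"{(base + timedelta(minutes=20 * i)).isoformat()} operator=op042 "
              f"doc=aadhaar status=generated" for i in range(3)]
    lines.append("malformed line that the parser must ignore")
    return lines


if __name__ == "__main__":
    print(flag_bulk_generation(sample_log()))  # {'op117': 12}
```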

6. Public Awareness and Education Campaigns:

  • Public Awareness Initiatives: Launch a public education campaign across media platforms to raise awareness about fraudulent KYC websites and the dangers of providing personal information to unverified sources. Include easy-to-follow guides on verifying the authenticity of government-issued documents.
  • Highlight Risks of Fake KYC Documents: Promote understanding of the risks associated with using fraudulent KYC documents, especially for financial services, healthcare, and government benefits.

7. International Collaboration for Cybercrime Prevention:

  • Cross-Border Cooperation: International cooperation is necessary to address the operation's global reach. Collaborate with cybersecurity agencies in other countries and organizations like INTERPOL to track down and prosecute cross-border criminal networks.
  • Collaboration with Dark Web Surveillance Teams: Monitor the dark web for illicit API providers (e.g., apizone.in, hhh00.xyz) and data brokers supplying the PrintSteal operation. Coordinated international efforts can shut down these data sources.

8. Strengthening Legal and Regulatory Frameworks:

  • Reform Data Privacy and Cybercrime Laws: Strengthen laws regarding identity theft, data privacy, and cybercrime, with stricter penalties.
  • Enforce Stricter Licensing for Service Providers: Impose stricter regulations on businesses offering KYC and document services, requiring clear operating licenses and security protocols.

9. Long-Term Countermeasures:

  • AI and Machine Learning for Fraud Detection: Implement machine learning algorithms to identify patterns in fraudulent document generation, such as bulk creation of KYC documents, abnormal QR code activities, and suspicious domain registrations.
  • Collaborative Public-Private Sector Response: Encourage partnerships between the government, tech companies, and cybersecurity firms to build better prevention systems, including sharing intelligence about evolving threats and attack vectors.

Appendix

Templates used to generate Marks card 

Templates used to generate pan card documents

Victim images stored in the threat actors database 

Templates used to generate pan card documents

Templates used to generate Aadhaar card

Screenshot of a different website that provides similar services like crrsg.site

Screenshot of a different website that provides similar services like crrsg.site 

Screenshot of a different website that provides similar services like crrsg.site