
₹250 Crore Cyber Scam Busted: Gujarat Police Arrest 19, Including MBA Student
Summarize this blog post with:
ChatGPT | Perplexity | Claude | Grok
You've probably assumed that cyber fraud in India is mostly about someone tricking a victim into sharing an OTP over the phone. What this case reveals is a far more organized machine: fake companies, rented bank accounts, and even a student allegedly turning his own accounts into a laundering pipeline for strangers. In this guide, you'll learn exactly how this ₹250 crore network operated, who was arrested, and what it means for anyone worried their own bank account could unknowingly become part of the next one.
Key Takeaways
- ▸Gujarat's Cyber Centre of Excellence (CCoE) arrested 19 individuals in connection with a cyber fraud network involving financial transactions exceeding ₹250 crore across 21 states.
- ▸Investigators linked the network to 146 cybercrime cases registered nationwide, spanning investment fraud, online trading scams, deposit fraud, and UPI-based attacks.
- ▸One accused, an MBA student at a private Vadodara university, allegedly opened more than 10 bank accounts under false pretenses, funneling ₹7.40 crore in fraudulent transactions linked to 28 separate cybercrime cases.
- ▸The operation, part of the broader "Operation Mule Hunt 2.0," uncovered fake business entities used specifically to open current accounts for routing scam proceeds.
- ▸Investigators found evidence of malicious APK files installed on victims' phones to gain unauthorized access to banking credentials.
- ▸The network showed international connections to Dubai, with at least one previously arrested suspect allegedly planning to restart operations from there.
- ▸Authorities emphasized that allowing your own bank account to be used by another person can make you part of a cybercrime investigation, even without direct involvement in the fraud itself.
What Happened in the Gujarat Cyber Fraud Bust?
Gujarat Police's Cyber Centre of Excellence arrested 19 individuals as part of an investigation into a cyber fraud network responsible for financial transactions exceeding ₹250 crore across 21 states. The operation forms part of the state's ongoing "Operation Mule Hunt 2.0" initiative, which specifically targets the financial infrastructure — bank accounts, shell companies, and payment channels — that cybercrime syndicates rely on to move stolen money, rather than only chasing the individuals who make the initial fraudulent calls or messages.
Verification through India's National Cyber Crime Reporting Portal (NCCRP) linked the recovered accounts and firms to 146 acknowledgement numbers filed by victims across the country, tied to five major categories of fraud. For example, investigators identified victims targeted through fake investment schemes, fraudulent online trading platforms, fake deposit schemes, and UPI-based payment scams — a spread that suggests the same underlying financial infrastructure was rented out to multiple, possibly unrelated scam operators rather than run by a single group end to end.
Why Does This Bust Matter?
This case matters because it illustrates how much of large-scale cyber fraud in India depends on ordinary people's bank accounts rather than sophisticated hacking alone. A single mule account — a bank account opened or handed over to move fraudulently obtained money — can be linked to dozens of separate victim complaints filed in completely different states. In this case, one accused's mule account network alone connected to 28 acknowledgement numbers spanning eight FIRs registered across multiple states.
At the same time, the scale of financial damage tied to a relatively small number of arrests underscores how efficiently these networks can operate. Nationwide reporting on the broader Operation Mule Hunt 2.0 initiative has linked related investigations to more than 1,100 cybercrime complaints and over ₹800 crore in fraud when combined across multiple separate cases — Source: Organiser, 2026. This means dismantling the financial channels, not just catching individual scammers, has become a central strategy for Indian cybercrime investigators.
How Did the Scam Network Operate?
The network combined three distinct techniques — fake companies, rented personal bank accounts, and credential-stealing mobile apps — to move fraud proceeds while making the money trail difficult to trace back to the actual scammers.
Fake Firms and Mule Bank Accounts
For example, investigators found that the syndicate used fabricated business entities to open current bank accounts specifically designed to receive and move large volumes of fraud proceeds without raising immediate suspicion. Current accounts registered to seemingly legitimate businesses can process bulk transactions without triggering the same scrutiny applied to individual personal accounts, which is precisely why fake firms are a recurring tool in large-scale mule account networks. One earlier phase of the broader operation identified a fake firm accounts linked to 253 acknowledgement numbers and more than ₹161 crore in alleged fraud on its own.
Credential Theft Through Malicious Apps
Beyond fake firms, investigators alleged the group identified individuals holding corporate accounts with bulk transaction facilities and persuaded them to hand over Aadhaar and PAN details, cheque book images, ATM card photographs, and internet banking credentials in exchange for a commission. This can allow attackers to gain full operational control of a victim's account by installing APK files that facilitate remote access, effectively turning a willing or unwitting account holder into a long-term laundering conduit for the syndicate.
The MBA Student's Role
One of the more striking details in this case involves an MBA student at a private Vadodara university who allegedly made more than 10 of his own bank accounts available to co-accused involved in the mule account racket. According to investigators, he opened the accounts while studying alongside another student, and the accounts were ultimately linked to 28 acknowledgement numbers and eight FIRs registered across different states, involving alleged fraud exceeding ₹7.40 crore. This detail is a useful reminder that mule account recruitment doesn't only target vulnerable or unsophisticated individuals — it can reach students who may not fully grasp the legal exposure of handing over account access for a fee.
What International Connections Were Found?
Investigators uncovered links suggesting parts of the network operated with international coordination, including connections to Dubai. One previously arrested suspect, who investigators say had been arrested four times before in criminal cases, had reportedly operated the network from Dubai and was allegedly planning to restart operations in Ahmedabad. This pattern — domestic mule account infrastructure coordinated with operators based overseas — is increasingly common in large-scale Indian cyber fraud cases, since it complicates jurisdiction and extradition for law enforcement pursuing the organizers behind the scenes.
How Can You Protect Yourself From Becoming Part of a Mule Network?
The single most important protection is refusing to share banking credentials, documents, or account access with anyone offering payment in exchange, regardless of how legitimate the request sounds. Investigators and cybercrime experts have repeatedly emphasized that handing over an account — even without direct involvement in the underlying fraud — can make the account holder a subject of criminal investigation.
- ▸Never share your Aadhaar, PAN, cheque book images, ATM card photos, or internet banking credentials with anyone offering a commission or fee for account access.
- ▸Be suspicious of any offer that requires opening a new bank account specifically to be handed over or "rented" to a third party.
- ▸Refuse to install unfamiliar APK files sent through messaging apps or unofficial sources, since these are commonly used to gain remote access to banking credentials.
- ▸Verify any investment or trading platform independently before depositing funds, rather than trusting claims made through social media or messaging groups.
- ▸Never share OTPs under any circumstances, even with someone claiming to represent your bank or a government agency.
Before trusting an unfamiliar investment or trading website, a WHOIS domain lookup can reveal how recently the site was registered — a strong red flag if a "trusted" investment platform was only set up weeks ago. An SSL certificate checker is also worth running to confirm the site isn't spoofing a legitimate financial institution's certificate chain.
[Insert image: Diagram of how mule account networks move fraud proceeds through fake firms | Alt text: "Gujarat cyber fraud mule account network diagram"]
What Should You Do If You're a Victim?
If you believe you've been targeted by investment fraud, online trading scams, or UPI-based fraud connected to a network like this one, acting quickly meaningfully improves the odds of fund recovery.
Report immediately through India's National Cyber Crime Reporting Portal or the 1930 helpline, since acknowledgement numbers generated through this system are exactly what investigators use to link cases across states.
Preserve all transaction records, screenshots, and communication with the alleged scammer, since this evidence supports both your own case and broader investigations.
Contact your bank immediately to flag the fraudulent transaction and request a freeze on the receiving account where possible.
File a complaint with local police in addition to the national portal, particularly if the fraud involved a significant amount.
Organizations concerned about fake firms or lookalike domains impersonating their brand for fraud purposes can use a subdomain enumeration tool to check for unauthorized infrastructure, and an IP reputation lookup to investigate suspicious infrastructure referenced in fraud reports.
What's Next? Tracking Operation Mule Hunt 2.0
Gujarat's Cyber Centre of Excellence has indicated that investigations across all three related cases are continuing, with further arrests anticipated.
- ▸Watch for additional arrests as investigators trace remaining beneficiaries and international money laundering channels connected to this network.
- ▸Follow developments on the broader Operation Mule Hunt 2.0 initiative, which has already linked related cases to more than 1,100 cybercrime complaints and over ₹800 crore in alleged fraud nationwide.
- ▸Review our related coverage of the Accenture data breach claims and the AnyDesk phishing campaign for how stolen credentials and remote access tools frequently feed into the same fraud ecosystems these mule networks rely on.
- ▸Bookmark our cybersecurity news hub for continued coverage of cyber fraud enforcement across India.
Conclusion
This case is a clear illustration of how organized cyber fraud in India increasingly depends on financial infrastructure — mule accounts, fake firms, and rented credentials — as much as it depends on the initial deception itself. With 19 arrests, ₹250 crore in tracked transactions, and links to 146 cybercrime cases across 21 states, this bust shows both the scale of the problem and the effectiveness of targeting the money trail rather than individual scammers alone. Whether you're an individual protecting your own bank account or a business monitoring for impersonation, the underlying lesson is the same: never hand over financial access to a stranger, no matter what's offered in return. Stay subscribed to trusted cybersecurity and law enforcement updates so you can recognize these schemes before they reach you.
Written by ReconShield Editorial Team — a cybersecurity publication covering cyber threats, data breaches, vulnerabilities, malware, threat intelligence, and online privacy, providing practical insights to help readers stay informed and secure.
Reviewed by Surendra Reddy, Founder & Principal Security Engineer, ReconShield — a cybersecurity researcher specializing in OSINT, infrastructure exposure intelligence, and passive diagnostic tooling.
Disclaimer: This article was initially drafted using AI assistance. However, the content has undergone thorough revisions, editing, and fact-checking by human editors and subject matter experts to ensure accuracy.
Read More:
AI Bug Hunting: How Security Researchers Use AI to Find Vulnerabilities in
CVE-2026-46331: New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries
Update Chrome Now: 382 Security Vulnerabilities Patched, Including 15 Critical Bugs
Security Alert: Multiple FatFs Vulnerabilities Impact Embedded Devices Worldwide
Top 15 Critical CVE-2026 Vulnerabilities Every IT Team Should Know
Breaking: Hackers Claim Massive Accenture Data Breach, 35GB of Source Code Allegedly Stolen
## Analyst Commentary & Implementation Blueprint
Security advisory
Continuous security exposure assessment is critical to identifying public vulnerabilities before they are exploited. Organizations should maintain a passive inventory of all web servers, TLS configs, and open ports, ensuring that default configurations are eliminated and security advisories are actively implemented.
Hardened Security Configuration Blueprint
# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag NoneActionable Mitigation Checklist
- ✔Perform passive asset inventories weekly.
- ✔Restrict administrative ports using local firewall controls.
- ✔Monitor active CVE alerts for exposed software.
Common Inquiries & FAQs
Why is passive scanning preferred for continuous auditing?
Passive audits do not cause operational impact or trigger firewall blocks, making them ideal for constant surveillance of internet-facing assets.
What should I do if a vulnerability is flagged?
Apply the latest vendor patches, restrict access to the resource via firewalls, or verify configuration flags to mitigate risks.
Surendra Reddy
Surendra Reddy is a cybersecurity researcher and founder of ReconShield, specializing in OSINT and defensive infrastructure analysis.
Connect on LinkedIn ↗// AUDIT BRIEFING DISCUSSION (2 COMMENTS)
Great breakdown of the passive infrastructure vectors. We recently audited our external DNS zones and found multiple dangling staging environments. Implementing wildcard certificates reduced our CT log leaks significantly.
Is there any automated tooling you recommend for daily crt.sh scraping? Manually checking CT logs is becoming unsustainable for our domain portfolio.
// MORE ARTICLES

Critical Tenda Router Backdoor (CVE-2026-11405): Check If Your Device Is Vulnerable Now
CVE-2026-11405 is an unpatched Tenda router backdoor granting full admin access without a password. Check if your model is affected now.

Microsoft Defender Zero-Day Patched: What IT Teams Need to Know
Microsoft patches RoguePlanet, a Defender zero-day (CVE-2026-50656) letting attackers gain SYSTEM access. Here's what IT teams need to know.

Google Chrome Security Update Patches 27 Vulnerabilities and Two Dangerous Code Execution Bugs
Chrome 150 patches 27 vulnerabilities, including two critical code execution bugs. Learn what's fixed, the risk, and how to update now.