The report examines a widespread criminal operation that produces and distributes fake Indian KYC (Know Your Customer) documents via platforms like crrsg.site, which has generated more than 167,391 fraudulent documents. The operation relies on a network of affiliates and illicit APIs to maintain its reach and profitability, with an estimated profit of ₹40 Lakh. The investigation indicates a significant threat to both financial integrity and public trust in government services.
Affected: KYC document services, Common Service Centres, law enforcement, financial institutions, public trust.
Key points:
- Operation known as “PrintSteal” is involved in mass production of fake Indian KYC documents.
- Platform crrsg.site has over 2,727 registered operators.
- Generated more than 167,391 fake documents, including over 156,000 fake birth certificates.
- Utilizes illicit APIs for data retrieval, including sensitive information such as Aadhaar and PAN details.
- The operation has earned estimated revenues of ₹40 Lakh from fraudulent activities.
- Over 1,800 domains linked to this operation, with 600+ currently active.
- Employs a network of affiliates, including mobile shops and cyber cafes, to distribute fake documents.
- Uses deceptive QR codes in documents that link to counterfeit verification pages.
- Operates through a virtual wallet system for transaction efficiency.
- Adapts quickly to law enforcement actions by creating new platforms.
MITRE Techniques:
- TA0001 – Initial Access: Utilizes accessible technologies and affiliates to gain entry into target networks.
- TA0003 – Collection: Manipulates various data types for creating fraudulent KYC documents.
- TA0041 – Exfiltration: Uses APIs to collect sensitive customer data used for document creation.
- TA0043 – Command and Control: Employs encrypted communication platforms like Telegram to manage operations and affiliates.
- TA0009 – Resource Development: Acquires software and hosting options from third-party sites to create and run fraudulent platforms.
Indicators of Compromise:
- [Domain] crrsg.site
- [IP Address] 157.90.176.32
- [Email Address] [email protected]
- [Phone Number] +91 7070635763
- [Telegram Account] @boss1432m