PrintSteal : Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud

The report examines a widespread criminal operation that produces and distributes fake Indian KYC (Know Your Customer) documents via platforms like crrsg.site, which has generated over 167,391 fraudulent documents. The operation relies on a network of affiliates and illicit APIs to maintain extensive reach and profitability, with an estimated profit of ₹40 Lakh. The investigation indicates a significant threat to both financial integrity and public trust in government services. Affected: KYC document services, Common Service Centres, law enforcement, financial institutions, public trust.

Key points:

  • The operation, known as “PrintSteal”, mass-produces fake Indian KYC documents.
  • Platform crrsg.site has over 2,727 registered operators.
  • Generated more than 167,391 fake documents, including over 156,000 fake birth certificates.
  • Utilizes illicit APIs for data retrieval, including sensitive information such as Aadhaar and PAN details.
  • The operation has earned estimated revenues of ₹40 Lakh from fraudulent activities.
  • Over 1,800 domains linked to this operation, with 600+ currently active.
  • Employs a network of affiliates, including mobile shops and cyber cafes, to distribute fake documents.
  • Uses deceptive QR codes in documents that link to counterfeit verification pages.
  • Operates through a virtual wallet system for transaction efficiency.
  • Adapts quickly to law enforcement actions by creating new platforms.
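One defensive check that follows from the QR-code point above, as an added example that is not from the CloudSEK report: decode the QR payload from a submitted document and judge the verification URL's host against an allowlist before trusting whatever the linked page displays. The trusted hosts and impersonation tokens below are assumptions; only crrsg.site is taken from the page's indicator list.

```python
from urllib.parse import urlparse

# Constructed for this example: verification hosts a verifier chooses to trust.
# These are assumed placeholders, not domains from the report.
TRUSTED_HOSTS = {"verify.example-gov.in", "services.example-csc.in"}

# Domain indicator taken from the report's IoC list.
KNOWN_FRAUD_HOSTS = {"crrsg.site"}

# Tokens an impersonating host tends to borrow from CSC/government branding (assumed).
IMPERSONATION_TOKENS = ("csc", "gov", "digital", "seva")


def classify_qr_target(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a decoded QR payload.

    verdict is one of 'trusted', 'known-fraud', 'suspicious' or 'invalid'.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "invalid", "payload is not an http(s) URL with a host"
    host = parsed.hostname.lower().rstrip(".")
    # Match the host itself and every parent domain (so sub.crrsg.site still hits).
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    if candidates & KNOWN_FRAUD_HOSTS:
        return "known-fraud", f"host {host} is a published fraud indicator"
    if candidates & TRUSTED_HOSTS:
        if parsed.scheme != "https":
            return "suspicious", "allowlisted host reached over plaintext http"
        return "trusted", f"host {host} is on the allowlist"
    hits = [tok for tok in IMPERSONATION_TOKENS if tok in host]
    if hits:
        # Looks official but is not allowlisted: the pattern the report describes.
        return "suspicious", f"non-allowlisted host borrows tokens {hits}"
    return "suspicious", "host is not on the allowlist"


def triage(payloads):
    """Count verdicts over a batch of decoded QR payloads, e.g. from a scanner log."""
    counts = {}
    for payload in payloads:
        verdict, _ = classify_qr_target(payload)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```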

MITRE Techniques:

  • TA0001 – Initial Access: Utilizes accessible technologies and affiliates to gain entry into target networks.
  • TA0003 – Collection: Manipulates various data types for creating fraudulent KYC documents.
  • TA0041 – Exfiltration: Uses APIs to collect sensitive customer data used for document creation.
  • TA0043 – Command and Control: Employs encrypted communication platforms like Telegram to manage operations and affiliates.
  • TA0009 – Resource Development: Acquires software and hosting options from third-party sites to create and run fraudulent platforms.

Indicators of Compromise:

  • [Domain] crrsg.site
  • [IP Address] 157.90.176.32
  • [Email Address] [email protected]
  • [Phone Number] +91 7070635763
  • [Telegram Account] @boss1432m

Full Story: https://www.cloudsek.com/blog/printsteal-exposing-unauthorized-csc-impersonating-websites-engaging-in-large-scale-kyc-document-generation-fraud-2