Hello again!
Great to see you return to this week’s Politics to Policy edition. This week, we are going to talk about a digital scam that has made headlines throughout the country and even made the Supreme Court of India stand up and take notice. Read on.

Between 2024 and 2025, Indian citizens lost close to Rs 44,000 crore to cyber fraud. Since 2022, the Home Ministry of India has clocked over 2.41 lakh complaints related to digital arrest scams alone, involving losses of approximately Rs 30,000 crore. In April 2026, Chief Justice of the Supreme Court of India, Surya Kant, told a packed courtroom that barely 10% of the defrauded amount could be traced or recovered, and that the Financial Action Task Force (FATF) estimates nearly 15% of the adult population globally has been exposed to or fallen victim to cybercrime attempts.
The CJI described digital arrest as the "most disturbing" and lethal among cybercrimes, an offence against human dignity, something much more than a mere economic offence. The use of this language seems deliberate because what India is dealing with has moved well beyond fraud. It has morphed into a governance problem that the Indian state alone cannot solve, a constitutional problem it has only partially confronted, and a transnational problem rooted in a geography where state authority has effectively collapsed.
Understanding how we got here requires following the money, the people and the algorithms that move in three simultaneous directions at once.
Understanding a digital arrest
The mechanics are worth understanding precisely because they are so far removed from what people imagine when they hear the word "scam."
A victim receives a call, typically via WhatsApp, from someone claiming to be an official of the Telecom Regulatory Authority of India (TRAI). The voice is authoritative. The script is rehearsed. The caller informs the victim that their mobile number has been used to send illegal messages, or that a parcel bearing their Aadhaar details (a 12-digit unique identity number issued by the Unique Identification Authority of India to residents of India based on their biometric and demographic data) has been intercepted carrying contraband.
A "transfer" then happens to a "senior Central Bureau of Investigation (CBI) officer" on a video call. The officer sits at a desk in what appears to be a police station. Uniforms. Documents bearing official seals. Sometimes, a fake Supreme Court of India logo in the background.
The victim is told they are under "digital arrest." They must stay on the call. They must tell no one. They must transfer money as "security" or risk immediate physical arrest. Some victims stay on these calls for days. An 82-year-old textile magnate lost Rs 7 crore. A neurologist at a national medical institute paid Rs 2.81 crore to end the ordeal. An estimated Rs 1,000 crore was haemorrhaging from Indian pockets monthly in the first half of 2025 alone.
There is no provision under Indian law for an arrest conducted over a video call. None of it is real. Only the terror is.

The factory behind the screen
The people running these calls are frequently themselves victims. Across the border regions of Myanmar, particularly around the town of Myawaddy near Thailand, and across parts of Cambodia and Laos, a network of scam compounds operates at industrial scale. The UN estimates that approximately 120,000 people in Myanmar alone are trapped in forced labour inside these operations, alongside another 100,000 in Cambodia. Between 2020 and 2024, victims worldwide lost approximately $75 billion to Southeast Asian-based cyber scams, according to recent estimates.
The trafficking pipeline follows a consistent route. Workers are recruited through fraudulent job advertisements promising IT or digital marketing roles with attractive salaries. They travel to Bangkok, exploiting visa-free arrangements. From Thailand, they are moved across the border into Myanmar's Karen State, where Border Guard Forces allied with the military junta control the territory. Documents are confiscated. Debt bondage is established through inflated "transport fees." The compounds function as digital sweatshops where trafficked workers run elaborate fraud operations under threat of violence, with quotas to meet and punishment for failure.
India faces this problem from two directions simultaneously. Thousands of its citizens have been trafficked into these compounds as forced perpetrators. Thousands more at home are the targets of the frauds those captives are compelled to run.
The Myanmar junta both profits from and occasionally raids these operations. The pattern is consistent: crackdowns happen under pressure from China, whose own citizens are trafficked in large numbers and whose criminal syndicates largely orchestrate the networks. The junta stages high-profile operations, announces arrests and allows new compounds to establish themselves in less visible locations. The KK Park compound near the Thai border was raided in October 2025, generating considerable international coverage. Work continued uninterrupted at other centres. The industry has generated tens of billions of dollars annually, and the junta taxes it.
Proceeds are laundered through mule accounts and entities like Cambodia's Huione Pay before conversion into cryptocurrency. In September 2025, the US Treasury sanctioned companies and individuals connected to Myanmar and Cambodia scam operations. In January 2026, Chen Zhi, founder of the Prince Group of Cambodia, was arrested on wire fraud and money laundering charges related to operating at least ten scam centres. The US Department of Justice moved against the financial infrastructure. India, on the other hand, has largely operated bilaterally.
India faces the digital arrest problem from two directions simultaneously. Thousands of its citizens have been trafficked into foreign scam compounds as forced perpetrators. Thousands more at home are the targets of the frauds those captives are compelled to run.
The domestic response and its tensions
The Supreme Court’s intervention in November 2025 was, by ordinary standards, extraordinary. The court tasked the CBI with a pan-India investigation into digital arrest scams, overriding the normal requirement for state consent, on the grounds that the menace transcends state jurisdictions. It directed the Reserve Bank of India (RBI) to deploy AI and machine learning to trace the "layering" of proceeds through multiple mule accounts. It ordered telecom operators to address what the Chief Justice described as an "alarming, negligent and irresponsible approach" to issuing multiple SIM cards in the same name. It directed online intermediaries to cooperate with the CBI under the Information Technology Rules 2021.
It was specifically this mandate that produced, as recently as on 24 June 2026, a concrete operational outcome. Under Operation Chakra-VI, the CBI deployed 60 special teams across 16 states. The teams conducted coordinated searches at more than 80 locations tied to over 200 cases of digital arrest fraud. Two accused were arrested: Naresh from Chennai and Sanjib Saha from Kolkata, both allegedly involved in incorporating shell companies and operating mule bank accounts used to launder approximately Rs 2 crore in suspected proceeds of crime. Forensic examination of seized devices and transaction records is continuing, and the CBI has indicated that further arrests are possible as additional links in the network are traced. The investigation has also found that the same network may have defrauded citizens of several foreign countries; the CBI has alerted the relevant law enforcement agencies through appropriate channels.
Meanwhile, the government has moved on several fronts. The Department of Telecommunications (DoT) issued a "SIM binding" direction requiring messaging platforms like WhatsApp and Telegram to disable accounts when the associated SIM is removed from the device. This addresses one specific vulnerability: scammers using WhatsApp across multiple devices on a single registration, making tracing difficult.
The more contentious measure was the DoT's December 2025 order requiring smartphone manufacturers to pre-install the government-built Sanchar Saathi app on all new devices from March 2026, with an explicit direction that the app's functionalities cannot be disabled or restricted. The app enables IMEI verification, stolen phone reporting, and SIM identification. The Sanchar Saathi portal and app have genuine utility: by December 2025, they had helped detect and disconnect approximately 1.75 crore fraudulent mobile connections, traced 26 lakh stolen phones, and recovered 7.5 lakh devices.
The pre-installation mandate, however, was withdrawn within days. The government cited a tenfold increase in voluntary downloads as justification, though the timing suggested that opposition from manufacturers including Apple, which had already declined to comply, was the more immediate factor.
The source code question went further. Under the proposed Indian Telecom Security Assurance Requirements drafted in 2023, smartphone manufacturers would be required to provide access to source code for "vulnerability analysis" at designated Indian labs. Manufacturers would also have to alert the government to major software updates before releasing them to users, store records of a phone's activities on-device for at least one year, and enable automatic malware scanning. Apple had declined China's request for source code between 2014 and 2016. The Ministry of Electronics and Information Technology (MeitY) later characterised the consultation as routine and said it had an "open mind" on the proposals. The process remains unresolved.
The Supreme Court of India tasked the CBI with a pan-India investigation into digital arrest scams, overriding the normal requirement for state consent, on the grounds that the menace transcends state jurisdictions.
The constitutional problem beneath the regulatory one
The Sanchar Saathi controversy has laid bare a tension that runs through every element of India's cyber governance response: the state's legitimate interest in tracing fraud versus the individual's constitutional right to privacy established in the Supreme Court of India’s Puttaswamy judgment of 2017.
Puttaswamy established that any state intrusion into privacy must satisfy legality, necessity and proportionality. A pre-installed application that cannot be disabled, operating as a persistent verification and reporting tool on every smartphone in India, raises proportionality questions that the government's stated objective, preventing counterfeit handsets and IMEI spoofing, does not fully answer. Less invasive alternatives existed: the Sanchar Saathi web portal, SMS-based verification, USSD codes. By proceeding to mandatory pre-installation before those alternatives were demonstrated to be insufficient, the directive stretched past proportionality.
The source code proposals carry the same structural problem at greater intensity. Requiring manufacturers to pre-disclose security patches to a government centre before users receive them creates a window of vulnerability that the requirement to protect against is designed to close. Storing one year of a device's activity records on the device creates a persistent data reservoir whose security implications extend well beyond whatever cyber fraud the requirement targets.
This is what digital constitutionalism asks us to examine. The extension of constitutional principles into digital governance stops being a mere theoretical question. It becomes a practical one about whether the state's growing ability to surveil, audit and control digital infrastructure is being exercised within the limits the Constitution sets. As governance becomes more data-driven, as KYC verification, welfare distribution, financial regulation and law enforcement all increasingly operate through digital channels, the concentration of control over those channels becomes a constitutional question of the same order as the powers the Constitution explicitly constrains.
India's Information Technology Act of 2000 was designed to govern platforms. The Digital Personal Data Protection Act of 2023 addresses data handling. Neither provides a comprehensive framework for the conditions under which state access to device-level data, pre-installed government applications, or source code disclosure can be required and against what judicial or independent oversight.
The extension of constitutional principles into digital governance stops being a mere theoretical question. It becomes a practical one about whether the state's growing ability to surveil, audit and control digital infrastructure is being exercised within the limits the Constitution sets.
What the governance gap actually requires
The domestic response has moved faster than the international one, and the mismatch is consequential. The Supreme Court directing the CBI, the RBI deploying AI for mule account tracing, the DoT mandating SIM binding: these address the India-facing symptoms of a problem whose origins are in a conflict zone outside India's jurisdiction and largely beyond bilateral diplomatic reach.
The Myanmar compounds operate because the junta benefits from them, Chinese criminal syndicates run them, and the international community has not applied pressure sufficient to change either calculus. The US has moved against the financial infrastructure through Treasury sanctions and DOJ indictments. ASEAN has issued statements. The UN has documented the scale. India has repatriated citizens, worked with Myanmar's Border Guard Force and Thai authorities on specific operations, and formed a high-level inter-departmental committee. None of this adds up to the coordinated multilateral pressure that the scale of the problem requires.
Domestically in India, the battle on awareness and capacity is real but underpowered. The government has deployed considerable infrastructure: the Indian Cybercrime Coordination Centre, the Citizen Financial Cyber Fraud Reporting System, the Sanchar Saathi ecosystem, the Chakshu facility for pre-emptive reporting of suspicious communications. The 'Pratibimb' module on the Samanvaya platform had identified over 1.5 lakh criminal connections by the end of 2025 and contributed to 12,987 arrests. These are genuine operational achievements.
However, none of them address the structural vulnerability. Digital arrest works because the victims have no prior understanding of how law enforcement actually operates, what a real government communication looks like, and what rights they hold in an interaction with a state official. Awareness campaigns exist. They reach some people. The scam industry refines its scripts faster than awareness campaigns update their content, and the AI-powered personalisation of fraud operations, using deepfake video and voice cloning that can simulate specific known individuals, is outpacing every public education effort currently deployed.
None of the governmental solutions address the structural vulnerability. Digital arrest works because the victims have no prior understanding of how law enforcement actually operates, what a real government communication looks like, and what rights they hold in an interaction with a state official.
The governance question that persists
India is a country rapidly building digital infrastructure for governance, while the constitutional frameworks for governing that infrastructure remain incomplete. Welfare transfers, identity verification, financial regulation, law enforcement: each of these is becoming more digital, more automated and more dependent on the security and integrity of systems that carry the state's authority.
The scam industry has identified the gap between that digital authority and the citizen'’ ability to verify or contest it. A fake Supreme Court seal on a video call works because most people have no framework for authenticating digital authority. A fake CBI officer works because the CBI has real authority, and the state has not built adequate mechanisms for citizens to verify who is actually exercising it.
The CBI's forensic work under Operation Chakra-VI revealed that the network had registered a domain deceptively similar to the official Supreme Court of India website. The domain was used to stage legal proceedings against victims; fabricated court orders and forged law enforcement documents were presented to make the arrests appear legitimate. Based on a complaint from the Supreme Court Registry, the CBI registered a separate FIR and commenced an investigation. The fake website marks an evolution in the fraud's logic: the scammers have moved from impersonating authority in a phone call to impersonating the Court's own digital infrastructure. The citizen has no mechanism for checking whether the Supreme Court website they are looking at is genuine. The state has not built that mechanism.
The regulatory response, from SIM binding to source code requirements, represents the state reaching for tools that extend its control over digital infrastructure in the name of protecting citizens from those who exploit that infrastructure. Some of those tools are appropriate and proportionate. Others reach past the line the Puttaswamy judgment drew.
Getting that distinction right matters beyond any individual regulation. A state that builds surveillance capacity without constitutional guardrails, even in pursuit of legitimate security objectives, creates infrastructure that outlasts the objectives it was built to serve. The cyber fraud crisis is real and severe. The constitutional framework for governing the response to it is the question that will determine what kind of digital governance India builds as it moves deeper into the algorithmic century.
The people trapped in the compounds of Myanmar cannot be rescued by a SIM binding directive. The elderly pensioners defrauded of their life savings cannot be made whole by a Sanchar Saathi app. What they both require is a state that moves with the same urgency on the international diplomatic front and the domestic constitutional front that it has demonstrated on the regulatory and judicial ones. The infrastructure is being built. The question is whether the accountability framework is being built alongside it.
Thank you for reading through.
I am always awaiting your feedback. If you want me to discuss a specific policy or governance question, reply to this email. If there was something in this article that you did not agree with, let me know that, too. I would love to discuss this with you in even more detail.
This newsletter gets better the more you engage with it. So please hit reply. I read every response.
Until next time.
Anas Ahmad Tak