While investigating a case of cyber fraud in mid-December 2024, IPS officer Raghvendra Sharma, the ASP of Jamtara district in Jharkhand, stumbled upon a name that piqued his interest – “DK Boss”.
“I remember noticing the same name on another case,” he recalled.
Just a week earlier, in another seemingly unconnected case of cybercrime, police had detained a suspect whose questioning revealed that his modus operandi was distributing malicious Android package kits (APKs) that are used to install apps designed to steal data.
When ASP Sharma examined the suspect’s phone and scrutinised his WhatsApp chats, he found that these APKs were sold to the man by someone who went by the alias DK Boss. “The seller’s WhatsApp display picture was just the words ‘DK Boss’ written out, and the account description said ‘contact for any APK or panel’,” Sharma recalled.
Police said that when they ran the WhatsApp number through telecom operators, they found it was registered under the name of someone unconnected with the incidents. “The person using the messaging app had fraudulently gained access to it (the number) for the purpose of selling APKs,” said the ASP. When the name cropped up again in a different case a few days later, police started looking for it in more cases.
The common thread
Since then, police have found that DK Boss is a common thread in several cybercrime cases. A full-scale investigation was launched, headed by ASP Sharma and DSP Chandra Shekhar, and supervised by SP Ehtesham Waquarib, to trace DK Boss.
On January 25, after a month-long operation, the team unveiled a “sophisticated and well-organised crime syndicate”, and arrested not one, but three different people who went by “DK Boss”, as well as three accomplices.
“The investigation wasn’t straightforward,” said the ASP. “Initially, we interrogated several criminals who had used the fake apps developed by DK Boss to scam people, but all of them claimed they did not know his true identity.” What was clear, however, was that DK Boss’s apps were “well-regarded within the cybercrime world due to their flawless design and functionality”, he said.
Many DK Bosses
During the investigation, police came across around 10-15 fake phone numbers, all using WhatsApp profiles of “DK Boss” and selling the malicious apps, through APKs, to cyber criminals.
A breakthrough came when the police arrested one Akhtar. “He was found using an old phone of his relative’s – Aarif Ansari – to sell APKs,” Sharma said. Akhtar then revealed that three people – Aarif, Mahboob Alam and Sk Belal – were behind the DK Boss alias.
Further investigations tracked them to Haryana and then Kashmir, before the probe team received a tip that the suspects were back in Jamtara.
Acting on the information, police set a trap at Kenduatanr village in the Narayanpur area. They camped there from the early hours of January 24, and by nighttime the next day, they had identified two cars the suspects were travelling in and arrested all six occupants. They were Mahboob Alam (25), Safauddin Ansari (26), Aarif Ansari (27), Jashim Ansari (30), Sk Belal (27), and Ajay Mandal (28).
Identical apps
According to police, the questioning of these arrested suspects revealed the layers of sophistication in their operation.
“Mahboob, Aarif, and Belal developed the malicious apps, while Mandal distributed and sold them,” said SP Waquarib. Safauddin and Jashim arranged bank accounts to launder the stolen money.
The officer said that these “malicious apps” mimicked legitimate banking and government apps, like those of the State Bank of India, Canara Bank, Punjab National Bank, Axis Bank, PM Kisan Yojana, and PM Fasal Bima Yojana.
“They seemed identical to the official banking and government apps,” said the SP.
Unlike traditional scams that trick victims into revealing OTPs, these apps allow the scammers access to the victims’ phones remotely.
“Once installed, the apps will request various phone permissions. If granted, the scammers can remotely access the victim’s phone – text messages, phone calls, banking apps. The scammers then don’t need to ask victims for OTPs as they can access the OTPs themselves,” the SP explained.
Chain reaction
ASP Sharma said that ground-level agents “shoot” (send in bulk) these APKs to thousands of people at a time. “Their idea is simple: even if only a small percentage of recipients install the apps, it would result in financial gains of lakhs,” he said.
The ASP said that once a phone is hacked, it is used to scam more people in the victim’s contact list. “Once they get access to one phone, they remotely log into WhatsApp and send the APK to the victim’s contacts and groups asking them to install it. If one of them does, then this continues in a chain reaction.”
From the arrested suspects, police also found a spreadsheet with details of around 2,000 Punjab National Bank and 500 Canara Bank account holders. “The scammers sent specific fake apps to specific victims, matching their information, to make the scam appear more credible,” said Sharma.
To move the stolen money, the accused used dummy bank accounts procured, for a commission, from labour contractors who use their workers’ Aadhaar cards to open such accounts, the ASP said, adding that the scammers would never use one bank account for more than 8-10 days.
From small-time to the big leagues
Sharma said all six of those arrested had stopped their studies after class 10 and 12 and were “small-time cyber fraudsters” before they came in contact, between April and June 2023, with a software engineer who “gave them online tutorials on app development”.
The group used the Java programming language to create these apps and the generative AI-based chatbot ChatGPT to fine-tune them. “If any issues were found, they would use ChatGPT to generate new code that would bypass antivirus checks,” he said.
The group also took extreme precautions to avoid being tracked. “They frequently changed locations and used random open fields for their operations. To further hide their tracks, they only used encrypted communication through WhatsApp accounts that were made using fake SIM cards, preventing phone tracing,” Sharma explained.
Fourteen mobile phones, 23 SIM cards, 10 ATM cards, one laptop, two cars, Rs 1,08,800 in cash, a DSLR camera, and a drone were recovered from the accused, SP Waquarib said.
“Over 100 malicious APKs” and a centralised panel to control them were found on their devices, according to the SP.
Analysing these with the help of the Jharkhand CID’s tech support team and the Indian Cyber Crime Coordination Centre, police made further discoveries.
“From the centralised panel, we found data of over 2,700 victims, including more than 2,70,000 messages (OTPs and banking transaction details),” Waquarib said. Many more such panels were previously operated by the accused, police suspect.
The SP said the six accused have so far been linked to over 415 cybercrime complaints across India with a total defrauded amount estimated at over Rs 11 crore.
“As their network was involved not just in directly defrauding thousands of people, but also in supplying these malicious apps to other cybercriminals, the amount defrauded through their operations could be much bigger,” he said.
Police are now looking into the full scale of the operation and are making efforts to track down the remaining members of the network.




