Full Report
India's Central Bureau of Investigation (CBI) has revealed that it has arrested four individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of
Analysis Summary
# Incident Report: Dismantling of Indian Tech Support Scam Targeting Japanese Citizens
## Executive Summary
The Central Bureau of Investigation (CBI) in India, in collaboration with Microsoft and the National Police Agency of Japan, dismantled two illegal call centers operating sophisticated transnational tech support scams against Japanese citizens. The syndicates used social engineering and AI-enhanced tactics to impersonate multinational corporations like Microsoft, coercing victims into transferring funds under the false pretense of device compromise. The operation resulted in four arrests and the seizure of extensive digital evidence.
## Incident Details
- Discovery Date: May 28, 2025 (through coordinated action/raids)
- Incident Date: Ongoing operations prior to May 28, 2025
- Affected Organization: Various multinational corporations (impersonated); Japanese citizens (victims)
- Sector: Cybercrime / Financial Fraud (Tech Support Scam)
- Geography: Operations based in Delhi, Haryana, and Uttar Pradesh, India; Victims primarily in Japan
## Timeline of Events
### Initial Access
- Date/Time: Ongoing prior to May 28, 2025
- Vector: Social Engineering via impersonation (Tech Support Scam)
- Details: Call center operatives contacted Japanese victims, falsely claiming to be technical support personnel from major companies (e.g., Microsoft), convincing victims their electronic devices were compromised.
### Lateral Movement
- *Not applicable in the network-intrusion sense: this was a fraud operation, not a compromise of victim networks. The source does describe coordination across a cross-border ecosystem of lead generators, pop-up creators, and payment processors.*
### Data Exfiltration/Impact
- Impact: Financial fraud involving victims being coerced into transferring funds into mule accounts.
- Scope: The broader effort, including Microsoft's prior actions since May 2024, involved taking down approximately 66,000 malicious domains globally, indicating a wide operational reach.
### Detection & Response
- Date/Time: Coordinated searches conducted on May 28, 2025.
- Detection: Collaboration between CBI, National Police Agency of Japan, and Microsoft.
- Response actions taken: Coordinated searches across 19 locations; four individuals arrested; seizure of computers, storage devices, DVRs, and phones; international data sharing and partnership (Operation Chakra V).
## Attack Methodology
- Initial Access: Social engineering, masquerading as tech support personnel.
- Persistence: Not detailed; the operation persisted through maintained call center infrastructure and a steady supply of pop-up domains.
- Privilege Escalation: Not applicable; the objective was coerced payment, not elevated access.
- Defense Evasion: Disposable infrastructure at scale (tens of thousands of domains taken down since May 2024) and localized, AI-generated lure content that is harder to flag as a generic scam.
- Credential Access: Not mentioned in the source; the focus was on payment, not credentials.
- Discovery (victim targeting): Generative AI used to identify potential victims and to automate creation of malicious pop-up windows.
- Lateral Movement: Not applicable in the intrusion sense; the operation spanned a cross-border network of lead generators, pop-up creators, and payment processors.
- Collection: Victim identification through AI-assisted means.
- Exfiltration: Not applicable; monetization was the victim's own transfer of funds to mule accounts under false pretenses.
- Impact: Financial loss to Japanese citizens.
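The Discovery step above describes generative AI being used to mass-produce localized "your device is compromised, call this number" pop-ups. The following is an added example, not code from the CBI, Microsoft, or NPA operation, of how a defender might triage a captured page for the traits such lures share: alarm wording, an impersonated brand next to a phone number, and browser-trapping tricks that keep the victim on the page while they dial. The phrase lists, weights, threshold, and both sample pages are constructed assumptions for illustration.

```python
"""Heuristic triage of a web page for tech-support-scam ("scareware") traits.

Added example; phrase lists, weights and threshold are illustrative
assumptions and should be tuned against real telemetry before use."""
import re
from dataclasses import dataclass, field

# Urgency / false-compromise wording typical of scam pop-ups (assumed list;
# the Japanese entry reflects the localized lures the report describes).
ALARM_PHRASES = [
    "your computer has been blocked",
    "your computer is infected",
    "virus detected",
    "call support immediately",
    "do not close this window",
    "ウイルスに感染",  # "infected with a virus"
]
# Brands scammers impersonate; a phone number beside one is the lure's payload.
IMPERSONATED_BRANDS = ["microsoft", "windows security", "windows defender", "apple support"]

# Loose international phone pattern, e.g. 03-1234-5678 or 1-800-555-0199.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s-]?)?\(?\d{2,4}\)?[\s-]?\d{3,4}[\s-]?\d{3,4}")
TAG_RE = re.compile(r"<[^>]+>")

# Browser-trapping tricks, matched against the raw markup rather than visible text.
TRAP_PATTERNS = {
    "beforeunload handler": re.compile(r"beforeunload", re.I),
    "forced fullscreen": re.compile(r"requestFullscreen", re.I),
    "history flooding": re.compile(r"history\.pushState", re.I),
    "autoplaying alarm audio": re.compile(r"<audio[^>]*\bautoplay\b", re.I),
}

SCAM_THRESHOLD = 6  # assumed cut-off; brand + phone alone (3) stays below it


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_page(html: str) -> Verdict:
    """Return a weighted score plus the reasons that contributed to it."""
    verdict = Verdict()
    text = TAG_RE.sub(" ", html)   # crude tag strip: visible text only
    lowered = text.lower()

    for phrase in ALARM_PHRASES:   # +2 per alarm phrase found in visible text
        if phrase in lowered:
            verdict.score += 2
            verdict.reasons.append(f"alarm phrase: {phrase!r}")

    brands = [b for b in IMPERSONATED_BRANDS if b in lowered]
    phones = PHONE_RE.findall(text)
    if brands and phones:          # +3: a call-this-number lure under a brand name
        verdict.score += 3
        verdict.reasons.append(f"phone {phones[0]} beside brand {brands[0]!r}")

    for name, pattern in TRAP_PATTERNS.items():   # +2 per browser trap
        if pattern.search(html):
            verdict.score += 2
            verdict.reasons.append(f"browser trap: {name}")
    return verdict


def is_scam(html: str, threshold: int = SCAM_THRESHOLD) -> bool:
    return score_page(html).score >= threshold


# Constructed sample pages (not captured from the real campaign).
SCAM_PAGE = """<html><body onbeforeunload="return 'Do not leave';">
<h1>Windows Security Alert</h1>
<p>Your computer has been blocked. Virus detected. Do not close this window.</p>
<p>ウイルスに感染しています。Call Microsoft Support: 03-1234-5678</p>
<audio autoplay src="alarm.mp3"></audio>
<script>document.documentElement.requestFullscreen();</script>
</body></html>"""

BENIGN_PAGE = """<html><body>
<h1>Windows Security settings</h1>
<p>To change firewall settings, open Windows Security from the Start menu.
For billing questions call 1-800-555-0199 during business hours.</p>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("scam", SCAM_PAGE), ("benign", BENIGN_PAGE)):
        v = score_page(page)
        print(f"{label}: score={v.score} scam={is_scam(page)}")
        for reason in v.reasons:
            print("  -", reason)
```

The benign page deliberately contains a brand name and a phone number: that pairing alone scores 3 and stays under the threshold, so the classifier only fires when alarm wording or browser traps are also present. The scam page scores 17 from four alarm phrases, the brand-plus-number lure, and three traps.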
## Impact Assessment
- Financial: Victims coerced into transferring funds; scale implied to be transnational and significant.
- Data Breach: None reported; the source describes coercion into payments, not theft of victim data.
- Operational: Disruption of illegal business operations through raid and arrests.
- Reputational: Damage to trust in multinational tech support services, particularly affecting Japanese customers.
## Indicators of Compromise
- **Network indicators:** No specific domains or IP addresses are published in the source. The related Microsoft effort has taken down approximately 66,000 malicious domains since May 2024, the pop-up infrastructure behind lures of this kind.
- **File indicators:** None published; the seized computers and storage devices are evidence for forensic analysis, not shared indicators.
- **Behavioral indicators:** Unsolicited "support" contact claiming the victim's device is compromised; generative AI used for victim identification and for localized (Japanese-language) lure content.
## Response Actions
- **Containment measures:** Coordinated CBI searches of 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025.
- **Eradication steps:** Two illegal call centers dismantled; four individuals arrested.
- **Recovery actions:** Computers, storage devices, DVRs, and phones seized for forensic analysis; continued international data sharing under Operation Chakra V with the National Police Agency of Japan and Microsoft.
## Lessons Learned
- The increasing sophistication of cybercrime-as-a-service models requires global, multi-agency collaboration.
- Generative AI is being leveraged to scale operations, including victim identification and localized deception (language translation).
- The complexity of these operations necessitates tracking the entire ecosystem, including pop-up creators, lead generators, and payment processors, not just the immediate call center operators.
## Recommendations
- Enhance proactive monitoring and disruption campaigns against known infrastructure patterns associated with tech support scams.
- Continue strengthening information-sharing protocols between law enforcement agencies (e.g., CBI, NPA Japan) and private sector partners (e.g., Microsoft).
- Develop specific defense mechanisms against AI-generated malicious content used for social engineering targeting specific linguistic groups.