In early 2025, Ravi (name changed), a 40-year-old from Hyderabad, saw a stock market investment opportunity promising quick returns on his Facebook feed. Curious, he clicked on it and was instantly pulled into a WhatsApp group filled with supposed “trading experts” discussing market moves, profits and investment strategies. It looked convincing. Screenshots of gains flooded the group. Others appeared to be making money. Ravi wanted in.
He downloaded trading apps shared through links in the group and, over time, transferred `36 lakh as “investments” into bank accounts provided by the fraudsters. Whenever he hesitated, he was pressured to invest more, unlock bigger profits and withdraw later.
Also Read: Trust at risk: Cyber crime is becoming a branding crisis for banks
Then one day, the apps stopped responding. The profits could no longer be withdrawn and the “trading experts” stopped responding.
Ravi realised he had been duped. He approached Hyderabad’s Cyber Crime Police Station.
Investigators began pulling apart the fraud trail. First came the bank accounts.
About Rs 12 lakh was withdrawn in Gujarat. Cops travelled there and tracked down an account holder allegedly involved in the transaction chain. Interrogation led officers to a middleman who allegedly sourced and distributed the bank accounts used by cyber fraud syndicates.
The money was eventually routed to a handler operating out of Mumbai, who coordinated directly with a Chinese national through Telegram channels. At this level, the money was converted from rupees into USDT, a cryptocurrency, before being moved further through crypto channels.
What began as an investigation into a Facebook scam now stretched across multiple states, banking channels, shell accounts, crypto networks and international actors.
Case after case, the cops encountered the same pattern: frontline fraudsters luring in victims, mule accounts, ghost SIMs, crypto fund transfers, Telegram-based handlers and layers of intermediaries sitting between victims and kingpins.
The recurring pattern prompted Hyderabad Police Commissioner VC Sajjanar to launch Operation Octopus in late 2025—a multiphase crackdown targeting the infrastructure that enables cyber fraud.
Over the last few years, Hyderabad, like most major Indian cities, has seen an explosion in investment scams, trading frauds, “digital arrests”, phishing attacks, fake job rackets and social engineering frauds.
Sajjanar estimates that about `400 crore is being lost annually in Hyderabad to cyber frauds. While cops receive hundreds of complaints daily, not every instance gets reported. Victims range from young professionals and traders to homemakers and senior citizens. Many lost their life savings.
For years, cybercrime investigations in India have remained fragmented, with the police often struggling to peel the layers, merely arresting the mules. Operation Octopus, which is currently live, was born out of the need to move beyond individual arrests.
Also Read: Indians among over 600 foreigners arrested for cybercrime in Sri Lanka
Investigators say the operation gradually unfolded in phases, each exposing a different layer of the fraud ecosystem.
CHAPTER ONE: THE MULE PHASE
According to Deputy Commissioner of Police V Aravind Babu, the operation was split into smaller teams to move on multiple targets simultaneously: “An octopus spreads its legs in multiple directions. Teams move simultaneously across states in different directions.
Each Octopus team, typically led by a police inspector, had around 10 cops, including a technical expert handling digital analyses and money trails, a writer documenting procedures and evidence, and supporting staff for field ops, surveillance, coordination and raids.
Multiple such teams were deployed to track account holders, suppliers, telecom agents and other links in the fraud chain before suspects disappeared or destroyed evidence.
A senior officer explains the structure of those they were targeting: “At the top, there is a controller or kingpin. Then there are different channels. Frontline callers who speak to victims. Procurement lines sourcing mule accounts and SIM cards. Middlemen. Aggregators. Multiple layers.”
Mule accounts were the invisible plumbing of cyber fraud, and that’s what the first phase focused on. Investigators say networks sourced accounts through commissions, fake firms, vulnerable individuals, students, gig workers and people persuaded to “rent” their accounts for easy money.
Fraud money moves with startling speed. A victim sitting in Hyderabad may transfer money after being manipulated through a fake trading app or “digital arrest” threat. Within minutes, money would be split across multiple accounts. Parts of it may be withdrawn immediately. Some may be converted into crypto assets. In one case, money from one mule account was routed through a network of 4,500 accounts. “The first 30 minutes to one hour are critical. After that, the money fragments,” says an officer.
Earlier this year, they uncovered over 350 mule accounts linked to more than 850 cases involving transactions of about `150 crore, and 104 individuals were apprehended, which included mule account holders, account suppliers and a relationship manager from Bandhan Bank. “The apprehended individuals were linked to 1,055 cyber fraud cases registered across India, involving a total fraud amount of around `127 crore,” the Hyderabad Police said.
How were so many accounts being opened so easily in the first place? The arrest of the bank employee shaped the direction Operation Octopus phase 2 would take.
CHAPTER TWO: THE BANKING LAYER
Investigators were surprised by the systemic loopholes being exploited inside the banking ecosystem.
During field verification, they began examining account-opening procedures, KYC documentation, geotagging records and branchlevel approvals. What repeatedly emerged is incomplete documentation, weak due diligence and, in some cases, alleged collusion by bank employees. The second phase focused on some bank officials.
In April, Operation Octopus sent 16 teams across nine states. By the end of the operation, police had arrested 52 individuals, including 32 bank employees holding roles ranging from branch managers and relationship managers to KYC verifiers and operations staff.
These included employees of AU Small Finance Bank, Bandhan Bank, Bank of Baroda, Federal Bank, IDFC First Bank, IndusInd Bank, Karnataka Bank, Karur Vysya Bank, Equitas Small Finance Bank and HDFC Bank. The accused were spread across Delhi, Gujarat, Hyderabad, Mumbai and other parts of Maharashtra, Andhra Pradesh, West Bengal and Karnataka.
“One of the biggest revelations from the second phase was how deeply incentive structures may have contributed to the problem. Bank officials at branch levels are often under pressure to open a certain number of bank accounts,” says Sajjanar, adding that some bank officials resorted to fraudulent methods.
The Hyderabad Police has since written to the RBI arguing that aggressive accountopening targets, weak KYC enforcement and poor internal accountability mechanisms were creating vulnerabilities that the organised fraud networks were systematically exploiting. He argued that structural changes were required to fix this.
It also drew the attention of the Department of Financial Services (DFS), which convened a meeting in New Delhi on April 30 with senior banking officials where the Hyderabad Police presented their findings.
The discussions triggered directives around mandatory mule-account detection systems, stronger vigilance mechanisms and tighter coordination between banks and law enforcement.
CHAPTER THREE: GHOST SIMs
Meanwhile, back in Hyderabad, the police moved onto the next layer. While mule accounts moved the money, ghost SIMs helped conceal identities.
Investigations had revealed that anonymous communication was enabled by mobile connections activated using the names of unsuspecting subscribers.
“Mobile connections activated fraudulently in the names of unsuspecting or exploited subscribers are the primary communication tool used by cyber fraudsters to mask their identity. It provides the anonymity backbone for organised cyber criminals across India,” Sajjanar says.
Identifying and dismantling this network was the core objective of the third phase. The police went after telecom point-of-sale agents, SIM suppliers and distributors enabling fraudulent SIM activations.
They identified 1,194 ghost SIMs linked to such cases and deployed 18 teams across 13 states in a week-long operation.
Sixty-six individuals were apprehended. Investigators say the methods were deceptively simple. Some point-of-sale agents activated additional SIM cards during regular customer verifications. In other cases, people were persuaded to hand over SIM cards in exchange for money or “free activation” offers. Bulk SIM camps targeted digitally illiterate individuals in villages.
CHAPTER FOUR: THE PREVENTION PUSH
But Operation Octopus is not just about raids and arrests. Parallel to the crackdown, the cops are building an entire response system. One of its critical parts is called C-MITRA.
Every day, two teams of 11 personnel proactively call citizens who have reported frauds through the 1930 helpline. Many victims initially report incidents online but never proceed with formal FIRs, often because they are overwhelmed, confused, embarrassed, or simply unaware of the process.
C-MITRA officers call them back, verify complaint details, explain the next steps, help them file FIRs and guide them through the system. The team makes about 70-80 such calls daily across two shifts, helps file an average of 10 FIRs per day and follows up with respective police stations.
Officers say the calls are not easy.
“Usually, victims are in shock. There is emotional stress, anger, the feeling of being deceived. Many are initially too embarrassed to even tell family members. Sometimes they refuse to trust us as well. In such cases we ask them to walk into the office, so we can help them directly,” says an officer.
The centre also sees several walk-ins: a woman who lost a few lakh rupees because her son downloaded a scam game, a man who clicked on the wrong link and had his phone hacked and `90,000 withdrawn, three young boys who paid `20 lakh to a man who promised them an IT job and then disappeared.
Investigators say quick reporting through 1930 significantly improves the chances of freezing money before it disappears.
The cops have also launched aggressive awareness campaigns: that “golden hour” messaging is central.
Data shared exclusively with ET shows that in 2025, out of the money people lost to cybercrimes, only `30.97 crore was refunded to victims, while in 2026 so far, just `3.77 crore has been recovered, which the police says, reflect the core challenge that once funds move through layers of mule accounts, recovery drops sharply.
CHAPTER FIVE: WHAT NEXT?
According to internal estimates, complaint volumes have started to moderate, dropping from around 85 daily last year to roughly 60-75 now.
Cyber fraud today has evolved into an extensive network built on loopholes, speed, anonymity and scale. Dismantling it will require far more than arrests.
The real reform has to be far more systemic: tighter KYC systems, real-time anomaly detection, stronger telecom oversight, faster bank response protocols, better public awareness and greater institutional accountability.
For now, the operation continues. The kingpins and those who control the layers beneath are still at large.
When asked what comes next, DCP Babu laughs. “Can’t reveal that,” he says. “We don’t want to alert anyone.”
aniltikotekar4sme.com 