Law in 30 Seconds? The Rise of Influencer Hype and Legal Misinformation
Introduction
In today's digital age, we consume a lot of information and content on social media apps, and it has become a daily part of our lives. Additionally, the algorithm of these apps is such that once you like a particular category of content or show interest in it, the algorithm starts showing you a lot of similar content. With this, the hype around becoming a content creator has also increased, and people have started making short reel videos and sharing a lot of information. There are influencers in every field, whether it's lifestyle, fitness, education, entertainment, vlogging, and now even legal advice.
The online content, reels, and viral videos by social media influencers giving legal advice can have far-reaching consequences. ‘LAW’ is a vast subject where even a single punctuation mark holds significant meaning. If it is misinterpreted or only partially explained in social media reels and short videos, it can lead to serious consequences. Laws apply based on the facts and circumstances of each case, and they can differ depending on the nature of the case or offence. This trend of ‘swipe for legal advice’ or ‘law in 30 seconds’, along with the rise of the increasing number of legal influencers, poses a serious problem in the online information landscape. It raises questions about the credibility and accuracy of such legal advice, as misinformation can mislead the masses, fuel legal confusion, and create risks.
Bar Council of India’s stance against legal misinformation on social media platforms
The Bar Council of India (BCI) on Monday (March 17, 2025) expressed concern over the rise of self-styled legal influencers on social media, stating that many without proper credentials spread misinformation on critical legal issues. Additionally, “Incorrect or misleading interpretations of landmark judgments like the Citizenship Amendment Act (CAA), the Right to Privacy ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India, and GST regulations have resulted in widespread confusion, misguided legal decisions, and undue judicial burden,” the body said. The BCI also ordered the mandatory cessation of misleading and unauthorised legal advice dissemination by non-enrolled individuals and called for the establishment of stringent vetting mechanisms for legal content on digital platforms. The BCI emphasised the need for swift removal of misleading legal information.
Conclusion
Legal misinformation on social media is a growing issue that not only disrupts public perception but also influences real-life decisions. The internet is turning complex legal discourse into a chaotic game of whispers, with influencers sometimes misquoting laws and self-proclaimed "legal experts" offering advice that wouldn't survive in a courtroom. The solution is not censorship, but counterbalance. Verified legal voices need to step up, fact-checking must be relentless, and digital literacy must evolve to keep up with the fast-moving world of misinformation. Otherwise, "legal truth" could be determined by whoever has the best engagement rate, rather than by legislation or precedent.

Introduction
Twitter Inc.’s appeal against barring orders for specific accounts issued by the Ministry of Electronics and Information Technology was denied by a single judge on the Karnataka High Court. Twitter Inc. was also given an Rs. 50 lakh fine by Justice Krishna Dixit, who claimed the social media corporation had approached the court defying government directives.
As a foreign corporation, Twitter’s locus standi had been called into doubt by the government, which said they were ineligible to apply Articles 19 and 21 to their situation. Additionally, the government claimed that because Twitter was only designed to serve as an intermediary, there was no “jural relationship” between Twitter and its users.
The Issue
In accordance with Section 69A of the Information Technology Act, the Ministry issued the directives. Nevertheless, Twitter had argued in its appeal that the orders “fall foul of Section 69A both substantially and procedurally.” Twitter argued that in accordance with 69A, account holders were to be notified before having their tweets and accounts deleted. However, the Ministry failed to provide these account holders with any notices.
On June 4, 2022, and again on June 6, 2022, the government sent letters to Twitter’s compliance officer requesting that they come before them and provide an explanation for why the Blocking Orders were not followed and why no action should be taken against them.
Twitter replied on June 9 that the content against which it had not followed the blocking orders does not seem to be a violation of Section 69A. On June 27, 2022, the Government issued another notice stating Twitter was violating its directions. On June 29, Twitter replied, asking the Government to reconsider the direction on the basis of the doctrine of proportionality. On June 30, 2022, the Government withdrew blocking orders on ten account-level URLs but gave an additional list of 27 URLs to be blocked. On July 10, more accounts were blocked. Complying with the orders “under protest,” Twitter approached the HC with the petition challenging the orders.
Legality
Government attorney Additional Solicitor General R Sankaranarayanan argued that tweets mentioning “Indian Occupied Kashmir” and the survival of LTTE commander Velupillai Prabhakaran were serious enough to undermine the integrity of the nation.
Twitter, on the other hand, claimed that its users have pushed for these rights. Additionally, Twitter maintained that under Article 14 of the Constitution, even as a foreign company, they were entitled to certain rights, such as the right to equality. They also argued that the reason for the account blocking in each case was not stated and that Section 69A’s provision for blocking a URL should only apply to the offending URL rather than the entire account, because blocking the entire account would prevent the creation of information, while blocking the offending tweet only applied to already-created information.
Conclusion
The evolution of cyberspace has been substantiated by big tech companies like Facebook, Google, Twitter, Amazon and many more. These companies have been instrumental in leading the spectrum of emerging technologies and creating a blanket of ease and accessibility for users. Compliance with laws and policies is of utmost priority for the government, and the new bills and policies are empowering the Indian cyberspace. Non-compliance will be taken very seriously, and the same is legalised under the Intermediary Guidelines 2021 and 2022 by MeitY. Referring to Section 79 of the Information Technology Act, which pertains to an exemption from liability of intermediary in some instances, it was said, “Intermediary is bound to obey the orders which the designate authority/agency which the government fixes from time to time.”
Introduction
The recent investigation of Patan Cyber Crime Police as part of Operation Mule Hunt 2.0 reveals the sheer scale and intricacy of India's burgeoning cyber fraud economy. Police found that a total of 13 current accounts were being operated at a cooperative bank in the Patan district of Gujarat and used for siphoning 398.43 crore of cyber fraud transaction data on 228 cybercrime cases across states. Further investigations against 14 current account holders and intermediaries show the indispensability of mule accounts in laundering criminal money. The recent incident cannot be taken as isolated; the story points at a formalised and industrialised fraud economy with a robust banking infrastructure, a growing payment gateway, and complex networks.
What Is a Mule Account and Why Should You Care?
The term "mule account" is benign but plays a critical role in modern cybercrime networks. The Reserve Bank of India defines a mule account as a bank account that serves as a vehicle to transfer money proceeds from unlawful transactions and can be operated by people coerced by the prospect of high earnings or by way of inducement.
This mechanism can be witnessed through the investigation of the Patan cybercrime incident, where an investor can be defrauded by a fake investment website, employment fraud, or a digital arrest scheme. After transactions from the victim account, funds would quickly flow into the mule account, which would be held by a legitimate KYC customer. These transactions would then be passed on, between 1 lakh and 5 lakh transactions within hours, to multiple accounts as alleged by the Indian Cyber Crime Coordination Centre (I4C) before they get difficult to trace by being passed through informal channels or converted to cryptocurrency.
In the Patan case, it is alleged that the middlemen enticed locals and offered commissions to open firms and current accounts at Harij Nagrik Sahakari Bank and subsequently gave up their ATM cards, checkbooks, SIMs, and net banking facilities to the operators of the account. It is estimated that such accounts channeled an amount of 398.43 crore to 228 Indian cybercrime cases.
The Scale of India's Mule Account Crisis
The scale of the mule account ecosystem is reflected in India's rapidly worsening cybercrime statistics. According to data from the National Cyber Crime Reporting Portal (NCCRP), a total of 22.68 lakh complaints were registered in 2024, a jump of 42% from 2023. This was not even half the rate of financial loss, which jumped by 206% in 2023 (22,845 crore) and stood at 22,495 crore in 2025 (complaints jumped to 28.15 lakh). The increase in fraudulent transactions therefore outweighs the stability in financial losses significantly.
Mule accounts are the backbone of this crime network. To curb this phenomenon, the Indian Cyber Crime Coordination Centre (I4C) launched a Suspect Registry along with Indian banks and financial institutions in September 2024. 24.67 lakh accounts of suspected mules were identified in this, preventing over 8,031 crore in fraudulent transactions. Despite these efforts, a recent statement from the ED found over 12,000 crore being routed via mule accounts, shell firms, and cryptocurrency.
This isn't isolated to certain banks. 2024 alone saw over 65,000 mule accounts detected in Karnataka. By analyzing the Citizen Financial Cyber Frauds Reporting and Management System, about 40,000 such accounts were detected in SBI branches, and thousands more were detected across the PNB, Canara Bank, Kotak Mahindra Bank, and Airtel Payments Bank. The Patan case also clearly highlights that cooperative banks' lack of compliance and lower levels of transaction-monitoring systems contribute to easily creating and using mule accounts.
Operation Mule Hunt: Gujarat's Coordinated Offensive
This bust in Patan is just one manifestation of a much wider coordinated effort by the state government. Operation Mule Hunt 1.0, which ran from November to December 2025 across the state of Gujarat, was a month-long campaign by Gujarat Police's Cyber Centre of Excellence (CCOE) that unearthed 2,289 crore of fraudulent transactions, led to the registration of 565 FIRs, arrest of 638 accused, and impounding of 913 mule accounts with connections to over 4,000 cases of cybercrime nationwide.
This was followed up with the second installment of the operation, which was kicked off in all districts of Gujarat in 2026. The two-week campaign, which began across the state on January 8 this year, resulted in the Surat City Police alone arresting 77 people and uncovering close to 23.85 crore in fraudulent transactions. In what looks like one of the single largest single-district bust-ups in the operation, the Patan incident itself, with a staggering 398.43 crore routed through only 13 accounts, is remarkable.
The extraordinary nature of the operation is seen in the intelligence capabilities that drove it. It wasn't that police accidentally stumbled upon the Patan network; they worked back on it. After using data from the union government’s inter-agency platform, SAMANVAYA, a coordination platform for data on cybercrimes and the NCCRP, they traced suspicious clusters of transactions in the Harij Nagrik Sahakari Bank accounts to build a chain of evidence connecting the accountholders to the middlemen and, from the middlemen, to the whole ring of fraud. Twenty accused have been chargesheeted under the Bharatiya Nyaya Sanhita (BNS), and fourteen have been arrested, while six are still absconding.
The Human Cost Nobody Talks About
Behind every crore of scam money lies a real person who actually lost the real money. Of the 75%+ fraud losses incurred in 2025, 75% are from investment scams alone. Victims of stock trading scams lost ₹4,636 crore, spread across 2.28 lakh complaints filed in 2024. "Digital arrest" scams, in which fraudsters posing as law enforcement officials psychologically blackmail the victims to transfer money, claimed ₹2,576 crore between 2022 and the first quarter of 2025.
For the victims it's never about the money: it's the retired teacher's lifetime savings from Chhattisgarh, the small trader's capital from Rajkot, the emergency money of the Bhopal family, or just savings from an ordinary person. And the mule accounts' networks are why most of it is never retrieved. Once the money is thrown into the layering chain, it's exponentially more difficult to trace it after every jump.
Then there's another category of victims that often gets overlooked, and they are the mule account holders themselves, many being semi-literate people from semi-urban or rural backgrounds approached with ₹10,000 in commission and with no awareness about the legalities of lending their bank details. With the BNS now they stand to get convicted for grave crimes, but the awareness of this trap is very low.
Recommendations and Suggestions
This isn't something India is facing passively. I4C, along with RBI, has developed Mule Account Hunter software. This software can be used by banks for the detection of suspect accounts through the use of behavioral analysis, device intel, and transaction pattern recognition. The Union Home Minister has directly asked all cooperative banks across the country to adopt this software at the earliest. Failure to do so, he warned, would make consumer safety from cyber fraud incomplete.
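The pass-through behaviour described earlier (credits from several victims arriving in one account and leaving to several other accounts within hours) is the kind of transaction pattern a bank can screen for. The following is an added illustration, not the logic of the Mule Account Hunter software or any I4C/RBI tool; the ledger rows, account names, six-hour window and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (time, from, to, amount in rupees).
SAMPLE_TXNS = [
    ("2026-01-10 09:02", "victim-A", "firm-001", 200000),
    ("2026-01-10 09:40", "victim-B", "firm-001", 350000),
    ("2026-01-10 10:15", "victim-C", "firm-001", 150000),
    ("2026-01-10 10:30", "firm-001", "layer-11", 240000),
    ("2026-01-10 10:32", "firm-001", "layer-12", 230000),
    ("2026-01-10 10:35", "firm-001", "layer-13", 220000),
    # An ordinary trader: receives payments, pays one supplier days later.
    ("2026-01-10 11:00", "cust-1", "shop-777", 40000),
    ("2026-01-10 12:00", "cust-2", "shop-777", 55000),
    ("2026-01-10 13:00", "cust-3", "shop-777", 30000),
    ("2026-01-14 16:00", "shop-777", "supplier-9", 60000),
]

# Assumed screening thresholds; a real deployment would tune these per product.
WINDOW = timedelta(hours=6)   # "within hours"
MIN_SENDERS = 3               # distinct accounts paying in
MIN_RECIPIENTS = 3            # distinct accounts paid out to
MIN_PASS_THROUGH = 0.9        # share of inflow that leaves again in the window


def parse(txns):
    """Turn string timestamps into datetimes and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), s, d, a)
                  for t, s, d, a in txns)


def pass_through_window(account, txns):
    """Return metrics for the first window in which `account` acts as a relay."""
    credits = [(t, s, a) for t, s, d, a in txns if d == account]
    debits = [(t, d, a) for t, s, d, a in txns if s == account]
    for start, _, _ in credits:
        end = start + WINDOW
        win_in = [(s, a) for t, s, a in credits if start <= t <= end]
        win_out = [(d, a) for t, d, a in debits if start <= t <= end]
        inflow = sum(a for _, a in win_in)
        outflow = sum(a for _, a in win_out)
        if inflow <= 0:
            continue
        senders = {s for s, _ in win_in}
        recipients = {d for d, _ in win_out}
        ratio = min(outflow / inflow, 1.0)
        if (len(senders) >= MIN_SENDERS and len(recipients) >= MIN_RECIPIENTS
                and ratio >= MIN_PASS_THROUGH):
            return {"account": account, "window_start": start,
                    "inflow": inflow, "outflow": outflow,
                    "senders": len(senders), "recipients": len(recipients),
                    "pass_through": round(ratio, 3)}
    return None


def find_mule_candidates(raw_txns):
    """Screen every receiving account and return the ones that match."""
    txns = parse(raw_txns)
    accounts = sorted({d for _, _, d, _ in txns})
    return [hit for acc in accounts if (hit := pass_through_window(acc, txns))]


if __name__ == "__main__":
    for hit in find_mule_candidates(SAMPLE_TXNS):
        print(hit)
```

A hit is a lead for review alongside KYC and device data, not proof: a payroll or settlement account can show the same shape.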
Apart from technology, three other areas need to go hand in hand: stringent KYC enforcement for cooperative and small finance banks; the prime locations of the mule recruitment network; greater awareness for the masses regarding the criminal liability one takes up when lending their accounts; and efficient inter-agency coordination so that the intelligence gathered on platforms like SAMANVAYA is converted into arrests before the accounts are dumped and the network reforms in another location.
Operation Mule Hunt 2.0 proves that this is feasible. 13 accounts in a small district of Gujarat. 398 crore. 228 victims. 14 arrested. The pipeline did exist, and it has been broken.
Yet, even as one network is broken, another is forming, somewhere right now. The accounts will appear legitimate. The holders of these accounts may not even realize what they have got into. That is the true danger of the mule accounts and work that cannot stop.
Conclusion
The Patan investigation has clearly shown that mule accounts have now moved from being a subsidiary tool of financial crime to becoming the infrastructure that underpins the economy of cyber-fraud in India. Every financial fraud, including investment fraud, digital arrest fraud, and phishing scams, is backed by a string of real bank accounts where the proceeds of crime are transferred and the trail is obscured. Though attempts such as the I4C Suspect Registry have made attempts to break down this network, it remains an overwhelming task. Robust KYC norms, real-time monitoring of transactions, and coordination between banks, police, and regulators are the key in preventing further industrialisation of cyber financial fraud in India.
References
- https://the420.in/india-cybercrime-2024-42-percent-spike-sims-imei-mule-accounts/
- https://www.thehansindia.com/news/national/ed-explains-how-mule-accounts-and-crypto-networks-enabled-12000-crore-cyber-fraud-1047606
- https://www.zigram.tech/article/mule-accounts-tier-1-tier-2-cities-india/
- https://risk.lexisnexis.com/global/en/insights-resources/article/stopping-money-mules-in-india
- https://timesofindia.indiatimes.com/city/ahmedabad/operation-mule-hunt-2-0-gujarat-police-bust-rs-398-43-crore-cyber-fraud-14-held/articleshow/131594240.cms

Introduction
On June 2nd, 2026, even as thousands of Class 12 students across the nation flocked to submit re-evaluation and verification applications on the CBSE’s newly rolled-out On-Screen Marking (OSM) portal, a decidedly different kind of visitor had logged in: an attacker carrying automation scripts, botnet traffic, and malicious intentions to either shut the system down or steal its contents. The attack, which CBSE then openly reported on its official X account, flooded the portal with 1.5 million hits in two minutes and sent over a lakh unauthorized file access attempts.
Understanding the Attack Architecture: The Two-Pronged Operation
The CBSE cyberattack was actually not a single exploit but rather a layered, orchestrated attack. The attack can be understood in two prongs:
- The DoS Attack: Firstly, attackers initiated a large-scale DoS (Denial of Service) attack, producing approximately 1.5 million requests in 120 seconds, or approximately 12,500 per second, in order to saturate the server. By overloading the systems with bogus requests, the attackers sought not just to disable the site but also to throw off security personnel from their primary task of stabilizing the portal during its launch period.
- The File Probing: These attacks usually include the following methods:
- Path Traversal Attacks - Attackers will attempt to navigate outside of the current directory by supplying inputs such as "../../etc/passwd" in URL parameters or in a file upload.
- Forced Browsing / Directory Enumeration - An attacker may have used tools to attempt to find vulnerable files and directories like answer sheets, exam scans, student identification documents, and admin-related files by systematically guessing names.
- API Endpoint Fuzzing: If any REST or GraphQL API was present for the portal, the attacker may have tried sending a various number of inputs to parameters to attempt to retrieve records, find IDORs, or escalate privileges.
- Session Token Harvesting - For high-load environments, some systems may use insecure session management. Attackers would attempt to predict or guess the token to hijack another student's or administrator's session.
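For defenders, the first two probing methods leave recognisable traces in web access logs. The sketch below is an added example, not CBSE's tooling: it percent-decodes each request target before matching traversal sequences and counts distinct denied or missing paths per client. The log lines, documentation-range IPs, URL paths and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (documentation IPs, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:18:01:02 +0530] "GET /download?file=../../etc/passwd HTTP/1.1" 400 0
203.0.113.7 - - [02/Jun/2026:18:01:02 +0530] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 400 0
198.51.100.9 - - [02/Jun/2026:18:01:03 +0530] "GET /scans/1001.pdf HTTP/1.1" 404 0
198.51.100.9 - - [02/Jun/2026:18:01:03 +0530] "GET /scans/1002.pdf HTTP/1.1" 404 0
198.51.100.9 - - [02/Jun/2026:18:01:03 +0530] "GET /admin/backup.zip HTTP/1.1" 403 0
198.51.100.9 - - [02/Jun/2026:18:01:04 +0530] "GET /scans/1003.pdf HTTP/1.1" 404 0
192.0.2.44 - - [02/Jun/2026:18:01:05 +0530] "GET /apply/status HTTP/1.1" 200 512
192.0.2.44 - - [02/Jun/2026:18:01:09 +0530] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')
# ".." as a whole path segment, after "/", "\" or "=" and before a separator or end.
TRAVERSAL_RE = re.compile(r"(^|[/\\=])\.\.([/\\]|$)")
FORCED_BROWSING_MIN = 3  # distinct 403/404 paths per client (assumed threshold)


def normalise(target):
    """Percent-decode until stable so single- or double-encoded '../' is visible."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyse(log_text):
    """Return {client_ip: [finding, ...]} for traversal and forced-browsing signs."""
    traversal = defaultdict(int)
    denied_paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        ip, _method, target, status = m.groups()
        decoded = normalise(target)
        if TRAVERSAL_RE.search(decoded):
            traversal[ip] += 1
        if status in ("403", "404"):
            denied_paths[ip].add(urlsplit(decoded).path)
    findings = {}
    for ip, count in traversal.items():
        findings.setdefault(ip, []).append(f"path-traversal x{count}")
    for ip, paths in denied_paths.items():
        if len(paths) >= FORCED_BROWSING_MIN:
            findings.setdefault(ip, []).append(f"forced-browsing {len(paths)} paths")
    return findings


if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, notes)
```

The client that hit a single missing `favicon.ico` stays below the threshold, which is the point of counting distinct paths rather than raw 404s.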
Why Are Educational Portals High-Value Targets?
Here's why the Indian education sector is an attractive target for cyber-attacks:
- Concentrated PII: Millions of students are present on these education portals, and their data (names, birth dates, Aadhaar linkage information, parents' details, address, education profiles, etc.) is of the highest value on the dark web and can be used for identity theft, financial fraud, credential reuse, and targeting.
- Low Investment Relative to the Data Value: The education system is chronically under-invested in cybersecurity. Many of these systems were built for a function/scale, rather than security by design, and are highly vulnerable.
- High-Pressure Launches: Launching a massive, public-facing system like the CBSE OSM verification site that needs to service millions of students on day 1 often requires time constraints that preclude proper penetration testing, stress testing, security auditing, or staged deployment; these launches often launch with numerous known security flaws.
- Large Attack Surface: The education ecosystem is comprised of many integrated systems, APIs, cloud instances, third-party systems, and authentication infrastructure. Each dependency increases the overall attack surface and provides multiple potential avenues to compromise these systems, such as IDOR, API abuse, or credential-based attacks.
- Geopolitical Motivation: Following the Op Sindoor attack in 2025, there was a significant increase in public institutions targeted by cyber-attacks with prolonged DDoS against critical systems. Highly visible, public-facing student portals catering to more than 35 million students make a tantalizing target for both nation-state attackers and hacktivist groups to cause disruption or gather intelligence.
The CBSE's Response
A balanced perspective on CBSE's public response is necessary:
- The portal did not go down and served about 14000 users at any point during the attack and had over 28000 successful submissions by 10pm June 2nd.
- In real-time, sessions are continuously being optimized for the students, and session timeouts are being extended.
- Management was on top of the situation and maintained good communication through social media.
To withstand a sustained attack volume of roughly 12,500 requests per second, CBSE would surely need more than one security control implemented on its infrastructure. In all probability, rate limiting was the primary reason it could sustain this attack volume, by limiting the requests from an IP or client over a certain period of time and automatically aborting requests from systems sending automated data. This, coupled with perhaps load balancing, would distribute the attack across several systems, so that none of them became a bottleneck. Finally, it is possible that traffic could have also been routed via a Content Delivery Network (CDN) or dedicated DDoS mitigation service capable of detecting and scrubbing malicious requests before they even reach the origin servers.
Technical Recommendations
It is not sustainable for India's exam infrastructure to continue operating in a post-breach, patching-in mode forever. The systems need to embrace Privacy By Design (PBD) as an integral part of their DNA. Here are suggestions for short-term hardening and long-term resilience:
- Deploy a zero-trust file access architecture: Each request to access any file should be authenticated, authorized using role-based access control (RBAC), and logged in an immutable audit trail. Direct access to file paths should not be permissible; rather, pre-signed, time-limited tokens are recommended to control file access.
- Implement a multi-layered DDoS mitigation architecture: A combination of network edge traffic scrubbing (CDNs & DDoS mitigation services) along with rate limiting at the application layer via WAF is necessary. An Anycast-based multi-PoP architecture and pre-provisioning scrubbing capacity may further increase resiliency.
- Conduct pre-launch penetration testing and red teaming exercises: Penetration testing with OWASP Top 10 audits, API security reviews, and load-based penetration testing should be conducted by CERT-In empanelled auditors prior to the launch of the examination. The red team exercise should simulate blended DoS and file-probing attacks.
- Secure Payments: The secure payment surface should support PCI-DSS Level 1 certified payments and tokenisation and employ velocity checks against automated abuse and support 3D Secure 2.0 (3DS2) on card payments.
- Implement SOC: Security operations centers (SOCs) should have real-time access to CERT-In threat feeds and ISAC intelligence, allowing them to act quickly on emerging attack vectors before anything malicious can be exploited.
- Encryption: Students' data should be encrypted at rest with AES-256, with keys stored separately in a Hardware Security Module (HSM) and not co-located with the data storage system. Student data handling must also follow the data minimisation principle.
- Monitoring: 24/7 SOC monitoring, ongoing vulnerability scanning on all pipelines, anomaly detection baselining, and frequent tabletop exercises for cyber resilience, covering post-examination activities as well.
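The first recommendation above (no direct file paths, pre-signed time-limited tokens, role checks and an audit trail) can be sketched as follows. This is an added example, not CBSE's implementation: the file catalogue, role names, 120-second lifetime and in-code signing key are constructed assumptions, and the hash-chained list stands in for a real append-only audit store.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production the key lives in an HSM/KMS, never in source code.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
# Server-side catalogue: clients only ever see opaque IDs, never storage paths.
FILES = {"f-7c1e": {"path": "/srv/scans/2026/roll-123.pdf", "owner": "student-123"}}
READ_ANY_ROLES = {"evaluator"}   # hypothetical role allowed to read any scan
AUDIT_LOG = []                   # each entry is chained to the previous hash


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def audit(event):
    """Append an event whose hash covers the previous entry (tamper-evident)."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    AUDIT_LOG.append({"event": event, "hash": digest})


def audit_chain_intact():
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = json.dumps(entry["event"], sort_keys=True)
        if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def issue_token(file_id, user, role, ttl=120, now=None):
    """Authorise first (owner or privileged role), then sign a short-lived grant."""
    now = time.time() if now is None else now
    meta = FILES.get(file_id)
    allowed = meta is not None and (meta["owner"] == user or role in READ_ANY_ROLES)
    audit({"action": "issue", "file": file_id, "user": user, "ok": allowed, "at": now})
    if not allowed:
        return None
    claims = {"f": file_id, "u": user, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)


def redeem_token(token, user, now=None):
    """Return (storage_path, reason); the path is None unless every check passes."""
    now = time.time() if now is None else now
    reason, path = "malformed", None
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            reason = "bad-signature"
        else:
            claims = json.loads(payload)
            if now > claims["exp"]:
                reason = "expired"
            elif claims["u"] != user:
                reason = "wrong-user"
            else:
                reason, path = "ok", FILES[claims["f"]]["path"]
    except (ValueError, KeyError):
        pass  # anything that is not a well-formed token stays "malformed"
    audit({"action": "redeem", "user": user, "result": reason, "at": now})
    return path, reason
```

Because the download handler accepts only a token, a raw path in the request has nothing to resolve against and is rejected as malformed.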
Beyond the Breach: Governance, Accountability, and the Growing Cyber Threat to India's Education Sector
The CBSE attack is merely one example of a wider truth, a truth that extends beyond an isolated security event and highlights security as not only an issue of governance but of national security. Although it was during a period in which there was considerable change in leadership within the CBSE (some officials had been removed from their positions), and although it may be impossible to prevent administrative change, security vulnerability is an inherent risk when it cannot be ensured that the new incumbents have had knowledge transferred from the previous administration in terms of system design, vendor management, configuration, and incident response procedures. It has become apparent that a requirement for digital system governance must be considered to be just as serious a requirement as an academic and administrative governance requirement.
The attack is also indicative of a wider problem, and in 2025 there were in excess of 265 million cyber-attacks, and increasingly, critical infrastructure is being attacked by all manner of actors, including criminals, hacktivists, and state-sponsored groups. Educational institutions offer a prime target due to the amount of personal data held within their systems and the historically low security investment they tend to have. Worldwide trends that support the similar narrative of "data of immense value protected by under-resourced programs" (universities hit by ransomware and mass student data breaches included) are being constantly illustrated. For an examining body of tens of millions of students, cybersecurity cannot be an afterthought and needs to be clearly addressed within the governance and risk-management framework of the institution and, therefore, become a fundamental pillar of public trust.
Conclusion
The June 2026 cyberattack on the CBSE's OSM portal both illustrated the advancing capabilities of today's threat actors and highlighted the critical role cyber resilience must play in India's education sector. A high-volume DoS attack combined with over 100,000 file access attempts indicates a concerted and strategic operation both for disruption and the opportunity for data theft. Though the CBSE's infrastructure did hold, the attack should not offer comfort. Educational institutions are responsible for a significant amount of sensitive personal data, and they are major targets to state-sponsored and financially motivated attackers. Attacks are bound to continue. It is essential that cybersecurity become a fundamental pillar of the governance and trustworthiness of education and not a technical afterthought.
References
- CBSE Official Statement on Cyberattack, X (formerly Twitter), @cbseindia29, June 2, 2026.
- Indian Express, "CBSE OSM Row: Portal attack was a 'coordinated, two-pronged operation' says cybersecurity expert," June 3, 2026.
- Srinivas L, Joint MD & Joint CEO, 63SATS Cybertech (subsidiary of 63 moons technologies limited), was quoted in Indian Express, June 3, 2026.
- The Federal, "CBSE re-evaluation portal faces cyberattack, records 1.5 million hits in two minutes," June 2, 2026. https://thefederal.com
- CERT-In (Indian Computer Emergency Response Team), Empanelled Security Auditor Framework. https://www.cert-in.org.in
- OWASP Top 10 Web Application Security Risks, 2021 edition. https://owasp.org/www-project-top-ten/
- National Institute of Standards and Technology (NIST), Zero Trust Architecture (SP 800-207), August 2020. https://doi.org/10.6028/NIST.SP.800-207
- Indian Express, "What CBSE ignored: Its own panel found glitches in dry run, said delay OSM by a year," June 3, 2026.
- Asianet Newsable, "CBSE Class 12 re-evaluation portal withstands major DoS cyberattack," June 2, 2026. https://newsable.asianetnews.com