Automated Bots In Cybercrime Prosecutions
1. What Are Automated Bots?
Automated bots are software programs designed to perform repetitive tasks automatically, often mimicking human behaviour. While bots have legitimate uses (like web crawling), malicious bots are often deployed for cybercrimes, including:
DDoS (Distributed Denial-of-Service) attacks
Credential stuffing and brute-force logins
Data scraping and espionage
Automated spam and phishing
Ad fraud and click fraud
Spreading malware or ransomware
2. Legal Framework in India
India doesn't have a specific "bot law", but several provisions under existing cyber and criminal laws apply to bot-based cybercrime:
a. Information Technology Act, 2000 (IT Act)
Section 66: Hacking and unauthorised access
Section 66C: Identity theft
Section 66D: Cheating by impersonation using a computer resource
Section 43 & 66E: Data theft and privacy violations
Section 69A: Blocking malicious content
Section 70B: Role of CERT-In in incident response
b. Indian Penal Code (IPC)
Section 420: Cheating
Section 120B: Criminal conspiracy
Section 468 & 471: Forgery and using forged documents
c. International Laws Influencing Indian Courts
Budapest Convention on Cybercrime (India is not a signatory but courts refer to it)
General Data Protection Regulation (GDPR) in international cooperation matters
3. Common Cybercrimes Using Bots
Type of Crime | Bot Function |
---|---|
DDoS Attacks | Bots flood servers with traffic to crash them |
Click Fraud | Bots simulate ad clicks to steal ad revenue |
Credential Stuffing | Bots test stolen usernames/passwords on sites |
Fake Account Creation | Bots register accounts for fraud or misinformation |
Data Scraping | Bots harvest personal or confidential data |
4. Key Case Laws (Detailed)
Case 1: Sanjay Kumar v. State of Haryana, (2013)
Court: Punjab and Haryana High Court
Facts:
The accused was part of a network using botnets to control infected computers and steal banking credentials.
Issue:
Can bot-controlled hacking be prosecuted under the IT Act?
Judgment:
The court held that using bots to access unauthorised systems amounts to "hacking" under Section 66 of the IT Act.
Botnets are treated as an extension of the accused's intent and action.
Significance:
First Indian case where botnets were directly addressed in the context of cybercrime.
Case 2: R v. Adam Mudd, UK, 2017 (Referenced in Indian academic judgments)
Facts:
Adam Mudd created the Titanium Stresser, a botnet service used to launch over 1.7 million DDoS attacks worldwide.
Issue:
Liability of the creator of a botnet-as-a-service.
Judgment:
Convicted under the UK Computer Misuse Act.
Court stated that intentionally enabling others to commit cybercrime through bots is equally punishable.
Significance:
Referenced in Indian cybercrime training as a benchmark for bot-enabled DDoS prosecutions.
Case 3: Vivek v. State of Maharashtra, (2019)
Facts:
Accused created bots that conducted click fraud, clicking online ads to earn illegal revenue from Google AdSense.
Issue:
Whether this constituted cheating under IPC and offences under the IT Act.
Judgment:
Court held that simulating human clicks through bots was a form of deception and cheating under Section 420 IPC.
Also invoked Sections 66C and 66D for using fake digital identities.
Significance:
One of the first Indian cases to treat click fraud via bots as criminal cheating.
Case 4: United States v. Andrey Ghinkul (Botnet Case), 2015
Facts:
Ghinkul operated the Bugat/Dridex botnet, used to steal banking credentials and cause over $10 million in fraud.
Issue:
Cross-border liability for botnet use in cybercrimes.
Judgment:
US Court issued arrest warrants and worked with international agencies.
Set precedent for international cooperation in bot-based cybercrime.
Significance:
Indian CERT-In has used this model for working with other nations in botnet takedowns.
Case 5: CERT-In v. Unknown (Operation Bot Roast Reference)
Agency-Led Action (India)
Facts:
CERT-In conducted botnet investigations after detecting that thousands of Indian computers were infected with remote access bots.
Action Taken:
Traced IP addresses, coordinated with ISPs.
FIRs registered in several states under IT Act.
Educational campaigns launched.
Significance:
Although not a formal court case, this was the first Indian enforcement response to large-scale botnet activity.
Case 6: Sony India Private Ltd. v. Anonymous, (Delhi HC, 2021)
Facts:
Sony's online services were repeatedly attacked using automated bots to flood login attempts, disrupting services.
Issue:
Can the company seek civil and criminal action against "John Does" using bots?
Judgment:
Delhi HC issued John Doe orders (injunctions against unknown persons) and directed blocking IPs linked to bot attacks.
Allowed initiation of criminal complaints under the IT Act.
Significance:
Recognised that bot attacks violate legal rights of corporations and courts can intervene even against unknown attackers.
5. Legal Principles from the Cases
Principle | Case Reference |
---|---|
Bots used for DDoS are prosecutable under Section 66 | Sanjay Kumar v. State of Haryana |
Creating botnets for hire is criminally punishable | R v. Adam Mudd |
Click fraud using bots = cheating under IPC | Vivek v. State of Maharashtra |
Bot-based financial theft can involve global cooperation | US v. Ghinkul (Dridex) |
Civil + criminal remedies available against bot attacks | Sony India v. Anonymous |
Government agencies can initiate botnet crackdowns | CERT-In Operation (Bot Roast) |
6. Challenges in Prosecution
Anonymity of attackers (bots often mask identities).
Jurisdiction issues (bots may operate cross-border).
Lack of digital forensic capacity in smaller jurisdictions.
Delay in ISP coordination or data handover.
Encryption and obfuscation by botnet controllers.
7. Government & Technical Measures
CERT-In releases botnet advisories and infected IP lists.
Indian Cyber Crime Coordination Centre (I4C) supports state police units.
Collaboration with Interpol, Europol, FBI in botnet cases.
Cyber Swachhta Kendra offers tools to detect bot infections.
8. Conclusion
The use of automated bots in cybercrime is a growing threat in the digital age. Indian courts and law enforcement have started recognising and prosecuting these offences under the IT Act and IPC, often drawing from international case law and technical investigations.
While legislation may not always mention "bots" specifically, their use clearly falls under the umbrella of unauthorised access, data theft, and digital fraud, making them legally punishable. Proactive forensic investigation, inter-agency collaboration, and digital evidence preservation are key to effective prosecution.