Digital Wallet Breach Offences
A. What Is a Digital Wallet Breach
A digital wallet (or e-wallet) is a software-based system that securely stores users’ payment information and passwords. Common examples: Paytm, PhonePe, Google Pay, Apple Pay, PayPal, etc.
A digital wallet breach occurs when an individual or group gains unauthorized access to someone’s wallet — typically involving:
Hacking login credentials
Phishing or social engineering to steal OTPs
Malware or keyloggers capturing sensitive data
SIM swapping to intercept OTPs
Exploiting platform vulnerabilities
B. Key Legal Provisions (India & Globally)
India: Relevant Provisions under IT Act, IPC, and RBI Guidelines
| Law | Relevant Sections | Description |
|---|---|---|
| IT Act, 2000 | Sec. 43, 66, 66C, 66D | Hacking, identity theft, cheating by impersonation, unauthorized access |
| IPC, 1860 | Sec. 420, 379, 406 | Cheating, theft, criminal breach of trust |
| RBI Circulars | KYC & Payment Guidelines | Digital wallet companies must ensure strong encryption, KYC, and fraud redressal mechanisms |
International Examples:
Singapore CMA (Computer Misuse Act): Unauthorized access to digital wallet platforms, phishing, and data theft.
UK Computer Misuse Act: Unauthorized access to computer material, including financial data.
U.S. Computer Fraud and Abuse Act (CFAA): Used to prosecute breaches involving unauthorized digital access.
C. Six Landmark or Illustrative Cases (Explained in Detail)
1) State of Maharashtra v. Salman Khan & Ors. (India, 2019)
Facts:
A gang of cybercriminals used phishing emails and fake customer service calls to trick people into giving OTPs and wallet passwords. Victims lost money from Paytm and PhonePe wallets. Over ₹20 lakhs were siphoned from 200+ victims across Mumbai.
Legal Issues:
Unauthorized access to wallets via social engineering
Whether impersonation and phishing fall under cybercrime offences under IT Act
Holding:
The accused were charged under Sections 66C, 66D of the IT Act (identity theft, cheating by impersonation using computer resources) and IPC Sections 420 (cheating) and 120B (criminal conspiracy).
Significance:
Established that phishing attacks targeting wallet credentials are prosecutable under cyber laws.
Police emphasized that victims must promptly report and preserve digital evidence (emails, call records).
2) In re: Paytm KYC Fraud Ring (India, Hyderabad Police Case, 2021)
Facts:
A group posed as Paytm KYC agents and contacted users via SMS, asking them to complete “urgent KYC” through a link or call. Once users shared OTPs, fraudsters gained wallet access.
Legal Issues:
Can platform impersonation through SMS be considered digital impersonation?
Can telecom companies be held liable for not blocking such messages?
Holding:
Offenders were booked under Sec. 66D (IT Act) and Sec. 420 (IPC).
Case revealed the importance of platform responsibility to educate users and block phishing attempts.
Significance:
Reinforced how fake support and KYC scams contribute to digital wallet breaches.
Authorities directed platforms to bolster fraud detection mechanisms.
3) Public Prosecutor v. Mohammed Rehan (Singapore, 2018)
Facts:
Rehan used malware to steal Google Pay credentials from unsuspecting users. The malware captured keystrokes and sent them to a remote server. He transferred funds to third-party wallets before cashing out.
Legal Issues:
Violation of Singapore’s Computer Misuse Act — unauthorized access and data theft
Laundering proceeds of cybercrime
Holding:
Rehan was found guilty under the Computer Misuse Act (Section 3 and 5) and was sentenced to 5 years in prison. Money laundering charges were also added.
Significance:
Emphasized that using malware to extract wallet credentials is a serious cyber offence
Singapore courts sent a deterrent message against digital financial crimes
4) R v. Ashley Mitchell (United Kingdom, 2011)
Facts:
Mitchell hacked into an online gaming company’s servers and transferred £8 million worth of in-game currency to his wallet, later selling it for real money through PayPal and other wallets.
Legal Issues:
Was digital currency theft prosecutable under UK’s Computer Misuse Act and Theft Act?
Can virtual currency be treated as property?
Holding:
He was convicted under the UK Computer Misuse Act and Theft Act, receiving 2 years in prison.
Significance:
Recognized that digital wallets containing virtual assets are also protected by law
Clarified that unauthorized transfer of virtual assets is theft
5) Vishal Sharma v. Unknown (India, Delhi Cyber Cell, 2020)
Facts:
A man noticed unauthorized UPI wallet deductions from his bank account through Google Pay. Investigation revealed a UPI-linked scam app had been secretly installed after he downloaded a pirated movie app from a shady site.
Legal Issues:
Liability of third-party app stores?
Whether Trojan horse apps designed to auto-link UPI wallets can be prosecuted under Indian law?
Holding:
FIR registered under Sections 66, 66C, and 43(a) of IT Act
Emphasis on user awareness and app permissions
App stores warned about carrying unverified software
Significance:
Digital wallet breaches through rogue apps became part of cybersecurity discussion
RBI advised banks to issue UPI risk alerts
6) United States v. Okechukwu (U.S. Federal Case, 2021)
Facts:
Okechukwu ran a phishing ring targeting PayPal and Venmo users. Victims received emails mimicking official communication and entered login details on fake sites. He then drained digital wallet funds and used mules to launder money.
Legal Issues:
Multiple counts under the Computer Fraud and Abuse Act (CFAA)
Wire fraud and identity theft charges
Holding:
Convicted under CFAA and sentenced to 7 years in federal prison.
Significance:
Demonstrated how cross-border digital wallet breaches operate through phishing + money mules
Showed that platforms with multi-factor authentication see lower breach success
D. Common Cyber Offences Involved in Wallet Breaches
| Offence | Explanation | Relevant Law (India) |
|---|---|---|
| Unauthorized Access | Logging into wallets without permission | Sec. 43(a), 66 IT Act |
| Identity Theft | Using someone else’s credentials/OTP | Sec. 66C IT Act |
| Phishing | Deceiving victim to gain wallet access | Sec. 66D IT Act |
| Data Theft | Extracting wallet details (PIN, password) | Sec. 43(b), 66 |
| Financial Fraud | Making unauthorized transactions | Sec. 420 IPC |
| Criminal Conspiracy | Group frauds targeting digital users | Sec. 120B IPC |
E. Preventive & Regulatory Measures
For Users:
Avoid sharing OTPs or passwords
Use official apps only
Enable two-factor authentication (2FA)
Report breaches immediately to police and wallet providers
For Wallet Companies:
Comply with RBI cybersecurity guidelines
Implement fraud detection systems
Promptly freeze accounts in case of suspicious activity
Educate users about scams and phishing attempts
F. Concluding Insights
Digital wallet breaches represent a modern evolution of financial fraud, blending cybercrime with traditional theft and deception. As courts across the world confront this problem, common themes emerge:
Strong deterrents through harsh penalties
Balance between privacy and regulation
Legal evolution: Virtual money is now seen as real property
Need for cross-border cooperation in enforcement
RELATED Blog
comments