CloudSEK Identifies Large-Scale 'PrintSteal' Fake KYC Document Generation Scam in India

Cybersecurity firm CloudSEK has identified a large-scale fraud operation in India that involves the generation of fake Know Your Customer (KYC) documents. Dubbed 'PrintSteal', the operation involved the use of several fake domains that impersonated government websites. The scammers reportedly generated over 1.67 lakh fake documents, generating more than Rs. 40 lakh in the process. The firm also found that the fraudulent documents were generated using personally identifiable information (PII) harvested from documents provided by unsuspecting customers.

'PrintSteal' Fraud Operation Imitated Legitimate CSCs to Trick Users

In a detailed post explaining how the fraudulent scheme was executed, the CloudSEK reports that the scammers set up over 50 websites that were designed to imitate the government's Common Services Centres (CSCs). CSCs are an important part of the e-governance mechanism in the country, and the fraudulent websites would use domain names that were similar to the ones used by official CSCs.

A print portal dashboard used by the fraudsters (tap to expand)
Photo Credit: CloudSEK

The fraudsters would then use social media, search engine optimisation, chat apps, and even cybercafés to promote the fake websites. When users visit these sites, they are asked to provide a lot of PII, including their physical address, phone number, Aadhaar number, photographs, date of birth, PAN card details, and even their UPI IDs and bank information.

As the fake websites were designed to copy legitimate government websites, unsuspecting users would think that they are sharing their data with an official website. The security firm states that once the information was provided by a user, the system would generate fraudulent documents that resemble genuine ones, such as a PAN card, Aadhaar card, driving licence, or even a voter ID.

QR codes on the fake documents lead to fraudulent sites (tap to expand)
Photo Credit: CloudSEK

The firm said the threat actors would charge a fee that ranged between Rs. 20 to Rs. 35 to generate a single document. Their associates, involved in the distribution of these documents, would charge the customer a higher amount to make a profit. The fake KYC documents even include QR codes that lead to a website that displays the document, in order to fool customers into thinking they are visiting a legitimate government website.

During its investigation, the firm also discovered that the fake KYC documents generated by the scammers were stored on cloud storage services like ImgBB and ImgPile, instead of being discarded — this cloud infrastructure could potentially be used to sell some of these fraudulently created documents.

A screenshot of the scammer warning associates about investigations
Photo Credit: CloudSEK

CloudSEK estimates the fraudsters generated Rs. 40 lakh in revenue from the identified network of websites, which has generated over 1,60,000 fake documents. It also warned that it had detected similar sites, with over 1,800 domains — 600 of these are currently active. These platforms are set up using predesigned templates and external APIs.

The fraudulent operation could pose several risks, including financial fraud and identity theft, as these documents are typically issued by the government after verification. CloudSEK also points out that they could pose a risk to national security, if these fake documents are used to hide identities while committing serious crimes.

Some of the firm's recommendations include prosecution of key actors, cross agency (and international) collaboration, website and domain takedowns, shutting down local networks, two-factor (or biometric) authentication for verification, real-time verification, public awareness, and the use of AI and machine learning to detect fraud.