Chapter 3 · AICITSS Cyber Security

Modus Operandi in Cyber Crimes

An interactive guide to how cybercriminals plan and execute attacks — the methods, patterns, case studies, and how to protect yourself. Based on real global data from 895 cyber incidents.

15 Attack Types · Real Global Data · Dani Data Case Study · Protection Tips · AICITSS Curriculum

What is Modus Operandi?

The characteristic methods that cybercriminals use to execute attacks

Modus Operandi (Latin: “mode of operation”) refers to the typical and characteristic methods that cybercriminals or threat actors employ to execute their attacks and achieve malicious objectives. It is a learned behavior — shaped by experience, education, and maturity — just like any other skill.


Understanding the modus operandi of cybercriminals helps law enforcement, investigators, and organizations anticipate, detect, and prevent cyberattacks before they cause damage.


3 Core Elements of Every Modus Operandi

At a minimum, every criminal method contains these three elements

1. Ensure Success: Plan and execute the crime in a way that maximizes the chance of achieving the criminal objective without failure.
2. Protect Identity: Conceal who the criminal is — using fake IDs, VPNs, shell companies, stolen mobile numbers, and proxy networks.
3. Effect Escape: Plan an exit strategy — moving funds quickly through crypto, layered accounts, or foreign transfers to avoid detection.

Global Cyberattack Frequency (2020–2021)

Data from 895 global incidents — showing which attack types were most common

Total Attacks Analyzed (2020–2021): 895
Most Frequent Attack: Hacking, 37%
People Affected by Breaches in 2020: 155.8M
Data Breaches (Sep 2020–Sep 2021): 1,291
Data Breaches in 2020 (COVID peak): 1,872
Rise in Breaches vs 2019: 8%

Attack Type Frequency — 895 Global Incidents

Hacking: 37%
Spam Emails: 13%
Malicious Emails: 13%
Malicious Domains: 9%
Mobile Apps: 8%
Phishing: 7%
Malware: 7%
Browsing / Website Apps: 6%
DDoS: 6%
BEC (Business Email Compromise): 4%
Ransomware: 2%
Botnet: 2%
APT: 1%

Source: Global survey — March 2020 to December 2021 · n=895 cyberattack incidents

Methods Used for Commission of Crimes


A — Privacy Infringement [Privacy Violation]
Mishandling private data like passwords or social security numbers. Data can enter a program directly from users, from databases, or from third-party partners — and is then exposed externally.

B — Industrial Espionage [Corporate Crime]
Theft of trade secrets through removal, copying, or recording of confidential corporate information for use by a competitor. Involves bribery, blackmail, and technological surveillance.

C — Computer Sabotage & Extortion [Sabotage]
Deliberate damage to systems — infecting websites with malware or taking down power grids. Cyber extortion pairs an attack with a ransom demand for stopping it.

D — Electronic Money Laundering [Financial Crime]
Using electronic fund transfers to conceal and move proceeds of crime across jurisdictions almost instantly. Cryptocurrency and informal banking systems are exploited to bypass regulations.

F — Unauthorized Access (Hacking)
Gaining entry to a system without permission — typically through unpatched software vulnerabilities, weak passwords, or social engineering. The most common attack type, at 37% of all incidents.

Electronic Tax Evasion [Financial Crime]
Using digital tools to conceal legitimate income from tax authorities. Cryptocurrencies and overseas banking institutions with privacy protections are commonly exploited for this purpose.

Attack Vectors in Cyber Fraud

Common methods used specifically to commit financial fraud

Phishing (Severity: Critical)
Cybercriminals send deceptive emails or messages impersonating legitimate entities (banks, government agencies, trusted organizations) to trick recipients into revealing sensitive information or clicking malicious links. Often uses urgency tactics to pressure victims into acting quickly without thinking.

Malware Attacks (Severity: Critical)
Malicious software used to compromise systems, steal data, or gain unauthorized access. Delivered via infected email attachments, malicious websites, or compromised software downloads. Types include viruses, worms, trojans, spyware, and adware.

Ransomware (Severity: Critical)
Cybercriminals encrypt a victim’s data and demand a ransom payment (typically in cryptocurrency) for the decryption key. Usually delivered through phishing emails or by exploiting unpatched software vulnerabilities. Hospitals, governments, and corporations are prime targets.

DDoS Attacks (Distributed Denial of Service) (Severity: High)
Attackers flood a target system or network with an overwhelming volume of traffic from multiple compromised devices (a botnet), making the service unavailable to legitimate users. Often used for extortion, competitive sabotage, or as a distraction during another attack.

Identity Theft (Severity: Critical)
Stealing someone’s identity using their electronic signature, password, Aadhaar, PAN, or other identifying information. Used for credit card fraud, online share trading scams, e-banking crimes, and fraudulent transactions in the victim’s name.

Insider Threats (Severity: High)
Malicious or negligent employees within an organization who steal data, intentionally compromise systems, or inadvertently cause security incidents. Insider threats are particularly dangerous because the person already has legitimate access credentials and system knowledge.

Credential Theft (Severity: High)
Stealing usernames and passwords through phishing, keyloggers, or credential stuffing attacks (trying breached password lists against other services). Once obtained, credentials enable unauthorized access to banking, email, corporate systems, and more.

Zero-Day Exploits (Severity: Critical)
Exploiting unpatched vulnerabilities in software or hardware that are unknown to the vendor and the public. Because no patch exists yet, defenders have had zero days to protect against the flaw, hence the name. These are highly valued and often used by sophisticated nation-state attackers.

Social Engineering (Severity: High)
Manipulating people — not systems — into divulging confidential information or performing security-compromising actions. Tactics include pretexting (fake scenario), baiting (leaving infected USB drives), vishing (voice phishing calls), and tailgating (physical access).

Supply Chain Attacks (Severity: Critical)
Targeting a supplier, vendor, or third-party partner to compromise the ultimate target organization. Attackers inject malware into software updates or compromise the supply chain so every customer of that software becomes infected — as seen in the SolarWinds attack.

APT — Advanced Persistent Threats (Severity: Critical)
Long-term, highly sophisticated attacks often associated with nation-state actors. Attackers maintain persistence inside the target network for months or years, quietly gathering intelligence and exfiltrating data without triggering alerts. Very difficult to detect and remove.

IoT & Botnet Attacks (Severity: Medium)
Compromising Internet of Things devices (smart cameras, routers, appliances) to build botnets — armies of infected devices controlled remotely. Used to launch massive DDoS attacks, send spam, or distribute malware. Weak IoT security is the primary enabler.

Crypto Jacking (Severity: Medium)
Secretly using a victim’s computing resources to mine cryptocurrency without their knowledge or consent. This slows down the victim’s device, increases electricity costs, and can cause hardware damage — while the attacker profits from the mined coins.
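The Credential Theft entry above mentions credential stuffing: a breached username/password list replayed against another service. In authentication logs this looks different from ordinary brute force. Brute force hits one account with many passwords; stuffing hits many accounts with one password each, so the tell is the number of distinct usernames from one source in a short window, and the most important output for a defender is any login that succeeded inside that burst, because that password is now known to be in the attacker's hands and should be reset. The script below is an added example, not code from the AICITSS material; the log lines are constructed, and the log format ("timestamp source_ip username result") and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from a real system). 198.51.100.7 replays a
# breached list: six different users in four seconds, one of whom (neha) reused her
# breached password, so that attempt succeeded. 203.0.113.9 is an ordinary user
# mistyping her own password twice before getting it right.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z 198.51.100.7 priya FAIL
2024-03-01T09:00:02Z 198.51.100.7 rahul FAIL
2024-03-01T09:00:02Z 198.51.100.7 amit FAIL
2024-03-01T09:00:03Z 198.51.100.7 neha OK
2024-03-01T09:00:03Z 198.51.100.7 vikram FAIL
2024-03-01T09:00:04Z 198.51.100.7 sunita FAIL
2024-03-01T09:05:00Z 203.0.113.9 priya FAIL
2024-03-01T09:05:30Z 203.0.113.9 priya FAIL
2024-03-01T09:06:00Z 203.0.113.9 priya OK
2024-03-01T10:00:00Z 192.0.2.55 rahul OK
"""


def parse_auth_log(text):
    """Group (time, user, result) events by source IP (assumed 4-field format)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_credential_stuffing(text, window_seconds=60, min_users=5, min_failures=4):
    """Return one alert per source IP that tried many distinct users inside the window.

    The distinguishing feature of stuffing is distinct usernames per source, not
    the failure count alone; the failure threshold just filters out shared NAT
    addresses where several real users happen to log in at once.
    """
    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, evs in parse_auth_log(text).items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            inside = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in inside}
            failures = sum(1 for _, _, r in inside if r == "FAIL")
            if len(users) >= min_users and failures >= min_failures:
                alerts.append({
                    "ip": ip,
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts that authenticated during the burst: treat as compromised.
                    "successful_logins": sorted({u for _, u, r in inside if r == "OK"}),
                })
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print(f"stuffing from {alert['ip']}: {alert['distinct_users']} users, "
              f"{alert['failures']} failures; reset passwords for {alert['successful_logins']}")
```

The single-user retries from 203.0.113.9 produce no alert, which is the point of keying on distinct usernames rather than on failed attempts alone.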

Attack Type Quick Reference

Summary of key attack vectors and their primary targets

Attack Type        | Primary Method                | Main Target              | Severity
-------------------+-------------------------------+--------------------------+---------
Hacking            | Exploiting vulnerabilities    | Systems, Networks        | Critical
Phishing           | Deceptive emails/messages     | Individuals, Employees   | Critical
Ransomware         | Encrypt data + demand ransom  | Organizations, Hospitals | Critical
DDoS               | Traffic flood via botnet      | Websites, Servers        | High
Identity Theft     | Steal PAN, Aadhaar, passwords | Individuals              | Critical
APT                | Long-term stealth intrusion   | Governments, Enterprises | Critical
Social Engineering | Human manipulation            | Employees, Individuals   | High
Supply Chain       | Compromised software updates  | Enterprises via vendors  | Critical
Crypto Jacking     | Hidden mining scripts         | Any device/user          | Medium

Phishing Types & Online Fraud Methods


Deceptive Phishing — Most Common Type

Fraudsters pose as a real, trusted company (bank, government, Amazon, etc.) to obtain personal information or login passwords. These emails use urgency, fear, or authority to pressure recipients into acting immediately — “Your account will be suspended in 24 hours!”

Red Flags: Urgency language · Generic greeting (“Dear Customer”) · Suspicious sender email · Link text that differs from the real target shown on hover · Grammar errors

Malware-Based Phishing

The attacker attaches a malicious file or link to an email or website that looks useful — a PDF invoice, a Word document, or a “software update.” When opened, it installs malware silently on the victim’s device, giving the attacker remote access or stealing credentials in the background.

Common delivery formats: PDF, .docx, .exe, .zip, .xlsm files · Fake browser extensions · Malicious macro-enabled Office documents
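The red flags listed for deceptive phishing and the delivery formats listed for malware-based phishing can be checked mechanically before a message ever reaches a person. The script below is an added example (not part of the AICITSS page) that scores a constructed message against those tells: urgency wording, a generic greeting, a display name that claims a brand whose domains the sender address does not use, link text naming a different host than the link target, links that are not HTTPS, and attachment names with a risky or doubled extension. The sample message, the brand allowlist and the keyword lists are assumptions made for the example.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message) carrying the classic tells from the text.
SAMPLE_EMAIL = {
    "from": '"SBI Alerts" <alerts@sbi-secure-login.xyz>',
    "subject": "URGENT: your account will be suspended in 24 hours",
    "body": (
        "<p>Dear Customer,</p>"
        "<p>Verify your details immediately to avoid suspension: "
        '<a href="http://sbi-secure-login.xyz/verify">https://www.onlinesbi.sbi/</a></p>'
    ),
    "attachments": ["Statement_Jan.pdf.exe"],
}

# Assumed allowlist: the domains a brand name legitimately sends from.
KNOWN_BRAND_DOMAINS = {"sbi": ("sbi.co.in", "onlinesbi.sbi")}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".zip", ".xlsm", ".docm", ".scr", ".js")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(msg):
    """Return the sorted list of red-flag labels present in a message dict."""
    flags = set()
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.add("urgency_language")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.add("generic_greeting")

    # Brand named in the display name but sender domain is not one the brand uses.
    display_name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        genuine = any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)
        if brand in display_name.lower() and not genuine:
            flags.add("sender_domain_mismatch")

    parser = LinkCollector()
    parser.feed(msg["body"])
    for href, visible in parser.links:
        if not href.lower().startswith("https://"):
            flags.add("insecure_link")
        # Visible text that looks like a URL but whose host differs from the real target.
        if "." in visible and " " not in visible and host_of(visible) not in ("", host_of(href)):
            flags.add("link_text_href_mismatch")

    for name in msg.get("attachments", []):
        lowered = name.lower()
        if lowered.endswith(RISKY_EXTENSIONS) or re.search(r"\.\w{2,4}\.\w{2,4}$", lowered):
            flags.add("risky_attachment")
    return sorted(flags)


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("red flag:", flag)
```

Each flag is a heuristic, not proof; a mail gateway would weight them and quarantine above a threshold, while a single flag (a marketing mail with "act now") should only raise the score.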

Voice Phishing (Vishing)

Fraudulent phone calls posing as a trustworthy institution — bank security team, TRAI, CBI, IT Department, or a prize notification center. Criminals use caller ID spoofing to display official-looking numbers. Victims are pressured to share OTPs, card numbers, or transfer money immediately.

Example script: “This is State Bank of India fraud department. Your account has been compromised. Please provide your OTP to freeze it immediately.”

Pharming Attack

A cyberattack where users are automatically redirected to a fraudulent website even when they type the correct URL. Attackers corrupt DNS servers or modify the hosts file on the victim’s device so that legitimate URLs point to fake servers. The fake site looks identical to the real one.

Difference from phishing: Phishing requires the victim to click a link. Pharming happens automatically — even typing the correct URL leads to the fake site.
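Pharming through a modified hosts file is straightforward to detect on an endpoint, because the hosts file is plain text the defender can read (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) and a bank's hostname has no business being pinned there at all. The script below is an added example, not from the page: it parses hosts-file text and flags any entry that pins a watched domain to a fixed address, any other name pointed at a globally routable address, and any entry whose address will not parse. The sample file content and the watch list are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content (not taken from a real machine). The last two
# entries are what a pharming infection leaves behind: a bank's hostnames pinned
# to an attacker-controlled address, so typing the correct URL lands on the fake site.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.example.internal   # assumed internal server
203.0.113.42    www.onlinesbi.sbi onlinesbi.sbi
203.0.113.42    netbanking.hdfcbank.com
"""

# Assumed watch list: names that must resolve through DNS, never via a local override.
WATCHED_DOMAINS = {"onlinesbi.sbi", "hdfcbank.com", "icicibank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return (hostname, ip, reason) findings for suspicious hosts-file entries."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if is_watched(name):
            findings.append((name, ip, "watched domain pinned in hosts file"))
        elif addr.is_global:
            # Any other name sent to a routable address deserves a look. Note that
            # Python treats documentation ranges such as 203.0.113.0/24 as non-global,
            # so the constructed sample only exercises the watch-list branch.
            findings.append((name, ip, "name pointed at a global address"))
    return findings


if __name__ == "__main__":
    # On a live machine, read the platform's hosts file instead of SAMPLE_HOSTS.
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:16} {reason}")
```

A hosts-file check covers only the endpoint half of pharming; the DNS-server half is caught by comparing answers from the configured resolver against a trusted one, which this script does not do.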

Fake / Phishing Websites

Domains designed to look identical to official websites — same logo, layout, and color scheme. Users unknowingly enter their credentials, which are captured by the attacker. How to spot them:

✅ Visit the website directly (type the URL manually, don’t click links)
✅ Check the exact URL spelling carefully
✅ Avoid pop-ups and insecure (non-HTTPS) sites
✅ Try entering a fictitious password — real sites reject it, fake sites accept anything
✅ Check the website’s design quality and available payment options

Business Email Compromise (BEC)

Defined by the FBI as a “sophisticated scam targeting firms that engage with international suppliers and/or make frequent wire transfer payments.” Attackers use computer intrusion or social engineering to compromise legitimate company email accounts and instruct employees to make large fraudulent wire transfers — appearing to come from the CEO or CFO.

Why it’s devastating: The email looks completely genuine — it comes from the real executive’s compromised account. Billions of dollars are lost annually to BEC globally.

How Online Financial Fraud Operates — Step by Step

The complete modus operandi of investment/part-time job frauds in India

1. Advertisement Bait [Lure Phase]
“Earn Online”, “Part Time Job”, “Work From Home” ads displayed 10am–7pm (peak internet usage). Domains use ‘xyz’ or ‘Wix’ sites that redirect to a messaging platform for private chat.

2. Communication via Hijacked Numbers [Identity Concealment]
Multiple Indian mobile numbers used — the actual number holder is unaware their number is being used. Some knowingly share OTPs in exchange for money (money mules).

3. Investment Link Sent [Hook Phase]
Fraudster sends an investment link over chat with a personal referral code. Communication is in English; Google Translate is used for regional victims. Each victim gets a unique account.

4. Account Activation + First Task [Trust Building]
Victim sends a screenshot to activate the account. A small task is assigned to build confidence. Mandatory: load money via unauthorized Payment Gateways. All payments via UPI.

5. First Payout — The Hook [Confidence Gained]
Victim is allowed to withdraw a small amount to build confidence. This first successful withdrawal is the trap — it makes victims believe the system is genuine and invest more.

6. Escalating Investments [Escalation]
Victim is lured to do more tasks requiring larger deposits. UPI details change daily. The domain changes but the source code remains the same. Once a large amount is deposited, the fraudster goes silent.

7. Money Mule Accounts [Laundering Layer 1]
Stolen funds flow through bank accounts opened by money mules using real/fake IDs. Account owners receive fixed rent or commission for lending accounts. Account-to-account layering is used.

8. Shell Companies & Payment Aggregators [Laundering Layer 2]
Shell companies with dummy directors, fintech companies, and SMS aggregators are used. An aggregator-on-aggregator model conceals identities. Fraudsters operate from outside India.

9. Final Termination Points [Exit Phase]
Money diverted to: cryptocurrency · gold / bullion · foreign wire transfers · person-to-person transfers. These are the final exit points identified by Law Enforcement Agencies (LEAs).

Case Study: The Dani Data App Scam

A real Ponzi scheme that defrauded ₹1,400 crore from 1,200+ investors across India

⚠️ Educational Purpose: This case study is presented to help students recognize and avoid similar fraud patterns. All details are from public domain information as referenced in the AICITSS curriculum.

Total Amount Defrauded: ₹1,400 Cr (~US$180 Million)
Investors Victimized Across India: 1,200+
App Launched by Woo Uyanbe: Dec 2021
Scam Collapsed — Operators Disappeared: Jun 2022

What Was the Scam?

The Dani Data app promised users high returns on football betting investments, claiming to use Artificial Intelligence to predict match outcomes. Users were invited to invest money and “earn” profits. In reality, it was a classic Ponzi scheme — new investor money was used to pay existing investors, creating an illusion of profitability.

Tags: Ponzi Scheme · AI as Bait · Football Betting · Chinese Operator · UPI Payments

How the Ponzi Mechanism Worked

Step 1: New investors deposit money into the app.
Step 2: Operators use new money to pay “profits” to earlier investors — building trust.
Step 3: Satisfied early investors refer friends and family — the scheme grows.
Step 4: When new investor inflow slows, the scheme cannot sustain payouts.
Step 5: Operators disappear with all remaining funds, leaving all investors with nothing.
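The five steps can be written as a small cash-flow model, which makes Step 4 concrete: the "profit" owed each round is a fixed share of all principal collected so far, so it keeps growing, while new deposits are the only source of cash; once inflow stops growing faster than that obligation the operator's cash drains and the first missed payout is the collapse. The simulation below is an added example and not from the AICITSS case study; the inflow growth, decline, promised return and operator cut are assumed parameters, not figures from the Dani Data case.

```python
def simulate_ponzi(initial_inflow=100.0, growth=0.5, decline=0.4, slowdown_round=6,
                   promised_return=0.10, operator_cut=0.20, max_rounds=40):
    """Run the scheme round by round and report when (if) it can no longer pay.

    Each round: new money arrives (Step 1); operators keep operator_cut of it;
    the rest must fund the "profit" owed to everyone who invested earlier
    (Steps 2 and 3); inflow grows by `growth` per round until `slowdown_round`,
    then shrinks by `decline` per round (Step 4). The scheme collapses in the
    first round where cash on hand cannot cover the payout due (Step 5).
    All parameters are assumed values for illustration only.
    """
    cash = principal = total_in = total_out = operator_take = 0.0
    inflow = initial_inflow
    for t in range(1, max_rounds + 1):
        if t > 1:
            growing = slowdown_round is None or t <= slowdown_round
            inflow *= (1 + growth) if growing else (1 - decline)
        payout_due = promised_return * principal     # owed to earlier investors
        skim = operator_cut * inflow                  # operators' share of new money
        cash += inflow - skim
        total_in += inflow
        operator_take += skim
        if cash < payout_due:
            # Step 5: the payout is missed and the operators leave with what is left.
            return {
                "collapse_round": t,
                "total_deposited": total_in,
                "total_paid_out": total_out,
                "investor_loss": total_in - total_out,
                "operators_walk_away_with": operator_take + cash,
            }
        cash -= payout_due
        total_out += payout_due
        principal += inflow                           # this round's deposits now earn "profit"
    return {
        "collapse_round": None,
        "total_deposited": total_in,
        "total_paid_out": total_out,
        "investor_loss": total_in - total_out,
        "operators_walk_away_with": operator_take + cash,
    }


if __name__ == "__main__":
    result = simulate_ponzi()
    print(f"collapsed in round {result['collapse_round']}; investors deposited "
          f"{result['total_deposited']:.0f}, got back {result['total_paid_out']:.0f}, "
          f"operators left with {result['operators_walk_away_with']:.0f}")
```

With the default parameters the scheme survives the slowdown for several rounds on the cash buffer it built during growth, then fails in round 14; with slowdown_round=None (inflow grows forever) it never fails within the horizon, which is exactly why recruiting new investors is built into the design.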

Who Were the Victims?

Victims came from all walks of life — young professionals, retirees, homemakers, and small business owners. Many had invested their entire life savings for retirement. The promise of AI-powered guaranteed returns with no visible risk was designed to appeal to people unfamiliar with financial markets.

Key Lessons from the Dani Data Scam

Warning signs every investor must recognize

Red Flag #1 — Guaranteed High Returns

No legitimate investment guarantees high returns with little or no risk. If it sounds too good to be true, it is. AI cannot predict football match outcomes with certainty.

Red Flag #2 — Unregulated App / Platform

The app was not registered with SEBI, RBI, or any financial regulator. Always verify that an investment platform is licensed before committing any money.

Red Flag #3 — Referral-Based Growth

Ponzi schemes rely on referrals to grow. Being asked to bring in friends and family in exchange for bonuses is a classic warning sign of a pyramid/Ponzi structure.

Red Flag #4 — Large Upfront Payment Required

Requiring large deposits to “unlock” higher profit tiers is a classic Ponzi trap. Legitimate investments never demand large upfront commitments with guaranteed returns.

Protection — Do Your Research

Always research any investment platform before putting money in. Check SEBI registration, look for independent reviews, and consult a certified financial advisor.

Protection — Diversify & Consult Experts

Never invest money you cannot afford to lose. Diversify investments across regulated instruments. Seek professional financial advice before any significant investment decision.

How to Protect Yourself from Cyber Crimes

Practical steps for individuals and organizations

For Individuals

Use Strong, Unique Passwords
Use a different strong password for every account. Enable two-factor authentication (2FA) wherever available.

Verify Before You Click
Hover over links before clicking. Check sender email addresses carefully. When in doubt — go directly to the official website by typing the URL.

Guard Your OTP
Never share OTPs with anyone — including people claiming to be from your bank, TRAI, or any government agency. No legitimate authority ever asks for your OTP.

Keep Software Updated
Install security patches promptly. Most attacks exploit known vulnerabilities in outdated software. Enable automatic updates for the OS and all applications.

Regular Data Backups
Back up important data regularly using the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite. A clean backup means data encrypted by ransomware can be restored instead of paying the ransom.

Cyber Awareness Education
Stay informed about new scam tactics. Follow CERT-In, RBI, and government cybersecurity advisories. Share knowledge with family members who may be vulnerable.

Monitor Financial Accounts
Review bank statements and credit card transactions regularly. Set up SMS/email alerts for every transaction. Report unauthorized transactions immediately.

Invest Only in Regulated Platforms
Verify SEBI / RBI registration before investing. Avoid apps promising guaranteed high returns. Consult a SEBI-registered financial advisor before investing significant money.

For Organizations & Businesses

Employee Cybersecurity Training
Regular phishing simulation drills and cybersecurity awareness programs. Employees are the most common entry point — human error causes 85% of breaches.

Zero Trust Architecture
Never trust, always verify — even internal traffic. Every access request must be authenticated. Limit user privileges to only what is needed for their role.

Vulnerability Scanning
Regular penetration testing and vulnerability assessments. A patch management program to ensure no known vulnerabilities remain unpatched in the production environment.

Incident Response Plan
Have a documented, tested incident response plan. Define who to contact, what to do, and how to communicate during a cyber incident to minimize damage and recovery time.

Email Authentication (SPF, DKIM, DMARC)
Implement email security protocols to prevent domain spoofing. This significantly reduces the risk of BEC attacks, because mail claiming to come from your domain without passing these checks can be rejected by the receiving server.

Supply Chain Risk Assessment
Assess and monitor the cybersecurity posture of all third-party vendors and suppliers. Require vendors to meet security standards. A compromised vendor means a compromised organization.
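Whether the email authentication controls above are actually in place can be read from a domain's DNS TXT records, and a weak record (an SPF that ends in +all or ?all, or a DMARC policy of p=none that only monitors) is a common reason a BEC lookalike message is accepted. The script below is an added example, not code from the page: it evaluates a constructed set of TXT records for a placeholder domain, reports those weaknesses plus missing reporting and a missing DKIM selector, and shows a hardened record set beside the weak one. The domain, the selector name and the record contents are made up for the example; a real check would query DNS for the same names.

```python
# Constructed DNS TXT records for a hypothetical domain (no real lookups are made).
# WEAK_RECORDS leaves the domain spoofable; HARDENED_RECORDS is what the text recommends.
WEAK_RECORDS = {
    "example.com": ["v=spf1 a mx ?all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
HARDENED_RECORDS = {
    "example.com": ["v=spf1 mx include:_spf.mailhost.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(record):
    """Weaknesses in a single SPF record string."""
    findings, lookups, all_qualifier = [], 0, None
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name = mech.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier == "+":
        findings.append("spf_allows_any_sender")   # "+all": every sender passes
    elif all_qualifier == "?":
        findings.append("spf_neutral_all")         # "?all": no verdict, nothing rejected
    elif all_qualifier == "~":
        findings.append("spf_softfail_only")       # "~all": marked, usually not rejected
    elif all_qualifier is None:
        findings.append("spf_missing_all")         # unlisted senders get an implicit neutral
    if lookups > 10:
        findings.append("spf_too_many_lookups")    # receivers treat this as a permanent error
    return findings


def dmarc_findings(record):
    """Weaknesses in a single DMARC record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("dmarc_policy_none")       # monitoring only, spoofed mail still delivered
    if "rua" not in tags:
        findings.append("dmarc_no_reporting")      # no aggregate reports, abuse goes unseen
    if tags.get("pct", "100") != "100":
        findings.append("dmarc_partial_enforcement")
    return findings


def evaluate_email_auth(records, domain, dkim_selectors=()):
    """Return sorted finding labels for a domain, given a dict of name -> TXT strings."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    findings += spf_findings(spf[0]) if spf else ["spf_missing"]
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    findings += dmarc_findings(dmarc[0]) if dmarc else ["dmarc_missing"]
    for selector in dkim_selectors:           # DKIM keys live under <selector>._domainkey.<domain>
        name = f"{selector}._domainkey.{domain}"
        if not any(r.upper().startswith("V=DKIM1") for r in records.get(name, [])):
            findings.append(f"dkim_missing:{selector}")
    return sorted(findings)


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, evaluate_email_auth(recs, "example.com", dkim_selectors=("mail",)))
```

The DKIM check needs the selector name, which only the domain owner knows; the other two checks can be run against any domain, including a supplier's, which ties this back to the vendor assessment above.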

Quick Quiz — Test Your Knowledge

1. What does “Modus Operandi” mean in the context of cybercrime?
A. The tools used by cybercriminals
B. The typical methods cybercriminals use to execute attacks
C. The motive behind a cybercrime
D. The legal punishment for cybercrime

2. According to the global survey (2020–2021), which cyberattack type was the most frequent?
A. Phishing (7%)
B. Malware (7%)
C. Hacking (37%)
D. Ransomware (2%)

3. The Dani Data app scam was primarily what type of fraud?
A. Ransomware Attack
B. Ponzi Scheme
C. DDoS Attack
D. Phishing

4. What is “Pharming” in the context of cyber fraud?
A. Sending fake emails to steal passwords
B. Installing malware via email attachments
C. Redirecting users to a fake website even when they type the correct URL
D. Making fake phone calls to get personal information

5. What does BEC stand for, and who does it typically target?
A. Binary Encryption Code — targets individuals
B. Business Email Compromise — targets firms making wire transfers
C. Botnet Execution Command — targets servers
D. Browser Exploit Code — targets websites

6. Which of the following is a key characteristic of Advanced Persistent Threats (APTs)?
A. They are quick, noisy, and easily detected
B. They target only individual users, not organizations
C. Long-term stealth attacks often associated with nation-state actors
D. They require physical access to the target’s systems

7. In the online fraud scenario, what is the main purpose of using Shell Companies?
A. To provide legitimate business services
B. To employ money mules openly
C. To create bank accounts for accepting or paying out fraud proceeds
D. To develop legitimate payment gateways

8. Crypto Jacking primarily causes harm by:
A. Encrypting the victim’s files for ransom
B. Stealing the victim’s cryptocurrency wallet
C. Using the victim’s computing power to mine crypto without consent
D. Sending fake cryptocurrency transaction alerts