Shonali*, a 48-year-old lecturer from West Bengal was laid off from a private university in March 2020. The lecturer, facing financial stress, turned to Chinese-owned instant loan applications that provide microloans without collateral, but at high-interest rates. Shonali started using these apps to meet expenses in September but began defaulting by October 2020.
These digital lending apps which provide micro-loans of as little as Rs 1,000 have a shorter repayment period and a much higher interest rate. They typically also charge 14% to 15% of the loan amount as a processing fee and a standard interest rate of 1% a day on average. The interest rates also compound on a weekly or fortnightly basis.
“To pay off one loan I ended up taking loans from about 25 instant loan apps. It was a debt trap and at the time I didn't know any better,” says Shonali. She took instant loans to the tune of Rs 2.4 lakh and faced harassment calls and threats to pay back the loans. “We paid Rs 7.8 lakh with interest as loan repayment. The harassment nearly drove me to suicide but I survived,” she adds. But the nightmare didn't end there.
In December 2020, Shonali briefly lost access to three of her bank accounts. The instant loan app had allegedly gained access to all her personal details from her phone. She then noticed an email from Kotak Mahindra Bank, congratulating her for opening a bank account. She also received an OTP email from Bitbns, a cryptocurrency exchange for an account she has no knowledge of. Cryptocurrency exchanges act as a platform for trading in digital currencies such as Bitcoin, Ethereum, Ripple and converting it into real money. “I didn't open any bank account with Kotak nor did I know what a cryptocurrency exchange was. I didn't have access to both these accounts either,” adds Shonali.
Vikram*, from Chennai, who used Chinese instant loan apps, noticed an SBI bank account, which he did not have access to, had been created using his KYC details in February 2021. He had received an OTP from Binance, a cryptocurrency exchange, via email as well.
Savethem India Foundation, a team of cybersecurity professionals researching the Chinese-operated instant loan and online betting apps since March 2020, has been assisting loan app users who have been duped and connecting them to law enforcement agencies. In February 2021, they documented five instances where accounts were created on crypto exchanges using KYC details of the loan defaulters. While all had crypto exchange wallets created in their name, two also had bank accounts opened in their name. The loan app users were unaware of these bank and crypto exchange accounts being operated using their KYC details. The independent investigators believe there could be many such fake bank and crypto exchange accounts being used to funnel money out of India in the form of cryptocurrencies.
Instant loan users like Shonali defaulted payment in one app and found themselves being redirected to other instant loan apps to repay the initial default. Of the 25 apps used by Shonali, four apps are under investigation by the Hyderabad police. The entities that operate the instant loan apps, through a web of shell companies, are linked to online betting and gaming apps. They also share user information with the different types of apps operated by them. “For example, a shell company by name Huahuo did collections for a lending app kredit bear. One of the directors was a part of Linkyun Technologies that ran Dokypay betting app. This is a big little network doing different clandestine businesses not limited to betting and digital lending,” points out Balaji Vijayaraghavan, General Secretary of Savethem India Foundation, “They use Indian directors only for registering the company. The Indian directors are removed once a foreign director is onboarded,” he adds.
Chinese-operated instant loan and online betting apps have been under investigation by the Telangana, Tamil Nadu, Karnataka, Delhi police as well as the Enforcement Directorate (ED). The Hyderabad Police’s Crime Division had sought the removal of hundreds of these apps from the Google Play Store, however, cybersecurity researchers say many of these loan and betting apps are still operating with impunity.
So far, seven Chinese nationals and over 35 Indians have been arrested as part of a crackdown on instant loan apps.
In the two documented instances of fake bank accounts, the victims had shared their KYC details such as Aadhaar, PAN card, drivers’ licence and other documents with the loan apps. The loan app victims are unsure which of the instant loan apps they used misused the KYC details to open bank and crypto exchange accounts.
Those trading in cryptocurrency exchanges can buy and sell digital currencies without a KYC. However, a KYC verification is required if a bank account is to be linked to these crypto exchanges. Regulations in the cryptocurrency sector in India are still vague and there is no standardisation of KYC verification processes on these platforms, say blockchain experts.
“There could be many such fake bank accounts being used for crypto exchanges that we are unaware of,” says Sandeep Sahoo, director at Savethem India Foundation. These China-based actors are gaming the loopholes in our banking system, he adds.
Sandeep explains that KYC data collected from the loan app users are being used to open bank accounts. These bank accounts linked to crypto exchanges are being used to siphon money abroad, “The data is also sold over the darknet and can be used by any scammer for money laundering. The loan app scammers are clearly using this modus operandi,” he alleges.
In the case of Shonali, she had shared her Aadhaar details with the loan apps as KYC to avail the loans. “In December, I got locked out of my ICICI, HDFC and SBI accounts. Someone had changed my net banking login credentials,” Shonali said. She managed to recover the lost money with the help of the Kolkata cyber crime police and the banks. TNM had earlier reported that the instant loan apps, once installed, gain full access to the address book, gallery, SMS, location and other details.
Sandeep claims to have come across several security vulnerabilities in mobile devices that these loan apps use to data-mine the victims. “When you install loan apps you are giving them access to everything in your phone. They only need your phone to receive OTP via SMS or email,” he adds.
On June 11, the Enforcement Directorate issued a show-cause notice to WazirX, an India-based cryptocurrency exchange for alleged violations of the Foreign Exchange Management Act (FEMA) 1999. The ED’s FEMA notice was initiated on the basis of the ongoing money-laundering investigation into Chinese-owned illegal online betting applications.
The ED alleged Chinese nationals had laundered Rs 57 crore using WazirX. Indian rupees were converted into the cryptocurrency Tether and transferred to a Binance wallet (Binance acquired WazirX in 2019).
A crypto wallet helps store a user's digital currency, keeping it safe and accessible only to them. It's a service that allows a crypto trader to send, receive and spend cryptocurrencies. It also enables trade over crypto exchanges where the cryptocurrency can be converted into real money. Binance is one of the world’s largest cryptocurrency exchanges. The ED claims to have detected transactions worth Rs 2,790.74 crore which were suspicious in nature.
In a statement, the agency said WazirX users received cryptocurrency worth Rs 880 crore from Binance accounts and transferred out Rs 1,400 crore to the Binance accounts. “None of these transactions is available on the blockchain for any audit/investigation,” the ED said. Crypto exchanges allow transactions of Indian rupees into cryptocurrencies and vice versa. They also allow exchanging cryptocurrencies between persons and transferring cryptocurrencies into wallets of other crypto exchanges. The ED alleged the accounts to which these digital currencies get transferred could be owned by foreigners.
In a statement, WazirX said it follows KYC and Anti Money Laundering (AML) norms and is ready to cooperate with law enforcement agencies. The company says it will be able to trace all users on their platform with official identity information. It added that it is in compliance with all applicable laws, and goes beyond its legal obligations by following KYC and AML processes and “have always provided information to law enforcement authorities whenever required”.
“Should we receive a formal communication or notice from the ED, we'll fully cooperate in the investigation,” the company added.
In response to TNM’s queries, WazirX said it has a robust transaction monitoring system in place. “We perform a stringent KYC verification of every user including their PAN card, photo and address proof. We also do a secondary KYC verification through linked bank accounts of users to ensure that we receive deposits only from these whitelisted bank accounts before allowing a customer to transact on WazirX. Lastly, we allow only KYC-verified and whitelisted accounts to withdraw funds from our exchange,” it said.
Sandeep says cryptocurrency exchanges will only be able to track transactions of digital currency that are decentralised, such as Bitcoin, Ethereum, Ripple etc. The transactions of these decentralised cryptocurrencies are recorded in the blockchain ledgers which are accessible to law enforcement agencies for scrutiny. “But the transactions cannot be traced once the cryptocurrency is converted into privacy coins, such as Monero, Zcash, DASH, Grin and others and stored in crypto wallets. The crypto wallets are free and you can create multiple wallets. If I am a scammer I can create multiple wallets, convert the cryptocurrency into privacy coins and send them to a proxy wallet who can then encash it at an exchange. It is like using a VPN to hide your IP address,” he explains.
The privacy coins are then converted back into a digital currency and eventually into a foreign currency of the scammer's choice. “If we hire more blockchain experts then we can find some loophole and track this, but it takes technical expertise,” he adds.
Sandeep says he had reached out to the Bitbns team in February this year and alerted them about the four crypto exchange accounts being opened in the name of the loan app users but received no response. Bitbns was founded by Gaurav Dahake and Prashant Singh, its parent company Buyhatke Internet was incorporated in 2015 and is based in Bengaluru. TNM reached out to Bitbns with a detailed questionnaire, and this story will be updated if they respond.
Sharat Chandra, Blockchain and Emerging Tech Evangelist say cryptocurrency exchanges in India have been calling for better regulation but have not been proactive in self-regulating, “There are cryptocurrency exchanges that have been in the sector for years and have come up with self-regulation measures. Such cryptocurrency exchanges have adopted KYC and AML tools, products and services to ensure that the customers they onboard are authentic. These are the same tools used by banks and payment processors,” says Sharat, adding that due to a lack of government guidelines for the sector, cryptocurrency exchanges in India have not given much thought on KYC and AML tools, services and products.
At present there is no clear picture of what KYC and AML tools, products and services are being used by the Indian cryptocurrency exchanges to minimise KYC frauds being detected. There is no standardisation in the type of KYC being used either. Sharat says clear regulation will help crypto exchanges in minimising abuse of their platforms, and crypto exchanges have been calling for regulation as well. “There is a common view that the crypto exchanges could be brought under the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. The guidelines under them could be used for crypto exchanges, thus whatever guidelines thus apply to banking transactions will then apply to crypto transactions. The Union government has to just issue a circular,” Sharat says.
An official with the State Level Bankers' Committee (SLBC) in Telangana told TNM that a fake bank account can only be opened without user consent if a scammer has access to the OTP received via text or email. “The cybercrime police routinely flag OTP related bank frauds, but in these instances, the victim voluntarily gives their sensitive bank details to a scammer over a phone call. But hacking a phone to gain access to OTP has not come to our notice. Banks usually resolve such issues internally,” he added.
Sharat points out that fintech and crypto entities mainly in the US and UK are now going passwordless in an effort to minimise frauds “They are using biometrics which are harder to fake as part of customer onboarding process. They do not rely on OTP and passwords which can be stolen. It’s better to rely on biometrics which is impossible to hack, the biometric data is also stored on the device, not on the central server like an OTP or password,” he opines.
The regulation of the crypto exchanges sector will not be the final solution to prevent such scams, says Sharat “We still have bank accounts being opened with fake KYC. The solution depends on the intent of the sector in implementing the regulations,” he added.
Recently, banks had started sending emails out to customers flagging their crypto transactions based on the 2018 circular of the RBI, which was since overturned. The RBI clarified that the banks cannot cite 2018 circular, but later reiterated that it has “major concerns” about cryptocurrency.
The RBI also formed a working committee to form regulations for digital lenders was formed after media reports about instant loan app victims dying by suicide owing to harsh recovery methods and the subsequent police investigations.
(*names changed)