Cybercrime In India with The Rise of AI: Legal Framework and Challenges

Leave a Comment / Legal Articles / By

Published On: December 17th 2025

Authored By: Patel Krishna Natubhai
Faculty of Law, The Maharaja Sayajirao University of Baroda

Abstract 

In today’s digital era, people rely on digital platforms for day-to-day activities such as bank transactions, investments, loans, etc. However, it has both advantages and disadvantages, and also presents challenges, particularly in the realm of cybercrime. Increased use of Artificial Intelligence increases the risk of violating privacy. This article examines the Indian Legal Framework, including the Information Technology Act, 2000, and the new Digital Personal Data Protection Act, 2023, addressing challenges. It reviews landmark judgements on the real- world challenges, such as Deepfakes, UPI scams, cryptocurrency theft, digital arrest, and privacy issues faced by people. It also highlights loopholes such as enforcement, delay in admissibility, lack of experts, jurisdictional issues, privacy concerns, and the dark web. It concludes with suggestions for strengthening India’s cyber law.

Introduction 

India’s rapid adoption of digital payments, extending from street vendors to beggars equipped with QR codes, has positioned the country as a global leader in digital transactions. Technical challenges are rising with the advancement of technology. Cybercrime is borderless. Where the offence is affected in India, but is in another country. Deepfakes are fake audio/video that closely mimic a real person, posing new verification challenges. Metadata should be correctly interpreted to establish timestamps and geolocation data authenticity.

Cyber offenses, especially involving indecent photographs, cyberbullying, forgery, identity theft, hacking, data theft, etc., are severely impacting societal norms, with women being the primary victims and facing lifelong trauma. According to the NCRB ‘Crime in India’ Report, 2022, cybercrime cases rose 24 percent as compared to 2021, with the motive of fraud nearly

64.8 percent of all cases. Crime rate under this category has increased from 3.9 in 2021 to 4.8 in 2022. A majority of the offences, such as AI tools like voice cloning, automated phishing, and deepfakes for misinformation and extortion, metadata, hacking, have challenges like being difficult to enforce, making traditional investigation methods insufficient in nature.

Internationally, the Budapest Convention is a universal convention for the prevention of organized cybercrime, which provides the mechanism for investigation, arrest, etc. of offenders involved at the international level. However, the provisions of this convention are not abbreviated in India. In India, the investigation is carried out as per the IPC (BNS), and the sections charged are as per the IT Act. This significant approach creates hurdles in tackling crimes that are inherently multinational and now, increasingly AI-driven.

Laws 

Indian Penal Code, 1860[1]/ Bharatiya Nyaya Sanhita, 2023[2]

The Indian Penal Code (IPC), 1860, has been replaced by the Bharatiya Nyaya Sanhita (BNS), 2023. The BNS aims to modernize criminal law by addressing contemporary crimes, incorporating stricter penalties for certain offences, and consolidating provisions related to offences against women and children.

  • Section 354D: Stalking related to deepfakes, fake profiles, cyber harassment. Replaced by Section 78 of BNS.
  • Section 419: Cheating by personation, and it is linked with AI-Voice cloning and deepfakes, cryptocurrency. Replaced by Section 319(2) of BNS.
  • Section 420: Cheating and dishonesty are widely applied to UPI or Crypto Replaced by Section 318 of BNS.
  • Section 499 & 500: Defamation and punishment with fine or It is replaced by Section 356 of BNS.

Constitution of India, 1950[3]

  • 19(1)(a) & 21: Right to Freedom of Speech and Expression and right to life and personal liberty includes the Right to privacy.

Information Technology Act, 2000[4]

Main objective of this act is to give legal recognition to electronic documents, digital signatures. It facilitates e-fillings of documents with govt. departments and also facilitates electronic storage of data, legality of electronic fund transfer.

  • Section 43 of the IT Act talks about penalties and compensation for unauthorized access and damage to computer resources.
  • Section 66 doesn’t explicitly talk about hacking. However, there are certain acts define which are equivalent to hacking like access to computer, computer system or computer networks introduces or causes damage to any computer or destroys or delete or steal any computer source code with intention to cause damage. In India, clause (B) specifically deals with hacking.
  • Sections 66C & D deals with identity theft and cheating by personation using computer resources or devices.
  • Sections 67A & B talks about publishing or transmitting of obscene material, sexually explicit acts, and Child Sexual Abuse Material (CSAM).
  • Sections 70 & 72 deal with protected systems and penalize breaches of confidentiality and privacy.

IT Rules, 2021[5]

  • It was introduced to establish a more structured and balanced framework for intermediatory liability

CERT-In Directions, 2022: It mandates reporting of cyber incidents within 6 hours.[6]

Digital Data Protection Act, 2023[7]

In India, there is no data privacy law to date. After years since the Digital Personal Data Protection Act, 2023, received the president’s assent and was published in the official gazette. Because of this, cybercrime and misuse of personal data have increased. This also makes it difficult to admit digital evidence in court, and at the same time raises serious concerns about the privacy of consumers. However, its full implementation including the formation of Digital Data Protection Bill is still in progress. This gap leaves misuse of personal data without consent for training AI models. Strengthening laws, better-trained forensic teams, and well-prepared judges to protect people’s privacy and ensure justice is served in the digital age.

Landmark cases Online Speech Case:

In the landmark case of Shreya Singhal vs. Union of India[8], the Supreme Court struck down

  • 66A of the Information Technology Act, 2000, which had criminalized sending offensive messages. The court held that this provision was unconstitutional, as it violated the freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution. Following this, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were introduced to establish a more structured and balanced framework for intermediatory liability.

Privacy Case:

In K. S. Puttaswamy vs. Union of India[9], the Supreme Court recognized the right to privacy as a fundamental right under Article 21. The case was brought by Justice K.S. Puttaswamy (Retd.) concerning the constitutionality of the Aadhaar biometric identification system, and several concerns arose regarding the state’s collection and use of personal data. Such implications of this ruling have been cited in many digital rights, data breach, and surveillance-related cases and have also directly impacted the drafting of India’s Digital Personal Data Protection Act, 2023.[10]

Cyber harassment Case:

In State of Tamil Nadu v. Suhas Katti (2004) the court gave one of India’s first convictions for cybercrime. The accused was found guilty of harassing a divorced woman on a Yahoo chat group. Though this case doesn’t involve AI, this is an important step showing that harassment can be punished under this law.[11]

Platform Policy or Privacy Case:

In the Facebook vs. Union of India case, the Delhi High Court has an issue before it where WhatsApp’s new policy allows the sharing of data with Facebook. The Court held that such a take-it-or-leave-it policy is against the competition law as well as the right to privacy under Article 21. Hence, it shouldn’t be allowed. The application highlighted that the new privacy policy offers lower privacy protections to Indian users as compared to European users. The case is still pending before the Supreme Court.[12]

Digital Financial Crime Case:

In the case of Dharmendra V. State of UP, the court emphasized the necessity for thorough police investigations of crimes, encouraging courts to permit further inquiries if needed. It noted a significant increase in digital financial crimes, with scammers utilizing advanced technologies such as artificial intelligence and deepfake techniques for complex cyber fraud schemes, as reported by the Finance Ministry.[13]

Real world Challenges/ Implications  

  • Jurisdictional issues: Cybercrime is borderless, and it is committed beyond the borders while residing in another country. This jurisdictional issue makes it difficult to arrest the offenders.
  • Lack of awareness: Users don’t have knowledge about the misuse of their personal information, or they aren’t very aware of the scams that can happen through online
  • Delay in admissibility: Court faces challenges in admitting the electronic evidence as it can be tampered with, stolen, etc. After checking the validity of the evidence, it is admissible in the court. It is a long procedure that delays the admissibility.
  • Privacy Concerns: tools like AI Saree trend, Ghibli art studio, nano banana image, etc. often use the images and other personal information of the users without consent.

Digital Arrest Scams & Economic Impact: 

  • Fake police officers confine victims on long video calls and demand money under fabricated criminal charges.[14]
  • Cybercrime has a broader economic impact beyond just individual victims. It affects the telecom and banking sectors, which often face additional losses. For example, Airtel’s focused anti-fraud program reduced cybercrime-related losses by nearly 68.7%. This demonstrates how partnerships in the private sector can make enforcement much more effective.[15]

Suggestions/Recommendations 

  • Strict Regulation for AI Tools: Strict regulations should be enforced for AI Tools to protect users’ privacy. There should be an introduction to the liability of the person who misuses AI-generated content, specifically, such as Deepfakes and fraud.
  • Special Cyber Courts: There should be a dedicated bench for adjudicating cyber cases for speedy judgment and disposal.
  • Consumer Awareness: There should be awareness campaigns against UPI Scams, digital arrest, and AI-based Impersonation.
  • Harmonize laws with Budapest Convention Standards: There should be alignment of Indian standard laws with the Budapest Convention.

Judicial mechanisms are providing new solutions for cybercrime. Recently, Lok Adalat’s throughout India helped refund ₹929 crore to victims of cybercrime. This shows how alternative dispute resolution tools can offer quick financial relief, reduce litigation delays, and rebuild public trust. Establishing these practices as a permanent part of the system could significantly improve the way we handle the growing number of cyber fraud cases.[16]

India needs a benefit-sharing framework for data used in AI training without the consent of the users, including personal information. This kind of risk weakens the purpose of the DPDP Act, 2023. Its main objective was to design to safeguard individual rights.[17]

Conclusion

Technology can protect lives, and some people are misusing it for their own purposes. Digital Technology is growing day by day, whether it is about all facets of life, including criminal activity, hacking, scams, tampering with evidence or data, in recent times. Technology has become more advanced, and cybercrimes pose a significant threat to society. Cybercrime investigation is mainly based on the digital evidence stored in the electronic device. Digital evidence is essential to be admissible in cybercrime investigations in India.

References

1 The Indian Penal Code, 1860, Act No. 45 of 1860, § 354D, 419, 420, 499, 500.

2 The Bharatiya Nyaya Sanhita, 2023, Act No. 45 of 2023, § 78, 318, 319(2), 356.

3 The Constitution of India, 1950, art. 19(1)(a), 21.

4 The Information Technology Act, 2000, Act No. 21 of 2000, § 43, 66, 66C, 66D, 67A, 67B, 70, 72.

5 The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 

6 CERT-In Directions, 2022

7 The Digital Personal Data Protection Act, 2023, Act No. 22 of 2023

8 Shreya Singhal v Union of India (2015) 5 SCC 1

9 K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1

10 Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India, MANU/SC/0911/2017

11 State of Tamil Nadu v Suhas Katti (2004) [not in SCC]

12 Facebook/WhatsApp Policy Case 

13 Dharmendra v State of UP, Criminal Misc. Bail Application No. 56170 of 2023 (Allahabad HC, 2023).

14 Newsmeter, ‘Digital Arrest Scam: How Cyber Crooks Cash in on Fear Psychosis’ (Newsmeter, 2024) https://newsmeter.in/top-stories/digital-arrest-scam-how-cyber-crooks-cash-in-on-fear-psychosisdigital-arrest-scam-how-cybercriminals-play-mind-games-with-their-targets-755187 accessed 18 September 2025.

15 Deccan Chronicle, ‘Airtel Anti-Fraud Push Cuts Cybercrime Losses by 68.7%: MHA’ (Deccan Chronicle, 2024) https://www.deccanchronicle.com/news/business-tech/airtel-anti-fraud-push-cuts-cybercrime-losses-by-687-mha-  1904284 accessed 18 September 2025.

16 The Hindu, ‘₹929 Crore Refunds Facilitated for Cybercrime Victims through Latest Lok Adalat’ (The Hindu, 2024)   https://www.thehindu.com/news/cities/Hyderabad/929-crore-refunds-facilitated-for-cybercrime-victims-through-latest-lok-adalat/article70057671.ece accessed 18 September 2025.

17 Manupatra, ‘A Benefit Sharing Framework for AI Training Data in India’ (Manupatra Articles, 2023) https://articles.manupatra.com/article-details/A-BENEFIT-SHARING-FRAMEWORK-FOR-AI-TRAINING-DATA- IN-INDIA accessed 18 September 2025

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe
Scroll to Top