Imagine thousands of fake identity documents being generated at the click of a button—Aadhaar cards, PAN cards, birth certificates—all convincingly real, but entirely fraudulent. That’s exactly what the "PrintSteal" operation has been doing on a massive scale. This investigation uncovers a highly organized criminal network running over 1,800 fake domains, impersonating government websites, and using cyber cafés, Telegram groups, and illicit APIs to distribute fraudulent KYC documents. With over 167,000 fake documents created and ₹40 Lakh in illicit profits, this isn’t just fraud—it’s a direct attack on India’s digital security. The full report dives into how this scam works, who’s behind it, and what needs to be done to stop it. If you care about financial security, digital identity protection, or cybercrime prevention, you won’t want to miss it. Read on to uncover the full story.
This report uncovers a large-scale, organized criminal operation involved in the mass production and distribution of fake Indian KYC (Know Your Customer) documents, commonly known as "print portals," and tracked by CloudSEK as "PrintSteal." The focus of this analysis is the platform crrsg.site, one of several similar operations, chosen to highlight the extent and complexity of the broader threat. The operation has been active since at least 2021 and utilizes a network of affiliates—such as local mobile shops and cyber cafes—with at least 2,727 registered operators on the crrsg.site platform alone, to create fraudulent documents. Investigations revealed that more than 167,391 fake documents have been generated on this platform, including over 156,000 fake birth certificates, showcasing the operation's vast scale and capabilities. The infrastructure of this operation includes a centralized web platform, access to illicit APIs that provide data such as Aadhaar, PAN, and vehicle information, a streamlined payment system, and encrypted communication channels (such as Telegram). The operation's extensive reach, supported by a large network of affiliates and the use of easily accessible illegal APIs, calls for a comprehensive and coordinated counter-response. Additionally, over 1,800 domains linked to this operation have been identified, further expanding its impact. The operation primarily impersonates csc.gov.in and crsorgi.gov.in to enhance credibility. Financial investigations show that the threat actor behind crrsg.site has generated an estimated ₹40 lakh in revenue from this platform alone.
www.crrsg.site stats:
Note: This report uses the crrsg.site platform as a case study to demonstrate the scale and complexity of a wider, multi-platform operation involved in generating fraudulent Indian KYC documents. A significant number of similar sites have been identified.
The Common Service Centre (CSC) is a key Indian government initiative that provides a range of essential services to citizens, often involving the handling of sensitive KYC (Know Your Customer) documents. This investigation began after identifying multiple unauthorized websites impersonating the CSC scheme, offering critical KYC services—such as Aadhaar downloads and address updates—at minimal fees while bypassing standard security protocols. The ease of account creation, extensive service offerings, and rapid shifting of domains pointed to a highly organized and dynamic criminal operation. This report analyzes "crrsg.site" as a representative case study, but the scope of the threat is far broader. To date, over 1,800 domains have been identified as part of this operation, with 600+ active domains currently in operation. This extensive domain network underscores the vast scale and resilience of the fraudulent scheme, significantly complicating efforts to mitigate its impact. The scale of these activities poses substantial challenges for law enforcement and highlights the urgent need for coordinated countermeasures.
The PrintSteal operation represents a highly organized, multi-tiered scheme for producing and distributing fake Indian KYC documents. It effectively combines accessible technologies, illicit APIs, and a vast network of unwitting affiliates to scale the operation and maintain efficiency. The success of the operation is driven by the growing demand for quick and convenient document services, while simultaneously obscuring its illegal activities and staying one step ahead of law enforcement. The structure mirrors a sophisticated criminal enterprise, complete with a division of roles and a strong focus on operational security.
The scheme begins with the establishment of fraudulent KYC document generation platforms, which are often created using pre-made templates (such as AdminLTE), reducing the need for extensive development work. The threat actors acquire the source code from third-party sources like ahkwebsolutions.com, hardscripts.com, or pgecm.in, and customize it for specific types of fake documents. These actors or their associates then purchase shared hosting services from providers like GoDaddy, Hosting Concepts, HOSTINGER, and others to deploy multiple platforms, enhancing both the reach and resilience of the operation. While some platforms are basic, others make use of external APIs to broaden their capabilities, enabling the creation of a wider variety of counterfeit documents.
The operation relies heavily on a network of affiliates, primarily local businesses like mobile shops and internet cafes, which serve as points of contact for customers seeking fake documents. Recruitment is carried out both online and offline, with the demand for quick document services attracting new affiliates. These services are promoted heavily through social media platforms such as YouTube and Instagram, where tutorials and promotional content show the simplicity of using the platform. The process for joining the network is straightforward: affiliates register on the platform, fund a virtual wallet, and gain access to the document generation tools.
Ongoing training and guidance are provided through private Telegram groups and YouTube channels, which include tutorials, tips, and updates. These channels also serve as the primary means for the threat actors to maintain control over the network, sharing crucial information on customer verification (especially for sensitive documents like Aadhaar, PAN, and voter IDs) and offering warnings about potential law enforcement scrutiny. The tone of these messages underscores the high risks involved and the importance of maintaining strict operational security.
The document generation process involves several steps:
2. Database Interaction: The platform queries the database to retrieve relevant data based on the entered information and selected parameters (language, type).
3. Document Assembly: The PHP code combines the data retrieved from the database with pre-existing images of official documents to create a PDF.
4. QR Code Generation: The platform generates QR codes using api.qrserver.com, encoding URLs that redirect to deceptive verification pages. This step enhances the document's apparent legitimacy.
5. PDF Generation: A dynamically generated PDF is created.
A critical element in the PrintSteal operation's success is its use of deceptive QR codes to enhance the credibility of fraudulent documents. These QR codes, generated using the legitimate api.qrserver.com service, are embedded within the fraudulent documents (Aadhaar cards, birth certificates, death certificates). However, instead of linking to official government verification websites, these QR codes direct users to counterfeit URLs designed to mimic legitimate verification pages. For example, scanning the QR code on a fraudulent birth certificate leads to a URL like
https://crrsg.site/admin/web/index.php/auth/birthCertificate/view/B/bWF4VExRZC9GTnhBWkhtZTNrdWhUZz09.php?id=130272&cont=Anjsjdn
which displays the fraudulent document itself, creating the false impression of verification from an official source.
Similarly, death certificate QR codes link to URLs like
https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24
which mimic official government verification portals. This sophisticated deception makes it extremely difficult to distinguish authentic documents from fraudulent ones, even with basic verification attempts.
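The two QR-code URLs above illustrate the trick: the host dc.crsorgi.gov.in.edistrict.site contains the official name crsorgi.gov.in, but its registrable domain is edistrict.site. The following added example (not code from the report or from CloudSEK) shows how a verifier can classify a decoded QR-code URL by its registrable domain rather than by whether an official-looking name appears in it; the allowlist of official domains and the public-suffix table are assumptions for illustration.

```python
"""Classify the URL decoded from a document's QR code as official,
lookalike, or unofficial, based on the registrable domain of its host.

Added example; the allowlist and suffix table are assumptions and would be
maintained from authoritative sources in a real deployment.
"""
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains of the services the report says
# PrintSteal impersonates.
OFFICIAL_DOMAINS = {"crsorgi.gov.in", "csc.gov.in"}

# Public suffixes that take a third label for the registrable domain, so
# that "dc.crsorgi.gov.in" registers as "crsorgi.gov.in" (assumed table).
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in", "co.in"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of host, e.g. 'edistrict.site'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_verification_url(url: str) -> dict:
    """Classify a decoded QR-code URL.

    verdict is 'official' when the registrable domain is allowlisted,
    'lookalike' when an official name appears as a label sequence inside
    a host whose registrable domain is not allowlisted, 'unofficial'
    otherwise, and 'invalid' when the URL has no usable host.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return {"host": host, "registrable_domain": "", "verdict": "invalid",
                "impersonates": None}
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return {"host": host, "registrable_domain": reg,
                "verdict": "official", "impersonates": None}
    # Label-aligned search: ".crsorgi.gov.in." inside ".dc.crsorgi.gov.in.edistrict.site."
    padded = "." + host + "."
    impersonates = next((n for n in OFFICIAL_DOMAINS if "." + n + "." in padded), None)
    verdict = "lookalike" if impersonates else "unofficial"
    return {"host": host, "registrable_domain": reg,
            "verdict": verdict, "impersonates": impersonates}


def scan(urls):
    """Classify a batch of decoded QR URLs; returns one dict per input."""
    return [classify_verification_url(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample: the two URLs quoted in the report plus an
    # assumed genuine government host for contrast.
    samples = [
        "https://dc.crsorgi.gov.in.edistrict.site/crs/verifyCertificate.php?id=24",
        "https://crrsg.site/admin/web/index.php/auth/birthCertificate/view/B/x.php?id=1",
        "https://dc.crsorgi.gov.in/crs/verifyCertificate.php?id=24",
    ]
    for result in scan(samples):
        print(result["verdict"], result["host"], result["impersonates"])
```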
The operation employs an integrated virtual wallet system for payments. Affiliates deposit funds into their platform accounts, and the cost of each document generated is automatically deducted from their wallet. The threat actors charge a fee for each document (typically ₹20-35 on crrsg.site), while affiliates mark up the prices, profiting from the difference and offering added convenience to their customers.
OPSEC is a critical element of the operation’s success. The threat actors use secure communication channels like Telegram to manage the network, issue warnings about ongoing law enforcement investigations, and provide continuous support to affiliates. When law enforcement actions take down one of their platforms, the operators quickly pivot, deploying new platforms and domains to replace those lost, demonstrating their ability to adapt quickly to enforcement efforts. This proactive approach highlights their understanding of law enforcement tactics and their commitment to keeping the operation running smoothly despite increased scrutiny.
Attribution of www.Crrsg.site: Mg Khaan aka Manish Kumar
The investigation has revealed that Manish Kumar is a central figure in the criminal operation behind “crrsg.site”; other websites are operated by different threat actors.
The primary motive is financial gain through the large-scale generation and distribution of fraudulent KYC documents. Analysis of crrsg.site alone indicates a substantial profit of approximately ₹40 Lakh, based on documented pricing (Rs. 20-35 per document) and the generation of over 160,000 documents. This figure, however, likely represents a significant underestimate of the total profits generated. The actual profits are significantly higher, considering the higher-priced services offered, the existence of multiple similar platforms, and the ongoing nature of the operation. The business model is efficient and scalable, relying on a multi-layered affiliate network for distribution and leveraging readily available illicit APIs for data acquisition.
The platform is built using a PHP-based admin panel/dashboard system that drives its core functionality. The backend is powered by PHP, handling the server-side logic for generating fraudulent documents and managing user interactions. The system uses MySQL as its database to store user inputs, document data, and affiliate information. On the frontend, jQuery and Bootstrap 4 are utilized for responsive design and dynamic content updates, while the AdminLTE framework provides a customizable, user-friendly interface for managing the platform's operations.
Note: The API services used in this operation require further investigation to understand how they are sourcing and providing sensitive data for fraudulent document generation.
Impact Assessment:
1. Financial Impact:
The PrintSteal operation has caused substantial financial losses. crrsg.site alone generated an estimated ₹40 lakh from over 160,000 fraudulent documents. With over 1,800 domains in the network, the total financial gain is likely much higher. These illegal profits fuel the operation's growth, posing an ongoing financial risk. Furthermore, the illicit distribution of fake KYC documents undermines trust in India’s financial and legal systems, leading to significant long-term financial consequences.
2. Reputational Impact:
PrintSteal has severely damaged the reputation of the Common Service Centre (CSC) initiative. By impersonating CSC services and bypassing legitimate processes, the criminals exploit public trust in government systems.
3. Legal and Regulatory Implications:
The scale and sophistication of PrintSteal have significant legal and regulatory consequences:
4. National Security Threats:
The fraudulent creation and circulation of KYC documents pose a broader national security risk:
4. Enhanced Security and Authentication Protocols: