Duplicate SIM, Duplicate Fraud: Landmark IT Act Ruling After 22 Unauthorized Transactions
Synopsis
In a landmark adjudication under the Information Technology Act, an Ahmedabad company, Collective Tradelink Pvt. Ltd., led by Bharatkumar I. Mehta and Prakash I. Mehta, recovered the money stolen after fraudsters used a duplicate SIM (a SIM-swap) to intercept OTPs and drain the company’s bank account. The adjudicating officer ordered ICICI Bank to pay ₹1.05 crore (with a ₹10 lakh penalty) and directed Vodafone Idea Ltd. to pay a ₹5 lakh penalty for lapses in SIM-issuance/KYC procedures. The order follows a March 2023 SIM-swap in which roughly ₹1.19 crore left the account in 22 unauthorised transfers.
On March 11, 2023, a group of fraudsters caused a duplicate SIM to be activated for the company director’s number and, with the intercepted OTPs, initiated 22 transfers totalling about ₹1.19 crore. The victims discovered the transactions too late to halt them in real time. Cyber Crime police eventually arrested six individuals linked to the scam, operating from West Bengal.
The victims, Bharatkumar I. Mehta and Prakash I. Mehta, filed complaints with cybercrime police and later a civil claim before the adjudicating authority under the IT Act. The Cyber Crime cell investigated and made arrests; the adjudicator (Principal Secretary, DST) issued a final order in late July 2025 directing compensation and penalties.
Sections Invoked
The adjudication relied on civil liability and compensation provisions in the Information Technology Act, 2000 (IT Act):
- Section 43: imposes civil liability for unauthorised access, tampering or causing damage to computer systems and data. The clause is broad and can be read to include acts that facilitate unauthorised access (for example, enabling someone to receive OTPs and take control of an online banking session).
- Section 43A: creates liability for a body corporate that, while handling sensitive personal data, is negligent in implementing “reasonable security practices and procedures” and thereby causes wrongful loss or gain to any person; the body corporate can be ordered to pay compensation. This provision is frequently used where a bank, telecom or other service-provider failed to secure customer data or processes.
- Section 43(g) (a sub-clause of Section 43): the IT Act’s sub-clauses list specific wrongful acts (e.g., tampering that causes a person to be charged for another’s services).
- In reporting on this case, the telecom lapses in SIM-swap procedures were treated as negligence enabling unauthorised access, a form of civil wrong that falls under Section 43’s umbrella and was referenced by the adjudicator.
| Act / Section | Provision Summary | Relevance to the Case |
| --- | --- | --- |
| Section 43, IT Act, 2000 | Imposes liability for unauthorized access, data theft, or damage to computer resources. | Addressed the unauthorized SIM swap and access to the victims’ bank accounts. |
| Section 66, IT Act, 2000 | Criminalizes dishonest or fraudulent use of computer resources. | Applied to the fraudulent withdrawal of funds after gaining access. |
| Section 66C, IT Act, 2000 | Punishes identity theft involving passwords or identification features. | Used to prosecute the use of the victims’ personal details for SIM swap activation. |
| Section 66D, IT Act, 2000 | Punishes cheating by personation using computer resources. | Targeted impersonation of victims to deceive telecom and banking systems. |
| Section 419, IPC | Cheating by personation. | Parallel provision to strengthen the fraud charge. |
| Section 420, IPC | Cheating and dishonestly inducing delivery of property. | Applied to the wrongful gain of ₹1.20 crore from victims’ accounts. |
Why the adjudicator held the bank and the telecom responsible
Two separate failures mattered:
1. Telecom (Vodafone Idea) – the duplicate SIM was activated after a fraudulent email request; the adjudication found gaps in KYC/authentication at the time of SIM re-issuance, which directly enabled interception of OTPs and account takeover. That procedural lapse triggered civil penalty directions.
2. Bank (ICICI) – the bank was faulted for not detecting an unusually large set of transfers in a short window, and for insufficient due diligence and beneficiary-addition/transaction controls that should have flagged or halted suspicious activity. The order invoked Section 43/43A reasoning (negligent security practices causing wrongful loss) and referenced RBI expectations for banks on fraud detection and transaction controls.
Wider regulatory context (what banks & telcos are expected to do)
RBI and other regulators have been strengthening obligations: banks must implement risk-based transaction monitoring, OTP controls (for critical operations like adding a payee), and enhanced fraud-risk frameworks. Recent RBI master directions and fraud-risk guidelines emphasise continuous monitoring, stronger authentication, incident response and customer awareness programs, all of which are relevant to why the adjudicator expected better controls from the bank. Telecom operators are also under greater regulatory scrutiny for secure SIM-issuance and KYC processes.
From Crisis to Compensation: The Strategic Role of Law Firms in IT Fraud Cases
A firm like Narendra Madhu Associates, with its demonstrated success in securing one of the largest SIM-swap recoveries in India, offers exactly that edge:
1. Pre-Incident Legal Fortification
   - Drafting watertight agreements with banks, telecoms, and fintech service providers that clearly outline security obligations, liability triggers, and rapid escalation protocols.
   - Ensuring that these contracts carry teeth: clauses that halt suspicious debits, compel immediate verification, and impose penalties for lapses.
2. Rapid Incident Response Command
   - The first hours after a breach are decisive. A capable firm moves like a crisis unit: freezing accounts, issuing legal notices, preserving forensic evidence, and triggering both civil and criminal processes in parallel.
   - Direct liaison with cybercrime police ensures that the case doesn’t languish in procedural delay while funds vanish into digital ether.
3. Civil Recovery Through the IT Act
   - Strategically invoking Sections 43, 43A, and related provisions to hold negligent corporates financially accountable.
   - Presenting evidence in a format that meets both technical admissibility standards and persuasive courtroom advocacy.
4. Client Education as Risk Mitigation
   - Turning boardrooms into cyber-awareness command centres through targeted workshops.
   - Equipping decision-makers with actionable “red flag” indicators, from detecting SIM hijacks to spotting abnormal transaction patterns.
5. Policy Advocacy and Precedent Building
   - Using high-profile victories to shape regulatory discourse, pressuring service providers to raise their security game.
   - Ensuring that each case fought is not just a win for the client, but a brick laid in the wall of national cyber resilience.
Practical takeaways for business owners
- Register alternate communication channels with banks (email + app notifications), and enable non-SMS multi-factor authentication where possible.
- Treat any unexpected OTP or service change request as suspicious; verify via an independent channel before authorising.
- Keep a written log of who can request SIM changes for company numbers and require in-person verification for critical lines.
- Report suspected fraud immediately to bank + cybercrime police and preserve all emails/SMS/screenshots for evidence.
Closing
The Gujarat adjudication is more than just another cyber fraud recovery: it stands as one of the biggest and most high-value SIM-swap fraud cases decided under the Information Technology Act in recent years.
For businesses, the lesson is to tighten processes now; for legal firms, it’s an opening to offer integrated prevention, rapid response, and awareness programs. This case shows that with the right representation and persistence, justice and financial restitution are within reach, even in the fast-evolving arena of cybercrime.
In the end, the recovery of ₹1.20 crore in this SIM-swap fraud stands as proof that well-timed legal intervention can turn the tide in even the most complex cybercrime cases. Guided by steady legal representation, the victims navigated a maze of procedural, technical, and evidentiary hurdles to secure a result that not only restored their losses but also strengthened the precedent for future IT fraud claims.
The quiet but decisive role played by the counsel ensured that the case was pursued with both precision and persistence, a reminder that in the fast-moving arena of digital fraud, expertise and timing can make all the difference.