Rise of Cybercrime in India: Challenges under the Bharatiya Nyaya Sanhita, 2023 and Information Technology Act, 2000

User avatar placeholder
Written by Legalosphere

July 3, 2026

This article is written by Suhani Sharma, Fifth Year B.B.A LL.B student of Army Law College.

Abstract

India makes multiple changes for digitization to take larger socioeconomic benefits.[1] But this has led to the exponential increase in cybercrime. The present write-up covers the increasing threat of cybercrime in India and the legal framework regulating such offences through the amendments made through the Information Technology Act, 2000 (IT Act) and the recently enacted Bharatiya Nyaya Sanhita, 2023 (BNS).[2] It identifies key statutory provisions, discusses challenges of enforcement, and evaluates landmark judicial pronouncements shaping India in cybercrime jurisprudence. It concludes with recommendations for legislative and institutional reforms to strengthen the Indian legal response to digital crime.

I. Introduction

Having over 800 million internet users and a growing number of digital financial services, e-Government platforms and communications networks, India is one of the most digitally engaged countries in the world.[3] Although the growth of this digital economy has been rapid and inclusive, it has also provided new opportunities for criminality to take advantage of the anonymity and cross-border nature of the internet. Examples of cybercrime include online financial frauds, identity theft, hacking, cyber stalking, child sexual abuse material (CSAM) and terrorism; there is no limit to what a person can do with a computer.[4]

The cybercrime legal framework in India has expanded through two main periods of time. The first period started with the passing of the Information Technology Act in 2000,[5] which established the first statute for electronic records/digital signatures/cybercrime. A newer phase started when the Bharatiya Nyaya Sanhita replaced the 1860 Indian Penal Code with modernised definitions of crimes on 1 July 2024.[6] Together these two laws are the main means to fight against cybercrime in India.

While there are laws in place to deal with cybercrime, it continues to increase faster than either the ability to enforce those laws or adapt them to current technology. This article will look at the nature of that rise, how well current statutes can handle the rise, what problems there are with enforcement and what types of changes may be necessary for effective reform.

II. The Rise of Cybercrime in India: A Statistical Overview

The central repository for crime-related data in India is the National Crime Records Bureau (NCRB), which operates under the aegis of the Ministry of Home Affairs, Government of India. The latest report on Crime in India 2023 issued by the NCRB shows that cybercrime in India increased by 31.2% from the previous year, with a total of 86,420 cases of cybercrime having been reported.[7]

This trend continued into 2024, when the NCRB’s Crime In India 2024 Report showed that there were 101,928 cases of cybercrime for an increase of 17.9% since 2023.[8]

The rate of cybercrime per lakh of population increased from 6.2 in 2023 to 7.3 in 2024.[9]

Additionally, the data indicates that cyber fraud was the most prominent form of cybercrime, accounting for 72.6% of the total number of cybercrimes reported in 2024 (73,987 cases).[10] Other significant motives for committing cybercrime included sexual exploitation, extortion, causing disrepute, and personal revenge. Telangana, Karnataka, and Maharashtra have consistently recorded the highest number of cases of cybercrime due to their higher levels of digital/information technology usage.

Table 1: Trend in Cybercrime Cases in India (2021–2024)

YearCybercrime Cases RegisteredPercentage Change (YoY)Primary Motive
202152,974N/AFinancial Fraud / Cheating
202265,893+24.4%Financial Fraud / Cheating
202386,420+31.2%Cyber Fraud (65% of cases)
20241,01,928+17.9%Cyber Fraud (72.6% of cases)

Source: National Crime Records Bureau, Crime in India Reports (2021–2024)

The NCRB’s 2024 report highlighted an increasing number of frauds called ‘Digital Arrests’ – where cybercriminals pose as either CBI or Customs department officials and, through video calls, threaten victims with arrest unless they send large amounts of money. A significant increase in AI-assisted phishing, voice cloning, and highly sophisticated types of investment fraud underlines cybercriminals’ growing technological sophistication.

III. Legal Framework under the Information Technology Act, 2000

The Information Technology Act, 2000 (Act No. 21 of 2000) was enacted on 9 June 2000 and brought into force on 17 October 2000. It was enacted with the primary objective of providing legal recognition to electronic records and digital signatures, facilitating e-commerce, and creating a statutory mechanism to deal with cybercrime. A landmark amendment was introduced through the Information Technology (Amendment) Act, 2008, which significantly expanded the scope of offences and introduced several new provisions.

3.1 Key Penal Provisions under the IT Act, 2000

Chapter XI of the IT Act (Sections 65 to 74) contains the penal provisions relating to cybercrime. The principal provisions are as follows:

(a) Section 43 – Unauthorised Access and Damage to Computer Systems: This section provides for civil liability in cases of unauthorised access to computer systems, downloading or copying of data, introduction of computer viruses or contaminants, damage to computers, or denial of access to an authorised person. Compensation of up to Rs. 1 crore may be awarded.

(b) Section 66 – Computer-Related Offences: Any act committed under Section 43 with a dishonest or fraudulent intent attracts criminal liability under this section. The punishment prescribed is imprisonment for a term extending to three years, or a fine up to Rs. 5 lakh, or both.

(c) Section 66C – Identity Theft: Fraudulent or dishonest use of another person’s electronic signature, password, or other unique identification feature is punishable with imprisonment up to three years and a fine up to Rs. 1 lakh.

(d) Section 66D – Cheating by Personation: Cheating through impersonation by means of a computer resource or communication device attracts punishment of up to three years’ imprisonment and a fine of up to Rs. 1 lakh.

(e) Section 66E – Violation of Privacy: Knowingly capturing, publishing, or transmitting images of a private area of any person without consent is punishable with imprisonment up to three years or a fine up to Rs. 2 lakh, or both.

(f) Section 66F – Cyber Terrorism: This provision addresses acts that threaten the unity, integrity, security, or sovereignty of India through the denial of access to authorised personnel, penetration of computer resources, or introduction of contaminants. The punishment is imprisonment extending to life.[11]

(g) Section 67 – Obscene Material in Electronic Form: Publication or transmission of obscene material through electronic form attracts imprisonment up to three years and a fine up to Rs. 5 lakh on first conviction, and up to five years and Rs. 10 lakh on subsequent convictions. Sections 67A and 67B deal with sexually explicit material and child pornography respectively, with enhanced punishments.

(h) Section 72 – Breach of Confidentiality and Privacy: Disclosure of personal information accessed in the course of exercising powers under the IT Act without the consent of the person concerned is punishable with imprisonment up to two years or a fine up to Rs. 1 lakh, or both.

IV. Cybercrime under the Bharatiya Nyaya Sanhita, 2023

On 25 December 2023, the President of India gave his assent to the Bharatiya Nyaya Sanhita, 2023 (Act 45 of ’23); it became the new law effective July 1, 2024 and has replaced the Indian Penal Code of 1860 as the body of law regarding the criminal justice system in India. The BNS does not create a separate chapter concerning cybercrime. Instead it expands the applicability of general types of crimes to the interaction of humans through electronics devices, digital media, smart phones, computers or the internet. More importantly, many of the cybercrime charges brought under the BNS and the IT Act are often brought against the same defendant under both laws.[12]

4.1 Key BNS Provisions Relevant to Cybercrime

(a) Section 318 – Cheating and Online Fraud: Section 318 is the primary provision under the BNS governing cheating, which encompasses online financial fraud including UPI fraud, phishing, and e-commerce deception. It prescribes punishment of imprisonment up to three years and a fine, or both.[13]

(b) Section 351 – Criminal Intimidation: Threatening another person through electronic means , such as through messages on WhatsApp, email, or social media , to cause alarm or to compel a person to do any act which they are not legally bound to do attracts punishment under this section.[14]

(c) Section 353 – Statements Conducing to Public Mischief: This provision targets the spread of misinformation and disinformation by penalising the making of false or misleading statements, rumours, or reports through electronic means that are likely to cause panic, public mischief, or apprehension. As confirmed by the Government of India in a statement before Parliament, this section covers AI-generated synthetic media and deepfakes as well.[15]

(d) Sections 75, 77, and 78 – Offences against Women Online: Section 75 addresses sexual harassment committed through electronic communications or the showing of pornographic material. Section 77 criminalises voyeurism, including digital voyeurism. Section 78 specifically includes monitoring of a woman’s use of the internet, email, or any form of electronic communication as part of the offence of stalking.[16]

(e) Section 111 – Organised Crime Involving Cybercrime: The BNS expressly uses the term “cybercrime” within the framework of organised crime under Section 111. Acts of cybercrime committed as part of the activity of a crime syndicate , including coordinated phishing scams, card skimming, or ransomware attacks , can be prosecuted under this provision. Deepfake-related organised cybercrime is also prosecutable under this section.[17]

(f) Section 152 – Acts Endangering Sovereignty, Unity, and Integrity: While this section primarily targets offline acts, it is broad enough to encompass cybercrime that threatens national security, including cyber warfare, espionage conducted through electronic means, and propaganda or disinformation campaigns targeting the constitutional order of India.[18]

V. Landmark Judicial Pronouncements on Cybercrime

5.1 State of Tamil Nadu v. Suhas Katti (2004)

The aforementioned case distinguishes itself as the first conviction obtained in India using the Information Technology Act of 2000.[19] The accused published indecent, defamatory, and threatening messages belonging to a divorced woman through an internet message board on Yahoo as well as developed an email address that was fictitious in name only wherein he made sexually explicit solicitations to persons that used the internet. The victim was also consequently inundated with harassment calls from many users of the internet. A first information report (FIR) was lodged with the Chennai Cyber Crime Cell (the “Cyber Cell”), and a chargesheet was submitted shortly thereafter. The accused was convicted by the Metropolitan Magistrates Court of Egmore, Chennai (C.C. No. 4680 of 2004) under Section 67 of the IT Act 2000 and Sections 469 and 509 of the Indian Penal Code[20] and sentenced to three years of rigorous imprisonment and a monetary penalty of Rs. 4,000 (an Indian currency in which they issue currency in rupees), with each sentence running concurrently.

This ruling created an important precedent for the enforcement of cyber law in India and demonstrated that the cyber cells are effective at investigating and prosecuting online crimes. This ruling established a benchmark for the treatment of future instances of cyber-stalking and harassment online, especially with regard to women.

5.2 Shreya Singhal v. Union of India (2015)

This landmark constitutional ruling happened when a two-judge bench of the Supreme Court of India unanimously struck down Section 66A of the Information Technology Act, 2000[21] for being penalised for sending “offensive” or “menacing” messages via electronic communication services. The Court found that Section 66A was unconstitutionally vague, overbroad and therefore a violation of Article 19(1)(a) of the Constitution (freely express one’s views).[22]

Accordingly, the Court made an important distinction regarding “discussion”, “advocacy” and “incitement” mere discussion or advocacy of an idea (even if it is an unpopular idea) cannot be criminalised as an offence.[23]

The significance of this judgment for cybercrime law is threefold. First, it affirmed that the right to freedom of expression extends to the digital sphere. Second, it held that restrictions on online speech must satisfy the test of reasonable restrictions under Article 19(2) of the Constitution. Third, it served as a check on arbitrary and politically motivated prosecutions under the garb of cyber law enforcement. The Court, however, clarified that other provisions of the IPC (and now the BNS) continue to apply to online speech that falls within recognised categories of prohibited expression, such as criminal intimidation, defamation, and incitement to violence.

5.3 Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)

In what is considered the most significant constitutional judgment of the 21st century in India, a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right guaranteed under Articles 14, 19, and 21 of the Constitution of India.[24] The bench declared that the right to privacy is an intrinsic part of the right to life and personal liberty under Article 21 and that informational privacy , the right of individuals to control the collection, storage, and dissemination of their personal data , is an integral component of this right.[25]

This judgment has profound implications for cybercrime law. It provided the constitutional foundation for subsequent data protection legislation, including the Digital Personal Data Protection Act, 2023. It also established the principle that surveillance by the State and private actors through digital means must satisfy the tests of legality, necessity, and proportionality.[26] The judgment provides a constitutional lens through which provisions of both the IT Act and the BNS pertaining to data collection, interception, and monitoring must be interpreted.

VI. Key Challenges in Combating Cybercrime

6.1 Jurisdictional Complexities

Cybercrime is inherently cross-border in nature. A fraudster operating from a foreign country can target victims in India, while the servers hosting the malicious activity may be located in a third jurisdiction entirely. The IT Act, 2000 contains extra-territorial provisions,[27] but effective prosecution of foreign perpetrators remains dependent on bilateral mutual legal assistance treaties and international cooperation mechanisms, which are often slow and inadequately utilised. The lack of a dedicated international cybercrime treaty further aggravates this challenge.

6.2 Low Conviction Rates

Despite the increase in registered cases, the conviction rate for cybercrime in India remains very low. NCRB data for 2023 indicates that only 22 per cent of cybercrime cases were charge sheeted, and conviction at trial remained below 3 per cent.[28] This is attributable to inadequate digital forensic infrastructure, challenges in preserving and admitting electronic evidence, a shortage of trained cyber prosecutors, and the technical complexity of cybercrime investigations. Many cases are further delayed due to pendency in courts , over 1.2 lakh cybercrime cases were pending investigation in 2024.[29]

6.3 Digital Evidence and Forensic Challenges

The admissibility and evidentiary weight of digital evidence remain contested areas. The Bharatiya Sakshya Adhiniyam, 2023[30] (which replaced the Indian Evidence Act, 1872) addresses electronic records and expert opinions, but challenges persist in establishing the chain of custody for digital evidence, ensuring the integrity of seized devices, and authenticating electronic records in a manner that satisfies judicial scrutiny. Courts have struggled with the presentation and evaluation of digital evidence such as log files, encrypted communications, metadata, and blockchain records.

6.4 Legislative Gaps and Emerging Threats

Several contemporary forms of cybercrime, such as ransomware attacks on critical infrastructure, cryptocurrency crimes, dark web crimes, deepfake identity theft and artificially generated disinformation (at mass), are not yet covered by either the IT Act 2000 or the BNS 2023. The Digital Personal Data Protection Act 2023[31] does put certain conditions in place to help protect individuals’ data; however, as far as legislation is concerned for the full scope of these existing threats (which are evolving rapidly), there is still much work to be done.

6.5 Underreporting and Awareness Deficit

A significant proportion of cybercrime in India goes unreported. A considerable number of victims of digital fraud and online harassment do not approach law enforcement authorities due to factors such as lack of awareness, perceived inadequacy of remedies, fear of social stigma, and limited confidence in the effectiveness of the criminal justice system. While the Government of India has established the National Cyber Crime Reporting Portal (cybercrime.gov.in) and the dedicated helpline number 1930 to facilitate reporting,[32] awareness of these mechanisms, particularly among rural and elderly populations, remains limited.

VII. Institutional Framework and Government Initiatives

The Government of India has established a multi-tiered institutional framework to address cybercrime. The Indian Cyber Crime Coordination Centre (I4C), functioning under the Ministry of Home Affairs, serves as the nodal body for coordination among law enforcement agencies.[33] The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), issues advisories on cybersecurity threats and vulnerabilities.[34] The National Critical Information Infrastructure Protection Centre (NCIIPC) is responsible for the protection of critical information infrastructure.[35]

The National Cyber Crime Reporting Portal (cybercrime.gov.in), launched by the Ministry of Home Affairs, enables citizens to report cybercrimes online, with a specific focus on offences against women and children, including CSAM.[36] MeitY also observes the National Cyber Security Awareness Month (NCSAM) in October each year, and observes Cyber Jagrookta Diwas (Cyber Awareness Day) on the first Wednesday of each month,[37] to promote digital literacy and cyber hygiene among the public.

VIII. Conclusion and Recommendations

The rise of cybercrime in India reflects a global trend of criminal activity migrating to digital platforms, driven by increasing internet penetration, the proliferation of smartphones, and the relative anonymity afforded by digital technologies. The legislative framework constituted by the Information Technology Act, 2000 and the Bharatiya Nyaya Sanhita, 2023 provides a reasonably robust statutory foundation for the prosecution of a wide range of cyber offences. Judicial pronouncements, particularly in Suhas Katti, Shreya Singhal, and Puttaswamy, have clarified the constitutional and evidentiary dimensions of cybercrime law.

However, significant challenges persist. Low conviction rates, evidentiary difficulties, legislative gaps with respect to emerging threats, jurisdictional complexity, and widespread underreporting continue to undermine the effectiveness of India’s cybercrime regime. The following recommendations are offered to strengthen this framework:

First, a dedicated Cybercrime Amendment Act or a standalone Cybercrime Codification Act should be considered to bring together all cyber-related offences under a single, updated statute that addresses modern threats including ransomware, AI-generated crime, and cryptocurrency fraud.

Second, investment in specialised cyber forensic laboratories, training of cybercrime investigators, and a cadre of digitally literate public prosecutors is essential to improving conviction rates.

Third, India should actively pursue and ratify a binding international instrument on cybercrime, and expand its network of bilateral mutual legal assistance treaties with countries that serve as hubs for cybercriminal activity.

Fourth, public awareness campaigns regarding cybercrime reporting mechanisms should be expanded, with particular focus on rural populations, the elderly, and economically vulnerable communities, who are disproportionately targeted by online fraudsters.

Ultimately, combating cybercrime in India requires not merely stronger laws but a concerted effort combining legislative clarity, institutional capacity, judicial expertise, and public awareness , only then can India realise the full promise of its digital future while protecting its citizens from the harms of the digital age.


[1] Ministry of Electronics and Information Technology, Annual Report 2023–24 (Government of India 2024).

[2] Information Technology Act 2000 (Act No 21 of 2000); Bharatiya Nyaya Sanhita 2023 (Act No 45 of 2023).

[3] Telecom Regulatory Authority of India, The Indian Telecom Services Performance Indicators (TRAI 2024).

[4] Information Technology Act 2000 (Act No 21 of 2000) ss 43, 66C, 66D, 67.

[5] Information Technology Act 2000 (Act No 21 of 2000).

[6] Bharatiya Nyaya Sanhita 2023 (Act No 45 of 2023).

[7] National Crime Records Bureau, Crime in India 2023 (Ministry of Home Affairs 2024).

[8] National Crime Records Bureau, Crime in India 2024 (Ministry of Home Affairs, Government of India 2025).

[9] ibid.

[10] ibid.

[11] Information Technology Act 2000 (Act No 21 of 2000) s 66F (inserted by Information Technology (Amendment) Act 2008 (Act No 10 of 2009)).

[12] Bharatiya Nyaya Sanhita 2023 (Act No 45 of 2023) s 1(2).

[13] Bharatiya Nyaya Sanhita 2023 (Act No 45 of 2023) s 318.

[14] ibid s 351.

[15] ibid s 353; Press Information Bureau, Ministry of Home Affairs, ‘India Well Equipped to Tackle Evolving Online Harms and Cyber Crimes’ (8 August 2025) https://www.pib.gov.in/PressReleasePage.aspx?PRID=2154268 accessed 23 June 2026.

[16] Bharatiya Nyaya Sanhita 2023 (Act No 45 of 2023) ss 75, 77, 78.

[17] ibid s 111.

[18] ibid s 152.

[19] State of Tamil Nadu v Suhas Katti CC No 4680 of 2004 (Metropolitan Magistrate, Egmore, Chennai, 5 November 2004).

[20] Information Technology Act 2000 (Act No 21 of 2000) s 67; Indian Penal Code 1860 (Act No 45 of 1860) ss 469, 509.

[21] Shreya Singhal v Union of India (2015) 5 SCC 1.

[22] ibid [91]-[93].

[23] ibid [65].

[24] Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 [248].

[25] ibid [180].

[26] ibid [310].

[27] Information Technology Act 2000 (Act No 21 of 2000) s 75.

[28] National Crime Records Bureau, Crime in India 2023 (Ministry of Home Affairs 2024).

[29] National Crime Records Bureau, Crime in India 2024 (Ministry of Home Affairs 2025).

[30] Bharatiya Sakshya Adhiniyam 2023 (Act No 47 of 2023).

[31] Digital Personal Data Protection Act 2023 (Act No 22 of 2023).

[32] Ministry of Home Affairs, Government of India, National Cyber Crime Reporting Portal https://cybercrime.gov.in accessed 23 June 2026.

[33] Ministry of Home Affairs, Government of India, Indian Cyber Crime Coordination Centre (I4C) https://www.mha.gov.in/en/divisionofmha/cyber-and-information-security-cis-division accessed 23 June 2026.

[34] Indian Computer Emergency Response Team, About CERT-In https://www.cert-in.org.in accessed 23 June 2026.

[35] National Critical Information Infrastructure Protection Centre, About NCIIPC https://nciipc.gov.in accessed 23 June 2026.

[36] Ministry of Home Affairs, Government of India, National Cyber Crime Reporting Portal (n 31).

[37] Press Information Bureau, Ministry of Home Affairs, ‘India Well Equipped to Tackle Evolving Online Harms and Cyber Crimes’ (8 August 2025) https://www.pib.gov.in/PressReleasePage.aspx?PRID=2154268 accessed 23 June 2026.

Image placeholder

Lorem ipsum amet elit morbi dolor tortor. Vivamus eget mollis nostra ullam corper. Pharetra torquent auctor metus felis nibh velit. Natoque tellus semper taciti nostra. Semper pharetra montes habitant congue integer magnis.

Leave a Comment