Researchers Expose Massive Online Fake Currency Operation in India

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2 million, fake currency operation in India. This report details the exposure of individuals and their activities on Facebook and Instagram.

A large-scale counterfeit currency operation is reportedly circulating fake notes worth millions of dollars, which has been brought to light by cybersecurity firm CloudSEK. Its investigation, shared with Hackread.com, CloudSEK’s STRIKE team has not only calculated the vast spread of this illicit trade, estimated at ₹17.5 crore (over $2 million) in fake Indian currency over just six months (December 26, 2024, to June 26, 2025), but has also managed to identify and pinpoint key individuals behind it.

The unique aspect of this exposé lies in the direct attribution of culprits. Using digital forensics, GPS data, and facial recognition technology, CloudSEK has identified and located major players across the Indian state of Maharashtra.

According to Sourajeet Majumder, a security researcher at CloudSEK, “This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content, we identified the key perpetrators.”

Reportedly, bad actors are using popular social media platforms like Facebook and Instagram in this campaign. CloudSEK’s XVigil platform played a crucial role in its detection by monitoring open-source environments for specific terms like “second series” or “A1 notes,” which are codewords used by sellers.

The investigation revealed over 4,500 posts promoting counterfeit currency and more than 750 accounts or pages involved in selling these fake notes. Furthermore, over 410 unique phone numbers were found to be connected to sellers. These groups even used Meta Ads for paid promotions, openly reaching out to potential buyers. Some sellers went as far as sharing videos, handwritten notes, and even video calls to show the supposed quality of their fake currency, creating a dangerous “trust-based” black market out in the open.

CloudSEK’s researchers combined advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques to unmask group administrators and sellers. They collected facial images, phone numbers, exact GPS locations, and social media profiles of the main suspects.

The researchers also identified several accounts operating under aliases such as Vivek Kumar, Karan Pawar, and Sachin Deeva. Geolocation evidence pointed to activity in Jamade Village (Dhule district, Maharashtra) and Pune, strongly suggesting a coordinated syndicate primarily based in Maharashtra, with Dhule being the potential hotspot.

Further probing revealed that the counterfeiters advertise their fake notes through various social media channels using hashtags like #fakecurrency. To gain trust, they engage with buyers via WhatsApp, sharing “proof” images and even offering live video calls. The production involves professional tools like Adobe Photoshop, industrial-grade printers, and paper that sometimes mimics security features like Mahatma Gandhi watermarks and green security threads.

CloudSEK has shared its findings with relevant law enforcement agencies at both the state and national levels, providing detailed intelligence to aid in disrupting this criminal network and protecting the country’s financial stability.