Bengaluru, July 25, 2025 — CloudSEK has exposed a well-organized counterfeit currency network flourishing openly on social media platforms. In a first-of-its-kind investigation, CloudSEK’s STRIKE team has not only quantified the spread—₹17.5 crore worth of fake Indian currency in just six months—but also attributed key individuals behind the operation using facial recognition, GPS data, and digital forensics.
Social Media Is the New Dark Market
What was once confined to the dark web and underground print shops has now emerged in broad daylight—on Facebook and Instagram. CloudSEK’s XVigil platform was the key enabler in detecting, correlating, and mapping the full threat landscape. By configuring watchwords like “second series” or “A1 notes,” the platform monitored open-source environments and flagged:
- 4,500+ posts promoting counterfeit currency
- 750+ accounts/pages facilitating the sale
- 410+ unique phone numbers linked to sellers
These campaigns utilized codewords like “second currency” and “A1 note” and ran paid promotions through Meta Ads, openly soliciting buyers. Some sellers even demonstrated the legitimacy of their counterfeit products using videos, handwritten notes, and video calls—creating a dangerously trust-based black market in plain sight.
Not Just a Threat, But Named and Located Accused
Using advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques powered by CloudSEK’s proprietary platform XVigil, the researchers were able to:
- Unmask group administrators and sellers promoting fake currency on Facebook and Instagram.
- Retrieve facial images, phone numbers, exact GPS locations, and social media handles of the key suspects.
- Correlate seller profiles across Facebook, Instagram, Telegram, and YouTube.
- Attribute multiple accounts operating under aliases like Vivek Kumar, Karan Pawar, and Sachin Deeva, along with geolocated evidence pinpointing activity in Jamade Village (Dhule district, Maharashtra) and Pune.
“This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content—we identified the key perpetrators,” said Sourajeet Majumder, security researcher at CloudSEK
Tactics, Techniques, and Procedures (TTPs): How the Network Operates
The report highlights a sophisticated yet surprisingly open modus operandi:
- Promotion: Counterfeit notes advertised through Facebook groups, Meta Ads, Instagram Reels, and YouTube Shorts using hashtags like #fakecurrency and #A1notes.
- Engagement: Sellers build trust through WhatsApp chats, sharing “proof” images with contact numbers on fake notes, and even offering live video calls to show stacks of fake cash.
- Production: High-quality replicas produced using Adobe Photoshop, industrial-grade printers, and paper embedded with Mahatma Gandhi watermarks and green security threads.
- Payment & Delivery: Deals often made in person, with options for COD or courier. Some transactions escalate to threats or robbery, revealing a dangerous criminal undercurrent.
- Operational Security: Use of burner phones, fake IDs, and pseudonyms to mask identities and evade law enforcement. (For More Information, Read Full Report)
This systematic breakdown, supported by visuals and digital evidence in the report, reveals a blueprint for how counterfeit money is produced, marketed, and distributed across the country—all via social platforms that were never designed to deal with such threats.
Economic and National Security Risk
CloudSEK’s report warns of severe consequences:
- Economic destabilization via inflation and erosion of monetary trust
- Direct financial losses to individuals and small businesses
- National security threats, with possible links to organized crime or cross-border elements
- Law enforcement overload, diverting crucial resources
Recommendations for Law Enforcement and Platforms
The report offers actionable recommendations for LEAs and social platforms:
- Use AI-powered threat intelligence tools like CloudSEK XVigil for proactive monitoring
- Launch investigations in Maharashtra’s Dhule district
- Monitor Meta Ad libraries and remove finance-related scams
- Takedown of identified sellers and groups using the attributed phone numbers and facial profiles
As part of CloudSEK’s commitment to responsible disclosure and aiding ongoing investigations, the findings from this counterfeit currency operation have been formally shared with relevant law enforcement agencies at both the state and national levels.
This includes comprehensive intelligence such as threat actor profiles, phone numbers, GPS locations, and digital evidence collected during the investigation. By proactively collaborating with investigative authorities, CloudSEK aims to assist in the timely disruption of this criminal network and contribute to safeguarding the country’s financial stability and national security.