#FactCheck- Viral Video Misattributed to Lt Gen Rajiv Kiran Sahni Is False and Misleading
Research Wing
Innovation and Research
PUBLISHED ON
Jun 8, 2026
Executive Summary
A video is being widely circulated on social media by Pakistani users as propaganda against the Indian Army. In the video, a man can be seen being beaten by a group of women in the middle of a road. Based on the viral video, it is being claimed that in Phuket, Thailand, Lieutenant General Rajiv Kiran Sahni, DG EME of the Indian Army, was thrashed by "ladyboys" after he allegedly harassed them and refused to pay the full amount.
Research by the CyberPeace Research Wing found the viral claim to be misleading and baseless. The viral video has no connection with Lieutenant General Rajiv Kiran Sahni (DG EME) of the Indian Army. According to credible media reports obtained during the research, this incident took place in Pattaya, Thailand, in December 2025, where a dispute over payment allegedly broke out between an Indian tourist named Raj Jasuja and some transgender women (ladyboys). Subsequently, the tourist was assaulted.
Claim:
A Pakistani website shared the viral video claiming that Indian Army Lieutenant General Rajiv Kiran Sahni (DG EME) was publicly thrashed in Phuket, Thailand, by ladyboys after he harassed them and refused to pay the full amount.
Meanwhile, on the social site X (formerly Twitter), a user shared the viral video and wrote, “Indian Army Lt Gen Rajiv Kiran Sahni, DG EME, thrashed by Thai ladyboys in Phuket after harassing them and refusing to pay full amount. They think they can bully and oppress people everywhere like Christians in Manipur, but Thailand showed them the reality.”
To investigate the claim made with the viral video, we conducted a reverse search of the video's keyframes. During this process, we found a report by The Times of India. The report, published on January 4, 2026, stated that “According to 'The Thaiger', an Indian tourist was hospitalized in Pattaya, Thailand. It is alleged that a group of transgender women attacked him following a dispute over payment for escort services. The incident occurred on December 27, when rescue workers from the Sawang Boriboon Foundation received a call around 5:30 AM regarding an injured foreign tourist near the beachside entrance of Walking Street. According to the rescue workers who found the victim, he was identified as 52-year-old Indian national Raj Jasuja. Injury marks were clearly visible on his face and the back of his head. He was given first aid before being taken to the hospital for further treatment. A 19-year-old Thai witness, Pongpol Boonchid, told police and rescue workers that the fight began when Raj was seen arguing with a transgender sex worker near the entry gate of Walking Street. The row escalated as both began chasing and hitting each other. According to the witness, the transgender woman then called several of her friends, who arrived and collectively attacked the Indian tourist. It is believed the fight started over money, as the tourist reportedly did not pay the full amount agreed upon for the services. Raj has not made any public statement regarding the incident.”
Furthermore, another report by The Indian Express, published on January 5, 2026, stated regarding the incident: “A group of transgender women allegedly beat up an Indian tourist in Pattaya, Thailand, according to a local media report. The dispute reportedly arose over non-payment of fees for sex services. In a viral video from December 27, three transgender women are seen hitting the 52-year-old man with slippers. The situation worsened when the man refused to pay the requested amount and tried to leave the spot in a car. The transgender women accused the man of not paying. Subsequently, he was allegedly kicked and punched, after which emergency responders intervened. According to a report by 'The Thaiger', the man suffered injuries to his face and the back of his head. He was given first aid on the spot and later taken to Pattamaku Hospital for further treatment. A Thai eyewitness told rescue workers that he saw the man arguing with a transgender sex worker near the entrance of the famous 'Walking Street' area. The witness stated that the argument turned into a physical altercation, with both parties reportedly chasing and hitting each other, after which others joined in, turning it into a group attack. According to the report, the witness further claimed the dispute occurred because the Indian tourist allegedly did not pay the full amount fixed for sexual services. Thai police said they would ask the man to file a formal complaint once he fully recovers.”
Our research found the viral claim to be misleading and baseless. The viral video has no connection with Lieutenant General Rajiv Kiran Sahni (DG EME) of the Indian Army. According to credible media reports, the incident occurred in Pattaya, Thailand, where in December 2025, an Indian tourist named Raj Jasuja had a dispute over payment with some transgender women (ladyboys), leading to the assault.
A zero-click cyber attack solely relies on software and hardware flaws, bypassing any human factor to infect a device and take control over its data. It is almost impossible to discover the attack and know that the device is hacked unless someone on your side is closely monitoring your network traffic data.
At Kaspersky, security analysts used their SIEM solution KUMA to monitor their corporate WiFi network traffic and discovered this mysterious attack. They took necessary actions to investigate it and even went a step further to dive right into the action and uncover the entire attack chain.
A few months ago, Kaspersky shared their findings about this attack on iOS devices. They shared how these zero-click vulnerabilities were being exploited by the attackers and called this attack ‘Operation Triangulation’.
A zero-click exploit in the network
Kaspersky detected a zero-click attack on the iPhones of their colleagues while monitoring their corporate WiFi network traffic. They managed to get detailed information on all the stages of the attack by simply identifying a pattern in the domain names flowing through their network. Although the attackers were quite experienced, their mistakes helped Kaspersky detect critical vulnerabilities in all iOS devices.
The name-pattern
These previously unsuspected domains had a similar naming style: each consisted of two names and ended with ‘.com’, such as ‘backuprabbit.com’ and ‘cloudsponcer.com’. They were used in pairs, one for the exploitation process and the other serving as a command and control server. These domains showed high outbound traffic, were registered with NameCheap and were protected with Cloudflare.
The network pattern
Each time a connection to these suspicious domains was made, it was preceded by an iMessage connection, which indicated that these domains were being accessed by iOS devices. The devices were observed to connect to these domains, download attachments, perform a few requests to a first-level domain, which was an exploitation framework server, and then make regular connections to the second-level domain, which was a command and control server controlled by the attackers.
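The correlation described in the two sections above can be expressed as a small detection routine over connection logs. This is an added example, not Kaspersky's or CyberPeace's code; the log format, the iMessage host suffix, the allowlist and every hostname in the sample are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: hostnames under this suffix represent iMessage traffic in the log.
IMESSAGE_SUFFIX = ".ess.apple.com"
# Assumption: registrable domains the organisation already knows and trusts.
KNOWN = {"apple.com", "icloud.com", "corp-intranet.com"}
# How soon after an iMessage connection the first unknown domain must appear.
WINDOW = timedelta(seconds=120)

# Constructed sample log: (ISO timestamp, device, hostname). Not real indicators.
SAMPLE_LOG = [
    ("2023-01-10T09:00:00", "phone-a", "identity.ess.apple.com"),
    ("2023-01-10T09:00:20", "phone-a", "examplealpha.com"),
    ("2023-01-10T09:01:05", "phone-a", "examplebravo.com"),
    ("2023-01-10T09:31:05", "phone-a", "examplebravo.com"),
    ("2023-01-10T10:01:05", "phone-a", "examplebravo.com"),
    ("2023-01-10T09:10:00", "phone-b", "identity.ess.apple.com"),
    ("2023-01-10T09:10:30", "phone-b", "www.icloud.com"),
    ("2023-01-10T11:00:00", "phone-b", "newsreader.com"),  # no iMessage shortly before
    ("2023-01-11T08:00:00", "phone-c", "identity.ess.apple.com"),
    ("2023-01-11T08:00:40", "phone-c", "examplealpha.com"),
    ("2023-01-11T08:02:00", "phone-c", "examplebravo.com"),
]


def registrable(host):
    """Naive registrable domain: the last two labels (sufficient for .com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_candidate(domain):
    """Unknown, purely alphabetic name ending in .com, as in the name pattern."""
    name, _, tld = domain.rpartition(".")
    return tld == "com" and name.isalpha() and domain not in KNOWN


def find_chains(log, window=WINDOW):
    """Per device: first unknown domain seen right after iMessage, then follow-ups."""
    last_imessage = {}
    chains = {}
    for ts, device, host in sorted(log):
        when = datetime.fromisoformat(ts)
        if host.lower().endswith(IMESSAGE_SUFFIX):
            last_imessage[device] = when
            continue
        domain = registrable(host)
        if not is_candidate(domain):
            continue
        chain = chains.get(device)
        if chain is None:
            seen = last_imessage.get(device)
            if seen is not None and when - seen <= window:
                chains[device] = {"first": domain, "follow_up": {}}
        elif domain != chain["first"]:
            # Later unknown domains on the same device: possible second-level host.
            chain["follow_up"][domain] = chain["follow_up"].get(domain, 0) + 1
    return chains


def shared_pairs(chains, min_devices=2):
    """Keep only (first, follow-up) pairs repeated across devices to cut noise."""
    devices_by_pair = {}
    for device, chain in chains.items():
        for follow in chain["follow_up"]:
            devices_by_pair.setdefault((chain["first"], follow), set()).add(device)
    return {pair: sorted(devs) for pair, devs in devices_by_pair.items()
            if len(devs) >= min_devices}


if __name__ == "__main__":
    for pair, devices in shared_pairs(find_chains(SAMPLE_LOG)).items():
        print(pair, "seen on", devices)
```

Requiring the same domain pair on several devices is what separates this pattern from a user simply opening a new website after receiving a message.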
Getting more information
To get more information about the attack, all the infected devices were collected and backed up after carefully informing the device owners. Although the attackers had managed to clean up their artefacts, the backed-up data was used to perform digital forensic procedures and find traces of the attacks. This helped Kaspersky figure out how the infection might be taking place.
The attacker’s mistakes
The attackers deleted all the attachment files and exploits but did not delete the modified SMS attachment folder. That folder had no files left inside it. The attackers removed evidence from other databases as well, such as the ‘SMS.db’ database; however, another database called ‘datausage.sqlite’ was not sanitised.
The ‘datausage.sqlite’ database is the most important database when it comes to iOS forensics as its contents can be used to track applications and network usage. Upon examination of this database, a process logged as ‘BackupAgent’ was found to be making network connections at the same time the device was making connections to the suspicious domains.
The indicator of compromise
‘BackupAgent’ stood out in this scenario because, although it is a legitimate binary, it has been deprecated since iOS 4 and should not have been making any network connections. This identified the ‘BackupAgent’ process as the first solid indicator of compromise in Operation Triangulation. The indicator is termed ‘Data usage by process BackupAgent’, and was used to determine whether any specific device was infected.
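A check for the ‘Data usage by process BackupAgent’ indicator can be scripted against a copy of the database taken from a device backup. This is an added example, not Kaspersky's tooling: the table and column names (ZPROCESS, ZLIVEUSAGE and their fields) and the timestamp epoch are assumptions about the database layout that should be verified against the backup being examined, and the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are seconds since 2001-01-01 UTC (Apple Core Data epoch).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def to_cocoa(iso):
    """Convert an ISO timestamp (treated as UTC) to seconds since the Cocoa epoch."""
    moment = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return (moment - COCOA_EPOCH).total_seconds()


def from_cocoa(seconds):
    """Convert seconds since the Cocoa epoch to an ISO 8601 UTC string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db():
    """Constructed stand-in for datausage.sqlite with an assumed, reduced schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    db.executemany("INSERT INTO ZPROCESS VALUES (?, ?)", [
        (1, "mDNSResponder"),
        (2, "BackupAgent"),
        (3, "BackupAgent2"),                   # similarly named process, not the indicator
        (4, "Safari/com.apple.mobilesafari"),  # name/bundle form handled below
    ])
    db.executemany(
        "INSERT INTO ZLIVEUSAGE (ZHASPROCESS, ZTIMESTAMP, ZWIFIIN, ZWIFIOUT,"
        " ZWWANIN, ZWWANOUT) VALUES (?, ?, ?, ?, ?, ?)", [
            (1, to_cocoa("2023-01-10T08:59:00"), 512, 256, 0, 0),
            (2, to_cocoa("2023-01-09T12:00:00"), 0, 0, 0, 0),        # no traffic
            (2, to_cocoa("2023-01-10T09:00:25"), 81920, 4096, 0, 0),
            (3, to_cocoa("2023-01-10T09:05:00"), 2048, 1024, 0, 0),
            (4, to_cocoa("2023-01-10T09:06:00"), 0, 0, 4096, 512),
        ])
    return db


def process_data_usage(db, process="BackupAgent"):
    """Return usage records with non-zero traffic for exactly the named process."""
    try:
        rows = db.execute("""
            SELECT p.ZPROCNAME, u.ZTIMESTAMP,
                   COALESCE(u.ZWIFIIN, 0) + COALESCE(u.ZWWANIN, 0),
                   COALESCE(u.ZWIFIOUT, 0) + COALESCE(u.ZWWANOUT, 0)
            FROM ZLIVEUSAGE u JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
            ORDER BY u.ZTIMESTAMP
        """).fetchall()
    except sqlite3.OperationalError as exc:
        # The schema differs from the one assumed here; report it, do not guess.
        raise ValueError(f"unexpected datausage schema: {exc}") from exc
    hits = []
    for name, ts, rx, tx in rows:
        # Exact match on the process part so 'BackupAgent2' is not flagged.
        if ts is None or (name or "").split("/")[0] != process:
            continue
        if rx + tx <= 0:
            continue  # an entry without traffic is not 'data usage'
        hits.append({"time_utc": from_cocoa(ts),
                     "bytes_in": int(rx), "bytes_out": int(tx)})
    return hits


if __name__ == "__main__":
    for hit in process_data_usage(build_sample_db()):
        print("Data usage by process BackupAgent:", hit)
```

The returned timestamps can then be compared with the times at which the device contacted the suspicious domains.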
Taking it a step ahead
The team at Kaspersky successfully identified the indicator of compromise and determined which devices were infected, but as the attackers were experienced enough to delete their payloads, they decided to set a trap and perform a man-in-the-middle attack. When they did, the attackers were unable to detect it.
The man-in-the-middle attack
Kaspersky prepared a server with ‘WireGuard’ and ‘mitmproxy’. They installed root certificates on devices that could be used as targets for the attackers and routed all the network traffic to that server. They also developed a ‘Telegram’ bot to notify them about new infections as they decrypted the network traffic.
Setting up a bot proved to be an effective way of real-time monitoring while modifying all the network packets on the fly with ‘mitmproxy’. This gave them unlimited power! Their trap was successful in capturing a payload sent by the attackers, and it was analysed in detail.
The name was in the payload
The payload was an HTML page with obfuscated JavaScript which performed various code checks and canvas fingerprinting. It rendered a yellow triangle and calculated its hash value. This is why the operation was named Operation Triangulation.
The team at Kaspersky started cracking various layers of asymmetric cryptography with regular expressions. They patched the stages one-by-one on the fly to move the logic from each stage to ‘mitmproxy’ and finally implemented a 400 line ‘mitmproxy’ add-on. This add-on decrypted all the validators, exploits, spyware and additional modules.
The mystery
It is remarkable how Kaspersky detected the attack and identified multiple vulnerabilities, set up a trap to capture a payload and decrypted it completely. They shared all their findings with the device manufacturer and Apple responded by sending out a security patch update addressing four zero-day vulnerabilities.
A zero-click vulnerability
Traditionally, spyware relies on the user to click on a compromised link or file to initiate the infection. A zero-click vulnerability, however, is a specific flaw in the device software or hardware that the attacker can use to infect the device without the need for a click or tap from the user.
The vulnerabilities identified
Tricky Font Flaw (CVE-2023-41990): A clandestine method involving the manipulation of font rendering on iPhones, akin to a secret code deciphered by the attackers. Apple swiftly addressed this vulnerability in versions iOS 15.7.8 and iOS 16.3.
Kernel Trick (CVE-2023-32434): Exploiting a hidden language understood only by the iPhone's core, the attackers successfully compromised the kernel's integrity. Apple responded with fixes implemented in iOS 15.7.7, iOS 15.8, and iOS 16.5.1.
Web Sneakiness (CVE-2023-32435): Leveraging a clever ploy in the interpretation of web content by iPhones, the attackers manipulated the device's behaviour. Apple addressed this vulnerability in iOS 15.7.7 and iOS 16.5.1.
Kernel Key (CVE-2023-38606): The pinnacle of the operation, the attackers discovered a covert method to tamper with the iPhone's core, the kernel. Apple responded with a fix introduced in iOS 16.6, thwarting the intrusion into the most secure facets of the iPhone.
How these attackers were able to find these critical vulnerabilities in a device which stands out for its security features is still unknown.
CyberPeace Advisory
Zero-click attacks are a real threat, but you can defend yourself. Being aware of the risks and taking proactive steps can significantly reduce vulnerability. Regularly installing the latest updates for your operating system, apps, and firmware helps patch vulnerabilities before attackers can exploit them.
Keep your software updated, as updates contain crucial security patches that plug vulnerabilities before attackers can exploit them.
Use security software to actively scan for suspicious activity and malicious code, acting as a first line of defence against zero-click intrusions.
Be cautious with unsolicited messages if the offer seems too good to be true or the link appears suspicious as it can contain malware that can infect your device.
Disable automatic previews as it can potentially trigger malicious code hidden within the content.
Be mindful of what you install and avoid unverified apps and pirated software, as they can be Trojan horses laden with malware.
Stay informed about the latest threats and updates by following reliable news sources and security blogs to stay ahead of the curve, recognize potential zero-click scams and adjust your behaviour accordingly.
Conclusion
Operation Triangulation stands as a testament to the continuous cat-and-mouse game between cybercriminals and tech giants. While the covert spy mission showcased the vulnerabilities present in earlier iPhone versions, Apple's prompt response underscores the commitment to user security. As the digital landscape evolves, vigilance, timely updates, and collaborative efforts remain essential in safeguarding against unforeseen cyber threats.
The trajectory of India's digital economy is growing at an unprecedented rate, and so is India's cybercrime ecosystem. Parliamentary data tabled before the Rajya Sabha in May 2024 by the MHA suggests an overwhelming 900% growth in cybercrime complaints from 2021 to '25, while annual losses crossed 22,800 crore in 2024. The structural issues like the low victim restitution rate, the lack of forensic infrastructure, issues of jurisdiction related to offshore fraud factories targeting Indian citizens, and the huge disparity in awareness levels amongst India's youngest online citizens continue to exist. This brief brings out the clear trends in cybercrime, the role of institutional mechanisms in its prevention and response, failure points, and recommends appropriate policy interventions from the perspective of CyberPeace.
The Data Imperative
Since its operationalisation in 2019 by the Indian Cyber Crime Coordination Centre (I4C), the NCRP has served as India's most significant institutional apparatus for cybercrime reporting and response. Data placed before the Rajya Sabha by the Ministry of Home Affairs on 30 July 2025 show that, with almost no exception, complaints of cybercrime have increased far more quickly than most traditional indicators of public safety. Between 2021 and June 2025, the NCRP received 6.59 million complaints, evidence of both a sustained and escalating expansion of India's cyber threat profile. Complaints per year more than quadrupled from 4.52 lakh in 2021 to 19.18 lakh in 2024 (324% over the period); by 2025, the NCRP had received 28.15 lakh complaints, a 523 percent rise compared with the 2021 baseline.
Clearly, cyber-enabled crime is no longer an occasional crisis but a systemic governance issue requiring consistent regulation and institution-building.
The financial fallout has also accelerated dramatically. Figures indicate that reported financial losses due to cybercrime jumped from 2,290 crore in 2022 to 22,812 crore in 2024, an 895% leap in two years.
Though response mechanisms such as the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) successfully blocked or recovered close to 8,690 crore as of January 2026, victims appear to get back only about 2.18 percent of the losses they report.
In most areas, reporting and response have expanded greatly, but both the rate and scale of cyber-enabled financial fraud continue to outstrip India's remediation and law enforcement capacity.
Threat Typology of India’s Fraud Ecosystem
The nature of cybercrime in India has evolved from an opportunistic volume-based activity to a layered transnational criminal environment. I4C intelligence as tabled in Parliament reveals investment scams as the biggest threat: they accounted for 76% of the financial fraud losses in 2025, although they made up only 35% of complaints, meaning a very high value was lost per case.
Digital arrest frauds, which exploit citizens' unawareness that "digital arrest" is not permissible under Indian law, rose from 39,925 cases (91 crore) in 2022 to 123,672 cases (1,935 crore) in 2024.
The fast rise in the number of incidents as well as in the volume of fraud clearly points out that digital arrest fraud has moved away from the phase of novel scam typology to a formidable cyber-extortion landscape. The main orchestrators of investment, trading, dating, and digital arrest scams targeting Indian citizens were recently identified by the I4C CEO Rajesh Kumar as transnational criminal scam networks in Cambodia, Myanmar, and Laos. Hence, this issue does not only fall within the domain of domestic law enforcement but constitutes a transnational cybercrime requiring parallel financial intelligence, diplomatic initiative, platform responsibility, and international investigative collaboration.
Geographic Concentration
Maharashtra and UP register the highest volumes in total complaints at 3.03 lakh and 3.01 lakh, owing to them being the financial capital and most populous state, respectively. Karnataka, Gujarat, Delhi, WB, Telangana, TN, Rajasthan, and Haryana register above 1 lakh complaints each. However, the critical point being missed is that complaint-rate growth is fastest in Tier 2 and 3 geographies (Haryana leads the per-capita complaint rate with 381 per 100,000 people in 2023, followed by Telangana (261) and Uttarakhand (243)), which signifies rural digital growth as a risk multiplier.
Institutional Architecture: Mechanisms and Performances
India's institutional response to cybercrime, led by the Ministry of Home Affairs' Indian Cyber Crime Coordination Centre (I4C), is one of the world's largest real-time fraud detection and prevention ecosystems. The backbone of this is the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS), which has onboarded over 700 banks, payment service providers, e-commerce portals, digital wallets, and, since the Standard Operating Procedure was issued on 2nd January 2026, virtual asset service providers and crypto exchanges. This interconnected network allows for prompt freezing of funds and timely fraud intervention during the 'golden hour' of a cybercrime report.
Institutional capacity is robust, with approximately 8,690 crore saved via the CFCFRMS since its inception for over 24.65 lakh complaints. The national cybercrime helpline (1930) receives close to 10,000 calls daily, while the Suspect Registry has enabled the rejection of 9,519 crore via the detection of 23.05 lakh suspect entities and 27.37 lakh mule accounts. In parallel, the CyTrain platform has expanded training by registering 151,081 police and judicial officers and issuing 142,025 certificates. Cyberforensic labs in all 33 States and Union Territories have received central assistance totalling 132.93 crore, and data-driven interstate crime analytics and offender linkages through the Samanvaya and Pratibimb platforms have led to 21,857 arrests.
Ecosystem Gaps
Through I4C, CFCFRMS, CyTrain, and the establishment of forensic infrastructure in states, India’s cybercrime ecosystem has greatly grown. But due to the rapid proliferation of cybercrime, systemic shortcomings are revealed regarding the restoration of victims, investigation, forensic capacity, cross-border enforcement, awareness, and stakeholder coordination:
Victim Restitution Deficit: Although the total of ₹ 8,690 crore frozen has increased, the refund for victim compensation is limited to only ₹ 167 crore (2.18%) due to lengthy restoration processes relying on court orders.
Forensic Capacity Limitations: 2 national, state-level, unevenly equipped cyber forensic labs can’t match the needs of over 10 million cybercrime complaints per year.
Low conviction rate: The investigations of cybercrimes suffer from evidence collection and criminal proceedings, leading to limited conviction rates.
Cross-border enforcement challenges: Many of the investment and digital arrest scams, in fact, are originating from Cambodia, Myanmar, and Laos, rendering the cybercrime response mechanisms of India helpless.
Lack of Awareness: First-time digital users are quite prone to online scams and fraud, and many of the victims continue not reporting due to social stigma and lack of confidence.
Partial Stakeholder Integration: Banks and small financial institutions, small companies, and emerging virtual asset providers not yet on board allow the money to slip through without being tracked.
CyberPeace Insights: Strategic Way Forward
India has already built a relatively mature response structure for cybercrime with I4C, CFCFRMS, and CyTrain and is coordinating the financial sector on it. The way ahead lies in outcome-oriented improvements and not just in the ability to report and intercept more. Here are the priority interventions that address the most important institutional shortcomings identified in the current ecosystem:
Fast-track victim restoration: Introduce time-bound victim restoration mechanisms for low-value incidents through simplified processes and mandate national-level roll-out of successful Lok Adalat-based settlement mechanisms.
District-level cyber forensics: Establish cyber forensic support units at the district level and enhance access to mobile, cloud, and blockchain forensic capabilities.
AI-powered fraud prevention: Mandate deep-fake and voice-clone detection mechanisms across all financial institutions and telecom networks; embed predictive risk analytics into transaction screening frameworks.
Cyber Suraksha Gram initiative: Increase digital fraud awareness across all common service centres, Jan Dhan enrollment schemes, and rural banking channels, and tackle the awareness asymmetry.
Regional cybercrime coordination: Establish real-time, operational intelligence-sharing mechanisms with Southeast Asian economies, which have become home to large scam networks preying on Indian citizens.
Specialised cyber prosecution ecosystem: Develop exclusive cyber courts, standardise digital evidence procedures, and broaden the scope of CyTrain to include the development of specialised cadres of investigators and prosecutors capable of handling increasingly complex cybercrime cases.
Conclusion
The 22,812 crore lost due to cybercrime in 2024 was more than a mere figure; it signifies a serious concern regarding citizen trust, economic security, and digital inclusion. Though India's institutional response to cybercrime is one of the largest, with an operational I4C and a CFCFRMS functioning in real time, the victim compensation and prosecution mechanism falls short. It's time for implementation: faster recovery of resources, increased enforcement, a larger scale of awareness, and finally, translating the institutional innovations into concrete justice for victims nationwide.
The world has been witnessing various advancements in cyberspace, and one of the major changes is the speed with which we gain and share information. Cyberspace has been declared as the fifth dimension of warfare, and hence, the influence of technology will go a long way in safeguarding ourselves and our nation. Information plays a vital role in this scenario, and due to the easy access to information, the instances of misinformation and disinformation have been rampant across the globe. In the recent Russia-Ukraine crisis, it was clearly seen how instances of misinformation can lead to major loss and harm to a nation and its subjects. All nations and global leaders are deliberating upon this aspect and efficient sharing of information among friendly nations and inter-government organisations.
What is IW?
IW, also known as Information warfare, is a critical aspect of defending our cyberspace. Information Warfare, in its broadest sense, is a struggle over the information and communications process, a struggle that began with the advent of human communication and conflict. Over the past few decades, the rapid rise in information and communication technologies and their increasing prevalence in our society has revolutionised the communications process and, with it, the significance and implications of information warfare. Information warfare is the application of destructive force on a large scale against information assets and systems, against the computers and networks that support the four critical infrastructures (the power grid, communications, financial, and transportation). However, protecting against computer intrusion, even on a smaller scale, is in the national security interests of the country and is important in the current discussion about information warfare.
IW in India
The aspects of misinformation have been recently seen in India in the form of the violence in Manipur and Nuh, which resulted in a massive loss of property and even human lives. A lot of miscreants or anti-national elements often seed misinformation in our daily news feed, and this is often magnified by social media platforms such as Instagram or X (formerly known as Twitter) and OTT-based messaging applications like WhatsApp or Telegram during the pandemic. It was seen nearly every week that some new way or other to treat COVID-19 was shared on social media, and these were false and inaccurate, especially in regard to the vaccination drive. A lot of posts and messages highlighted that the vaccine is not safe, but a lot of this was a part of misinformation propaganda. Most of the time, such episodes of misinformation spread rapidly, often through social media platforms and OTT messaging applications.
IW and Indian Army
Former Meta employees have recently come up with allegations that the Chinar Corps of the Indian Army had approached the social media giant to suppress some pages and channels which propagated content that may be objectionable. It is alleged that the formation made such a request to propagate its counterintelligence operations against Pakistan. The Chinar Corps is one of the most prestigious formations of the Indian Army and has the operational area of Kashmir Valley. The instances of online grooming and brainwashing have been common from the anti-national elements of Pakistan, as a faction of youth has been engaged in terrorist activities directly or indirectly. Various messaging and social media apps are used by the bad actors to lure in innocent youth on the fake and fabricated pretext of religion or any other social issue. The Indian Army had launched an anti-misinformation campaign in Kashmir, which aimed to protect Kashmiris from the propaganda of fake news and misinformation, which often led to radicalisation or even riots or attacks on defence forces. The aspect of net neutrality is often misused by bad actors in areas which are sociological, critical or unstable. The Indian Army has created special offices focusing on IW at all levels of formations, and the same is also used to eradicate all or any fake news or fake propaganda against the Indian Army.
Conclusion
Information has always been a source of power since the days of the Roman Empire. Control, dissemination, moderation and mode of sharing of information play a vital role for any nation, both in terms of safety from external threats and in maintaining national security. Information Warfare is part of the 5th dimension of warfare, i.e., Cyberwar, and is a growing concern for developed as well as developing nations. Information warfare is a critical aspect which needs to be incorporated in terms of basic training for defence personnel and law enforcement agencies. The anti-misinformation operation in Kashmir was primarily focused towards eradicating the bad elements after repealing Article 377, from cyberspace and ensuring harmony, peace, stability and prosperity in the state.