Criminal Behaviour on the Internet (Cyber-Profiling)

John Suler, then at Rider University, published The Online Disinhibition Effect in CyberPsychology and Behavior in 2004. The core claim is that people say and do things online that they would not say or do face-to-face, and that this loosening is driven by six interacting factors.

A short tour of each factor:

• Dissociative anonymity. "You don't know me." The offender can compartmentalise the online self from the offline self.
• Invisibility. "You can't see me." Even with a known username, the offender does not see the target's facial reactions, and the target does not see theirs.
• Asynchronicity. "I don't have to deal with your reaction now." A delay of hours or days breaks the emotional feedback that face-to-face conversation forces.
• Solipsistic introjection. "You sound like a voice in my head." Without facial and vocal cues, the offender imagines the target as a character, and that character takes on the offender's projections.
• Dissociative imagination. "This is a game, not real life." The online space feels separate, hypothetical, consequence-free.
• Minimisation of authority. "We're all peers here." Status markers like uniform, age, professional title get stripped out, and the offender no longer feels constrained by social hierarchy.

Suler also drew a distinction between benign disinhibition (people open up about painful experiences they'd never share offline) and toxic disinhibition (people send threats, abuse and predatory messages they would never send face-to-face). Profiling work cares about the toxic side.

Online predator grooming is the most studied behavioural pattern in cyber-profiling. The five-phase model has been validated across multiple studies of convicted offenders, including the seminal qualitative work of Suzanne Ost and the policing-oriented breakdowns used by the UK CEOP Command and India's I4C training material.

The phases are not bright lines; they overlap. But the transitions are forensically meaningful. The first sexual reference, the first request for an explicit image, the first threat, the first move from a public platform to a private channel: each of these is a discrete event with a timestamp, and each is the kind of thing a charge sheet under POCSO section 11 (sexual harassment of a child) or IT Act section 67B (electronic child sexual abuse material) is built around.

Most non-trivial cyber-criminal activity runs on at least two personas. The operational persona, used for the offence (the vendor handle on a darknet marketplace, the Telegram account that posts fake-job lures, the burner Instagram that does sextortion), and the personal persona, used for everyday life (the real WhatsApp, the cricket-team group, the UPI-linked phone). Cyber-profiling work is, more than anything else, about finding the seam where the two personas leak into each other.

The classic case study is Ross Ulbricht, founder of Silk Road, arrested by FBI agents in San Francisco's Glen Park Library in October 2013. Investigators didn't break Tor and didn't break Bitcoin. They linked Ulbricht's operational handle "Dread Pirate Roberts" to him because, years earlier, a user named "altoid" had posted on a Bitcoin forum advertising Silk Road, and the same "altoid" had separately posted asking for help with code, signing the post with the email rossulbricht@gmail.com. One slip, made before OPSEC discipline had hardened, was enough.

The Indian analogues are less famous and rarely written up. They have the same pattern though. Sextortion rings in Jharkhand and Rajasthan have been broken because operational SIMs got recharged from the same wallet that paid a personal Zomato order. Darknet drug vendors operating in Bengaluru have been identified through reused profile photos and reused linguistic tics. The cyber cell investigator's job, sitting in front of a chat archive and a metadata dump, is to find the slip.

Indian cyber-profiling is not coherent without the statute book and the institutional map laid out together.

1. IT Act 2000, the spine
   Section 66 (computer-related offences), 67 (publication of obscene material in electronic form), 67A (sexually explicit material), 67B (child sexual abuse material), 69 (interception powers), 79 (intermediary safe harbour). The 2008 amendment added most of the offences you actually charge today.
2. BNS 2023, the general criminal code
   Replaces IPC. Cheating (section 318), criminal intimidation (section 351), forgery (section 336 onward), and the new computer-touching provisions sit alongside the IT Act, not instead of it. Cyber-fraud charge sheets typically run BNS plus IT Act together.
3. BNSS 2023, the procedural code
   Section 105 mandates videography of search and seizure, which now covers seizure of devices in cyber cases. Hash discipline at seizure has become a real expectation.
4. POCSO 2012, for minors
   Sections 11, 12 (sexual harassment) and 13 to 15 (using a child for pornographic purposes, storage) run alongside IT Act 67B for any child-victim case.
5. I4C, the central node
   Indian Cybercrime Coordination Centre, MHA, launched 2018 to 2020. Runs the cybercrime.gov.in National Cybercrime Reporting Portal, the 1930 helpline for live financial-fraud reporting, and coordinates state cyber cells through seven verticals including a Threat Analytics Unit.
6. State cyber cells
   Each state police force runs cyber cells, increasingly at the district level rather than only at the state HQ. Maharashtra, Karnataka, Telangana, Tamil Nadu, Delhi and Gujarat are the more mature ones in 2026.

For evidentiary and chain-of-custody discipline once devices are seized, the upstream topics matter: chain of custody and digital imaging, 3D scanning and videography.

Strip the marketing language away and a working cyber-profile contributes three things to an investigation.

• Attribution. Linking a set of online accounts and behaviours to a single human, then to a specific named human. This is where the OPSEC-seam work lives.
• Linkage across cases. Connecting two apparently separate complaints (a sextortion victim in Pune and one in Lucknow, say) by showing the same operational persona is behind both. Linkage builds a series, and a series justifies the larger investigative resource.
• Escalation prediction. Reading the trajectory of an offender's behaviour and forecasting the next step. A groomer who has just moved from public DMs to Telegram is days, not weeks, from requesting explicit content. A sextortionist who has just made a first threat is hours from a second.

What it does not do in honest practice:

• It does not reliably tell you the offender's psychological "type" from chat logs alone. The temptation to back-fill a personality profile from a few hundred messages is enormous, and the evidence-base for those inferences is shaky. The disciplined cyber-profiler attaches behavioural inferences only to what the messages directly support.
• It does not survive a competent offender's OPSEC. VPNs, burner phones, prepaid SIMs registered to fake addresses, end-to-end encrypted apps with disappearing-messages, mixers and tumblers on the crypto side, all of these degrade attribution. Most offenders fail somewhere; the rare disciplined ones don't, and cyber-profiling cannot conjure attribution out of clean OPSEC.

For the upstream behavioural and motivational lenses that cyber-profiling sits inside, see behavioural evidence analysis and criminal motivation and typologies.

The short summary of where cyber-profiling fails:

• VPN + Tor + clean OPSEC. Attribution stalls entirely.
• Burner devices and prepaid SIMs. The phone and the SIM both die before any pattern can be built.
• Encrypted disappearing messages. Signal, WhatsApp disappearing mode, Telegram secret chats. Recovery is partial at best.
• Cross-border infrastructure. Servers in jurisdictions that don't respond to mutual legal assistance requests. I4C has been pushing for faster MLAT-bypass mechanisms; the operational reality is still slow.
• Linkage errors. Two unrelated handles get fused into one offender, the resulting "profile" describes nobody, and the investigation chases a ghost.
• Over-claimed psychological inference. Defence counsel get the "personality profile" thrown out and use the same cross-examination to undermine the rest of the analyst's testimony.

A working answer to a long-form question asks you to balance these. The technique has a real positive contribution. It also has clear failure modes, and the cyber-cell SOP increasingly treats it as one input among several rather than the spine of the case.