Cyber Crime Taxonomy and the IT Act 2000

Your journey to becoming a forensic professional starts here.

Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.

Start Free Mock Test Create Your Account

Cyber Crime Taxonomy and the IT Act 2000 | ForensicSpot

A cyber crime is any offence where a computer, network, mobile device or data resource is the target of the act, the instrument of the act, or the storage medium for the evidence of the act. The Indian statute that gives this category its working definition is the Information Technology Act 2000, amended substantively by the Information Technology (Amendment) Act 2008 (often called ITAA 2008 or ITAA 2009 by the year of notification). The 2008 amendment is what created Sections 66A through 66F, broadened Section 67 to cover sexually explicit and child sexual material, gave statutory force to electronic signatures, and turned the original Section 79 into the modern intermediary safe harbour. Most cyber FIRs you will read in India sit on a combination of IT Act sections plus BNS 2023 provisions, and the Indian Cyber Crime Coordination Centre (I4C) at cybercrime.gov.in is the single window where most victim complaints originate.

The thing most candidates miss is that "cyber crime" is not one offence with one section number. It is a forensic taxonomy that police, prosecutors and FSL examiners use to decide which provisions to charge, which artifacts to seize, and which CERT-In or I4C workflow to invoke. Two cases with the same harm (your money is gone, your photographs are leaked) can sit under completely different sections depending on whether the offender accessed your account, impersonated you, or coerced you into transferring funds. Knowing the taxonomy is how you read a chargesheet and know what evidence the IO will need to produce.

Key terms

IT Act 2000: The Information Technology Act 2000, the parent Indian statute on computer offences, electronic records and digital signatures. Came into force on 17 October 2000.
ITAA 2008: The Information Technology (Amendment) Act 2008, notified in October 2009. Inserted Sections 66A to 66F and 67A to 67B, expanded Section 69, and rewrote Section 79.
I4C: Indian Cyber Crime Coordination Centre, operating cybercrime.gov.in and the 1930 helpline. The first port of call for most retail cyber crime complaints in India.
CERT-In: Indian Computer Emergency Response Team. Statutory body under Section 70B IT Act; mandatory reporting of qualifying incidents within 6 hours under the April 2022 directions.
Intermediary safe harbour: The conditional immunity under Section 79 IT Act read with the IT Rules 2021. Lost when due diligence and grievance officer obligations are not met.
DPDP Act 2023: Digital Personal Data Protection Act 2023. Defines data principal rights, data fiduciary obligations, and the Data Protection Board of India. Read alongside IT Act in privacy-related cyber cases.

What counts as a cyber crime, and how India structures the taxonomy

Three target classes, one statute, one coordination centre.

The working Indian classification splits cyber offences into three target classes by who the harm falls on. Crimes against persons cover offences where the human victim is the primary target: cyberstalking, online grooming, harassment, identity theft, online financial fraud aimed at a retail account holder, sextortion, and romance scams. Crimes against property cover offences where the asset is the target: hacking of corporate systems, website defacement, IPR violations, ATM and UPI fraud, ransomware against businesses. Crimes against government and society cover cyber terrorism, espionage, and large-scale malware deployment that threatens public infrastructure. This three-way split is the one used in NCRB's annual Crime in India volumes and in the cybercrime.gov.in complaint categories.

Target class	Common offences	Lead IT Act sections	Primary investigating agency
Against persons	Stalking, grooming, identity theft, sextortion, romance scams, OTP fraud	66C, 66D, 66E, 67, 67A	State cyber cell, district cyber unit, I4C intake
Against property	Hacking, defacement, ransomware, ATM and UPI fraud, IPR theft	43, 65, 66, 66B	State cyber cell, CBI in cross-border, CERT-In for incident response
Against government and society

The IT Act 2000 sections every examiner must recite

One line per section, one artifact per section.

The IT Act has been built up in layers. The 2000 original gave India its first computer-offence statute. The 2008 amendment, notified in October 2009, did the real work: it created the modern catalogue of offences from Sections 66A through 66F and 67A through 67B, broadened interception and blocking powers under Sections 69 and 69A, and rewrote Section 79 as the modern intermediary safe harbour with conditional immunity. The 2021 IT Rules added grievance officer, traceability and content takedown obligations on top.

Section 43
Civil penalty for unauthorised access, downloading, virus introduction, denial of service or data theft. Compensation up to the harm proved before the Adjudicating Officer.
Section 65
Tampering with computer source code. Three years and Rs 2 lakh. Used where source is required to be kept by law and is altered or destroyed.
Section 66
Computer-related offences with the dishonest or fraudulent element from Section 43. Three years and Rs 5 lakh. The general hacking provision.

Shreya Singhal and what the constitutional frame leaves standing

One judgment reshaped how cyber speech is policed in India.

Shreya Singhal v Union of India (2015) is the most important Indian cyber law judgment a forensic candidate will be asked to summarise. A two-judge bench of the Supreme Court struck down Section 66A in entirety as violative of Article 19(1)(a). The reasoning was that the section's "grossly offensive" and "menacing" language was vague to the point of arbitrariness, and that the chilling effect on lawful speech was disproportionate. The bench upheld Section 69A and the Blocking Rules with a reading-down, and read into Section 79 a requirement that takedown be on the basis of a court order or a government notification rather than private complaints alone.

The practical consequence for an examiner is that any FIR that still cites Section 66A is procedurally infirm. State cyber cells have been directed to stop using the section; the data still surfaces in some district FIR forms because legacy templates have not been updated. When a chargesheet relies on Section 66A, the standard defence move is to seek quashing under Section 528 BNSS (formerly Section 482 CrPC) on the Shreya Singhal authority.

Provision	Status post Shreya Singhal	What survived
Section 66A	Struck down in entirety	Nothing. FIRs citing 66A are liable to quashing.

The retail cyber crime ladder in India

The same techniques, repackaged by quarter.

If you read state cyber cell dashboards across 2024 to 2026, a small set of typologies dominates the complaint volume. Phishing (deceptive email or SMS), vishing (voice call impersonating bank, courier, customs or police), and smishing (SMS link to a credential-harvesting page) are the entry typologies. SIM swap is the escalation where the offender ports the victim's mobile number to a new SIM to intercept OTPs. OTP fraud is the broad bucket of any social-engineering attack that results in the victim disclosing or approving an OTP. Mule accounts are bank accounts opened with stolen or rented KYC and used as the first hop in laundering. Fake job scams collect fees, training payments or KYC data from job seekers. Pig-butchering (also called fake-investment scam or romance-investment scam) is a long-running confidence script that pairs a romantic or social pretext with a fake investment platform.

The retail cyber fraud ladder in India. Phishing, vishing and smishing harvest the credential or the OTP. SIM swap or OTP coercion converts the credential into payment authority. Funds are routed through mule accounts and exchanged into crypto or moved across UPI VPAs. State cyber cells call this the 'first-mile to laundering' problem and most CERT-In and I4C escalations target the second box, where the money first leaves the victim's bank.

DPDP Act 2023 and how the privacy frame folds in

Personal data is now a regulated asset, not just collateral.

The Digital Personal Data Protection Act 2023 was notified on 11 August 2023 and is being rolled out in stages through the DPDP Rules. The Act applies to processing of digital personal data within India, and to processing outside India where it is connected to offering goods or services to data principals in India. For a digital forensic examiner, three operational consequences matter. First, every business that holds personal data is now a "data fiduciary" with statutory obligations on notice, consent, purpose limitation, security safeguards and breach notification. Second, the data principal (the individual whose data is processed) has enumerated rights including access, correction, erasure and grievance. Third, the Data Protection Board of India is the adjudicatory body for breach penalties, with monetary penalties up to Rs 250 crore per offence depending on category.

Concept	DPDP Act 2023 reference	Operational meaning for a forensic examiner
Data fiduciary	Section 2(i) and Section 8	The entity that determines purpose and means of processing; bears security and breach-notification obligations.
Data principal	Section 2(j) and Section 11	The individual whose data is processed; can complain to the Board and exercise correction or erasure rights.
Personal data breach	Section 8(6)	Any unauthorised processing, accidental loss or alteration of personal data. Notification to the Board and to affected principals is mandatory.

Attack patterns the examiner must recognise

The threats behind the section numbers.

The IT Act sections are the legal handles; the underlying technical events are what the examiner actually investigates. Six classes recur often enough that a forensic candidate should be able to identify each from a fact pattern and name the artifact.

Insider threat. A current or former employee with legitimate credentials exfiltrates, destroys or alters data. Detected from authentication logs, USB and cloud upload telemetry, badge logs, and email archive review. Section 43 read with Section 66 and BNS 314 criminal breach of trust.
Social engineering. Manipulation of a human user into disclosing credentials, approving access, or transferring funds. Phishing, vishing, smishing, business email compromise. Section 66D is the workhorse provision.
Email scam. Spoofed sender, look-alike domain, or compromised account used to redirect payments or extract information. Header analysis (Received-chain, SPF/DKIM/DMARC verdicts), payment trail, and the recipient mailbox audit log are the standard artifact triad.
Packet sniffing. Passive capture of network traffic on an unsecured Wi-Fi or a compromised LAN segment. Tools like Wireshark and tcpdump generate the captures; the offence sits under Section 66 read with Section 43.
Spoofing. ARP spoofing, DNS spoofing, IP spoofing, caller-ID spoofing. The technical attack underlying many social-engineering chains. The forensic artifact is the ARP table state, the DNS resolver log, or the carrier-side CLI record.
Man-in-the-middle. Interception and possible modification of traffic between two parties who believe they are communicating directly. Sits under Section 66 read with Section 72A unauthorised disclosure if confidential information is intercepted in the course of providing services.

Practice

Question 1 of 5· 0 answered

Which IT Act section is the workhorse provision for phishing and vishing cases in India?

Frequently asked questions

What is a cyber crime under Indian law?

A cyber crime is any offence where a computer, network, mobile device or data resource is the target, the instrument, or the storage medium of the act. The IT Act 2000 (as amended by ITAA 2008) gives the category its working definition. Most cyber FIRs combine IT Act sections with BNS 2023 provisions and are routed through the I4C portal at cybercrime.gov.in.

What did the ITAA 2008 amendment actually change?

It created the modern catalogue of offences from Sections 66A through 66F and 67A through 67B, expanded interception under Section 69 and blocking under Section 69A, rewrote Section 79 as the conditional intermediary safe harbour, gave statutory force to electronic signatures, and added Section 70A and 70B (NCIIPC and CERT-In). The amendment was passed in 2008 and notified in October 2009.

Which IT Act section applies to identity theft?

Section 66C IT Act covers fraudulent or dishonest use of another person's password, electronic signature or unique identification feature. The penalty is up to three years and Rs 1 lakh. Where the offender also impersonates the victim in a communication with a third party (typical phishing pattern), Section 66D is added.

What is the role of I4C and CERT-In in a cyber crime investigation?

I4C runs cybercrime.gov.in and the 1930 helpline; it is the intake and routing layer for retail complaints, particularly online financial fraud and offences against women and children. CERT-In is the statutory CSIRT under Section 70B and runs incident response, advisories and the 6-hour reporting regime under the April 2022 directions. The two agencies operate in parallel; many cases trigger both.