Cyber Crime Taxonomy and the IT Act 2000

The working Indian classification splits cyber offences into three target classes by who the harm falls on. Crimes against persons cover offences where the human victim is the primary target: cyberstalking, online grooming, harassment, identity theft, online financial fraud aimed at a retail account holder, sextortion, and romance scams. Crimes against property cover offences where the asset is the target: hacking of corporate systems, website defacement, IPR violations, ATM and UPI fraud, ransomware against businesses. Crimes against government and society cover cyber terrorism, espionage, and large-scale malware deployment that threatens public infrastructure. This three-way split is the one used in NCRB's annual Crime in India volumes and in the cybercrime.gov.in complaint categories.

The I4C portal at cybercrime.gov.in routes complaints into one of these categories and then into a state's nodal cyber cell. Maharashtra, Telangana, Karnataka and Delhi have well-developed cyber cells with dedicated cyber police stations; smaller states route through the district SP's office. NCRB's Crime in India 2023 volume reported cyber crime cases rising by approximately 31 percent year over year (from 65,893 cases in 2022 to 86,420 cases in 2023), dominated by online financial fraud and offences against women and children, a pattern that has held since the 2020 lockdown push to digital payments. The hardware the IO seizes from each of these scenes is the starting point of Computer Hardware Fundamentals for Forensic Examiners, and the OS-level boot evidence that lives on those devices is in Operating Systems, Boot Process and File Systems.

The IT Act has been built up in layers. The 2000 original gave India its first computer-offence statute. The 2008 amendment, notified in October 2009, did the real work: it created the modern catalogue of offences from Sections 66A through 66F and 67A through 67B, broadened interception and blocking powers under Sections 69 and 69A, and rewrote Section 79 as the modern intermediary safe harbour with conditional immunity. The 2021 IT Rules added grievance officer, traceability and content takedown obligations on top.

1. Section 43
   Civil penalty for unauthorised access, downloading, virus introduction, denial of service or data theft. Compensation up to the harm proved before the Adjudicating Officer.
2. Section 65
   Tampering with computer source code. Three years and Rs 2 lakh. Used where source is required to be kept by law and is altered or destroyed.
3. Section 66
   Computer-related offences with the dishonest or fraudulent element from Section 43. Three years and Rs 5 lakh. The general hacking provision.
4. Section 66B
   Dishonestly receiving a stolen computer or communication device. Three years and Rs 1 lakh.
5. Section 66C
   Identity theft. Fraudulent or dishonest use of another person's password, electronic signature or unique identification feature. Three years and Rs 1 lakh.
6. Section 66D
   Cheating by personation using a computer resource. Three years and Rs 1 lakh. The phishing, vishing and impersonation workhorse.
7. Section 66E
   Violation of privacy. Capture, publication or transmission of an image of a private area of any person without consent. Three years or Rs 2 lakh.
8. Section 66F
   Cyber terrorism. Acts threatening unity, integrity, security or sovereignty of India through computer resources. Life imprisonment.
9. Section 67
   Publishing or transmitting obscene material in electronic form. Three years on first conviction, five years on subsequent.
10. Section 67A
    Sexually explicit material in electronic form. Five years on first conviction.
11. Section 67B
    Child sexual exploitation material. Five years on first conviction. Read alongside POCSO 2012.
12. Section 69
    Interception, monitoring or decryption of any information through any computer resource, on grounds in sub-section (1). Procedure under the 2009 Rules.
13. Section 69A
    Blocking access to information in the interest of sovereignty, integrity, defence, security or public order. Procedure under the 2009 Blocking Rules.
14. Section 70
    Protected systems and Critical Information Infrastructure. NCIIPC is the nodal agency for CII under Section 70A.
15. Section 72
    Breach of confidentiality and privacy by a person who has secured access under powers conferred by the Act. Two years or Rs 1 lakh.
16. Section 79
    Conditional safe harbour for intermediaries that observe due diligence under the IT Rules 2021. Lost on actual knowledge or failure to take down on lawful order.

The artifact pattern an examiner should associate with each section is what makes the section list useful. Section 43 and 66 cases need access logs, authentication records and a forensic image of the target system. Section 66C needs the impersonating credential and the path it travelled (SIM swap records, phishing kit hosting). Section 66D needs the call recordings, payment trail and the IP-to-subscriber mapping for the deceptive resource. Section 66F needs network capture and command-and-control attribution. Section 67 family needs hash-matched content and a 65B/63 BSA certificate for every copy produced.

Shreya Singhal v Union of India (2015) is the most important Indian cyber law judgment a forensic candidate will be asked to summarise. A two-judge bench of the Supreme Court struck down Section 66A in entirety as violative of Article 19(1)(a). The reasoning was that the section's "grossly offensive" and "menacing" language was vague to the point of arbitrariness, and that the chilling effect on lawful speech was disproportionate. The bench upheld Section 69A and the Blocking Rules with a reading-down, and read into Section 79 a requirement that takedown be on the basis of a court order or a government notification rather than private complaints alone.

The practical consequence for an examiner is that any FIR that still cites Section 66A is procedurally infirm. State cyber cells have been directed to stop using the section; the data still surfaces in some district FIR forms because legacy templates have not been updated. When a chargesheet relies on Section 66A, the standard defence move is to seek quashing under Section 528 BNSS (formerly Section 482 CrPC) on the Shreya Singhal authority.

Across state cyber cell dashboards from 2024 to 2026, a small set of typologies dominates the complaint volume. Phishing (deceptive email or SMS), vishing (voice call impersonating bank, courier, customs or police), and smishing (SMS link to a credential-harvesting page) are the entry typologies. SIM swap is the escalation where the offender ports the victim's mobile number to a new SIM to intercept OTPs. OTP fraud is the broad bucket of any social-engineering attack that results in the victim disclosing or approving an OTP. Mule accounts are bank accounts opened with stolen or rented KYC and used as the first hop in laundering. Fake job scams collect fees, training payments or KYC data from job seekers. Pig-butchering (also called fake-investment scam or romance-investment scam) is a long-running confidence script that pairs a romantic or social pretext with a fake investment platform.

The forensic implication of the ladder is that a single complaint often produces a chargesheet citing two or three IT Act sections plus BNS provisions. A pig-butchering case typically pulls in Section 66D (cheating by personation through computer resource), Section 66C if the offender used the victim's credentials anywhere in the chain, and BNS Section 318 for the general offence of cheating. The investigator's evidence list will include WhatsApp chat exports, screen recordings of the fake investment dashboard, UPI transaction history, mule account KYC, telecom CDR, and the I4C escalation acknowledgement.

The Digital Personal Data Protection Act 2023 was notified on 11 August 2023 and is being implemented in stages through the DPDP Rules. The Act applies to processing of digital personal data within India, and to processing outside India where it is connected to offering goods or services to data principals in India. For a digital forensic examiner, three operational consequences matter. First, every business that holds personal data is now a "data fiduciary" with statutory obligations on notice, consent, purpose limitation, security safeguards and breach notification. Second, the data principal (the individual whose data is processed) has enumerated rights including access, correction, erasure and grievance. Third, the Data Protection Board of India is the adjudicatory body for breach penalties, with monetary penalties up to Rs 250 crore per offence depending on category.

For a cyber forensic case, the DPDP frame creates parallel duties on top of the IT Act and BNS charges. A ransomware incident at a hospital, for instance, is simultaneously a Section 66 IT Act offence, potentially a Section 66F cyber terrorism question if critical care systems are downed, a CERT-In reportable incident under the April 2022 directions, and a DPDP breach with notification to the Data Protection Board and the affected patients. The examiner's report needs to capture timestamps and IOCs with enough fidelity that all four workflows can be supported from the same artifact set.

The cross-link here is to BNS 2023 Cyber Provisions and BSA 2023 Electronic Evidence, which covers the BSA Section 63 certificate workflow that the same digital artifacts will need at trial, and to Digital First Responder: Volatility, Seizure, Imaging for the acquisition discipline that supports the chain of custody.

The IT Act sections are the legal handles; the underlying technical events are what the examiner investigates. Six classes recur often enough that an examiner must be able to identify each from a fact pattern and name the corresponding artifact.

• Insider threat. A current or former employee with legitimate credentials exfiltrates, destroys or alters data. Detected from authentication logs, USB and cloud upload telemetry, badge logs, and email archive review. Section 43 read with Section 66 and BNS 314 criminal breach of trust.
• Social engineering. Manipulation of a human user into disclosing credentials, approving access, or transferring funds. Phishing, vishing, smishing, business email compromise. Section 66D is the workhorse provision.
• Email scam. Spoofed sender, look-alike domain, or compromised account used to redirect payments or extract information. Header analysis (Received-chain, SPF/DKIM/DMARC verdicts), payment trail, and the recipient mailbox audit log are the standard artifact triad.
• Packet sniffing. Passive capture of network traffic on an unsecured Wi-Fi or a compromised LAN segment. Tools like Wireshark and tcpdump generate the captures; the offence sits under Section 66 read with Section 43.
• Spoofing. ARP spoofing, DNS spoofing, IP spoofing, caller-ID spoofing. The technical attack underlying many social-engineering chains. The forensic artifact is the ARP table state, the DNS resolver log, or the carrier-side CLI record.
• Man-in-the-middle. Interception and possible modification of traffic between two parties who believe they are communicating directly. Sits under Section 66 read with Section 72A unauthorised disclosure if confidential information is intercepted in the course of providing services.

The standard forensic artifact map for these patterns is: authentication and access logs (insider, spoofing, MITM), email server logs and headers (email scam, social engineering), packet captures and NetFlow (sniffing, MITM, network reconnaissance), endpoint EDR telemetry (malware deployment), and mobile and SIM provisioning records (SIM swap, OTP fraud).