Social Media Crime: Cyberbullying, Grooming and Stalking

The Indian social media stack is broader than the western Meta-plus-X picture, and the offence pattern follows the platform's affordance: WhatsApp's end-to-end encryption shapes misinformation cases differently from Instagram's image-sharing model or LinkedIn's professional-recruiter context.

Four threat classes recur across these platforms. Account takeover via credential stuffing exploits password reuse from leak databases. OAuth abuse uses third-party 'log in with Google' or 'log in with Facebook' flows to harvest scope-granted data through a malicious app. Fake login pages clone the legitimate authentication flow at a typo-squat domain and capture the credential plus the SMS OTP. Session hijacking lifts the platform cookie from a seized device or via a reverse-proxy phishing kit such as Evilginx2.

The regulator-side anchor for the entire stack is the Intermediary Guidelines 2021. Significant social media intermediaries (more than 50 lakh users) must appoint a Chief Compliance Officer, a Nodal Contact Person available 24x7 and a Resident Grievance Officer, all resident in India. The Grievance Appellate Committee, notified in 2022, hears appeals against grievance-officer decisions and binds the intermediary. The I4C portal at cybercrime.gov.in is the citizen-side complaint channel that often originates the FIR.

Indian prosecution of social media offences runs through a defined set of provisions. Statutory matching, selecting the correct IT Act and BNS heads before drafting the report, is the examiner's primary obligation.

IT Act Section 66A, which previously criminalised 'grossly offensive' or 'menacing' messages sent through a communication device, was struck down as unconstitutional by the Supreme Court in Shreya Singhal v Union of India in March 2015. The provision is dead law. Any FIR that lists Section 66A as a head of charge is defective. The conduct that 66A used to cover has shifted to BNS 351 (criminal intimidation), BNS 75 (sexual harassment) and BNS 78 (stalking).

Defamation on social media now sits under BNS Section 354 (the successor to IPC 499 and 500). The constitutional validity of criminal defamation was upheld in Subramanian Swamy v Union of India (2016), so prosecution under BNS 354 remains available alongside the civil suit. The platform-side angle is takedown: the aggrieved person can serve a Rule 3(1)(d) notice on the intermediary's Resident Grievance Officer; non-compliance lets the complainant approach the Grievance Appellate Committee and, if still unresolved, the courts.

Hate speech and communal incitement have a layered prosecution path. The substantive offence sits in BNS Section 196 (promoting enmity between groups), Section 299 (deliberate insult to religion) and Section 302 (statements conducing to public mischief). The IT Act side adds Section 69A blocking orders (the central government can direct an intermediary to block specific URLs in the interest of sovereignty, public order or decency) and Section 79 takedown on actual knowledge.

The sexual-offence side of social media crime runs through three IT Act sections, the POCSO Act 2012, and BNS sexual-offence provisions. Statutory matching must be precise because penalties differ substantially across the provisions.

Online grooming is the predator behaviour pattern of building trust with a minor through staged contact, sexualised conversation, request for images and eventual coercion or meeting. The 2019 amendment to the POCSO Act explicitly recognised online sexual offences, plugging the gap that earlier required physical proximity. IT Act Section 67B criminalises the production, transmission and possession of material depicting children in a sexually explicit act, plus the cultivation of online relationships with a child for sexual purposes. The two statutes are charged in tandem.

NCII (non-consensual intimate images) is the umbrella for revenge porn, morphed sexual imagery and leaked private content. The leading case is State of West Bengal v Animesh Boxi (2018), in which the Calcutta sessions court convicted the accused under IT Act 67 and 67A read with IPC 354A/C/D for uploading his former partner's intimate images and personal details to multiple sites. The court treated the digital evidence under the then-Section 65B IEA (now BSA Section 63) and accepted screenshots, hashes and the certificate.

Sextortion is the composite offence that stacks grooming, NCII threat and cheating. The pattern: an attacker posing as an attractive contact on Instagram or Facebook initiates contact, persuades the victim into a recorded video call (or supplies one via deepfake), screen-records, then threatens publication unless paid. Prosecution stacks IT Act 67A (sexual material), IT Act 66D (cheating by personation), BNS Section 308 (extortion, was IPC 383) and BNS Section 351 (criminal intimidation). The I4C portal categorises sextortion as its single largest complaint volume in the cyber-financial subcategory for 2024 and 2025.

Identity-side offences on social media fall into three patterns: fake accounts impersonating a real person, identity theft using stolen credentials of a real account, and AI-generated imagery depicting a person without consent.

1. Impersonation by fake account
   Attacker creates @realname_official or @realname.in with the target's photo and bio. Used to solicit money from the target's contacts, post defamatory content or run a romance scam. IT Act Section 66D (cheating by personation) and Section 66C (identity theft) apply; BNS Section 319 (cheating by personation) and Section 318 (cheating) stack on top when property is transferred.
2. Account takeover by credential theft
   Attacker phishes the password and OTP, or stuffs credentials from a leak corpus. Posts from the real handle, sometimes asking contacts for emergency money. IT Act Section 66 (computer-related offences) read with Section 43 (damage to computer, computer system) and BNS Section 318 (cheating) apply.
3. Romance scam / pig butchering
   Phase 1: relationship over weeks on Instagram, Facebook or LinkedIn. Phase 2: introduce a fake trading or crypto platform. Phase 3: drain through repeated deposits the platform refuses to release. Prosecution stacks IT Act 66D, BNS 318, BNS 319 (impersonation) and PMLA when laundering is established. Often international, so MLAT to the host country is part of the workflow.
4. Deepfake or AI-generated imagery
   Stable Diffusion, Sora, ElevenLabs or open-source LoRA models generate a face, voice or sexual imagery of a real person. IT Act Section 66E (privacy violation by image), Section 67A (sexually explicit material) and BNS Section 354 (defamation) apply; in the Rashmika Mandanna case (Delhi Police FIR, November 2023) charges were laid under IT Act 66E, 66C and IPC 465, 469 and the Intermediary Guidelines 2021 takedown obligations.
5. AI voice cloning vishing
   ElevenLabs or similar tools clone a relative's voice from a 30-second WhatsApp audio note. The cloned voice calls the victim claiming distress and asking for an urgent UPI transfer. IT Act 66C (identity theft, voice as a unique identification feature), IT Act 66D (cheating by personation) and BNS 318 apply.

The Rashmika Mandanna case in November 2023 is the reference deepfake prosecution in India. A deepfake video of the actor was posted on X and Instagram. The Delhi Police Special Cell registered an FIR under IT Act Sections 66E (privacy violation) and 66D (cheating by personation) read with BNS Section 354 (defamation). The Intermediary Guidelines 2021 obligations were invoked to require takedown by the platforms within the statutory window. The case prompted the MEITY advisory of November 7, 2023 directing intermediaries to identify and remove deepfake content within 24 hours of a complaint.

Sock puppet operations and coordinated inauthentic behaviour are the platform-side terms for fake-account networks running misinformation. The reference history is the 2016 Macedonian fake-news farms that targeted the US election; the Indian application sits in regional-language misinformation farms that target elections, communal events and corporate reputations. The forensic pivot is the cluster signature: shared registration emails, shared connecting IPs, common timestamps of posting bursts, repeated wording across accounts. Maltego, Hunchly and OSINT Framework are the workhorses for cluster mapping (the evidence collection topic covers the toolset).

The Intermediary Guidelines 2021 (formally the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021) replaced the 2011 rules and set the operational obligations for every intermediary serving users in India. The rules apply across three tiers: ordinary intermediaries, significant social media intermediaries (SSMI, more than 50 lakh users) and digital news / OTT publishers (covered by Part III of the rules, separately litigated).

The traceability rule, Rule 4(2), is the most litigated. It requires significant social media intermediaries that provide messaging services to enable identification of the first originator of information on a competent-authority order under Section 69 of the IT Act or for offences carrying punishment of five years or more. WhatsApp filed WhatsApp LLC v Union of India in the Delhi High Court arguing the rule breaks end-to-end encryption and violates Article 19(1)(a) and Article 21 (privacy after Puttaswamy). The case sits pending; the rule remains in force.

The DPDP Act 2023 (Digital Personal Data Protection Act) overlays the entire stack. Social media intermediaries are 'data fiduciaries' processing personal data of 'data principals'; they must take verifiable parental consent for processing data of users under 18 (Section 9), grant the right to correction and erasure (Section 12), notify breaches to the Data Protection Board (Section 8(6)), and face penalties under the schedule (up to Rs 250 crore for significant violations). The DPDP intersects with social media offence prosecution where a fake account or NCII upload also involves unlawful processing of personal data.

The Section 79 safe harbour interacts with all of the above. The intermediary retains protection from liability for third-party content only if it observes the Intermediary Guidelines due diligence (Rule 3) and removes content on actual knowledge (a court order, a government notification, or after a Rule 3(1)(d) complaint that the intermediary has accepted). The Shreya Singhal judgement read down Section 79(3)(b) to require a court order or notification, narrowing the takedown standard. The 2021 rules expanded the categories of actionable content (Rule 3(1)(d)) while preserving the Shreya Singhal reading-down. The combined result: ordinary takedown notices from a private complainant do not strip the safe harbour; a court order or government notification does.

The cross-link for the substantive evidentiary frame sits with Bharatiya Sakshya Adhiniyam 2023 Section 63, which governs how the social-media record gets admitted at trial once acquired.

The complaint-to-charge-sheet pipeline for an Indian social media offence is broadly standardised across states. The investigating officer must capture evidence promptly, since platform retention windows for metadata vary, and qualify it under BSA Section 63 before trial.

1. Citizen complaint at I4C portal
   The victim files at cybercrime.gov.in. The portal routes to the state nodal cyber cell. For financial fraud, the 1930 helpline triggers a transaction freeze under the citizen financial cyber fraud reporting system.
2. FIR or zero-FIR registration
   The state cyber cell registers the FIR under the matched IT Act and BNS sections. BNSS Section 173 permits zero-FIR registration at any police station regardless of jurisdiction, with subsequent transfer.
3. Immediate preservation request to the platform
   The IO sends a preservation request to the intermediary's Nodal Contact Person (or via the platform's LERS portal for Meta, X, Google). The preservation freezes account data for the statutory window pending a formal production order.
4. Production order under BNSS Section 91
   The IO obtains a Section 91 BNSS order from the jurisdictional magistrate for the production of the account records, login IP logs, message content (where preserved) and subscriber information. For foreign-incorporated platforms the formal channel is MLAT, in parallel with the LERS cooperative request.
5. Acquisition on the victim side
   Screenshots with URLs visible, full-page captures (Hunchly), device-side message export, hash the captured files with SHA-256. Cross-link with the [evidence collection topic](/topics/digital-forensics/social-media-evidence-collection-api-direct-indirect-osint).
6. FSL analysis and Section 63 BSA certificate
   FSL examines metadata, EXIF, header fields and content hashes. The senior analyst signs the BSA Section 63 certificate over the imaged container and the extracted exhibits. The certificate carries the device description, hashing method, working condition statement and the responsible official's signature.
7. Charge sheet under BNSS Section 193
   The charge sheet annexes the FSL report, the Section 63 certificate, the platform-side records and the witness statements. Trial proceeds; expert opinion is led under BSA Section 39 (was Section 45 IEA).

A practical detail that recurs in trial: the FIR's section selection must avoid 66A (struck down) and must distinguish 66C (identity theft) from 66D (cheating by personation). Section 66C punishes the dishonest or fraudulent use of another person's electronic signature, password or unique identification feature. Section 66D punishes cheating by personation by using a computer resource or communication device. The two are often charged together (a fake account that also defrauds), but the distinct elements have to be pleaded separately.

The Rashmika Mandanna FIR template is a useful reference for deepfake charge sheets. The Delhi Police Special Cell registered under IT Act 66E and 66D plus BNS 354. The preservation request to Meta and X was made within 48 hours of the FIR. The platforms' Resident Grievance Officers actioned takedown within the MEITY-advisory 24-hour window. The Section 63 certificate was signed over the preserved video file with SHA-256 hash. The trial is pending but the procedural template held.

The Bharatiya Sakshya Adhiniyam Section 63 cross-link covers the certificate format; the cyber crime taxonomy and IT Act 2000 topic covers the substantive offence catalogue.