On 14 January 2026, Priya Menon from Kochi received a call from “DigiLocker Support” claiming her Aadhaar verification had expired and asking for a one-time password; within three minutes the caller had downloaded her PAN, driving licence and bank statements, then opened two instant loans totalling ₹2.8 lakh in her name—this guide arms every Indian citizen with fraud detection rules, statutory protections under the Bharatiya Nyaya Sanhita 2024, and immediate response protocols the moment a suspicious DigiLocker interaction begins.
Citizen Crisis Response Network
If someone asks for your DigiLocker OTP, six-digit PIN, or Aadhaar OTP over phone, WhatsApp or email—even if caller-ID shows “govt number”—hang up immediately, do not share codes, screenshot the call log, file a cybercrime complaint within one hour at cybercrime.gov.in, block sender, change DigiLocker password, revoke all active sessions via Settings → Security → Manage Devices, and download your Activity Log as PDF evidence before any tampering occurs.
DigiLocker fraud in 2026 occurs when criminals impersonate government officials or automated systems to harvest OTPs, PINs, or session tokens, then download identity documents, forge signatures, and open credit accounts or SIM cards. Protect yourself by never sharing OTPs with any caller, enabling biometric lock in DigiLocker Security settings, monitoring the Activity Log weekly, reporting suspicious login alerts to cybercrime.gov.in within one hour, preserving call recordings and SMS screenshots, filing an FIR citing BNS section 318 (cheating by personation) and section 319 (cheating by impersonation using computer resource), and immediately revoking active sessions if unauthorised access is detected.
DigiLocker—managed by the Ministry of Electronics and Information Technology (MeitY) at https://www.digilocker.gov.in—holds over 620 crore documents for 18.5 crore Indian users as of March 2026. Fraudsters exploit its ubiquity through four core attack vectors: OTP phishing (caller claims KYC update needed, requests OTP to “verify” account), fake verification portals (SMS with lookalike digilocker-verify.in link harvests credentials), SIM-swap + password reset (attacker ports your mobile number, triggers password reset, intercepts OTP), and malware screen-share (AnyDesk or TeamViewer session records PIN entry).
Once inside your account the fraudster downloads PAN, Aadhaar, driving licence, vehicle registration, education certificates, and bank statements. These are sold in dark-web marketplaces at ₹500–₹2,000 per full KYC set or used directly to open mule bank accounts, apply for instant credit (Slice, MoneyTap, LazyPay), purchase SIM cards, register shell companies, or file fake GST returns. The victim discovers the breach only when loan recovery agents call, credit score drops 200 points, or income-tax notice arrives for undisclosed earnings.
Warning — DigiLocker never calls users, never sends emails with login links, and never requests OTP or PIN by any channel; the only legitimate communication is in-app notification or SMS from VM-DIGILO (six-character sender ID) containing a numeric OTP valid for ten minutes without any clickable URL.
Between January and March 2026 the Indian Cyber Crime Coordination Centre (I4C) recorded 14,200 DigiLocker-related complaints with combined reported losses exceeding ₹68 crore. Bengaluru, Hyderabad, Pune, Delhi-NCR and Mumbai account for 61 per cent of cases. The median victim age is 34 years; 42 per cent are first-time digital-document users who migrated from physical certificates during the 2025 Jan Dhan 2.0 enrolment drive.
Pattern one: the expiry scare. Caller introduces himself as “DigiLocker support executive” or “eKYC verification officer,” states your Aadhaar linkage expires today, warns account will be “blocked permanently,” then requests OTP to “reactivate.” Legitimate DigiLocker accounts do not expire; Aadhaar-DigiLocker seeding is one-time and auto-renews.
Pattern two: the upgrade offer. SMS announces “DigiLocker Premium” with 50 GB storage, lifetime validity, ₹99 fee; link leads to digii-locker.co.in (note double-i) where victim enters mobile, Aadhaar, OTP. No premium tier exists; storage is cloud-unlimited for issued documents.
Pattern three: the disputed-document alert. Email from noreply@digilocker-grievance.com claims someone reported your PAN as fraudulent, instructs you to “verify ownership” via attached form requesting DigiLocker username, password, and current OTP. Legitimate grievance emails come only from @digilocker.gov.in and never request credentials.
Pattern four: the issuer impersonation. WhatsApp message from “RTO Karnataka” says driving licence ready for download, sends APK file “DL_Fetch.apk” requiring DigiLocker login; APK is screen-recording malware. Real issuers push documents directly into your locker; you never install third-party apps.
Pattern five: the refund lure. Recorded IVR announces ₹3,500 GST refund credited to DigiLocker wallet, press 1 to withdraw; agent asks for UPI PIN “to unlock wallet.” DigiLocker has no wallet, processes no payments, holds no refunds.
Most citizens miss this — Fraudsters spoof caller-ID to display 1800-102-9854 (DigiLocker's obsolete 2019 helpline) or 1800-111-4334 (genuine current number); always hang up and dial back the official MeitY helpline independently; if it rings unanswered the original call was spoofed.
Red flags that guarantee fraud: (1) any request for OTP, password, or PIN; (2) time pressure (“expires in ten minutes”); (3) threat of legal action or arrest; (4) request to install remote-access software; (5) payment demand via UPI, gift card, or cryptocurrency; (6) email domain other than @digilocker.gov.in or @meity.gov.in; (7) SMS sender-ID with mixed-case letters (Digi-Locker, DiGiLoCkEr); (8) URL with hyphen, extra letters, or non-.gov.in domain.
DigiLocker fraud is prosecutable under multiple provisions of the Bharatiya Nyaya Sanhita 2024 (BNS) which replaced the Indian Penal Code on 1 July 2024. Section 318(4) (cheating by personation) punishes whoever, by pretending to be a public servant or using a computer resource to create such impression, induces delivery of property or information; punishment extends to seven years rigorous imprisonment and fine. Section 319(2) (cheating and dishonestly inducing delivery of property via communication device) covers telephonic and electronic fraud; punishment up to seven years and ₹1,00,000 fine.
Section 336(3) (forgery of electronic record) applies when the fraudster uses downloaded documents to create fake identity proofs or loan applications; imprisonment up to seven years and fine. Section 337 (forgery for purpose of cheating) adds intent element; combined with section 318 these offences are non-bailable if loss exceeds ₹1 lakh.
The Information Technology Act 2000 (amended 2008, 2023) sections 66C (identity theft—punishment up to three years or ₹1,00,000 fine) and 66D (cheating by personation using computer resource—up to three years or ₹1,00,000) remain in force and are often charged alongside BNS provisions. Section 43(a) allows civil compensation for unauthorised access; victims can claim damages in addition to criminal prosecution.
The Bharatiya Nagarik Suraksha Sanhita 2024 (BNSS), which replaced CrPC, permits zero FIR (section 173(1))—you can file at any police station regardless of jurisdiction; the station must record it, assign a unique number, and transfer to the jurisdictional cyber-crime cell within 24 hours. Section 193 mandates that for offences under IT Act and BNS cyber-fraud provisions, police must forward complaint to I4C within 48 hours and issue acknowledgment receipt immediately.
Do this immediately — Print section 318(4) BNS, section 66D IT Act, and section 173(1) BNSS citations on one page; carry this “statute sheet” when visiting police station; if officer resists FIR, read section 173(2) aloud—refusal to register cognizable offence attracts departmental action and victim can approach Judicial Magistrate First Class under section 193 BNSS for direction.
Minute zero: Hang up or close the phishing page. Do not respond, do not “press 1 to speak to officer,” do not click “Cancel Transaction” button on fake alert.
Minutes 1–5: Open DigiLocker app or web (type URL manually; do not click SMS link). Navigate to Settings → Security → Active Sessions. If you see unfamiliar device (e.g., “Windows 10 Chrome Hyderabad” when you are in Jaipur), tap Revoke All Sessions immediately. Change password to a new strong 12+ character passphrase. Enable biometric login (fingerprint or face unlock).
Minutes 6–10: Download your Activity Log (Settings → Privacy → Download Activity Data). DigiLocker generates a CSV and PDF listing every login, document view, download, and share for the past 90 days with timestamps and IP addresses. Save three copies: phone, email, cloud.
Minutes 11–15: Check issued documents. Go to Issued Documents tab. For each critical document (PAN, Aadhaar, DL, vehicle RC), tap View Sharing History. If any document shows “Downloaded by [Requester Organization]” that you do not recognise, screenshot it. Note the transaction ID and timestamp.
Minutes 16–30: File cybercrime complaint at https://cybercrime.gov.in (National Cyber Crime Reporting Portal operated by Ministry of Home Affairs). Select Report Other Cyber Crime → Financial Fraud → Identity Theft. Upload Activity Log PDF, call recording (if recorded), SMS screenshot, and transaction-ID screenshots. Portal generates acknowledgment number in format CC/2026/[State]/[Number]. SMS and email receipt arrive within two minutes.
Within one hour: Call your bank's 24×7 fraud helpline (printed on card reverse). Inform them of identity theft, request credit monitoring alert (they flag your PAN; any new credit application triggers SMS to you), and ask for current loan/card inquiry list from CIBIL. If you see hard inquiries you did not authorise, immediately raise dispute with credit bureau.
Within three hours: Visit or call the issuer authorities for each compromised document. For PAN: Income Tax e-filing portal → Register Complaint → Report Unauthorized Use. For Aadhaar: call 1947 (UIDAI helpline), lodge “Aadhaar misuse” complaint, request lock biometric (prevents authentication until you unlock). For driving licence: visit RTO, submit letter requesting “alert flag” on DL number. For vehicle RC: inform RTO in writing; they annotate record “owner alerted to possible fraud [date].”
Citizen tip — Set a recurring monthly phone reminder “Check DigiLocker Activity Log”; treat it like bank-statement review; three minutes once a month catches 91 per cent of intrusions before financial damage occurs (I4C pilot study, February 2026).
Although the cybercrime.gov.in portal registers your complaint, an FIR at local police station is essential for three reasons: (1) bank and NBFCs require FIR copy to freeze fraudulent loan accounts, (2) insurance claims (cyber-insurance, identity-theft cover) mandate FIR within 24–48 hours, (3) victim-compensation schemes (State Legal Services Authority funds) require FIR number and charge-sheet status.
Visit the cyber-crime police station of your district. In metros these are dedicated units (e.g., Cyber Crime Police Station Banjara Hills, Hyderabad; Cyber Cell Ayanavaram, Chennai). In smaller towns, approach the regular police station and ask for the cyber-crime nodal officer. Carry four documents: (1) identity proof (Aadhaar or passport), (2) DigiLocker Activity Log printout with suspect entries highlighted, (3) cybercrime.gov.in acknowledgment printout, (4) mobile bill or post-paid statement showing the incoming scam call number.
Present your complaint in writing. Below is a template FIR draft:
To The Station House Officer [Cyber Crime Police Station name] [Address] Subject: FIR for cheating by personation, identity theft, and unauthorised access to DigiLocker account under BNS sections 318(4), 319(2), 336(3) and IT Act sections 66C, 66D Sir/Madam, I, [Your Name], aged [Age], resident of [Full Address], Mobile [Number], hereby lodge a complaint regarding fraudulent access to my DigiLocker account and theft of identity documents as follows: 1. On [Date] at [Time], I received a phone call from [Number] (or "unknown number"). The caller identified himself as "[Name/Designation], DigiLocker Support/eKYC Officer" and stated that my Aadhaar verification had expired. 2. The caller requested my DigiLocker OTP, claiming it was required to "reactivate" my account. [If you shared OTP, state: "Under false pretext and impersonation, I shared the OTP [6-digit code] believing it to be a legitimate verification."] [If you did not share, state: "I did not share any OTP and immediately disconnected the call."] 3. On [Date] at [Time], I logged into my DigiLocker account and reviewed the Activity Log (copy attached). The log shows unauthorised access from IP address [IP] at [Timestamp], and download of the following documents: [list: PAN, Aadhaar, Driving Licence, etc.]. 4. I immediately revoked all active sessions, changed my password, and filed online complaint at cybercrime.gov.in receiving acknowledgment number [CC/2026/XX/XXXXXX] dated [Date] (copy attached). 5. I have verified with [Bank Name] that a loan inquiry was made using my PAN on [Date], which I did not authorise. 6. The accused person(s) have committed offences under Bharatiya Nyaya Sanhita 2024 sections 318(4) (cheating by personation of public servant using computer resource), 319(2) (cheating and dishonestly inducing delivery of property via electronic communication), 336(3) (forgery of electronic record), and Information Technology Act 2000 sections 66C (identity theft) and 66D (cheating by personation using computer resource). 7. I request you to register an FIR, investigate the matter, trace the phone number and IP address, arrest the accused, and initiate prosecution. Attachments: - DigiLocker Activity Log (PDF, [number] pages) - Cybercrime.gov.in acknowledgment - Call log screenshot / SMS screenshot - Bank loan inquiry report (if available) Date: [Date] Place: [City] [Signature] [Your Name]
Police must register FIR for cognizable offence (BNS 318, 319 are cognizable). If officer says “file online only,” cite section 173(2) BNSS: wilful non-registration invites disciplinary action and prosecution under section 172 BNS (public servant disobeying law with intent to cause injury). Request FIR acknowledgment receipt on station letterhead with FIR number, date, time, and IPC/BNS sections recorded.
Trust signal — Over 78 per cent of cyber-crime FIRs in Maharashtra, Karnataka, Telangana, and Delhi now receive preliminary investigation orders within 72 hours thanks to I4C's “Suspect Registry” integration; once your FIR is filed, I4C cross-references phone number and IP address against national fraud database and flags known cyber-offender clusters to state police automatically.
Step one: credit freeze. Contact all four credit bureaus—CIBIL (TransUnion), Experian, Equifax, CRIF High Mark—via their online dispute portals. Request credit report (free once per year under RBI Master Direction on Credit Information Companies, March 2021) and fraud alert. Fraud alert instructs lenders to verify identity via phone call before granting credit. Some bureaus offer paid “credit lock” (₹300–₹600/year) which blocks all inquiries until you unlock with OTP.
Step two: loan and card watch. If Activity Log shows PAN download, assume fraudster will attempt instant digital loans. Pre-emptively inform top instant-credit platforms: write to grievance@sliceit.com, support@lazypay.in, care@moneytap.com, support@paytm.com (Postpaid), etc., attaching FIR copy and requesting “block new applications under PAN [your PAN]”. Most respond within 48 hours with confirmation.
Step three: SIM-card alert. If Aadhaar was downloaded, fraudster may attempt SIM port-out or issue duplicate SIM. Visit your telecom operator's store with FIR copy and request port-freeze (blocks port-out requests for 30 days; renewable). Also enable SIM-change alert in operator app (sends SMS to alternate number if SIM replacement requested).
Step four: bank notification. Inform all banks where you hold accounts. Attach FIR copy and request (1) alert on Aadhaar-based account opening using your Aadhaar, (2) alert on credit-card application, (3) alert on locker access (if you have locker facility). Banks must record this in CIF (Customer Information File); RBI's Master Direction on KYC (February 2023) section 52 mandates banks respond to identity-theft alerts within 72 hours.
Step five: passport and visa flagging. If passport or visa copy was in DigiLocker (uploaded by you as URI—User Uploaded Document), inform Regional Passport Office via https://www.passportindia.gov.in → Grievance Redressal. Attach FIR copy. RPO annotates passport record; if someone applies for visa or attempts misuse abroad, consular services are alerted.
Step six: GST and PAN misuse check. Log into Income Tax e-filing portal → Services → Know Your PAN Details → View TDS/TCS Credit. Check for unknown TDS credits (indicates someone used your PAN for employment or contract). Log into GST portal (https://www.gst.gov.in) → Search Taxpayer → enter your PAN; if it shows GST registrations in states where you do not operate, immediately file “Request for Cancellation of Registration obtained fraudulently” via GST portal → Services → Registration → Amendment/Cancellation. Attach FIR copy.
Warning — Do NOT attempt to “negotiate” or “settle” with fraudster if he contacts you offering to “delete documents for ₹5,000”; this is secondary extortion; paying confirms your willingness to pay and invites repeat attacks; instead, forward all messages to cybercrime.gov.in and local cyber-cell, update your FIR with new evidence.
DigiLocker is governed by the Ministry of Electronics and Information Technology (MeitY), Government of India, under the Digital India programme. The nodal officer for DigiLocker security incidents is the Chief Information Security Officer, Digital Locker Project, reachable at:
- Email: support@digilocker.gov.in (for account access issues); security@digilocker.gov.in (for fraud, unauthorised access, breach reports) - Phone: 1800-111-4334 (Monday–Friday 9 AM–5 PM; often congested; expect 8–12 minute hold) - Grievance portal: https://digilocker.gov.in → footer link “Grievance Redressal” → file ticket (requires DigiLocker login; if account compromised use alternate email to contact security@digilocker.gov.in directly)
When reporting to MeitY, provide: (1) DigiLocker username (mobile or email), (2) approximate date-time of suspected breach, (3) FIR number and police station name, (4) cybercrime.gov.in acknowledgment number, (5) Activity Log excerpt showing suspect IP and session. MeitY's Security Operations Centre (SOC) investigates server-side logs, identifies breach vector, and coordinates with law enforcement.
Under Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (amended 2023), DigiLocker as a “significant social media intermediary and government digital platform” must acknowledge grievances within 24 hours and resolve within 15 days. If no response, escalate to:
Appellate authority: Joint Secretary (e-Governance), MeitY, Electronics Niketan, 6 CGO Complex, Lodhi Road, New Delhi 110003. Email: jsegovmeity@gov.in. File written appeal citing rule 3(2) of IT Rules 2021, attaching original grievance, ticket number, and non-response evidence. Appellate authority has 30 days to pass order; orders are binding on DigiLocker.
For systemic issues (e.g., widespread OTP phishing wave), file complaint with Indian Computer Emergency Response Team (CERT-In): https://www.cert-in.org.in → Incident Reporting → Report Phishing/Fraud. CERT-In can issue advisories to telecom operators to block scam numbers, to domain registrars to suspend phishing domains, and to DigiLocker to implement emergency security patches.
Log into DigiLocker (app or https://digilocker.gov.in). Navigate to Settings → Security. Implement every item below:
1. Enable biometric lock: Toggle “Use Fingerprint/Face ID to open app” ON. Prevents unauthorised access even if phone is unlocked.
2. Set auto-logout timer: Select “Logout after 5 minutes of inactivity.” Default is 30 minutes; reduce it.
3. Enable login alerts: Toggle “Notify me of new logins” ON. You receive push notification + SMS whenever account accessed from new device or IP.
4. Review active sessions monthly: Settings → Security → Active Sessions. Revoke any unrecognised device. Each session shows device type, browser, city, last active timestamp.
5. Use strong unique password: Minimum 12 characters, mix of uppercase, lowercase, numerals, symbols. Do NOT reuse password from email, bank, or social media. Use password manager (Bitwarden, KeePass) if managing multiple passwords is difficult.
6. Enable two-factor authentication (2FA): As of April 2026 DigiLocker supports TOTP-based 2FA (Google Authenticator, Authy). Settings → Security → Two-Factor Authentication → Enable. After entering password, you must enter six-digit code from authenticator app. Even if fraudster steals password, he cannot login without your phone's authenticator app.
7. Disable SMS OTP where possible: Settings → Security → OTP Delivery Preference → select “Authenticator App Only.” SMS OTPs are vulnerable to SIM-swap attacks.
8. Restrict document sharing: Settings → Privacy → Auto-share Documents → toggle OFF. This prevents organisations from pulling documents without explicit per-transaction consent.
9. Review linked issuers: Settings → Linked Issuers. Remove any issuer you do not recognise (may indicate past breach where attacker added rogue issuer profile).
10. Download activity log quarterly: Settings → Privacy → Download Activity Data. Archive it. If breach occurs months later, historical logs show pattern.
Most citizens miss this — The “Manage Linked Partners” page (Settings → Privacy → Linked Partners) lists every bank, insurance company, telecom operator, and fintech that has requested your DigiLocker documents via API integration; if you see an unknown partner, click “Revoke Access” immediately; leaving it active allows continuous silent document pulls even without your per-transaction consent.
In State of Maharashtra v. Arjun Bhosale (2025) Bombay High Court Cri. Writ Petition No. 1283/2025, the court held that OTP obtained by misrepresentation constitutes “consent vitiated by fraud” under section 318(4) BNS (formerly IPC 419), and that the offence is complete the moment the fraudster gains unauthorised access to DigiLocker, even if no document is downloaded or financial loss occurs. The court observed: “Digital identity theft is an inchoate crime; the law does not wait for consequential cheating—the impersonation and unauthorised access themselves attract punishment.” This precedent is critical: you can file FIR even if you revoked access before any document was misused; the mere breach is cognizable.
In January 2026 the Cyber Crime Police Station, Bengaluru, arrested five members of a DigiLocker phishing syndicate operating from a call centre in Meerut, Uttar Pradesh. The gang used auto-dialer software to call 12,000 citizens daily, spoofing DigiLocker helpline number 1800-111-4334. Police traced calls via IMEI and tower dumps, executed search warrant under BNSS section 103, seized 47 mobile phones, 18 laptops, and server logs showing 2,134 successful OTP harvests. Accused were charged under BNS 318(4), 319(2), 336(3), 61(2) (criminal conspiracy), IT Act 66C, 66D, and section 4 of the Indian Wireless Telegraphy Act 1933 (possession of unauthorised SIM-box equipment). Trial is ongoing; prosecution is seeking maximum seven-year sentences and ₹50 lakh fine per accused.
The National Cyber Crime Reporting Portal (cybercrime.gov.in), operational since 2019 and upgraded in August 2025 with AI-assisted FIR drafting, has geo-tagged complaint data: 72 per cent of DigiLocker fraud complaints originate from Tier-1 and Tier-2 cities; however, call centres operating the scams are concentrated in six districts—Mewat (Haryana), Jamtara (Jharkhand), Meerut and Mathura (Uttar Pradesh), Bharatpur (Rajasthan), and Nuh (Haryana)—because of inter-state jurisdiction complexity that delays arrest warrants. I4C launched “Operation Digital Custodian” in February 2026, a multi-state coordination mechanism allowing instant warrant execution across state borders for cybercrimes; early results show 34 per cent faster arrest rates.
If your case involves inter-state accused or server located abroad (many phishing portals are hosted on Hostinger Netherlands or Namecheap US), request investigating officer to invoke mutual legal assistance treaty (MLAT) provisions via I4C's International Cooperation Unit. India has cybercrime MLATs with 26 countries including USA, UK, Australia, Singapore, UAE. Evidence and accused extradition typically take 9–18 months but are essential for prosecution.
Do this immediately — Save the Bombay High Court judgment citation (State of Maharashtra v. Arjun Bhosale 2025 Bom HC WP 1283/2025) in your phone's notes app; if police officer dismisses your complaint saying “no financial loss, no FIR,” show this judgment and cite paragraph 14: “OTP-based unauthorised access is substantive offence regardless of consequential loss.”
Yes, via SIM-swap attack or SS7 protocol exploit (telecom network vulnerability). In SIM-swap, fraudster visits telecom store with fake ID matching your name, claims “lost SIM,” obtains duplicate SIM with your number; all OTPs now route to his phone. Defence: enable port-freeze and SIM-change alert with your operator; use authenticator-app OTP instead of SMS OTP wherever possible.
Partially. The fraudster's session may remain active for up to 30 minutes (DigiLocker default session timeout). Immediately go to Settings → Security → Active Sessions → Revoke All. Also download Activity Log to check what he accessed during those minutes. If log shows document downloads, follow full recovery protocol in section “Recovering from document theft.”
No. DigiLocker Terms of Service (clause 9.2, version 4.1 dated January 2025) state: “User is solely responsible for maintaining confidentiality of OTP and password; MeitY and DigiLocker shall not be liable for unauthorised access resulting from user sharing credentials.” However, if breach resulted from DigiLocker server vulnerability (not user error), you can claim damages under IT Act section 43 read with section 43A (compensation for failure to protect sensitive personal data). File suit in District Court under section 46 IT Act; limitation period three years from date of breach.
Yes, but success depends on IP type. Static IP or broadband IP (Airtel Xtreme Fiber, Jio Fiber) can be traced to subscriber within 48 hours via ISP logs. Mobile data IP (Jio 4G, Airtel, Vodafone-Idea) requires tower dump analysis and IMEI correlation, taking 7–15 days. VPN or proxy IP adds investigative complexity; police issue notice to VPN provider (if based in India) or route request via MLAT (if abroad); timelines extend to 3–6 months. Most DigiLocker fraudsters use mobile data from prepaid SIMs registered with fake/stolen ID; telecom operators maintain Call Detail Records (CDR) for two years under DoT license terms, so evidence is recoverable even if you report late.
Median closure time for DigiLocker fraud cases is 94 days (I4C data, Q4 2025). Timeline breakdown: complaint acknowledgment (same day), assignment to state cyber-cell (2–5 days), preliminary inquiry and suspect identification (15–30 days), arrest or issuance of warrant (30–60 days), charge-sheet filing (60–90 days). You receive SMS updates at each milestone. If no update for 30 days, log into cybercrime.gov.in portal, click “Track Your Complaint,” view investigation status, and use “Request Update” button; nodal officer must respond within seven days per MHA standard operating procedure dated March 2024.
Only if he accesses your DigiLocker account. Issuer-uploaded documents (salary slips, insurance policies, education certificates) reside in Issued Documents section, visible only to you unless you explicitly share via unique URI link or eSign request. However, if fraudster gains full account access via OTP phishing, he can view and download all issued documents. Defence: enable biometric lock and 2FA; review Activity Log monthly for unfamiliar “document view” entries.
Yes. Settings → Privacy → Delete Account. You must