Loan App Threatening Family Contacts: How to Stop (2026)

Direct answer (50 words): If an illegal loan app is calling your spouse, parents or boss with morphed photos and abuse, you have rights. RBI Digital Lending Guidelines 2022 ban contact scraping. File NCRP at cybercrime.gov.in within 24 hours, lodge BNS §351 + §296 FIR, report the app to Google Play, freeze repayment to unregistered lenders.

The 2 a.m. message that broke my cousin

My cousin in Pune borrowed ₹6,000 from a slick app called “RupeeQuick” in March 2026. The app promised “no paperwork, money in 5 minutes.” During install it asked for contacts, gallery, SMS, location. He clicked Allow All because he needed cash for his daughter's school fee.

The app deposited ₹4,200 (after a ₹1,800 “processing fee” he never agreed to). Repayment due in 7 days, not 30. He missed the deadline by 4 days. Then the abuse started.

A WhatsApp group was created with his entire phone book, 487 contacts. His face was morphed onto an obscene image with the caption “This man is a thief, he ran away with ₹50,000.” His daughter's school principal got the picture. His 71-year-old mother got a call at 2 a.m. saying her son had committed suicide and the body was at Sassoon Hospital. His boss was told he had stolen company laptops.

In 38 hours my cousin paid ₹47,000 to make it stop. It did not stop. The next demand was ₹1.2 lakh.

This is not a one-off. The Reserve Bank of India working group on digital lending found over 600 such illegal apps active in India in late 2025. If this is happening to you right now, this guide is the weekend playbook to break the cycle in 72 hours, with the exact statutes, the exact portals, and the exact wording.

What "loan app harassment" legally means in India

Loan app harassment is the use of personal data harvested from a borrower's phone (contacts, photos, call logs, gallery) to coerce repayment by threatening, defaming or sexually intimidating the borrower's family, employer or social network. It is illegal under Indian law regardless of whether you actually owe the money. The Reserve Bank of India in its Digital Lending Guidelines dated 2 September 2022 prohibits regulated entities from accessing borrower contact lists, gallery, or call logs. Apps that violate this are operating outside the regulated ecosystem and have no legal authority to recover anything.

1. RBI Digital Lending Guidelines, 2 September 2022

Para 5 of the guidelines (read with Annex II) restricts data access to “only camera, microphone, location or any other facility necessary for the purpose of onboarding/KYC requirements only, with the explicit consent of the borrower.” Contact scraping is expressly forbidden. The full circular is at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12382. Any app that pulled your contact list during install is operating outside this framework and is, by definition, an unregulated entity.

2. Bharatiya Nyaya Sanhita, 2024

3. Information Technology Rules, 2021 (Intermediary Guidelines)

Rule 3(1)(b)(ii) and 3(2) require intermediaries (Google Play, WhatsApp, Telegram) to remove morphed obscene content within 24 hours of a complaint by the affected person. The grievance officer details are mandatory and publicly listed.

4. RBI Master Direction on Recovery Agents (read with Fair Practices Code)

Even regulated lenders cannot call before 8 a.m. or after 7 p.m., cannot contact relatives unless you have defaulted and they are guarantors, and cannot use abusive language. Unregulated apps have zero recovery rights; the entire interaction is criminal.

5. RTI Act, 2005

You can file an RTI under §6(1) to the RBI Department of Regulation asking whether the entity behind the app is a registered NBFC, and to the Ministry of Electronics and IT asking the status of action against the URL/APK. RTI is your weapon to expose institutional inaction within 30 days.

Precedent

In Mohd. Bhasheer v. State of Telangana (2023, Telangana HC, Crl.P. 5234/2022) the court refused to quash an FIR against a Chinese-origin loan app director, holding that contact scraping plus morphed image distribution constitutes a continuing offence and that arguments about the borrower's “consent” at install do not survive when the app exceeds RBI's permitted data scope. In Sandeep Kumar v. Union of India (2022, Delhi HC, W.P.(C) 5450/2022) the court directed Google to remove 94 illegal loan apps within 48 hours of identification by the Ministry of Home Affairs.

The 72-hour stop-the-bleeding playbook

  1. Hour 0 to 2: Document everything. Screenshot every WhatsApp message, every call log, every UPI debit. Use a second phone or a friend's phone to record incoming calls (recording your own incoming call is legal in India per R.M. Malkani v. State of Maharashtra AIR 1973 SC 157). Save the APK file if you can; it is evidence of the data permissions requested.
  2. Hour 2 to 4: Cut the data tap. Go to phone Settings, App Permissions, and revoke contacts, storage, SMS, call logs, microphone, camera for the loan app. Do not uninstall yet; the app may have a kill-switch that triggers a final spam blast on uninstall. Revoke first, then uninstall after step 5.
  3. Hour 4 to 6: File NCRP complaint. Go to https://cybercrime.gov.in, click “Report Other Cybercrime”, choose “Online Financial Fraud” and sub-category “Digital Lending Harassment”. Upload your screenshots, the APK name, the UPI IDs to which money went, and the morphed image (if any). You will get a complaint number starting with the prefix of your state. This number unlocks bank intervention.
  4. Hour 6 to 8: Freeze the UPI rail. Call 1930 (national cyber helpline). Quote your NCRP number. Ask them to flag the receiving UPI VPAs and bank accounts. If you reported within 24 hours of the first transfer, NPCI's reverse-credit window can recover up to 70 percent of recent debits in our experience.
  5. Hour 8 to 24: File offline FIR. Walk into the nearest cyber police station with printed screenshots. Cite BNS §351 + §296 + §318 + §356 plus IT Act §66E + §67A. Police are required to register an FIR for cognizable offences under Lalita Kumari v. State of UP (2014) 2 SCC 1; if they refuse, escalate in writing to the Superintendent of Police under §175(3) BNSS.
  6. Hour 24 to 48: Notify the contacts list. Send one calm, factual WhatsApp broadcast to your phone book: “You may receive abusive messages or morphed images about me from a fake number. This is a known illegal loan app scam, FIR registered, complaint number XYZ. Please block and ignore.” This single step destroys the social weapon the app is using.
  7. Hour 48 to 72: Report the app. Go to Google Play Store, find the app, tap “Flag as inappropriate” and choose “Sexual Content / Harassment”. Then email [email protected] with your NCRP number. Apps removed under this route in 2025 averaged a 36-hour takedown.
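
Step 1 calls the saved APK evidence of the data permissions requested. The sketch below is an added example, not part of the original guide: it sorts the text printed by the Android SDK's `aapt dump permissions` into the categories the RBI guidelines permit for onboarding/KYC and those the guide says are forbidden. The permission-to-category mapping, the function names and the sample package are assumptions made for illustration.

```python
import re

# Assumption: this mapping of Android permission names to the data categories
# named in this guide is illustrative, not text from the RBI circular.
PERMITTED = {"CAMERA": "camera", "RECORD_AUDIO": "microphone",
             "ACCESS_FINE_LOCATION": "location", "ACCESS_COARSE_LOCATION": "location"}
PROHIBITED = {"READ_CONTACTS": "contacts", "WRITE_CONTACTS": "contacts",
              "READ_CALL_LOG": "call logs", "READ_EXTERNAL_STORAGE": "gallery/files",
              "READ_MEDIA_IMAGES": "gallery/files"}
# Matches both aapt styles: name='android.permission.X' and bare android.permission.X
USES = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def audit(aapt_output):
    """Sort requested permissions into permitted / prohibited / other buckets."""
    report = {"package": None, "permitted": [], "prohibited": [], "other": []}
    for raw in aapt_output.splitlines():
        line = raw.strip()
        if line.startswith("package:"):
            report["package"] = line.split(":", 1)[1].strip()
            continue
        m = USES.match(line)
        if not m:
            continue  # ignore lines that are not permission requests
        name = m.group(1)
        prefix, _, short = name.rpartition(".")
        platform = prefix == "android.permission"
        if platform and short in PROHIBITED:
            bucket, label = "prohibited", PROHIBITED[short]
        elif platform and short in PERMITTED:
            bucket, label = "permitted", PERMITTED[short]
        else:
            bucket, label = "other", "review manually"
        if (name, label) not in report[bucket]:
            report[bucket].append((name, label))
    return report

def summary(report):
    """One line for a complaint annexure, listing prohibited categories requested."""
    bad = sorted({label for _, label in report["prohibited"]})
    verdict = "requests " + ", ".join(bad) if bad else "requests no prohibited category"
    return f"{report['package']}: {verdict} ({len(report['other'])} other permissions to review)"

# Constructed sample in the shape of `aapt dump permissions <file.apk>` output.
SAMPLE = """package: com.example.loanapp
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission-sdk-23: name='android.permission.READ_MEDIA_IMAGES'
uses-permission: android.permission.ACCESS_FINE_LOCATION
"""
if __name__ == "__main__":
    print(summary(audit(SAMPLE)))
```

Permissions that land in the "other" bucket, such as SMS access, are not classified either way here and need a manual look.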

Documents you need ready

Common mistakes that make it worse

Real case: Pune, March 2026

Borrower: A 34-year-old delivery rider, Hadapsar, Pune.
App: RupeeQuick (Play Store), removed 19 March 2026.
Loan asked: ₹6,000.
Net received: ₹4,200.
Repayment demanded in 7 days: ₹9,400.
Total extorted before intervention: ₹47,000 over 38 hours.
NCRP filed: 16 March 2026, ack number MH-CYB-26-0394XXX.
FIR: 17 March 2026, Hadapsar Police Station, BNS §§351, 296, 318, 356 + IT Act §§66E, 67A.
UPI freeze: ₹31,000 of the ₹47,000 reverse-credited within 6 days via NPCI dispute.
Outcome: App delisted by Google 19 March, two arrests in Bengaluru on 4 April 2026.
Total out-of-pocket loss: ₹16,000 (against ₹4,200 actually received, a 281 percent loss before recovery).

Sample RTI to expose the regulator's response

To,
The Central Public Information Officer,
Department of Regulation,
Reserve Bank of India,
Central Office, Mumbai 400 001.

Subject: Request for information under §6(1) of the RTI Act, 2005

Sir/Madam,

Under §6(1) of the Right to Information Act, 2005, I request the
following information for the period 1 January 2025 to 30 April 2026:

1. The total number of complaints received by RBI against the digital
   lending app "[App Name]" / package ID "[com.example.xxx]".
2. Whether the said app is operated by a Regulated Entity (RE) within
   the meaning of the RBI Digital Lending Guidelines dated 2 September
   2022. If yes, the name and CoR number of the RE.
3. Action taken by RBI under §45L and §45MA of the RBI Act, 1934 read
   with the Digital Lending Guidelines, 2022, against the said app.
4. Copy of any advisory issued to scheduled commercial banks regarding
   freezing of merchant UPI VPAs linked to the said app.

I am enclosing the IPO of ₹10 towards application fee. I claim
exemption / fee waiver under §7(5) if applicable as I am a victim of
the harassment that is the subject of this RTI.

Should any portion be claimed exempt under §8, I request severance
under §10. If the information is held by another public authority,
please transfer under §6(3) within 5 days. Reply is due within 30 days
under §7(1). I reserve my right to first appeal under §19(1).

Yours faithfully,
[Name]
[Address]
[Email and phone]
[Date]

When to escalate beyond police

FAQ

Do I still owe the money if the app is illegal?

No legal recovery action lies against you for an unregulated lending entity. The amount actually disbursed (not the inflated demand) may be morally repayable, but no court will entertain a recovery suit by an unlicensed lender, and the Maharashtra Money Lending Act, 2014 plus the Karnataka Prohibition of Charging Exorbitant Interest Act, 2004 make the contract void at the borrower's option.

Can the app actually share morphed images with my contacts legally?

Never. It is a criminal offence under BNS §296 + §356 and IT Act §66E + §67A regardless of any “consent” you clicked at install, because consent under §43A SPDI Rules and Rule 3 of IT Rules 2021 must be specific and informed, and bulk contact extraction fails this test per Justice K.S. Puttaswamy (2017) 10 SCC 1.

Will my employer fire me after the boss gets the morphed photo?

A dismissal solely on the basis of an external defamatory message, especially one tied to a registered FIR, is challengeable as victimisation under §25F of the Industrial Disputes Act, 1947 (for workmen) or under contract law. Forward your FIR copy to HR proactively; the moment they see “registered criminal case, identified scam”, the calculus flips.

How fast can I get the morphed image off WhatsApp?

Forward the image to WhatsApp's grievance officer at [email protected] with your FIR number and a §43A IT Act takedown demand. WhatsApp policy commits to action within 36 hours; with an FIR attached, our case studies show 4 to 12 hours.

What if the loan was actually for ₹50,000 and I am genuinely behind?

Even if you owe a regulated NBFC ₹50,000 and have defaulted, contact harassment, morphed images and night calls remain criminal. The debt and the harassment are two separate legal channels. Pay the genuine debt through normal channels and prosecute the harassment regardless.

Yes. Recording a call you are a party to is legal in India per R.M. Malkani v. State of Maharashtra AIR 1973 SC 157, and is admissible as evidence under §63 of the Bharatiya Sakshya Adhiniyam, 2023, provided you can authenticate it with a §63(4) certificate.

Can I sue the app's directors personally?

Yes. Under §35 of the Companies Act, 2013 and the doctrine of personal criminal liability under BNS, the directors of the operating company are personally liable. The MeitY block-list and Ministry of Corporate Affairs filings give you the names. The Bhasheer judgment confirms personal prosecution survives even when the company is shell-structured offshore.

What is NCRP's typical response time?

First-level acknowledgement is instant. Bank-level UPI freeze on a fresh complaint averages 4 to 18 hours. App takedown averages 36 to 96 hours when supported by an FIR. Arrest of operators averages 30 to 90 days.
