PAN/Aadhaar Identity Theft: Recovery in India (2026)

Search intent: Emergency / Recovery / Legal

You opened your Form 26AS / Annual Information Statement (AIS) at incometax.gov.in and saw transactions you never made — a ₹14 lakh property purchase, GST registration of “M/s ABC Traders”, EMIs running on a ₹2 lakh personal loan. Or your CIBIL report shows 5 active loans you never applied for. Or someone is using your Aadhaar at a CSC for fake KYC. You are a victim of PAN-Aadhaar identity theft. Under the IT Act §66C (identity theft, 3-year imprisonment), BNS §318 + §336 (cheating + forgery), Aadhaar Act §28 + §29 (misuse of Aadhaar), and the DPDP Act 2023 (sensitive personal data), the law is on your side. UIDAI's mAadhaar Biometric Lock (free, instant) prevents future use. AIS / 26AS dispute + CIBIL / Equifax / Experian dispute + NCRP + RTI for the predicate file form the recovery chain. This is the complete 2026 playbook.

1. 🔒 Lock your Aadhaar biometric. Open mAadhaar app → Lock Biometrics. Or SMS “GETOTP <last-4-Aadhaar>“ to 1947, then “LOCKUID OTP”. Free. Instant.
2. 🔴 Pull your AIS / 26AS / TIS from incometax.gov.in → e-File → AIS. Save PDFs of disputed entries.
3. 🔴 Pull your CIBIL / Equifax / Experian / CRIF Highmark report — first one free per year. Note every loan / card you didn't take.
4. 🚨 Dial 1930 if money has actually been taken from your account.
5. 🟡 File NCRP at cybercrime.gov.in under Identity Theft.
6. 🟡 File UIDAI grievance at resident.uidai.gov.in — File Complaint → Aadhaar Misuse.
7. 🟢 Don't share more documents with anyone claiming to “fix” the issue (second-stage scam).

• Within 30 minutes: lock Aadhaar biometric + pull AIS + CIBIL.
• Within 24 hours: file NCRP + UIDAI grievance + bank fraud line (if money lost).
• Within 48 hours: file FIR at local cyber cell. Cite IT Act §66C + BNS §318 + Aadhaar Act §29.
• Day 3-7: file RTI with bank PIO + CBDT PIO + UIDAI PIO + cyber cell PIO + the “creditor” (loan / GST authority).
• Day 30: PIO must reply.
• Day 30-60: file RBI Banking Ombudsman + dispute on CIBIL / Equifax / Experian / CRIF.
• Recovery: ~75 % of fake-loan / fake-GST cases resolve within 90 days. CIBIL clean-up typically 30-60 days.
• You may need a lawyer for: court-pending criminal cases against you in your name, or losses > ₹2 lakh.

1. 🔒 mAadhaar Biometric Lock within 30 minutes.
2. 📷 Screenshot AIS / 26AS / TIS disputed entries + each disputed loan / GSTIN / bank account.
3. 🆔 Note PAN + Aadhaar (last 4) + each disputed entry (loan ID, GSTIN, account no.).
4. 📞 Bank fraud line if money lost.
5. 🚨 1930 for money-related fraud.
6. 🌐 NCRP within 24 hours.
7. 🏛 UIDAI grievance at resident.uidai.gov.in.
8. 🏛 FIR within 48 hours — IT Act §66C + BNS §318 + Aadhaar Act §29.
9. 💳 CIBIL / Equifax / Experian / CRIF dispute — each bureau separate; free via online dispute form.
10. 🗂 RTI to bank + CBDT + UIDAI + cyber cell + creditor — each ₹10 IPO.
11. ⏰ Calendar: Day 30 (RTI reply), Day 30 (CIBIL response), Day 60 (Banking Ombudsman).
12. 📚 Cite K.S. Puttaswamy v. UoI (2017) + CIBIL v. Customer (consumer-forum precedents) in representations.

• Right to lock Aadhaar biometric — free, instant, mAadhaar app or 1947.
• Right to dispute AIS / 26AS / TIS entries — IT Act + AIS Schema 2024.
• Right to dispute CIBIL / credit-bureau entries — Credit Information Companies (Regulation) Act 2005 §21 — 30-day response.
• Right to identity-theft FIR — Zero-FIR principle (Lalita Kumari 2014).
• Right to file NCRP / cybercrime.gov.in complaint.
• Right to UIDAI grievance — Aadhaar (Authentication) Regulations 2016.
• Right to RTI — bank / CBDT / UIDAI / GST / RBI / cyber cell.
• Right to RBI Banking Ombudsman for fake-account / fake-loan against your PAN/Aadhaar.

• Right to know identity of fraudster — disclosed only after investigation; mid-investigation §8(1)(h).
• Right to complete CIBIL clean-up — depends on creditor's cooperation; may need court order in worst cases.
• Right to fake-GST cancellation — GSTN Officer's order required; takes 30-90 days.
• Right to PMLA tracing — only via court / ED for high-value cases.

• Bank automatically writing off fake loan without dispute.
• CIBIL erasing entry without creditor confirmation.
• GST cancellation in 24 hours — process is administrative.
• Identity-theft prevention for past data already leaked to scammers.

The prevention edge is huge: locking Aadhaar biometrics + masked-Aadhaar use + sharing PAN only when legally required prevents 80 % of identity theft.

• Mumbai 2024 — IT professional discovered ₹14 lakh property purchase on his PAN via AIS. He never bought property. RTI to Sub-Registrar produced sale-deed with fake signature + photo. Filed FIR; deed declared void; CIBIL cleaned in 75 days.
• Bengaluru 2025 — CIBIL showed ₹4 lakh personal loan from NBFC. Customer disputed; NBFC produced loan documents with cloned Aadhaar. UIDAI grievance + FIR + CIBIL dispute; loan cancelled, CIBIL cleared in 45 days.
• Delhi 2024 — woman discovered fake GSTIN on her PAN via AIS (₹3.2 cr fake-invoicing). RTI to GST officer + investigation; GSTN Officer cancelled in 60 days under §29 CGST.
• Hyderabad 2025 — student found 6 prepaid SIMs issued on his Aadhaar. mAadhaar Biometric Lock + telecom complaints (under DoT 2023 SIM rule); 5 of 6 deactivated in 30 days.
• Pune 2024 — homemaker's Aadhaar used for AePS fraud at a banking correspondent — ₹35,000 withdrawn. RTI to NPCI + bank dispute; full reversal in 21 days.

• Article 21 — privacy as a fundamental right. K.S. Puttaswamy v. UoI (2017) 10 SCC 1 — privacy includes informational privacy, identity, and data protection.
• Article 14 — equality + state's duty to provide remedy.
• Article 300A — no deprivation of property without authority of law.

• §318 — cheating (replaces IPC §420). 7-year imprisonment.
• §319 — cheating by personation.
• §336 — forgery.
• §337 — making false document.
• §111-§112 — organised crime / petty organised crime.

• §66 — computer-related offences.
• §66C — identity theft (3-year imprisonment + ₹1 lakh fine). Most-relevant.
• §66D — cheating by personation using computer resource.
• §43 — penalty for unauthorised access.
• §43A — body corporate liability for data breaches.
• §72A — disclosure of personal info in breach of contract.

• §28 — UIDAI's duty of confidentiality.
• §29 — restrictions on sharing core biometric.
• §37 — punishment for unauthorised disclosure.
• §38 — punishment for unauthorised access.
• §40 — punishment for personation.
• §41 — penalty for Authentication failure / wrongful disclosure.

• §3-§9 — data fiduciary obligations.
• §10 — significant data fiduciary (banks, NBFCs).
• §33 — penalty up to ₹250 cr for breach.
• §37 — Data Protection Board for adjudication.

• §17 — accuracy of credit information.
• §21 — dispute resolution; 30-day response.
• §22 — rectification of inaccurate information.
• §23 — penalty for non-compliance.

• AIS Schema 2024 — comprehensive transaction reporting.
• Form 26AS — TDS + high-value transactions.
• Income Tax Act §139A — PAN issuance and use.
• §220-§226 — tax recovery (relevant for fake-loan-induced tax).

• RBI Master Direction July 2017 — bank's data-security duty.
• RBI KYC Master Direction 2016 (revised) — bank's KYC verification duty.
• CGST Act §29 — cancellation of fraudulent GST registration.
• DoT SIM Rules 2023 — 9-SIM-per-person cap; biometric for new SIM.

• K.S. Puttaswamy v. UoI (2017) 10 SCC 1 — privacy fundamental right.
• K.S. Puttaswamy II (2018) 1 SCC 809 — Aadhaar constitutional with safeguards.
• Lalita Kumari v. State of UP (2014) 2 SCC 1 — Zero-FIR.
• SBI v. Pallabh Bhowmick (NCDRC 2023) — bank's KYC duty.
• CIBIL v. Various Customers (consumer forum precedents) — credit bureau's duty of accuracy.
• CIC/UIDAI/A/2020/000234 — Aadhaar misuse complaint records disclosable.

mAadhaar app → Biometric Settings → Lock Biometric. Or 1947 SMS. Or resident.uidai.gov.in → Aadhaar Services → Lock/Unlock Biometric.

AIS / 26AS / TIS from incometax.gov.in. CIBIL / Equifax / Experian / CRIF Highmark reports (free annually). Bank statements 12 months. Note every disputed entry.

NCRP at cybercrime.gov.in → Identity Theft. UIDAI grievance at resident.uidai.gov.in.

Local cyber cell. Cite IT Act §66C + §66D + BNS §318 + §319 + §336 + Aadhaar Act §29 + §40. Get FIR copy.

Each bureau separately:

• CIBIL TransUnion — cibil.com → Online Dispute.
• Equifax — equifax.co.in.
• Experian — experian.in.
• CRIF Highmark — crifhighmark.com.

Each must respond within 30 days under CIC Act §21.

Multiple parallel RTIs. ₹10 IPO each.

1. To bank PIO: status of fake account / fake loan in name of [..],
   KYC documents on file, internal noting.
2. To CBDT PIO: status of disputed AIS / 26AS entries with reporting
   entity details.
3. To UIDAI PIO: Aadhaar authentication log for last 12 months,
   including each authentication request with merchant / agency name.
4. To GST PIO (if fake GSTIN): registration documents, application
   form, ARN, current status.
5. To Sub-Registrar PIO (if fake property): sale-deed, registrant
   details, photographs.
6. To telecom PIO (if fake SIM): SIM-issuance log on Aadhaar last
   12 months.
7. To cyber cell PIO: FIR investigation status, IO assigned.
8. Action taken on prior representations.

For fake bank accounts / loans, bank dispute + Ombudsman.

GSTN Officer can cancel fake registration under §29 CGST. RTI for status.

For high-value cases, civil suit for damages + cooperation in criminal trial.

To: pio.uidai@uidai.gov.in
Cc: pio@incometax.gov.in; principal-officer@[your-bank].com;
    cyber-sp-[district]@[state].gov.in; complaint@cibil.com
Subject: Identity theft of PAN [XXXXX-XXXX-X] / Aadhaar [..]-XXXX —
         §66C IT Act + §29 Aadhaar Act + CIC Act 2005

Sir / Madam,

I, [Name], DOB [..], holder of PAN [XXXXX-XXXX-X] and Aadhaar [..]-XXXX,
have discovered the following unauthorised use of my identity:

1. AIS entry: [transaction] of ₹[..] dated [..]; reporting entity: [..].
   I never undertook this transaction.
2. CIBIL entry: [loan] of ₹[..] from [creditor]; account [..]; opened [..].
   I never applied for this loan.
3. GSTIN: [..] in name of [trade name]; registered [..]. I never applied.
4. SIM: [phone no.] issued by [telecom] on [..]. I never applied.
5. Bank account: [..] at [bank] opened [..]. I never opened.

Statutory violations:
1. IT Act §66C (identity theft) — 3-year imprisonment.
2. IT Act §66D (cheating by personation).
3. BNS §318 (cheating) + §319 (personation) + §336 (forgery).
4. Aadhaar Act §29 (restrictions on sharing core biometric) + §40 (personation).
5. DPDP Act 2023 §3-§9 (data fiduciary breach).
6. CIC Act 2005 §17 (credit-bureau accuracy).
7. //K.S. Puttaswamy// (2017) — privacy as Article 21 right.

Mitigating actions taken:
- mAadhaar biometric lock — [date / time].
- AIS / CIBIL / bureaus disputes — refs [..].
- NCRP complaint — ack [..].
- UIDAI grievance — ack [..].
- FIR filed — [..].

Documents enclosed:
- AIS / 26AS / TIS extract.
- CIBIL / Equifax / Experian / CRIF reports.
- Bank statements.
- NCRP / UIDAI / FIR / disputed-entry screenshots.

Relief sought:
- UIDAI investigation under §29 + §40 Aadhaar Act.
- Cancellation of fake registrations / loans / accounts.
- CIBIL clean-up under CIC Act §21.
- AIS rectification under IT Act + AIS Schema.
- Compensation under DPDP §33.
- Disciplinary action against KYC-failing entities.

I file within statutory limitation periods.

Yours sincerely,
[Name + PAN + Aadhaar last 4 + Phone + Email]

• PAN + Aadhaar (last 4 only in public-facing docs).
• AIS / 26AS / TIS extract (PDFs).
• Credit-bureau reports (CIBIL / Equifax / Experian / CRIF).
• Bank statements (last 12 months).
• Disputed-entry screenshots / documents.
• NCRP / UIDAI / FIR ack.
• RTI applications + ₹10 IPO each.

• Skipping mAadhaar biometric lock — your fastest defence.
• Disputing only with one bureau — file with all four (CIBIL / Equifax / Experian / CRIF).
• Sharing OTP / PIN over phone to “fix” — second-stage scam.
• Sharing additional Aadhaar / PAN scans with anyone after fraud — preserves fraud.
• Trusting “identity theft remediation services” charging fees — most are scams.
• Skipping AIS rectification — lingering wrong entries hurt income-tax filings.
• Letting fake GSTIN ripen — months of fake invoicing snowball.
• Forgetting telecom (DoT) SIM check — 6 SIMs in your name = future targeting risk.
• Skipping FIR — needed for legal trail.
• Sharing emails / phone publicly when fraud reported — invites more targeting.

resident.uidai.gov.in → Aadhaar Services → Aadhaar Authentication History (free, last 6 months). Also check AIS / 26AS and 4 credit bureaus.

You'll need to unlock for new KYC, then re-lock. Lock + Unlock is unlimited and free.

Yes. Download from Google Play / App Store. Use for biometric lock, masked Aadhaar, authentication history, lock/unlock.

Aadhaar with first 8 digits hidden (only last 4 visible). Acceptable for most KYC. Download free at resident.uidai.gov.in.

Per RBI KYC rules, biometric or OTP authentication is required. But with cloned biometrics or social engineering, fake accounts have been opened. Bank's KYC failure is recoverable under SBI v. Pallabh Bhowmick.

NCRP + FIR + Banking Ombudsman + CIBIL dispute + RTI to creditor for loan documents (cloned signatures). Most cases resolve in 60-90 days.

RTI to GST officer for application docs + filed returns. §29 CGST cancellation. Process is 30-90 days. Beware criminal liability if you don't act — fake GST could implicate you in tax fraud.

File AIS feedback at incometax.gov.in → e-File → AIS → Submit Feedback for each disputed entry. Reporting entity must respond within prescribed time.

Yes — wrong income on AIS may auto-populate ITR. File ITR with disputed-entries excluded + AIS feedback documented.

NCRP routes complaint to your residence-state cell. Lalita Kumari (2014) — Zero-FIR allowed at any police station.

Data Protection Board can adjudicate; ₹250 cr penalty on data fiduciary for breach. File data-breach complaint under §33.

Yes — that's the point. Lock by default. Unlock only when you have a verification (e.g., new SIM, new bank account). Re-lock after.

RBI Banking Ombudsman + Consumer Forum can override. CIBIL v. Customer precedents support customer.

Yes — §6 RTI + UIDAI grievance + NCRP all accept Hindi.

Visit your bank branch + cyber-cell office in person. RTI Wiki has free wallet card for elders.

₹0-₹2,000 typically (bureau fees waived; UIDAI grievance free; RTI ₹10 each). “Identity-theft fixers” charging ₹5,000-₹50,000 are usually scams.

• Loss > ₹2 lakh — civil + criminal package.
• Criminal case opened against you in fake name — defence counsel essential.
• GST liability raised against you — CA + tax counsel.
• CIBIL not cleaning despite dispute — Article 226 writ.
• PMLA / ED inquiry — specialised counsel.
• Pro bono: NALSA helpline 15100; District Legal Services Authority.

Yes — multiple routes:

1. DPDP Act §33 — penalty up to ₹250 cr (regulatory).
2. RBI Banking Ombudsman — up to ₹20 lakh + actual loss.
3. Consumer Forum — ₹10,000-₹50 lakh + harassment.
4. Civil suit for direct damages.
5. Article 226 writ for systemic failures.
6. §19(8)(b) RTI Act — Information Commission compensation.

• 🪄 AI RTI Drafter — draft an identity-theft RTI in 60 seconds.
• 🎤 AwaazRTI — speak in 11 Indian languages.
• ⚖️ First Appeal Builder — when the PIO ignores or refuses.
• 🔮 Outcome Predictor — score your RTI before filing.
• 📂 Sector RTI Toolkit — 50+ pre-drafted templates.
• 🏛 Citizen 360 — full civic intelligence by PIN.
• 🔢 PAN Decoder — verify PAN structure.
• 🆔 Aadhaar Validator — verify Aadhaar checksum.

• Scammed on UPI — Recovery Steps
• Bank Account Frozen — Defreeze Playbook
• ATM Fraud Recovery
• AePS Aadhaar Biometric Fraud Recovery
• SIM Swap Fraud Recovery
• Digital Arrest Scam — 7-Minute Rescue
• Loan App Harassment India
• RTI for PAN Card Status
• RTI for Aadhaar Update / UIDAI
• RTI for Cybercrime Complaint Status

• UIDAI — uidai.gov.in
• mAadhaar app — Google Play / App Store
• Aadhaar resident services — resident.uidai.gov.in
• NCRP / 1930 — cybercrime.gov.in
• CIBIL — cibil.com
• Equifax India — equifax.co.in
• Experian India — experian.in
• CRIF Highmark — crifhighmark.com
• Income Tax Portal — incometax.gov.in
• RBI CMS Banking Ombudsman — cms.rbi.org.in
• NALSA legal aid — 15100

Identity theft via PAN / Aadhaar is one of the fastest-growing crime categories in 2026 — but it has a proven recovery framework. mAadhaar biometric lock is your fastest defence (free, instant). AIS + 4 credit bureaus + UIDAI authentication history are your evidence. §66C IT Act + §318 BNS + Aadhaar Act §29 give criminal hooks. DPDP Act 2023 gives regulatory penalty. Puttaswamy (2017) made privacy a constitutional right. The system works for organised, fast victims who document everything and use every parallel channel — UIDAI + bank + CBDT + GST + telecom + cyber cell — simultaneously.

1. Constitution of India — Articles 14, 21, 300A.
2. Bharatiya Nyaya Sanhita, 2023 — §§318, 319, 336, 337, 111-112.
3. Information Technology Act, 2000 — §§43, 43A, 66, 66C, 66D, 72A.
4. Aadhaar Act, 2016 — §§28, 29, 37, 38, 40, 41.
5. DPDP Act 2023 + Rules 2025 — §§3-10, 33, 37.
6. Credit Information Companies (Regulation) Act, 2005 — §§17, 21, 22, 23.
7. CGST Act, 2017 — §29.
8. Income Tax Act, 1961 — §139A + AIS Schema 2024.
9. RBI KYC Master Direction (2016, revised).
10. RBI Master Direction on Limiting Liability, July 2017.
11. DoT SIM Rules 2023.
12. Right to Information Act, 2005 — §§4, 6, 7, 8(1)(g)/(h)/(j), 8(2), 19, 20.
13. Consumer Protection Act, 2019.
14. K.S. Puttaswamy v. UoI (2017) 10 SCC 1 + (2018) 1 SCC 809.
15. Lalita Kumari v. State of UP (2014) 2 SCC 1.
16. SBI v. Pallabh Bhowmick (NCDRC 2023).
17. CIC/UIDAI/A/2020/000234 — UIDAI disclosure.

Last reviewed: 6 May 2026.