Background and Timeline: Cybercrooks in Ahmedabad have introduced a high-pressure “accident alert” theme to target rural and semi-urban populations in late January 2026. A specific case in Kheda district involved a farmer receiving a panic-inducing call on Saturday, January 31, claiming a close relative was involved in a life-threatening mishap. This tactic deliberately exploits immediate emotional vulnerability to bypass the standard security caution usually exercised during digital interactions.

Modus Operandi: The fraudsters utilized a “Panic-then-Infect” strategy, calling the victim to announce the fake accident and promising to send “proof” images of the injured relative via WhatsApp. Instead of a genuine photo, they sent a malicious file disguised as a jpeg which, when clicked, opened a scanner-like interface on the device. This hidden Remote Access Trojan (RAT) exploited accessibility permissions to run in the background and monitor the victim’s banking applications in real-time.

Victims and Financial Impact: The primary victim in Kheda discovered that nearly ₹50,000 had been siphoned from his account through a UPI-based transfer just hours after he viewed the malicious image. The scam is particularly dangerous because it does not require victims to share OTPs, PINs, or sensitive links, as the RAT handles transaction initiation autonomously. Authorities are monitoring dozens of similar reports across Gujarat where panic was used as a catalyst for silent device compromise.

Investigation and Agencies Involved: The Ahmedabad Cybercrime Cell and local police in Kheda are leading the investigation, focusing on the origin of the malicious “image” files. Technical teams are analyzing the command-and-control server used to manage the RAT and coordinating with telecom providers to identify the owners of the numbers used for the initial panic calls. Investigators have advised citizens that the malware continues to function even if the file is deleted after the initial click.

Arrests and Suspects: No immediate arrests have been made in the Kheda case as of Saturday morning, but several digital signatures of the malware have been linked to a known syndicate in northern India. Police are currently profiling the technical developers who specialized in disguising RAT payloads within common image formats to evade basic mobile antivirus detection. Authorities have requested banks to provide the KYC details of the beneficiary UPI handles that received the ₹50,000.

Broader Implications and Trends: This incident marks a shift toward “zero-interaction” financial theft where social engineering is used only to trigger a technical infection rather than to extract an OTP. It highlights a growing trend of “Administrative Smishing” where criminals impersonate emergency services or police to create a state of high urgency. Officials have warned that the only way to avoid such traps is to verify emergency claims through independent, trusted channels before clicking any media files.