The phone call comes at 7:42 in the evening. A constable from a city you have never visited says someone in his town has lost forty-seven thousand rupees, and the money was sent to your UPI handle, from your account. You have not sent anyone forty-seven thousand rupees. You have not even opened your banking app today. You stammer something. He says be at the cyber cell on Monday. He hangs up. You sit on the edge of the bed, and the first thing your mind does is replay every login alert you ignored last week — the one from a city in Maharashtra, the one at three in the morning, the one your bank sent you that you thought was spam.

This is the moment you go from being a hack victim to looking like a fraud accused. You are not the only person this has happened to. Indian cyber-fraud rings run their money through the accounts of innocent people every day. The good news is that Indian law clearly distinguishes the hacker from the account holder, and the path to clearing your name is well-laid. It needs speed, and it needs evidence, and this article walks you through both.

What Has Actually Happened to You?

Two crimes have happened. First, your account was hacked — a stranger gained access without your permission. Second, that stranger used your hacked account to defraud someone else. The law treats these as separate wrongs with separate offenders. You are the victim of the first. You are not the offender of the second, even though your name is on the account.

The IT Act, 2000 spells out unauthorised access in Section 43. The provision says that if any person, without permission of the owner, "accesses or secures access to" a computer, computer system or computer network — or downloads, copies, damages, or disrupts data — that person is liable to pay compensation. The owner of the account in this scenario is you. The person who accessed it without permission is the hacker. Section 43 makes the hacker liable to compensate you, not the other way round.

The fraud committed against the third party is a different offence — typically Section 66D of the IT Act (cheating by personation using a computer resource), and IPC Section 420 (cheating). For both, the law requires dishonest or fraudulent intent on the part of the accused. That dishonest intent belonged to the hacker, not to you.

Why the Law Does Not Treat You as the Criminal

Indian criminal law has a foundational rule: actus non facit reum nisi mens sit rea — an act alone does not make a person guilty unless the mind is also guilty. For computer-related offences, the IT Act follows this rule strictly. Section 66 only punishes a person who "dishonestly or fraudulently" does any act referred to in Section 43.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both."

The Explanation to Section 66 borrows the meaning of "dishonestly" and "fraudulently" from Sections 24 and 25 of the IPC. Section 24 IPC says a person acts dishonestly when the intention is to cause wrongful gain to one or wrongful loss to another. Section 25 IPC says a person acts fraudulently when the act is done with intent to defraud — and the Supreme Court in Dr Vimla v. Delhi Administration (AIR 1963 SC 1572) held that "defraud" needs both deceit and injury.

The Supreme Court in Shreya Singhal v. Union of India (AIR 2015 SC 1523) emphasised this exact point — that under Section 66, "dishonestly" and "fraudulently" are defined with specificity, mens rea is essential, and the section is therefore narrow and constitutionally sound. So a hack victim whose account was misused without their knowledge does not satisfy the mental element of Section 66 or 66D — full stop.

Section 43 vs Section 66 — Civil and Criminal Lines

Many account holders confuse these two sections. Understanding the difference is what flips your role from suspect to victim on paper.

Section 43 is civil. It does not require dishonest intent. Anyone who accesses a computer or copies data without permission is liable to pay compensation. Even careless or accidental access creates Section 43 liability. The cap was originally Rs 1 crore; under Section 46(1A) the State Adjudicating Officer now hears claims up to Rs 5 crore, and bigger claims go to the competent civil court. Section 47 lays down the factors for quantum — the gain to the wrongdoer, the loss to the victim, and any repetitive nature of the default.

Section 66 is criminal. It punishes the same acts only when done dishonestly or fraudulently. Punishment is up to three years imprisonment or up to Rs 5 lakh fine, or both.

So when an FIR is registered against the account holder of a hacked account, the legally honest path is for the FIR to name "unknown person who used the account fraudulently" — not the account holder. Once the police gather IP logs and trace the hacker, the chargesheet is filed against that person. You become a witness, not an accused. A skilled lawyer's intervention early in the case keeps this trajectory on track.

The Missing Element — Dishonest or Fraudulent Intent

Whether the FIR is under Section 66, Section 66D, IPC Section 420, or Section 416 IPC (cheating by personation), every one of them needs the prosecution to prove dishonest intent at the time of the act. The Supreme Court has reiterated this in cheating cases too. In Hridaya Ranjan Pd. Verma v. State of Bihar (AIR 2000 SC 2341), the Court held that to constitute cheating, the dishonest intention must exist at the inception of the transaction, not later. In Inder Mohan Goswami v. State of Uttaranchal (2007), the Court repeated that mere failure to keep a promise cannot be converted into criminal cheating without proof of original dishonest intent.

For a hack victim, the mental element is on the wrong side of the case. You did not plan a fraud. You did not enrich yourself. The money flowed in and immediately flowed out — to an account or wallet under the hacker's control. Your bank statements show no gain. Your devices show no fraudulent activity at the relevant timestamps. This is not weakness; this is your defence.

The Evidence That Will Save You

The case is won or lost on the strength of digital evidence. The earlier you preserve it, the better. Eight categories of evidence matter most:

  • Login alerts and security notifications from the platform showing unusual sign-ins.
  • IP addresses and device IDs from the platform's account-activity log — these will not match your home network or your devices.
  • Geolocation records showing the fraud was executed from a city or device that is not yours.
  • Your physical alibi — CCTV from your office, society gate, or a shop receipt at the relevant time.
  • Bank SMS alerts for the unauthorised transactions, especially the timestamps before, during and after.
  • Prior complaint records — if you noticed the breach early and complained to the platform, the bank, or the cyber helpline 1930, those reference numbers are gold.
  • Your devices' login logs showing no activity at the relevant time.
  • Any screenshots of suspicious messages, OTPs, or phishing emails that preceded the breach.

Each of these is an electronic record. Each must be preserved without alteration. Save originals. Do not crop, mark up, or edit anything before printing. Your lawyer will then arrange a Section 65B certificate for each.

How to Make Your Digital Evidence Court-Ready

Indian courts are willing to act on digital evidence — but only if it is presented under Section 65B of the Evidence Act (now mirrored in Section 63 of the Bharatiya Sakshya Adhiniyam). The provision requires a certificate, signed by a person responsible for the device that produced the printout, identifying the device, its working condition, and the manner of production.

The Supreme Court in Anvar P.V. v. P.K. Basheer (2014) made the certificate mandatory for secondary electronic evidence. Without it, your screenshot of the rogue login is just paper. With it, that same screenshot is admissible proof.

For a hack-fraud accused, the practical drill is: collect the data; do not edit it; ask the platform formally for a copy of activity logs; have your lawyer prepare a Section 65B certificate signed by the IT-savvy person responsible for the device that printed the record. Where the platform itself is the source, an officer of the platform's grievance team can issue a corresponding certificate via lawyer-driven correspondence. Strong preservation is the difference between a clean closure report and a chargesheet that drags on for years.

What the Police Are Supposed to Do

Once an FIR is registered, the investigating officer's job under BNSS Section 173 (corresponding to Section 154 CrPC) is to investigate impartially. For a cyber-fraud case that means writing to the platform under BNSS Section 175 (Section 91 CrPC) for IP logs, login times, device fingerprints and registration data of the suspect; tracing the chain of money through bank records; and only then naming a person as accused.

Where a victim's name is wrongly added merely because of account ownership, your lawyer's correspondence to the investigating officer — attaching your prior hack complaint, the platform's anomalous-login record, and your alibi — typically forces the officer to look beyond the surface. If the officer ignores it, an application under BNSS Section 175(3) (Section 156(3) CrPC) before the Magistrate can direct further investigation. The Supreme Court in Sakiri Vasu v. State of U.P. (AIR 2008 SC 907) has affirmed that magistrates have implied power to monitor police investigation when there is a real grievance.

The investigation also has to consider intermediary liability. Section 79 of the IT Act gives platforms a safe harbour, but in Avnish Bajaj v. State (NCT of Delhi) the Delhi High Court engaged with intermediary responsibility where unlawful content was hosted, and the Supreme Court in Shreya Singhal v. Union of India read down Section 79(3)(b) to require actual knowledge through court order or government notice. So platforms are not invisible — they are part of the trail.

Anticipatory Bail and Quashing the FIR

If the FIR includes Section 420 IPC or other non-bailable provisions, anticipatory bail is the immediate priority. The application is filed under Section 438 CrPC (now BNSS Section 482) before the Sessions Court, with a copy to the public prosecutor. The court typically considers the nature of allegations, the role attributed to you, and the likelihood that custody is even necessary. The Supreme Court in Arnesh Kumar v. State of Bihar (2014) has restrained casual arrest in offences punishable up to seven years — magistrates must scrutinise the police's reasons for arrest, not rubber-stamp them.

Quashing the FIR under Section 482 CrPC (now BNSS Section 528) is the next-level remedy. The High Court has inherent power to quash any criminal proceeding that is an abuse of the process of court. Where the documents on record — platform logs, your prior hack complaint, IP traces — make conviction impossible, the High Court can intervene at the threshold. The principle was set out by the Supreme Court in State of Haryana v. Bhajan Lal (1992), which lays down categories where the High Court will quash. A hack-victim accused fits cleanly into the category where the FIR does not disclose the essential ingredients of the offence — particularly the mental element.

For account holders facing FIRs in distant cities, where your lawyer can also explore FIR-related remedies in detail, including transfer applications and parallel writ petitions, the strategy depends on the exact mix of sections and facts.

What Should I Actually Do Now?

  1. Do not visit the police station alone. Note officer name, station, FIR number and the sections cited; then call a cyber lawyer the same day.
  2. Within 24 hours, file your own complaint about the hack — at the platform (Google, Meta, your bank), at cybercrime.gov.in, and at the local cyber cell. Keep all reference numbers.
  3. Call the cyber helpline 1930 for any unauthorised debit. Banks can sometimes freeze or reverse the transferred sum if reported in the first hours.
  4. Preserve every login alert, every SMS, every email — do not delete, do not edit, do not even open more than once. Take dated screenshots of the source view.
  5. Pull your account-activity log from the platform. Save it as a PDF. Note the IP addresses and timestamps of suspicious logins.
  6. Build your alibi for the time of the fraud — CCTV from office, metro card swipes, neighbours, family members. A timeline document drafted with your lawyer becomes your defence backbone.
  7. If there is risk of arrest, instruct your lawyer to file an anticipatory bail application under BNSS Section 482 / Section 438 CrPC immediately.
  8. Cooperate with the investigating officer in writing, never orally without your lawyer present. Submit a written representation attaching your hack-complaint records and platform logs.
  9. If the investigating officer ignores the documents, file an application before the Magistrate under BNSS Section 175(3) for monitored investigation, citing Sakiri Vasu.
  10. Once the case is unsupportable on its face, instruct counsel to file a quashing petition under BNSS Section 528 / Section 482 CrPC before the High Court.

If you are facing this situation right now, do not try to handle the FIR alone — particularly when the FIR is registered in another state. A focused cyber-defence lawyer reading the FIR on day one usually saves weeks of confusion. Pinaka Legal in Delhi handles cyber-fraud defence matters end-to-end — anticipatory bail, evidence preservation, representations to the investigating officer, and quashing petitions in the High Court.

A Final Word — You Are Not Alone in This

The first reaction to a fraud FIR is fear. The second is the urge to delete everything that looks suspicious. Both reactions hurt your case. Indian cyber law is built on the idea that the dishonest mind is what creates criminal liability — not just the account on which the act was performed. Section 66 needs mens rea. Section 420 needs dishonest intent at inception. Section 66D needs personation. None of these match a person whose account was breached and who reported the breach.

What you need is speed, calm, and the right paperwork. If you act in the first 48 hours, document carefully, complain about the hack first, and let your lawyer drive the conversation with the police, the case rarely survives the investigation stage. The cyber rings count on innocent account holders being too embarrassed or too tired to fight back. They are wrong about that, and the law agrees.

Get legal help from Pinaka Legal — Cyber Crime experts in Delhi

Frequently Asked Questions

My account was hacked and used to cheat someone. Am I criminally liable?

Not if you can show you did not act dishonestly or fraudulently. Section 66 of the IT Act punishes only acts done with that mental element, and Sections 24 and 25 of the IPC define those terms as wrongful gain or wrongful loss. If your account was actually hacked, the dishonest mind belonged to the hacker, not to you. Your job is to produce evidence — IP logs, login alerts, prior complaint to the platform, a police complaint about the hack — that shows you are the victim too. Most well-investigated cases end as a closure report against the actual hacker.

What is the very first thing I should do when police call me about fraud done from my account?

Do not panic and do not start arguing on the phone. Politely note the officer's name, station, FIR number and section. Do not visit the police station alone. Speak to a cyber lawyer the same day. Before going anywhere, file your own complaint about the hack — at the platform (Google, Meta, bank), at cybercrime.gov.in, and at the local cyber cell. This builds the record that you were the first victim, not the offender. The contemporaneous record is often what tilts the case in your favour.

How do IP logs and login records help prove my innocence?

They place the suspect device, IP address, city and time of the fraudulent activity on record. Most platforms store login IP, device fingerprint, and access timestamps. If those logs show the fraudulent transaction came from a city where you were not, or a device you do not own, that is a powerful exculpatory record. The defence lawyer requests these logs through the investigating officer, and where needed through a magistrate, and produces them along with a Section 65B certificate so they are court-admissible.

What is Section 65B of the Evidence Act and why do I need it?

Section 65B of the Evidence Act governs admissibility of electronic records — the printout of an email, a screenshot, a server log. The law requires a certificate identifying the device that produced the printout and confirming the device was working properly. The Supreme Court in Anvar P.V. v. P.K. Basheer made this certificate mandatory. Without it, your screenshot is just paper. With it, your IP logs become court-ready proof. This applies under the new Bharatiya Sakshya Adhiniyam too, in Section 63.

Should I apply for anticipatory bail before police arrest me?

Yes, if the FIR cites Section 420 IPC or non-bailable provisions. Section 66D is bailable, but a layered FIR usually adds non-bailable IPC sections. Anticipatory bail under Section 438 CrPC (now BNSS Section 482) protects you from arrest while the investigation continues. The application is filed before the Sessions Court or High Court. Take prior printouts of platform login alerts, your hack complaint, and the FIR copy so the court sees the full picture from day one. Courts are often willing to grant relief at this stage in account-takeover cases.

Can I get the FIR quashed if I am clearly innocent?

Yes, in the right facts. The High Court has inherent powers under Section 482 CrPC, now BNSS Section 528, to quash any criminal proceeding that is an abuse of process. If the FIR on its face does not disclose dishonest intention against you, or the documents (platform records, your prior hack complaint, IP logs) make conviction impossible, the High Court can stop the case at the threshold. The principles were laid down in State of Haryana v. Bhajan Lal. The application is technical; lawyer assistance is essential.

What if money was actually transferred from my bank account?

Call the cyber helpline 1930 immediately and report the unauthorised debit — the bank can sometimes reverse or freeze the transferred amount in the first hours. RBI rules on limited customer liability protect you when the breach was not your fault and you reported promptly. File a written complaint with the bank within three working days for zero or limited liability. Keep every screenshot, every SMS, every app notification. The fact that you raised the alarm yourself is your strongest defence in the criminal case as well.

Is the platform — Google, Meta, the bank — also liable for the fraud?

Section 79 of the IT Act gives intermediaries a safe harbour, but the Supreme Court in Shreya Singhal v. Union of India read it down — protection applies only when the intermediary acts on actual knowledge or court order. Independently, Section 43 of the IT Act makes the person who actually accessed your account liable for compensation. Tracing that person is the police's job; pressing the platform for IP logs and account data is your lawyer's job. Banks have separate RBI-mandated obligations on suspicious transactions.

How long does the investigation take, and what happens during it?

Cyber investigation under BNSS Section 173 onwards typically takes weeks to months. The investigating officer writes to the platform for IP logs, sends notices under BNSS Section 175 to obtain documents, examines witnesses, and seeks call-data records. As an accused who is in fact a victim, you cooperate fully but on lawyer's advice — produce documents in writing, never make oral statements without your lawyer, and ensure your version goes on record as a written reply to every notice. The chargesheet finally goes against the actual hacker if the trail is properly followed.

What evidence shows I was not logged in at the time of the fraud?

Geo-location and device records held by the platform; CCTV from your office or housing society at the relevant time; toll plaza, metro card or boarding pass logs putting you elsewhere; your own phone's location history exported with a Section 65B certificate; and witness statements from people you were with. A skilled cyber lawyer stitches these into a single timeline that shows you were physically and digitally absent from the act. The more independent the record, the harder it is for the prosecution to argue otherwise.

Will I be arrested in this case?

Not necessarily. Many cyber-fraud FIRs name account holders without proving dishonest intent. Anticipatory bail neutralises the immediate arrest risk. The Supreme Court in Arnesh Kumar v. State of Bihar limits arrest in offences punishable up to seven years — police must record reasons, and the magistrate must scrutinise them. A timely lawyer's intervention often converts a likely arrest into a notice for appearance and a clean closure report. For deeper guidance on accused-side procedural rights, see the accused defence cluster.

Can I sue the actual hacker once they are caught?

Yes. Section 43 of the IT Act lets the victim — that is, you — claim damages by way of compensation from anyone who accessed your computer or account without permission, downloaded your data, or damaged anything. Section 46(1A) gives the State Adjudicating Officer jurisdiction up to Rs 5 crore. So once the police identify the hacker through IP logs, the same evidence supports your civil compensation claim, parallel to the criminal trial. Section 47 lays down factors the Adjudicating Officer considers when fixing the amount.

Related Reads

For more articles on Indian law, visit the Pinaka Legal Blog. Written by the Pinaka Legal Editorial Team. For queries, call +91 8595704798 or email info@pinakalegal.com.