Google Pay’s merchant KYC bypassed to build nationwide mule networks, Indian police investigation reveals loopholes in customer onboarding

Gorakhpur, June 20, 2026, In a major breakthrough against organized cybercrime, the Gorakhpur Police has dismantled a sophisticated fraud network that allegedly converted "mule" bank accounts into merchant accounts using forged documents, enabling cyber criminals to launder money through fake QR code boxes. Three accused have been arrested, including the alleged mastermind, and a massive cache of 1,308 GPay SoundPods, 866 QR scanners, 13 mobile phones, and 5 SIM cards has been recovered.

The Mastermind and His Network

Investigators revealed that the alleged mastermind, Sanket Rai, was no amateur. He had previously worked with BharatPe, a leading fintech company, where he gained insider knowledge of the merchant onboarding process, QR code distribution, and commission structures. During his tenure, he reportedly earned ₹140 per sound box sold.

To scale operations, Rai enlisted Tauheed Alam and Raj Singh, who assisted in the fabrication and distribution process. The gang charged approximately ₹2,500 per QR box from cyber criminals. For each operation, they spent around ₹50 to procure mobile numbers and ₹200 for email IDs needed to register the fraudulent accounts. The accused were reportedly earning up to ₹1 lakh per day at the peak of their operations.

How Google Pay’s onboarding process was bypassed: step-by-step

Investigation revealed how the onboarding process of GPay was bypassed by the accused.

1. Initial account creation Criminals installed the Google Pay for Business app and signed in with any Gmail account. They selected “set up or join a business” and completed mobile OTP verification.

• System vulnerability exploited: Onboarding began with only basic email and phone verification. No device fingerprinting, IP analysis, or linkage to existing personal Google Pay accounts was sufficient to flag suspicious new merchant registrations at this stage.

1. Business details and the turnover loophole They entered a business name and owner details (usually the mule account holder’s name). At the turnover screen, they deliberately selected “less than ₹20 lakh” for the previous financial year.

• System vulnerability exploited: This single declaration made GSTN registration optional and placed the application into a lighter verification track intended for micro-enterprises. The investigation found that the system did not require any proof of actual turnover or cross-check against bank flows at onboarding. Criminals could therefore claim micro-business status with zero real economic activity, bypassing a layer of identity and business verification that larger merchants face.

1. Business category and identity document selection Business type and category were chosen arbitrarily. For PAN verification, GSTN was skipped due to the low-turnover selection. For supporting identity proof, criminals specifically chose Voter ID card.

• System vulnerability exploited: The document upload process accepted Voter ID as valid proof. Because Voter ID details are publicly searchable on the Election Commission’s ECINET portal, criminals could obtain real or plausible voter numbers and generate matching fake cards using widely available “fake ID maker” mobile apps. The system performed basic number format validation but lacked robust document integrity checks, metadata analysis, or real-time verification against the issuing authority’s database. No video KYC or biometric linkage was mandated for this category of merchant.

1. PAN harvesting and forgery For the PAN field, criminals visited the public GSTN taxpayer search portal (services.gst.gov.in). They collected real GSTIN numbers and extracted the embedded 10-digit PAN by removing the first two digits (state code) and last three digits (entity code + Z + checksum). They then used fake ID generator apps to create PAN card images showing the mule holder’s name, a random photograph and signature, while using a harvested or format-matched PAN number.

• System vulnerability exploited: PAN verification appears to have relied primarily on format and database matching of the number rather than holistic validation of the uploaded physical document against the declared name and photo. The public availability of GSTIN data allowed bulk, low-cost harvesting of authentic PAN structures, making forged cards more likely to pass superficial checks.

1. Bank details, submission and QR issuance Real mule bank account details (account number, IFSC and holder name) were entered. After final review, the application was submitted. A verification QR was generated and scanned by a Google Pay agent before the merchant account went live.

• System vulnerability exploited: The final agent verification step did not detect the use of forged supporting documents. Once approved, the account received an official-looking merchant QR code that carried implicit legitimacy for victims. Daily limits of ₹40,000 (or ₹2 lakh monthly) without hardware, and significantly higher with a SoundPod device, became available immediately, providing high throughput for fraud proceeds with minimal friction.

The document forgery pipeline

The investigation showed that the entire document set required for onboarding, PAN card and Voter ID, could be produced at low cost using:

• Publically available data &
• Consumer-grade fake ID generator applications available on Android

WhatsApp groups acted as the operational layer, supplying pre-made mule bank details, fake documents and scripts for successful onboarding.

Accused

The arrested individuals have been identified as Sanket Rai (resident of Basdila Gunakar, Tamkuhi Raj, Kushinagar), Tauheed Alam alias Golu (resident of Shaheed Abdullah Nagar, Gorakhnath, Gorakhpur), and Raj Singh (resident of Awas Vikas Colony, Shahpur, Gorakhpur). They were apprehended following a joint operation by the Cyber Commando, the District Anti-Theft Team, and Kotwali Police Station personnel, acting on a tip-off from an informer.

While presenting the accused at the Police Lines, Assistant Superintendent of Police (City) Nishith Patel praised the coordinated efforts of the Cyber Commando Unit and the District Anti-Theft Team. "This arrest exposes a critical link in the cyber fraud supply chain. By converting mule accounts into merchant accounts, these criminals provided a veneer of legitimacy to illicit financial flows. We are committed to tracing the full network and ensuring all accomplices are brought to justice," he said.

Based on the arrest and recovery, Case Crime No. 119/2026 has been registered at Kotwali Police Station under:

• Sections 318(4), 340(2), 336(3), and 3(5) of the Bharatiya Nyaya Sanhita (BNS)
• Section 66D of the Information Technology (IT) Act

Cyber Commando (Specialized in cyber security - trained by I4C, under the Ministry of Home Affairs) Sub-Inspector Upendra Singh, who led the technical investigation, stated that Sanket Rai had been running the operation for several months. "So far, our investigation indicates that more than 2,000 mule accounts were converted into merchant accounts by this gang. Transactions of cyber fraud money have been found in almost all of them. Complaints have been registered in multiple districts where these bank accounts were operated," he said.

Arrest Team:

1. SI Upendra Kumar Singh, Cyber Commando, Gorakhpur Zone Gorakhpur
2. SI Aditya Kumar Pandey, Chowki Prabhari Bakshipur, PS Kotwali Gorakhpur
3. SI Saurabh Maurya, PS Kotwali Gorakhpur (Nodal Cyber Officer)
4. SI Harsha Kumar Shukla, PS Kotwali Gorakhpur
5. SI Sanya Maurya, PS Kotwali Gorakhpur
6. Head Constable Amarendra Pratap Singh, PS Kotwali Gorakhpur
7. Constable Rakesh Kumar, PS Kotwali Gorakhpur
8. Constable Nitish Kumar, PS Kotwali Gorakhpur
9. Constable Sanjeet Yadav, PS Kotwali Gorakhpur
10. Constable Awanish Kumar Pandey, PS Kotwali Gorakhpur
11. Head Constable Mohammad Mohsin Khan, District Anti-Theft Team Gorakhpur
12. Head Constable Dharmendra Nath Tiwari, District Anti-Theft Team Gorakhpur
13. Constable Ankit Singh, District Anti-Theft Team Gorakhpur
14. Constable Amit Yadav, District Anti-Theft Team Gorakhpur

Implications

The investigation concludes that the combination of simplified onboarding rules, weak document authentication and insufficient real-time risk monitoring turned merchant channel into an efficient rail for moving fraud proceeds under the appearance of legitimate business activity.

The findings underscore the need for payment platforms to apply consistent, higher-assurance verification to all merchant accounts and to integrate complaint and fraud intelligence directly into onboarding and ongoing monitoring systems.

Police have appealed to the public to remain vigilant against offers to open bank accounts or share KYC documents in exchange for money, as these are commonly exploited by cyber fraud networks.

Further updates will follow as the investigation progresses.