India Drops the Hammer on Firebase: 113 Google-Hosted Malware Servers Killed in 8 Days

The Indian Cybercrime Coordination Centre (I4C) of the Ministry of Home Affairs just turned Google's own infrastructure into a crime scene, and gave the search giant three hours to clean it up.
June 16, 2026 | New Delhi
In a blistering one-week stretch in June 2026, the Indian Cybercrime Coordination Centre (I4C), operating under the Ministry of Home Affairs, fired off two takedown orders to Google demanding the removal of 113 Firebase Realtime Database endpoints allegedly powering a sprawling Android banking-malware operation. The clock on each: 180 minutes.
The Numbers
- 82 Firebase URLs flagged in Notice No. 11062601011000 (issued 02 June 2026)
- 31 Firebase URLs flagged in Notice No. 11062601011054 (issued 09 June 2026)
- 113 malicious endpoints total, all hosted on Google's firebaseio.com and firebasedatabase.app domains
- 3-hour mandatory takedown window per order
- 2 statutes, 7 sections invoked across the IT Act and the new Bharatiya Nyaya Sanhita
The Scam Factory
The playbook is grimly efficient. I4C's Threat Analysis Unit (NCTAU) found Firebase projects being used as command-and-control (C2) servers for Android malware impersonating Indian banks and government schemes. The lures are textbook social engineering: fake new credit cards, reward redemptions, credit-limit upgrades, and bogus PM-Kisan government-payout portals.
The naming tells the whole story. Among the flagged endpoints: sbi-30, boi-51, bob-1, hsbc-crdit-card, csb-bank-2, plus a parade of rto- (Regional Transport Office) and pm-kishan/pm-kisan clones. Once installed, the malware exfiltrates SMS messages, harvesting the OTPs that guard every bank transaction, and siphons credit-card and personal data straight into the attacker-controlled databases for unauthorized transactions.
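
One way a defender could hunt for this pattern in proxy logs, as an added example that is not from the I4C notices or the original article: it extracts the Firebase Realtime Database instance from each requested host and flags names containing the lure tokens quoted above. The log format, device names and sample hostnames are constructed, and the token list is an assumption drawn from the endpoint names the article cites.

```python
from urllib.parse import urlsplit

# Hosting domains the article names for the flagged Firebase endpoints.
RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
# Assumed lure tokens, taken from the endpoint names quoted in the article.
LURE_TOKENS = ("sbi", "boi", "bob", "hsbc", "csb", "rto", "pm-kisan", "pm-kishan")

def rtdb_instance(host):
    """Return the database instance label for a Firebase RTDB host, else None."""
    host = host.lower().rstrip(".")
    for suffix in RTDB_SUFFIXES:
        if host.endswith(suffix):
            # Regional hosts look like <instance>.<region>.firebasedatabase.app,
            # so the instance is always the first label.
            return host[: -len(suffix)].split(".")[0] or None
    return None

def lure_hits(instance):
    """Match tokens against whole hyphen-delimited runs, so 'bobby' is not 'bob'."""
    default = "-default-rtdb"  # suffix Firebase gives a project's default database
    name = instance[: -len(default)] if instance.endswith(default) else instance
    parts = name.split("-")
    hits = set()
    for token in LURE_TOKENS:
        want = token.split("-")
        for i in range(len(parts) - len(want) + 1):
            if parts[i : i + len(want)] == want:
                hits.add(token)
    return hits

def flag_log(text):
    """Return (device, instance, tokens) for each request to a lure-named RTDB host."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # constructed format: timestamp device method url
            continue
        _ts, device, _method, url = fields
        instance = rtdb_instance(urlsplit(url).hostname or "")
        hits = lure_hits(instance) if instance else set()
        if hits:
            findings.append((device, instance, sorted(hits)))
    return findings

# Constructed sample proxy log; none of these hostnames come from the notices.
SAMPLE_LOG = """\
2026-06-10T09:14:02Z device-17 GET https://sbi-99-default-rtdb.firebaseio.com/a.json
2026-06-10T09:14:05Z device-17 GET https://pm-kisan-4.asia-southeast1.firebasedatabase.app/b.json
2026-06-10T09:15:40Z device-22 GET https://bobby-notes-default-rtdb.firebaseio.com/todo.json
2026-06-10T09:16:11Z device-22 GET https://www.example.com/index.html
"""
```

Hits are triage leads rather than verdicts: a legitimate app can use a short token in its project name, so each finding should be checked against the installing package before any response.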

Why the Law Has Teeth
This is where India's regulatory architecture genuinely shines. The orders ride on Section 79(3)(b) of the IT Act, 2000, read with Rule 3(1)(d) of the IT Rules, 2021, a combination that strips an intermediary of its safe-harbor immunity the moment it receives "actual knowledge" of unlawful content and fails to act.
The masterstroke is the three-hour deadline. Most global takedown regimes move at the speed of legal review: days, weeks, sometimes never. India compresses that to a single business afternoon. Miss it, and Rule 7 kicks in: Google forfeits its Section 79(1) protection entirely and becomes liable under the IT Act and the Bharatiya Nyaya Sanhita. The cited offences are serious: IT Act Sections 66, 66C and 43 (identity theft, computer fraud) alongside BNS Sections 61, 316(2), 318(4) and 340(2) (criminal conspiracy, breach of trust, cheating, forgery).
It's a rare example of a legal instrument actually matching the tempo of cybercrime. Malware infrastructure is ephemeral; a notice that takes a week is a notice that arrives after the money's gone. A three-hour SLA, backed by personal liability for the platform, flips the incentive structure hard.
The Google Problem
There's an uncomfortable subtext here for Mountain View. Every one of these 113 endpoints lives on Google's Firebase, a free, frictionless, instantly-provisioned backend that scammers love precisely because it's Google-grade reliable and trivially anonymous to spin up. The same qualities that make Firebase a developer darling make it a fraudster's dream C2 host.
India isn't asking an ISP to block traffic at the network edge; it's going straight to the source, ordering the platform to delete the resource it created. That's the cleanest possible enforcement: kill the database, and every infected phone calling home hits a dead line simultaneously, without vitiating the evidence.
The Bigger Picture
Both orders were signed by Director Sh. Manoj Kumar Meena and issued as system-generated notices under I4C's nodal-officer authority. Two notices, eight days apart, 113 endpoints: this isn't a one-off. It's an operational rhythm, and it signals that India intends to treat platform-hosted malware infrastructure as a standing enforcement target rather than an occasional fire drill.
For the global tech-policy crowd, the takeaway is stark: India has built a takedown regime that is fast, specific, and personally consequential for the intermediary. Whether other jurisdictions can stomach a three-hour clock is another question, but as a model for outpacing financially-motivated malware, it's hard to argue with the design.
Source: Both takedown notices are archived on Lumen Database, the Harvard-hosted public repository of online content-removal requests, holding 67 million-plus notices referencing over 10 billion URLs, which brings transparency to who is asking for what to be taken offline, and why.