India's Delhi High Court Sets a Template for Tackling Phishing-as-a-Service
Free Platform as a Service Providers, Vercel (Defendant No. 2) and Netlify (Defendant No. 4), that turn source code into live, accessible websites — were each directed to take down specific clusters of infringing URLs within 36 hours. A new interim order against IndiaMART impersonators shows how judicial systems can hold modern web infrastructure accountable — and what regulators elsewhere should take note of
New Delhi, India
In a quietly significant order dated 26 May 2026, the Delhi High Court granted IndiaMART Intermesh Limited, India's largest B2B marketplace, a sweeping ex parte interim injunction against a network of "John Doe" fraudsters running phishing operations that impersonated the company to hijack its sellers' accounts. The order in IndiaMART Intermesh Limited v. Ashok Kumar & Ors. (CS(COMM) 600/2026) deserves attention well beyond India, because Justice Jyoti Singh's reasoning maps the modern phishing supply chain onto the right set of intermediaries and assigns each a concrete, time-bound obligation.
For public policy specialists, brand-protection teams, and tech-policy watchers, this is a case study in how a court can operate at the speed and structure of the internet itself.
Account takeover through phishing as a service
The mechanics described in the order are worth understanding because they are increasingly common. Fraudsters cloned IndiaMART's website "look and feel," then contacted the company's verified sellers via email and WhatsApp with links to fake URLs. When a seller entered their registered phone number on the spoofed page, the attacker simultaneously entered it into the genuine IndiaMART login page. The real platform dutifully sent a one-time password to the seller's phone; the seller, believing the fake site to be authentic, typed that OTP into the phishing page, handing the attacker live credentials and full account access before the page conspicuously "hung."
This is real-time OTP relay phishing: the legitimate platform's own security flow is weaponized against its users. No amount of OTP hardening fixes it, because the victim is voluntarily relaying the code. That makes the infrastructure the only viable point of intervention, which is precisely where the court focused.
The intermediary map: the order's real innovation
What sets this order apart is its granular treatment of the web infrastructure stack. Rather than lumping all "platforms" together, the court identified each layer's distinct function and tailored its directions accordingly:
Deployment and hosting platforms. Vercel (Defendant No. 2) and Netlify (Defendant No. 4), both Platform-as-a-Service providers that turn source code into live, accessible websites, were each directed to take down specific clusters of infringing URLs within 36 hours. The order even split the takedown list between them: Vercel for serial numbers 1–7 of Annexure-A, Netlify for 8–15.
Code repositories. GitHub (Defendant No. 3) was ordered to disable the repository storing the phishing site's source code and templates, recognizing that the repo is the upstream "primary storage environment" feeding the deployment pipeline.
Communication and financial rails. WhatsApp (Defendant No. 5) was directed to block the offending accounts and, critically, disclose Basic Subscriber Information. Punjab National Bank (Defendant No. 6) must surrender KYC details for a specified mule account; Bharti Airtel (Defendant No. 8) must suspend a flagged number and reveal its registrant.
The state and the network layer. Defendants included BSNL, MTNL, the Department of Telecommunications, and MeitY (the IT Ministry), with DoT and MeitY directed to issue notifications to all telecom and internet service providers to block the relevant domains and numbers.
The court also ordered the PaaS providers to preserve logs, IP records, deployment data, and payment information, and to identify the operators behind the URLs, and prohibited reactivation of the sites under any "colourable, mirror, alphanumeric, deceptive variants." That forward-looking clause matters: phishers typically just spin up the next subdomain. Annexure-A itself reads like a catalogue of throwaway hosting (india-mart-black.vercel.app, realindiamart.netlify.app, indiamart-clone-masai.netlify.app), the kind of free-tier deployments that can be created in minutes.
Why the layered approach is the right one
There is an important, often-overlooked principle embedded here, and it aligns with how blocking should ideally work technically: intervene at the most precise layer available, and treat ISP-level blocking as a last resort.
Ordering a SaaS or hosting provider to remove a specific malicious deployment is surgical, it removes the offending content without collateral damage. Ordering ISPs to null-route a domain is blunter, affects the whole network path, and is easier to circumvent. The Delhi order leads with takedowns directed at the hosting platforms and the repository (the layers that can remove the actual content), and reserves the broad TSP/ISP notification mechanism as the backstop. That sequencing is good internet hygiene as much as good law.
This is also where the safe-harbour bargain becomes visible. Intermediaries like Vercel, GitHub, and Netlify are not accused of wrongdoing; they are treated as neutral conduits whose protection is contingent on acting expeditiously once put on notice. The order operationalizes exactly that: clear identification of specific infringing material, a defined actor, and a tight compliance window. This is the model intermediary-liability frameworks are supposed to produce, neither blanket immunity nor blanket liability, but a duty to act on specific, court-validated notice.
What the world can learn
India's higher judiciary, and the Delhi High Court's IP division in particular, has built genuine institutional muscle in this area, and this order showcases several transferable lessons:
1. Speed is a feature. The court granted urgent relief, expressly invoking Supreme Court precedent (Yamini Manohar v. T.K.D. Keerthi) to waive pre-litigation mediation where genuine urgency exists. A 36-hour compliance clock acknowledges that in phishing, every hour of uptime equals more victims. Many jurisdictions still measure takedown timelines in weeks.
2. "John Doe" / "Ashok Kumar" orders work. By allowing suits against unidentified defendants and then compelling intermediaries to unmask them through KYC, subscriber data, and IP logs, the court solves the attribution problem that usually lets anonymous fraudsters run indefinitely. The injunction binds the conduct and the infrastructure even before the human is named.
3. Map the actual supply chain. The order's most exportable idea is its refusal to treat "the internet" as a monolith. Code host, deployment platform, CDN, messaging app, bank, telecom carrier, and the ISP layer each got a role-appropriate directive. Regulators and courts elsewhere often issue one-size-fits-all blocking orders; precision produces both effectiveness and proportionality.
4. Preservation and disclosure, not just blocking. Blocking a site ends one attack; preserving logs and compelling disclosure of operators enables prosecution and dismantles the network. The dual mandate, remove and retain and reveal, is what turns a defensive measure into an offensive one.
5. Anti-circumvention baked in. Extending the injunction to future mirror and variant domains recognizes the whack-a-mole reality of brand abuse and reduces the need to return to court for every new clone.
A note of balance
None of this is without tension. Ex parte orders, granted without hearing the other side, concentrate significant power in a single rights-holder's hands, and the same machinery that dismantles a phishing ring can, if applied carelessly, sweep up legitimate code repositories, parody, or competing services. The presence of "deceptive variant" language is efficient but broad, and its application will bear watching. Robust judicial oversight, narrow targeting via specific URLs (as the Annexures here provide), and meaningful opportunities for affected intermediaries and users to seek modification are what keep such tools proportionate. The lesson for other jurisdictions is to copy the structure and the precision, not to import the speed without the safeguards.
The takeaway
For brand-monitoring professionals, this order is a reminder that the battleground has moved from typosquatted domains to free-tier PaaS deployments and encrypted messaging, and that the legal remedies are finally catching up. For policy experts, it is a working demonstration that intermediary-liability regimes can be made operational, fast, and layer-aware without collapsing into either impunity or censorship.
India's courts have shown that a legal system can speak the language of deployment pipelines, repositories, and subscriber logs. As phishing-as-a-service scales globally, that fluency is no longer optional. The Delhi High Court has handed the rest of the world a usable blueprint.
This article is based on the publicly available interim order in CS(COMM) 600/2026 (Delhi High Court, 26 May 2026). As an interim, ex parte order, its findings are prima facie and subject to revision after the defendants are heard.