Scammers steal Rs8.5 million from citizen’s account using duplicate SIM

In a major financial fraud, scammers illegally obtained a duplicate SIM card in a citizen’s name and withdrew Rs8.5 million from his bank account linked to his phone number.

According to details, the National Cyber Crime Investigation Agency (NCCIA) has initiated an inquiry after receiving a complaint from a citizen named Sunny Kumar.

Kumar stated that on September 29, 2025, between 7 and 8 p.m., while he was in Karachi, his mobile SIM card suddenly stopped working. The following day, he visited the mobile company’s business center in Karachi, where he was informed that a duplicate SIM had been issued in his name from Hyderabad — without his biometric verification. The same number, he said, was linked to his bank account.

When Kumar checked his bank account, he discovered that Rs8.5 million had been illegally withdrawn overnight through over 100 transactions, with the money transferred to multiple other accounts.

NCCIA officials said that the complainant provided relevant evidence, after which the agency requested records from both the private bank and the mobile network company involved. However, officials said that neither institution provided complete information as requested.

The agency summoned the branch manager of the concerned bank along with all relevant records. Instead, a relationship manager appeared and submitted only the complainant’s bank statement and partial transaction history. She was instructed to submit the remaining documents, but the bank has yet to provide the full record.

Similarly, the head of compliance at the mobile company was asked to furnish relevant records. Despite multiple reminders, the company submitted vague and unsatisfactory responses. Later, the Manager of Franchise Services and Governance and the Senior Executive of GR and Regulatory Affairs appeared before investigators and provided partial data.

According to NCCIA officials, the company representatives were asked 48 questions regarding SIM issuance, security protocols, accountability measures, device location tagging, and BVS (Biometric Verification System) SOPs, but they refused to respond, seeking additional time to submit written answers with supporting documents.

Investigators said the transaction pattern indicates a planned cyber-financial fraud, involving unauthorized access to the complainant’s digital banking account after a SIM-swap scam.

The officials further noted that criminal negligence in reissuing the SIM card directly enabled access to the victim’s bank account, while the bank also failed to exercise due diligence in monitoring suspicious transactions.