The Dark World of Deepfaked Debt
India’s online loan sharks are blackmailing borrowers with fake images.
MAY 30, 2023
Hariharan’s closest friend won’t talk to him anymore. Settling into a new job last year, the marketing professional was struggling with additional expenses that came with moving to Chennai and having a second child. His credit score was so low he couldn’t think of applying for a bank loan. That’s when he came across an app that offered a one-click loan, to be repaid within 60 days. He downloaded the app from the Google Play Store and filled out his details, including the desired amount of 15,000 Indian rupees ($180). Within minutes, he received 9,000 rupees in his bank account. The missing 6,000 rupees were tagged as a processing fee. Hariharan was grateful for the cash and aimed to pay it back when his next salary rolled in. He did not know then that his time was running out.
“On the sixth day, I had a text message from an unknown number saying, ‘You need to pay 15,000 rupees now,’” he told me over the phone. The sender then texted a link for an online money transfer, following up with a phone call to stress the urgency. Hariharan had already begun collecting the funds when further threats came in. “I reminded him that my due date [for repayment] was next month,” Hariharan said. “Since he refused to listen to me, I requested him to give me two more days.” Instead of responding to his request, the recovery agent sent him an image file over WhatsApp.
Hariharan couldn’t believe what he saw: “It was a photo of me in a sexually intimate position with a woman I didn’t know.” Zooming in, he saw his face had been pasted on another man’s body. It was the same mug shot the app had recorded after he gave it access to his phone’s camera in order to secure the loan. “Below the morphed image, they had written a defamatory post about me,” he said, referring to the recovery agents. Before he knew what to do, the image went out via WhatsApp to key contacts in his phone book from an unknown number. “To my wife, my colleagues, my close friends,” he said.
✺
Over the past two years, thousands of borrowers have suffered extreme consequences after availing themselves of quick loans from dubious apps that have flooded the Indian market. According to data from the National Crime Reporting Portal in India, complaints related to suspicious loan apps increased from 61 in 2021 to 900 in 2022.
Few of these apps have functional websites, and the emails and phone numbers provided on the Play Store are mostly unreachable or nonexistent. Many of the harmful apps have one thing in common: a link to China, whether they’re owned by companies registered in China, hosted on servers located in China or routing money to bank accounts opened in China.
Many Indians depend on debt from one source or the other, from local moneylenders to financial institutions. The pandemic-led economic crisis deepened the levels of indebtedness, especially among lower-income households in cities. Millions of people lost their jobs; few social services kept them afloat. With access to neither a bank loan — which requires paperwork, such as proof of address and income, that is often unattainable to migrant workers — nor the networks of familiarity that fuel private moneylending, more of them are turning to their mobile phones to bail them out.
At least 14 percent of Indian citizens had used an app to take out an instant loan in the last two years, according to a 2022 survey by LocalCircles, a social network that focuses on civic engagement, which polled 27,500 people across 409 districts.
Victims have said that a request for a one-click loan can be approved in only five minutes. But something crucial happens in that brief time. The app asks the user for permission to access their mobile phone’s data and features — contact list, location, camera, microphone, files, image gallery and text messages. Saying no is not an option, as doing so prevents the user from proceeding to the next step of the application process. The user then chooses a loan amount and uploads their government-issued personal and financial identification cards. To complete the customer verification, they either allow the app to capture a mug shot or record a selfie video. The app has full access to this data, explicitly laid out in the terms-and-conditions document that most people sign without reading.
In December 2020, a 28-year-old software engineer in Hyderabad who had lost his job in the pandemic, died by suicide after loan recovery agents shamed him in a WhatsApp group they had created by picking close contacts from his phone book.
As many as 54 percent of those surveyed by LocalCircles said they or someone in their family or household had faced extortion from a loan app, often through misuse of personal data.
In December 2020, a 28-year-old software engineer in Hyderabad who had lost his job in the pandemic, died by suicide after loan recovery agents shamed him in a WhatsApp group they had created by picking close contacts from his phone book. Since then, over 60 people have killed themselves after facing humiliation from lending apps. Some of them posted video testimonies on social media before ending their lives. As the harassment continues unabated, the victims have started to mobilize against the recovery methods used by digital lenders.
Two days after he received the deepfaked pornographic image of himself, Hariharan registered a complaint at his local police station reporting the app and the phone numbers used by its recovery agents. “The calls stopped after that,” he said. But his fear and anxiety wouldn’t subside. “That’s when a friend who had taken loans from 150 apps since the initial days of the pandemic told me about a support group for victims of app harassment,” he said. That same day, Hariharan contacted SaveThem India Foundation, a nongovernmental organization campaigning for data privacy and protection, to record his testimony and apply for justice.
Pravin Kalaiselvan, a social entrepreneur, started the organization in 2020 after experiencing the same form of predatory lending. “On March 10, I took a 15,000 rupee loan from CashBean, and I was going to repay it on time,” he said. But before the due date, his father received a call about recovery.
SaveThem India Foundation has evolved from a Twitter hashtag to a full-fledged operation that works against the extortionary tactics used by loan apps. Today its 80 volunteers carry out a variety of roles, such as managing phone and email hotlines, liaising with local law enforcement, running cybersecurity investigations and lobbying policymakers. They have helped police officers trace perpetrators and have addressed students at multiple college campuses about data privacy laws and prevention measures. The hotlines receive between 400 and 500 complaints every month, Kalaiselvan told me.
These complaints have given Kalaiselvan a good sense of the average profile of the loan app user. “They are aged 22 to 50,” he said. “Most of them are in low-salary jobs.” Given that more than 65 percent of India’s blue-collar employees earn a monthly salary of less than 15,000 rupees ($180), their numbers would be substantial. Most of them discover lending apps while searching the internet for how to get a quick loan. “They typically seek a loan on the 20th or 21st of a month, when they have run out of their salaries,” he said.
The harassment doesn’t always stop once a user has repaid. Victims have complained that in some instances, the apps extorted money from them even afterward.
The exploitation starts with the arbitrary processing fees that eat up a big chunk of the loan. It continues a week later, when loan apps ask borrowers to repay the full amount after only a few days. “The harassment starts on the sixth day, then the penalties kick in,” Kalaiselvan said.
Those who can’t repay the loan in full by the seventh day are sucked into a cycle of abuse and blackmail that can go on for months, if not longer. The harassment doesn’t always stop once a user has repaid. Victims have complained that in some instances, the apps extorted money from them even afterward.
With a user’s entire phone book at their fingertips, the agents can search by keywords — didi (sister), papa, boss, dost (friend) — for contacts who will be the first to receive the defamatory message. The message often contains a pornographic deepfake featuring the borrower. The sleazy image is accompanied by sordid text denouncing the borrower for sexual deviancy. The men are often accused of incest; the women are literally slut-shamed.
One morning in March 2022, some friends and family members of a woman named Hillary, a marketing executive in the western city of Pune who declined to use her full name, received an image over WhatsApp from an unknown number. Across a scan of her financial identification card, which showed her face, someone had typed in red letters. “It said I was available to make porn videos, and gave out my mobile number at the bottom,” Hillary told me over the phone. She had taken out a cumulative loan of 100,000 rupees from a mix of apps on the Play Store, to manage expenses related to her pregnancy. After her compromised photo was leaked, Hillary regretted handing over her phone permissions and personal documents to the apps. Her in-laws cut off ties with her after the image was shared with them. Her husband left her shortly afterward.
She has had to explain herself to people she didn’t know were even in her phone book: “A friend called me after receiving that photo who I hadn’t spoken to since graduating school.” When she went to the cyber police department, she said, she was asked to shrug off the incident: “‘Just ignore it, ma’am,’ I was told.” Since her ordeal, other women have approached the cyber police in Pune to report that loan app representatives circulated false images among friends and relatives. Most of these women are dealing with long-term damage to their relationships and reputation. Hillary said she would have ended her life if not for her responsibility for her children.
She came across an interview with Kalaiselvan and decided to join the cause. As a volunteer with SaveThem India Foundation, she has helped victims file police complaints, secure their personal data and stand up to abusive recovery agents. Many of the people she counsels come from within her own social circle. “My own cousin reached out to me the other day to share that her morphed photo was leaked to her contacts,” she said. “In this case, they wrote a defamatory post about her to accompany her photo and made it look like it was shared as an update on Facebook, complete with the logo and the notification tab.”
Victims also face invasion of their mobile phone photos. K.V.M. Prasad, an assistant commissioner of police in Hyderabad, said the alteration of app users’ private images is becoming malicious digital lenders’ weapon of choice. “Some would manipulate a man’s photo to show him in a compromising position with another woman,” he said. “Others will find the wife’s photo in his gallery and show her in a compromising position with another man.” In September 2022, a couple in rural Telangana died by suicide after the husband, who had taken loans from two apps, was blackmailed with an altered photo of his wife.
Because most lending apps available in India look and sound alike, a change of name hardly means losing clients. To operate in India, a foreign lending app must start a local company with an Indian director and partner with a financial entity that is licensed to issue loans. Scores of Chinese loan apps have skirted these regulations by floating shell companies, hiring dummy directors and bribing nonbanking financial companies into partnerships, according to police officers and security agencies. Following a deadly faceoff at a disputed border with China in May 2020, India banned hundreds of Chinese apps in retaliation. This led to a spike in the levels of secrecy deployed by suspicious apps regarding their ownership and other identifying details, to remain on the Play Store without attracting the attention of Indian authorities, cyber police said.
As a result, victims’ complaints often lead to investigators staring at ghost buildings or demanding answers from nonentities. “When we ask Google to provide us with details of a company, they will give us the phone number of, say, a motor mechanic who took 15,000 rupees from someone to become a dummy director,” Prasad explained. Following the money trail isn’t fruitful either because the repayments go not to a company’s bank account but to virtual accounts hosted on payment wallets. “The best we can do is ask the payment wallet to freeze those accounts,” Prasad said. In 2021, Razorpay, a financial technology company, blocked 400 lending apps from using its payment channels.
Whether Indian or foreign in origin, most of the apps hire domestic call centers to recover the loans. The presence of third-party recovery centers in every region is, in fact, a key indicator of the fast rate at which the instant loan market is growing. While joblessness soars — urban unemployment climbed to a record high of 10 percent last December — openings for loan recovery agents are abundant, calling out to job seekers who have no professional skills or experience. “Their recovery methods being illegal, you have Delhi agents calling up borrowers [across state lines] in Tamil Nadu and vice versa, to escape being caught,” Kalaiselvan said.
Only in extraordinary circumstances do police officers in India go out of their jurisdiction to investigate a case. Lately, however, police forces in many cities — Delhi, Gurugram, Mumbai, Chennai, Bangalore — have been raiding loan recovery call centers in a critical effort to tackle rising complaints. Still, chasing the recovery agents is hard. Callers may use masking technologies such as VPNs and call-spoofing apps to communicate with borrowers, according to interviews with police officers. A complaint by a woman in Hyderabad took Prasad to an individual agent in a village in Bihar, 1,450 kilometers away.
Google has purged harmful loan apps from the Indian Play Store based on user feedback for violating its policies as well as rules set by the Reserve Bank of India and law enforcement agencies. “In the past years, we have consistently worked towards combating fraud by personal loan apps on Google Play by updating our policies and review processes,” a Google representative said in a statement. “In India, in 2022, we have reviewed and taken necessary enforcement action, including removal of apps, on more than 3,500 personal loan apps for violations of the Play policy requirements.” But activists argue that the apps will come back with another name and logo. “They buy ready-made software,” Kalaiselvan said. “When you download an app — be it Wonder Loan, Lightning Loan or Fortune Loan — you will see the same CRM [Customer Relationship Management] portal and the same interface.”
In Chennai, Hariharan said he still breaks into a cold sweat every time his phone rings. He has deleted the app and reset his phone, but the trauma lingers. “I have to live with it.”
On April 5, Google announced an update to its policy on personal loans, severing the apps’ access to sensitive user data in India as well as Indonesia, Nigeria, Kenya and the Philippines, where borrowers complain of similar harassment tactics. “Apps that provide personal loans, or have the primary purpose of facilitating access to personal loans (i.e., lead generators or facilitators), are prohibited from accessing sensitive data, such as photos and contacts,” the company announced. Videos, precise location, call logs and external storage will also become out of bounds once the policy takes effect on May 31.
Lawmakers, too, are responding to the urgency of the problem. In September, Indian Finance Minister Nirmala Sitharaman advised the central bank to prepare a “whitelist” of apps that should be allowed to be listed on app stores. All others would be blocked.
Users and activists welcome the move, but not without apprehension about rogue apps outpacing regulators. Kalaiselvan pointed out the new trend of loan apps sending download links directly to potential customers via text message or WhatsApp to bypass the Play Store. The companies behind these apps buy databases of people who have previously taken small loans, he said. They don’t even need users to apply to them for a loan: “You only have to click on the link and download the app. Once an app has the user’s permissions, their agents will directly blackmail them for an online payment, via another link.”
In Chennai, Hariharan said he still breaks into a cold sweat every time his phone rings. He has deleted the app and reset his phone, but the trauma lingers. “I have to live with it.”