Hackers duped a retired colonel of Rs 28 lakh without an OTP

TECH

Hackers duped a retired colonel of Rs 28 lakh without an OTP

bySudha Saxena
17 Nov, 2025

Hackers have cyber-scammed a retired colonel, swindling him out of ₹2.8 million. Surprisingly, the hackers didn't collect an OTP, instead sending him an APK file directly, which the colonel downloaded

Cyber security experts often advise against sharing this OTP on your mobile with unknown or suspicious people. Doing so could make you a victim of cyber fraud. However, a retired colonel was duped without even sharing the OTP. The case is a bit surprising, but hackers cleverly duped the retired army officer of Rs 28.87 lakh. They carried out this cyber fraud by simply making him download an APK file. Let's understand how the hackers carried out this fraud and how you can avoid falling prey to such fraud.

Sent the APK file and asked to install it.

The 420 report states that retired Colonel Gopal Canal, who lives in Sector 28, Noida, received a call on November 7th. The caller identified himself as an official with Indraprastha Gas Limited (IGL). He talked about renewing his gas connection. He then sent an APK file on WhatsApp and asked him to open and install it. The Colonel, unsuspecting, opened the file. For the next two days, from November 7th to 9th, there were no suspicious messages, calls, or activity, suggesting everything was fine.

Cheated without OTP

On November 10, the colonel's phone suddenly received 13 bank alerts. Seven of these were IMPS transfers. IMPS stands for Immediate Payment Service. It's a bank service that allows you to send money instantly. The money reaches another account within seconds. It works day and night, even on holidays. An OTP is required for IMPS, but the retired colonel never received one. The fraudsters also used his credit card and exhausted his limit. By the time the colonel realized it, ₹28.87 lakh had been withdrawn.

What did the cyber expert say?

Cyber experts said that the APK file received from WhatsApp contained spyware. This gave the fraudsters control over the phone.
- The fraudsters gained complete admin access to the phone.
- They cloned the SIM card linked to the bank.
- All SMS alerts and OTPs started going to the fraudsters' phones.
- No messages came on the victim's phone.
- The fraudsters gained complete control of internet banking, credit card and other services.

This is how you can save yourself

- Do not install any APK file received on WhatsApp, especially those from unknown sources.
- No government agency or utility service asks for APK verification.
- If SMS alerts suddenly stop or the phone's network goes down for no reason, it could be a sign of SIM cloning.
- Put a biometric lock on all banking apps and change the passwords regularly.
- If the SIM seems to be deactivated for no reason, contact the telecom company immediately.

Image Credit: Freepik