Live Investigation · OLX Marketplace Fraud

OLX UPI Collect Fraud — Forensic Dissection

From a single WhatsApp interaction and two images, Zarelva reconstructed the operator's device profile, network behavior, payment mechanism, and attribution path — using only passive forensic techniques. No device access. No active exploitation. Everything below was derived from what the fraudster chose to send.

📅 April 2026 ⏱ 12 min read 🔬 Passive Forensics · ZFRA™ 📂 Case Ref: ZFI-2026-0413-OLX
Case Study Disclosure

This case study is based on a real OLX fraud attempt analyzed by Zarelva in April 2026. The analysis was passive throughout: no active exploitation, no device access, no network interception. Every finding below was derived from material the fraudster chose to send.

Case Snapshot
Fraud Type: OLX Seller / UPI Collect Scam
Time to Contact: < 3 minutes after listing
Operator Type: Semi-automated chat-farm
Device Profile: Android mid-range · WhatsApp Business
Stage Reached: Stage 2 of 5 — Blocked
Attribution Anchor: Paytm POS TID → KYC chain

The Contact

A seller posts on OLX. Within minutes, not hours, a WhatsApp message arrives from an unknown number: "Location send me." The seller shares their Google Maps location. Thirty-three seconds later the first of two images arrives, and the second follows 72 seconds after that: first, a UPI QR code labeled "Received Money ₹1.00"; second, a Paytm Business POS terminal showing a processing screen with a Visa card inserted.

The exchange is sparse. No product questions. No price negotiation. No name. The operation appears routine. That is by design.

Zarelva's analysis of this interaction produced a device fingerprint, network assessment, full payment mechanism breakdown, and three viable attribution paths — from a 581-byte text file and two JPEG images totaling 67KB.

Primary Finding

The QR code labeled "Received Money ₹1.00" is not a payment receipt. It is the operator's own receive-money QR, which encodes the operator's UPI VPA as payee: scanning it opens a payment from the victim's account to the operator, never a credit to the victim. In effect it is a collect against whoever scans it. The label is the deception. The ₹1 amount is deliberate calibration: it conditions the victim to enter their UPI PIN for a trivial amount before the real extraction begins.

The Evidence Set

WhatsApp strips EXIF metadata (GPS coordinates, device model, capture timestamp) from images sent as photos before transmission; only media sent as a document keeps it, and nothing here was. There is no direct device data in this evidence set. What remains is what can be derived: compression signatures, aspect ratios, pixel distributions, timing sequences, and behavioral patterns encoded in the interaction itself.

Evidence Inventory
Source: Real OLX fraud attempt, analyzed by Zarelva, April 2026
Suspect number: +91 78770 92183
WA display name: ~Ravi Kumar (WhatsApp Business, name override)
Contact timing: Within minutes of OLX listing
Image 1: 540×669 px · 36.4 KB · JPEG quant avg: 35.6
Image 2: 540×866 px · 30.3 KB · JPEG quant avg: 35.6
EXIF data: Stripped (WhatsApp transmission confirmed)
Timestamp anomaly: Message 2 precedes Message 1 by 6 s (offline-compose artifact)
Telecom prefix: 787xx, Rajasthan telecom circle

Finding 01 — The JPEG Fingerprint

WhatsApp re-encodes every photo on the sending client before upload, at a fixed quality setting. The quantization tables embedded in a JPEG record which encoder and quality setting produced the file, so two images that left the same client carry the same tables. The tables are a property of the sending app build and platform, not of the camera or of the source image.

Analysis of both images returned an identical average JPEG quantization value of 35.6. One image was a screenshot. One was a camera photograph taken indoors. Different capture methods, different content — same quantization signature.

Finding F-01 · Confidence: High
Both images originated from a single device

Identical quantization signatures across two differently sourced images are consistent with both having been encoded by the same WhatsApp client on the same device. Forwarded media is not re-encoded, so an image received from another device and forwarded would carry that device's encoder signature instead. Two caveats belong in the record: an identical average is weaker evidence than identical tables entry for entry (different tables can share a mean), and any two devices running the same WhatsApp build produce the same tables, so this finding separates "one client" from "forwarded from elsewhere" rather than one handset from all others. On that basis the POS terminal photograph was taken on the operator's own primary phone. This is live operational media from the operator's camera, not a shared fraud-kit asset being relayed.
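What the quantization comparison actually does, as an added example written for this page (not Zarelva's tooling): the block parses the DQT segments of a JPEG header and compares two files. The sample files are constructed in-memory headers built from the Annex K base tables with libjpeg's quality scaling; they are assumptions standing in for the two WhatsApp images, which this page does not reproduce.

```python
"""Recover and compare JPEG quantization tables from two files.

Added example for this write-up; not Zarelva's tooling. The two sample
"files" are constructed in memory (SOI + DQT + SOS header only, not decodable
images), built with the IJG quality-scaling rule so the example runs offline.
"""
import struct

# Annex K (ITU-T T.81) base tables: the defaults that libjpeg scales by quality.
BASE_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]
BASE_CHROMA = [
    17, 18, 24, 47, 99, 99, 99, 99,
    18, 21, 26, 66, 99, 99, 99, 99,
    24, 26, 56, 99, 99, 99, 99, 99,
    47, 66, 99, 99, 99, 99, 99, 99,
] + [99] * 32


def ijg_scale(base, quality):
    """libjpeg's jpeg_quality_scaling + jpeg_add_quant_table (8-bit baseline)."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (b * scale + 50) // 100)) for b in base]


def build_header(quality):
    """Constructed sample: a JPEG header carrying two 8-bit DQT tables."""
    luma, chroma = ijg_scale(BASE_LUMA, quality), ijg_scale(BASE_CHROMA, quality)
    payload = bytes([0x00]) + bytes(luma) + bytes([0x01]) + bytes(chroma)
    dqt = b"\xff\xdb" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + dqt + b"\xff\xda"          # SOI, DQT, SOS (truncated)


def iter_segments(data):
    """Yield (marker, payload) for each header segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                      # EOI, or SOS: scan data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_dqt(payload):
    """DQT payload -> {table_id: [64 ints]}; handles 8- and 16-bit precision."""
    tables, i = {}, 0
    while i < len(payload):
        precision, table_id = payload[i] >> 4, payload[i] & 0x0F
        i += 1
        if precision:
            tables[table_id] = list(struct.unpack(">64H", payload[i:i + 128]))
            i += 128
        else:
            tables[table_id] = list(payload[i:i + 64])
            i += 64
    return tables


def quant_tables(data):
    tables = {}
    for marker, payload in iter_segments(data):
        if marker == 0xDB:
            tables.update(parse_dqt(payload))
    return tables


def quant_signature(data):
    """(mean of all table entries, tables). The mean is the page's 'quant avg'."""
    tables = quant_tables(data)
    values = [v for t in tables.values() for v in t]
    return round(sum(values) / len(values), 1), tables


def same_encoder(a, b):
    """Entry-for-entry table equality: stronger than comparing averages."""
    return quant_tables(a) == quant_tables(b)
```

Two things the example makes concrete. An equal average (the 35.6 above) is a summary; the comparison worth recording in a finding is same_encoder, table against table. And the tables depend only on the encoder and its quality setting, so identical tables mean "same encoder configuration", which is exactly what the "same client, not forwarded" inference rests on and no more.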

Finding 02 — The Status Bar Crop

Image 1, the UPI QR screenshot, has a post-transmission aspect ratio (width over height) of 540/669 = 0.807. WhatsApp rescales images but preserves their aspect ratio, so this is the ratio of the file as sent. Standard smartphone panel ratios in the Indian market, expressed the same way: 16:9 (0.5625), 18:9 (0.5), 19.5:9 (0.4615), 20:9 (0.45). None approach 0.807. Even under the widest of these, a full-height screenshot at 540 px wide would be 960 px tall, so at least 291 rows are missing. The screenshot was deliberately cropped before sending.

An Android status bar carries: the icon style and layout of the manufacturer's ROM, network carrier name, connection type (4G/5G), signal strength, battery percentage, and system clock. All of these are passive device fingerprinting signals. The bottom navigation bar, also removed, would at minimum reveal whether the device uses gesture or three-button navigation, another weak device signal.

Operational Security Signal

This is not accidental cropping. The status bar removal is a trained behavior — the operator has been instructed in basic counter-forensics. Lone actors rarely know to do this. Organized cells train it explicitly. This is one of several signals pointing toward a structured operation rather than an opportunistic individual.

Finding 03 — The Timestamp Anomaly

The WhatsApp export contains a temporal inversion: the location-request message carries a timestamp of 20:24:03, while the preceding system encryption notice carries 20:24:09 — placing the second message six seconds before the first in absolute time.

This is a known WhatsApp delivery artifact. A message's timestamp is set by the sender's device at compose time, while the encryption notice is stamped by the recipient's device when the chat is first created on receipt. A message composed while the sender was briefly offline, queued locally, and delivered when connectivity returned therefore carries an earlier time than the notice that precedes it in the export. The alternative explanation, a six-second clock offset between the two handsets, cannot be excluded from the export alone, which is why the finding below is rated Medium.

Finding F-02 · Confidence: Medium
Mobile data on an unstable connection — not WiFi

The dropout pattern is inconsistent with stable home or enterprise WiFi, which does not produce message-queue artifacts at this timescale. It is consistent with 4G connectivity on a congested or geographically marginal tower — the network profile of fraud cells in Rajasthan, Jharkhand, and Haryana, which operate predominantly on mobile data to avoid fixed-line attribution.

Finding 04 — The Timing Cadence

The target's location was received at 20:25:23. Image 1 arrived at 20:25:56 — 33 seconds later. Image 2 arrived at 20:27:08 — 72 seconds after Image 1.

Thirty-three seconds is at the boundary of human speed for the manual sequence: open gallery, locate image, attach, send. It is fully consistent with a pre-selected asset in a quick-access location, triggered immediately on location receipt. The 72-second gap before Image 2 is not browsing time. It is deliberate hold time, scripted to allow the target to examine the first image before the second prop arrives.

"The 72-second gap is not hesitation. It is the script breathing."

Finding F-03 · Confidence: High
Semi-automated chat-farm operation with scripted timing

This is not fully automated — a human operator is present and responsive. Nor is it purely manual — the image delivery cadence is too consistent and deliberate. Most probable setup: a human operator managing 5–15 simultaneous WhatsApp conversations with fraud media assets pre-staged in a rapid-access location, and scripted timing intervals between sends. One operator, one device, multiple concurrent victims.
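The two timing findings above come from the same export, and this added example (written for this page, not Zarelva's tooling) reads both signals from one parser. The export below is a constructed sample laid out in WhatsApp's Android export format with a seconds field to match the timestamps quoted in Findings 03 and 04; the sender string is the suspect number from the Evidence Inventory, and the message texts are stand-ins.

```python
"""Parse a WhatsApp chat export and read its timing signals.

Added example for this write-up, not Zarelva's tooling. The export below is a
constructed sample in the Android export layout ("dd/mm/yy, HH:MM:SS - sender: text"),
with times taken from Findings 03 and 04 of the case study.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

OPERATOR = "+91 78770 92183"

SAMPLE_EXPORT = """\
13/04/26, 20:24:09 - Messages and calls are end-to-end encrypted. Tap to learn more.
13/04/26, 20:24:03 - +91 78770 92183: Location send me
13/04/26, 20:25:23 - Seller: location shared
13/04/26, 20:25:56 - +91 78770 92183: IMG-20260413-WA0001.jpg (file attached)
13/04/26, 20:27:08 - +91 78770 92183: IMG-20260413-WA0002.jpg (file attached)
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{2,4}), (\d{2}:\d{2}:\d{2}) - (.*)$")


@dataclass
class Msg:
    ts: datetime
    sender: Optional[str]   # None for a WhatsApp system notice
    text: str


def parse_export(text: str) -> List[Msg]:
    msgs: List[Msg] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                         # continuation line of a multi-line message
            if msgs:
                msgs[-1].text += "\n" + line
            continue
        date, clock, body = m.groups()
        fmt = "%d/%m/%y" if len(date) == 8 else "%d/%m/%Y"
        ts = datetime.strptime(f"{date} {clock}", f"{fmt} %H:%M:%S")
        sender, sep, rest = body.partition(": ")
        msgs.append(Msg(ts, sender, rest) if sep else Msg(ts, None, body))
    return msgs


def find_inversions(msgs: List[Msg]) -> List[Tuple[int, int]]:
    """(index, seconds) for every line stamped EARLIER than the line before it.

    Export order is receipt order; a negative gap means the message was stamped
    before the recipient saw the preceding line (offline queue, or clock skew)."""
    out = []
    for i in range(1, len(msgs)):
        gap = int((msgs[i].ts - msgs[i - 1].ts).total_seconds())
        if gap < 0:
            out.append((i, gap))
    return out


def reply_cadence(msgs: List[Msg], operator: str, trigger: str) -> List[int]:
    """Seconds from the target's trigger message to the operator's next message,
    then between each subsequent operator message."""
    start = next(i for i, m in enumerate(msgs)
                 if m.sender not in (None, operator) and trigger in m.text.lower())
    times = [msgs[start].ts] + [m.ts for m in msgs[start + 1:] if m.sender == operator]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("inversions:", find_inversions(parsed))                                   # [(1, -6)]
    print("cadence after location:", reply_cadence(parsed, OPERATOR, "location"))  # [33, 72]
```

find_inversions flags any line stamped earlier than the one before it; reply_cadence measures the operator's sends after the target's location. A negative gap is equally consistent with an offline queue and with clock skew between the two handsets, which is why the export alone carries Finding F-02 only at the Medium confidence given above.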

Finding 05 — The POS Terminal as Attribution Asset

Image 2 is a physical photograph of a Paytm Business POS device — a handheld Android terminal with integrated thermal printer and chip-and-swipe card reader. The device was deployed as a visual trust prop: signaling the operator is a legitimate business buyer mid-transaction. It plays no functional role in the payment mechanism of this fraud variant.

Finding F-04 · Confidence: Critical
Paytm PoS Terminal ID — the highest-value attribution asset in this evidence set

Every Paytm Business PoS device carries a permanent Terminal ID (TID) registered in Paytm's backend and bound to a Merchant ID (MID). The MID is linked to a full KYC record: PAN, Aadhaar, GSTIN, registered business address, and bank settlement account. Every transaction on this device is logged.

A single law enforcement production order to One97 Communications (Paytm), with this image and the approximate date range, resolves the terminal to its merchant KYC chain regardless of how many SIM cards have been discarded. SIM cards are disposable. Hardware KYC is not. Two caveats: the TID must be recoverable, either legible in the image or matched from the terminal's transaction log against the date range, and the merchant of record may itself be a mule or a rented onboarding, in which case the chain yields the next link rather than the operator.

The Payment Mechanism

The fraud exploits a gap between the UPI protocol and the user's mental model of it. In UPI a QR code always identifies a payee: whoever scans it is the payer, and no QR exists that credits the scanner. But the app screens for sending and for receiving both show QR codes, so users associate "QR" with money movement rather than with its direction. The operator screenshots their own PhonePe "Receive Money" screen, which encodes their own UPI VPA as payee, and transmits it as apparent proof that ₹1 has been sent to the target.

When the target scans the code, their UPI app opens a payment-to interface directed at the operator's account. The script instructs: "Enter your PIN to confirm receipt." The target, believing they are confirming a credit, completes a debit. The ₹1 amount is calibration — it establishes the PIN-entry reflex before escalation.

Action: Target scans QR
Effect: UPI opens SEND flow
Trigger: Target enters PIN
Result: Operator receives ₹1
Escalation: "Error — retry for full amount"

The escalation loop follows: technical error fees, GST verification charges, bank hold release payments. Each step is a new collect request. Documented victim losses in this variant range from ₹30,000 to ₹5,00,000 in a single session.

The OLX Monitoring Infrastructure

Contact within minutes of listing publication is not organic. Two mechanisms are assessed at high probability: automated scraping bots polling OLX's listing endpoints every 30–120 seconds, distributing leads to private Telegram channels where operators compete for first-claim; and OLX's own buyer-alert notification system exploited through hundreds of registered accounts with persistent saved searches across every city and category.

The scraping infrastructure is operationally accessible: a Python script on a ₹500/month VPS, rotating residential proxies, monitoring 50+ cities simultaneously. The Telegram distribution creates a competitive race for each lead — explaining sub-5-minute contact times.

The Fraud System — End to End
Infrastructure: OLX Listing
Automation: Scraper Bot
Distribution: Telegram Leads
Human Layer: Chat Operator
Weapon: UPI Collect QR
Laundering: Mule Account
Cash-Out: Withdrawer

This is not a scam. It is a system.

The scraper runs continuously. The Telegram channel distributes leads in real time. The operator follows a script. The mule account drains within 10 minutes. Each role is replaceable — the operator can be arrested and the infrastructure runs the next day with a different SIM, a different name, the same playbook. Detection designed around the system — scraping patterns, lead distribution velocity, mule account behaviour, POS device registry — produces structural disruption. Targeting individual actors alone does not.

Device Profile — Reconstructed

Combining the forensic signals: Android operating system (probable, from the status-bar crop geometry and the WhatsApp Business profile; the chat export format reflects the exporting device, the seller's, and says nothing about the operator's); mid-range device, ₹8,000–₹20,000 (the image-sensor patch variance of 180 in indoor conditions rules out sub-₹6K hardware); WhatsApp Business with display name override; likely dual-SIM; a number allocated to the Rajasthan telecom circle (787xx series; with mobile number portability this fixes the allocation, not the current circle); mobile 4G with intermittent connectivity. The sophistication in this operation is in the playbook and infrastructure, not the hardware.

Attribution Paths

Three paths exist with meaningful probability of successful attribution, ranked by expected return:

Path 01: Paytm PoS TID subpoena · Yields: PAN, Aadhaar, GSTIN, bank account of registered merchant · Access: LEA only
Path 02: UPI VPA decode + NPCI complaint · Yields: PhonePe account holder KYC, linked bank account · Access: Now
Path 03: Telecom CDR subpoena · Yields: SIM registration KYC + tower location (~500 m radius) · Access: LEA only
Actionable Now — No Law Enforcement Required

The QR code in Image 1 encodes the operator's PhonePe UPI VPA directly: any standard QR reader app returns the upi:// payload, and its pa= parameter is the VPA string. Reporting that VPA through PhonePe's in-app fraud channel and NPCI's complaint process, and logging the case on the National Cyber Crime Reporting Portal (cybercrime.gov.in) or the 1930 helpline, initiates the freeze and account-review process with no court order. The KYC record itself is released to law enforcement, not to the complainant; what the complainant obtains now is the freeze and a case reference that feeds Paths 01 and 03.
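Decoding the QR, as an added example for the Payment Mechanism section and for the Actionable Now path above (written for this page; not Zarelva's, PhonePe's or NPCI's code). The payload is a constructed sample: the parameter names follow NPCI's UPI deep-link format, but the VPA example.merchant@ybl is a placeholder, not the operator's address, which this page does not publish.

```python
"""Decode a UPI QR payload and state which way money moves.

Added example for this write-up, not Zarelva's tooling. The payload below is a
constructed sample: the VPA is a placeholder, not the operator's real address.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Placeholder VPA; parameter names (pa, pn, am, cu, tn) are from NPCI's UPI deep-link spec.
SAMPLE_QR = "upi://pay?pa=example.merchant@ybl&pn=Ravi%20Kumar&am=1.00&cu=INR&tn=Received%20Money"

VPA_RE = re.compile(r"^[A-Za-z0-9._-]{2,}@[A-Za-z]{2,}$")

# Well-known PSP handles (hint only: a handle identifies the PSP/bank, not the user).
HANDLE_HINTS = {
    "ybl": "PhonePe (Yes Bank)", "ibl": "PhonePe (ICICI)", "axl": "PhonePe (Axis)",
    "paytm": "Paytm", "upi": "BHIM",
    "okaxis": "Google Pay", "okicici": "Google Pay", "oksbi": "Google Pay", "okhdfcbank": "Google Pay",
}


def is_upi_intent(payload: str) -> bool:
    return urlsplit(payload).scheme.lower() == "upi"


def decode_upi_qr(payload: str) -> Dict[str, Optional[str]]:
    """Parse upi://<action>?... into its fields and label the money direction.

    A UPI QR always names a PAYEE (pa=). The scanner is always the payer; there is
    no QR that credits the scanner, whatever caption the screenshot carries."""
    u = urlsplit(payload)
    if u.scheme.lower() != "upi":
        raise ValueError("not a UPI deep link")
    action = (u.netloc or u.path).strip("/").lower()
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    vpa = q.get("pa", "")
    if not VPA_RE.match(vpa):
        raise ValueError(f"malformed payee address: {vpa!r}")
    handle = vpa.rsplit("@", 1)[1].lower()
    return {
        "action": action,
        "payee_vpa": vpa,
        "payee_name": q.get("pn"),
        "amount": q.get("am"),
        "currency": q.get("cu", "INR"),
        "note": q.get("tn"),
        "psp_hint": HANDLE_HINTS.get(handle, "unknown handle"),
        "money_moves": "from the SCANNER's account to " + vpa,
    }


def confirmation_warning(decoded: Dict[str, Optional[str]]) -> str:
    """The warning the page proposes for the PIN screen, built from the decoded intent."""
    amount = decoded["amount"] or "an amount you will enter"
    return (f"YOU ARE SENDING ₹{amount} to {decoded['payee_vpa']} "
            f"({decoded['payee_name'] or 'unnamed payee'}). Scanning a QR never credits you.")


if __name__ == "__main__":
    d = decode_upi_qr(SAMPLE_QR)
    for k, v in d.items():
        print(f"{k:12} {v}")
    print(confirmation_warning(d))
```

Any QR reader returns the upi:// string; the pa= field is the VPA to report. The money_moves field is the whole point: no UPI QR credits the scanner, so "Received Money" as a caption on a QR is already the tell. EMVCo/Bharat QR payloads, which carry the UPI address inside a tagged TLV rather than a upi:// link, are not handled here.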

Implications for Platforms and Banks

The detection signals in this case exist at platform level and are actionable without compromising the user experience. OLX can implement contact-velocity scoring — flagging new buyer accounts messaging freshly posted listings within minutes. Cross-state telecom circle contact patterns are matchable against known fraud geography clusters. First-message NLP classification on phrases like "location send me" — which contain zero product-interest signal — is achievable with basic tooling.

On the payment side: UPI apps can render prominent warnings on collect requests from new payees. Banks can flag zero-balance accounts receiving their first-ever collect requests from multiple unique users within 24 hours. The highest-leverage single intervention is a UPI app UI change: a prominent "YOU ARE SENDING MONEY" warning on the collect confirmation screen before PIN entry. One design decision structurally breaks this attack vector.
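The platform-side and payment-side rules above, as an added example written for this page (not OLX's, NPCI's or any bank's detection logic). The thresholds (5 minutes, 1 day, 3 distinct payers in 24 hours) and the event records are constructed assumptions, and a new-payee age check stands in for the zero-balance condition in the text.

```python
"""Platform-side and payment-side detection rules from the Implications section.

Added example for this write-up, not OLX's, NPCI's or any bank's logic. Thresholds
are hypothetical starting points; the event records are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAST_CONTACT = timedelta(minutes=5)
NEW_BUYER = timedelta(days=1)
NEW_PAYEE_DAYS = 7
SCRIPT_OPENERS = ("location send", "send location", "share location", "send me location")
PRODUCT_TOKENS = ("price", "condition", "model", "warranty", "bill", "year", "negotiable")


def score_contact(listing: dict, contact: dict, first_message: str) -> Tuple[int, List[str]]:
    """Contact-velocity and first-message scoring for one buyer -> seller opener."""
    reasons = []
    latency = contact["contacted_at"] - listing["posted_at"]
    if latency < FAST_CONTACT:
        reasons.append(f"contact {int(latency.total_seconds())}s after listing went live")
    if contact["contacted_at"] - contact["buyer_created_at"] < NEW_BUYER:
        reasons.append("buyer account under 1 day old")
    if contact["buyer_circle"] != listing["circle"]:
        reasons.append(f"buyer number circle {contact['buyer_circle']} vs listing circle {listing['circle']}")
    msg = first_message.lower()
    if any(p in msg for p in SCRIPT_OPENERS) and not any(t in msg for t in PRODUCT_TOKENS):
        reasons.append("scripted opener with zero product-interest signal")
    return len(reasons), reasons


def collect_fan_in(requests: List[dict], window: timedelta = timedelta(hours=24),
                   min_payers: int = 3) -> Dict[str, int]:
    """Flag NEW payee accounts receiving collect requests/credits from >= min_payers
    distinct payers inside any `window`. Returns {payee_vpa: distinct payers}."""
    by_payee = defaultdict(list)
    for r in sorted(requests, key=lambda r: r["ts"]):
        by_payee[r["payee_vpa"]].append(r)
    flagged = {}
    for vpa, rs in by_payee.items():
        if rs[0]["payee_age_days"] > NEW_PAYEE_DAYS:
            continue
        for i, first in enumerate(rs):                       # sliding window
            payers = {x["payer_id"] for x in rs[i:] if x["ts"] - first["ts"] <= window}
            if len(payers) >= min_payers:
                flagged[vpa] = len(payers)
                break
    return flagged


T0 = datetime(2026, 4, 13, 20, 21)      # constructed listing time

LISTING = {"id": "L1", "posted_at": T0, "circle": "Delhi"}
SCRIPTED = {"contacted_at": T0 + timedelta(minutes=2, seconds=40),
            "buyer_created_at": T0 - timedelta(minutes=11), "buyer_circle": "Rajasthan"}
BENIGN = {"contacted_at": T0 + timedelta(hours=3),
          "buyer_created_at": T0 - timedelta(days=200), "buyer_circle": "Delhi"}

# Constructed payment events: a 2-day-old payee hit by four distinct payers in three
# hours, next to an established shop with ordinary customer traffic.
REQUESTS = (
    [{"payee_vpa": "mule@ybl", "payer_id": f"victim{i}", "payee_age_days": 2,
      "ts": T0 + timedelta(hours=i)} for i in range(4)]
    + [{"payee_vpa": "shop@paytm", "payer_id": f"cust{i}", "payee_age_days": 400,
        "ts": T0 + timedelta(hours=i)} for i in range(6)]
)

if __name__ == "__main__":
    print(score_contact(LISTING, SCRIPTED, "Location send me"))
    print(score_contact(LISTING, BENIGN, "Is the price negotiable? What condition is it in?"))
    print(collect_fan_in(REQUESTS))   # {'mule@ybl': 4}
```

score_contact returns a count plus the reasons so a reviewer can see which signal fired; the fan-in rule keys on new payees only, which is what keeps an established shop with many customers out of the flagged set.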

Zarelva · Fraud Intelligence & Risk Architecture

Fraud is not random. It is engineered.

This case started with a single message. It ended with a full reconstruction of device, infrastructure, and payment flow — from 67KB of evidence.

Zarelva builds fraud detection systems that understand the attack, not just block the outcome. Transaction monitoring architecture, merchant risk design, AML/KYC review, and intelligence-grade case analysis for fintechs, NBFCs, PSPs, and marketplaces.