According to a World Bank report, cybersecurity risks are a major impediment to digital transformation. From website defacements and distributed denial-of-service attacks to personal data theft and ransomware, cybersecurity incidents can have significant economic and social consequences, particularly for developing countries. As essential goods and services such as energy, banking, water and healthcare become more reliant on digital technologies, the impact of cybersecurity incidents is increasing sharply. Developing countries are especially vulnerable, as they often lack the institutional capacity and technical know-how to effectively protect the data that fuels their digital transformation, including the personal data of citizens that helps national stakeholders detect and respond to cybersecurity incidents.
A United Nations report on Peace and Security paints a disturbing picture of cybercrime. It notes that in 2024, about 60 percent of the global population was connected to the internet, and this digital sphere is expanding rapidly. This unprecedented connectivity brings immense opportunities, but also increased cybersecurity risks, as threats evolve alongside technological advancements. The UN report estimates that the escalating cost of cybercrime runs into trillions of dollars annually, and calls for urgent, coordinated international effort — such as the UN Cyber Crime Treaty — in addition to the national measures already being put in place by many countries.
The World Economic Forum’s Global Cybersecurity Outlook 2026 explores how accelerating AI adoption, geopolitical fragmentation and widening cyber inequity are reshaping the global risk landscape. As attacks grow faster, more complex and more unevenly distributed, organisations and governments face rising pressure to adapt amid persistent sovereignty challenges and widening capability gaps. The report finds that cybersecurity remains a frontier where collaboration is not only possible but essential— even as AI supercharges the cyber arms race. Three factors are reshaping global risk: AI, cyber-enabled fraud, and geopolitics.
Cybercrime has undoubtedly grown into a thriving and highly profitable industry that threatens governments and businesses as much as ordinary people worldwide. As more of the world’s population comes online, and as the global economy grows more dependent on information and communications technology, everyone is a viable target. Several factors make cybercrime unique compared with traditional crime: it offers anonymity and little physical risk to the perpetrator, it recognises no geographical limit, and its scale and speed allow criminals to target multiple locations simultaneously.
A UN study on cybercrime finds that it is evolving alongside technology on three levels. First, automated tools are being deployed at scale — Phishing has become extremely common through the use of ready-made Phishing Kits, malicious websites and email templates. Second, botnets — networks of malware-infected computers and devices under an attacker’s control — allow criminals to remotely command thousands of machines in unison to spread malware or spam. Other tactics include data breaches for credential stuffing, and money laundering through networks of mule accounts. Third, generative AI, capable of creating original text, images and video on demand, is now used predominantly to produce deepfake videos, fabricated impersonations and simulated human conversations that deceive victims into unwittingly transferring money to fraudsters. The UN report also flags scam-compounds in Southeast Asia and elsewhere that use generative AI to deploy multilingual chatbots, allowing a single scammer to engage many victims simultaneously. AI is further used to create false digital identities, fabricated social media histories and fake online footprints to convince victims that fraudsters are trustworthy, while machine learning helps criminals build malware that is harder to detect. Cybercrime has also professionalised into a “crime-as-a-service” model, in which specialised operators provide cybercrime tools and services to others. This is a particularly dangerous development, since anyone with money — but without technical skill — can now commission cybercrime through intermediary agencies at minimal cost.
Cybercrime today facilitates many forms of criminal activity and puts individual safety, privacy and public trust at stake. These are often transnational crimes: an offence can be committed from one country, its victims can be spread across ten others, and the data and devices involved may be stored in yet another region altogether. This poses a serious challenge for lawmakers and law enforcement agencies seeking to protect national interests while sharing electronic evidence across borders to apprehend and prosecute offenders. It is against this backdrop that the UN Convention against Cybercrime has been so eagerly awaited.
A Global Convention Takes Shape
The need for a global convention against cybercrime has been felt for decades. The United Nations was tasked by a majority of member states with developing the UN Convention against Cybercrime. The United Nations Office on Drugs and Crime (UNODC) steered the process as its secretariat and the convention was adopted by the UN General Assembly on 24 December 2024, via resolution 79/243 — a much awaited multilateral response to the alarming rise in the scale, speed and scope of cybercrime.
The convention, formally titled the “United Nations Convention against Cybercrime: Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes”, was opened for signature on 25–26 October 2025 in Hanoi. About 71 states and the European Union signed it at the ceremony. This is the first comprehensive global treaty on the subject, providing states with a range of measures to prevent and combat cybercrime while strengthening international cooperation on the sharing of electronic evidence for serious crimes. Following the Hanoi ceremony, the convention remains open for signature at UN headquarters until 31 December 2026. Under Article 65, it will enter into force on the ninetieth day after the fortieth instrument of ratification, acceptance, approval or accession is deposited.
The convention’s key provisions broadly include criminalising cyber-enabled and cyber-dependent offences, facilitating the cross-border sharing of electronic evidence, and protecting victims. A number of countries, concerned about the implications for domestic data-sharing obligations and national sovereignty, have not yet signed.
Increasingly, the debate is also centred on Cybercrime’s implications for human rights accountability. Cybercrime unmistakably affects individual privacy, security and equality, eroding the very foundations of human rights. It violates human dignity through data breaches and identity theft. Ransomware attacks on critical infrastructure directly endanger the universal right to life and health. The intersection of cybercrime and human rights spans the right to data protection and privacy, freedom of expression, the right to life and health, and — most importantly — the exploitation of vulnerable groups, including children and the elderly. Several UN charter-based human rights mechanisms are now examining cybercrime through this accountability lens.
India: Challenges in the World’s Fastest-Growing Digital Space
The Government of India’s initiatives to curb cybercrime are wide-ranging and continuous. India’s digital scenario differs markedly from that of many other countries: with over 86 percent of households now connected to the internet, its cyberspace is busier than ever, carrying crores of transactions and interactions every day. This connectivity has expanded the digital landscape and put services at citizens’ fingertips, but it has simultaneously opened a vast space for cyber fraud, making cybersecurity a national priority. Cybercrime complaints have surged from 10.29 lakh in 2022 to over 22.68 lakh in 2024, reflecting the unchecked proliferation and growing complexity of digital threats in India, which has recently crossed one billion internet users.
The growth of UPI has been equally dramatic: in 2024 alone, India recorded more than 181 billion digital transactions worth over ₹233 trillion. Securing transactions at this scale rests on a robust system that is continually being strengthened. The Indian Cyber Crime Coordination Centre (I4C) is the nodal agency for combating all forms of cybercrime, coordinating with law enforcement agencies on financial fraud, crimes against women and children, and cyber terrorism. It operates the National Cyber Crime Reporting Portal (NCRP) and the helpline 1930. As of 30 November 2025, more than 8.2 million cybercrime-related complaints had been registered on the portal, of which 184,000 were converted into FIRs. Of 361,000 cyber fraud complaints that resulted in effective action, the government safeguarded ₹8,189 crore — a significant portion of total fraud attempts amounting to roughly ₹20,000 crore.
India has also made remarkable progress in building one of the world’s strongest digital public infrastructure (DPI) systems. National Sample Survey data for January–March 2025 shows that over 85 percent of households now have internet access. This connectivity has delivered enormous advantages across sections of society, but it has also opened new areas of vulnerability. The lifecycle of data — including its storage and movement across complex technical networks — is often too complicated for the ordinary, non-technical citizen to navigate, leaving many at heightened risk and disadvantage.
The Digital Arrest Scam and Human rights
An especially troubling and emerging facet of cybercrime is the “digital arrest” scam, in which criminals impersonate law enforcement or regulatory authorities to unlawfully extract personal information and money from victims through fear, coercion and fabricated legal threats. According to information the Government of India submitted to the Supreme Court in late 2025, cybercriminals have siphoned off approximately ₹3,000 crore using digital arrest tactics alone, disproportionately targeting senior citizens. A paper prepared by the National Human Rights Commission (NHRC) finds that digital arrest scams operate by simulating the coercive authority of the state, creating a condition of psychological confinement in victims. This poses a systemic threat to democratic governance and erodes public trust. The human rights implications of digital arrest scams impose clear and positive obligations on the state: it is not enough to prosecute offenders after the harm is done — the state must prevent foreseeable abuse, protect vulnerable groups, and ensure swift and effective remedies. The scale of this crime shows that the state is locked in a race against technological speed, and it must continue to outpace cybercriminals.
Cybercriminals evolve rapidly to outpace enforcement agencies, which remain bound by statutory procedures and evidentiary standards — a structural imbalance that favours offenders. Criminals also exploit layered transaction chains, multiple digital platforms, and cross-border financial and communication networks. While the Bhartiya Nyaya Sanhita, 2023 and existing cyber laws provide a legal framework, enforcement is constrained by the transnational and technology-driven nature of these crimes. The NHRC has underlined the need to reinforce cooperative federal structures, institutionalise real-time intelligence-sharing among all stakeholders including service providers, and strengthen advanced technological and forensic capabilities across enforcement agencies. It has further argued for considering a statutory, empowered, nationwide specialised cybercrime force operating through an integrated multi-agency framework, to enable swift detection, coordinated inter-state action, and the systemic dismantling of organised cybercriminal networks. The Digital Personal Data Protection Act, 2023 and its 2025 rules address a long-standing legislative gap in privacy protection, and the government has signalled early implementation. Their ultimate success, however, will depend on continuous oversight and the effective functioning of the proposed Data Protection Board to ensure real accountability and meaningful deterrence.
At a recent open-house discussion on safeguarding human rights against digital arrest scams, organised by the NHRC, the Commission’s chairperson noted that Indians have lost about ₹52,976 crore to cyber-enabled fraud over the past six years, with nearly 8 percent of these losses attributed to digital arrest scams as per the data compiled by I4C based on the National Cyber Crime Reporting Portal. He observed that in many reported cases, scamsters coerce victims into transferring money by exploiting their fear of law enforcement, and that victims face significant challenges in recovering even part of the amount lost, as legal and procedural processes prove lengthy, costly and distressing. The chairperson further noted reports of lakhs of mule accounts operating across the country, facilitating the movement of fraudulently obtained funds.
Cybercrime impacts human rights across several critical areas: the right to data protection and privacy, which is compromised by illegal surveillance and the exposure of confidential personal information; the right to dignity, undermined by online harassment and targeted cyberbullying; the right to life and health, threatened when cybercriminals disable hospitals, emergency services or citywide utility systems; and, most importantly, the exploitation of vulnerable groups, including children, elderly and under privileged communities. Global efforts to address these challenges will gain further momentum once the UN Convention against Cybercrime enters into force after December 2026. Even so, these efforts must be carefully calibrated — overarching laws without adequate safeguards for privacy and security carry the risk of being leveraged by states to curtail civil liberties, even as they are framed in the name of national security.
The challenge before India, and indeed the wider international community, is to build a cybersecurity architecture that is simultaneously robust and rights-respecting. This calls for a three-pronged approach. First, institutional capacity must be strengthened at every level — from local police stations equipped to register and investigate cyber complaints, to specialised forensic units capable of tracing cross-border digital trails. Second, public awareness and digital literacy campaigns need to be scaled up dramatically, since the digital arrest scam and similar frauds succeed primarily by exploiting citizens’ unfamiliarity with how genuine law enforcement actually operates. A well-informed citizen is far harder to coerce than a confused one. Third, international cooperation must move from principle to practice, with faster mutual legal assistance mechanisms, real-time intelligence-sharing protocols, and harmonised standards for the admissibility of electronic evidence across jurisdictions.
India’s experience also offers useful lessons for the global conversation. Its Digital Public Infrastructure, built on the twin pillars of near-universal digital identity and interoperable payment rails, has been rightly praised as a model of inclusive digital transformation. Yet the same scale that makes UPI a marvel of financial inclusion also makes it an attractive target for fraud rings operating mule-account networks. The lesson is not that digital public infrastructure should be slowed, but that security, grievance redressal and victim compensation mechanisms must expand in lockstep with adoption — not lag behind it, as they often have.
Ultimately, the fight against cybercrime cannot be won by law enforcement alone, nor by legislation alone. It requires a sustained partnership between governments, technology companies, civil society and citizens themselves, anchored in the recognition that cybersecurity and human rights are not competing priorities but mutually reinforcing ones. A safe digital ecosystem is, at its core, one in which every citizen’s privacy, dignity and security are protected — and it is this understanding that must guide both India’s domestic response and the implementation of the new UN convention in the years ahead.
(Cover Representative Image: AI Generated)
(The writer is Special Rapporteur, NHRC India, and Distinguished Fellow at CRF. Views are personal.)
2023 Cyber Security ActAIArtificial Intelligencecyber attackCyber Crimecyber securityDigital ArrestHuman Rights