Financial inclusion was never the problem. Lack of financial hygiene was. And today, the prime minister’s Jan Dhan Yojana (PMJDY or Jan Dhan), once celebrated as the world’s largest banking inclusion project, is quietly mutating into India’s most vulnerable attack surface for cybercrime.
I say this as someone who has spent years analysing cyber-fraud patterns with law enforcement and financial institutions: the Jan Dhan account ecosystem is no longer a 'risk.' It is a full-blown cybercrime infrastructure.
It is time I say it plainly. The scheme, in its current avatar, must be shut down and re-architected before it sinks more victims and more trust in our banking rails.
Where Good Intentions Created a Monster
Jan Dhan was designed to give every Indian a bank account. A doorway to dignity. A gateway to the economy. But cybercriminals don’t care about social missions. They care about attack surfaces, and a zero-balance account with minimal KYC (know-your-customer) checks is a dream playground.
Recent investigations across states, from Jharkhand to Assam to Maharashtra, reveal how thousands of idle PMJDY accounts have morphed into mule accounts, moving crores of cyber-fraud money across the country in minutes.
This is not an outlier. This is the new normal.
The shockingly simple playbook of abuse! A recent police investigation uncovers the frightening ease with which fraudsters weaponised the PMJDY ecosystem.
1. Zero-balance → Zero-friction → Zero-accountability
Most Jan Dhan accounts lie dormant. Cybercriminals activate them at scale using compromised Aadhaar copies, leaked KYC documents, or fake credentials.
2. Bank Insider Involvement - The Silent Force Multiplier
The police have repeatedly confirmed the involvement of an ad hoc bank employee who opens the gates from inside. His tasks read like a cybercrime starter kit:
- Changing the registered mobile numbers of dormant account-holders
- Issuing fresh ATM cards without customer verification
- Activating mobile and internet banking
- And most chilling, enabling access even to accounts of deceased customers
That is not just fraud. That is institutional fragility. The Reserve Bank of India (RBI) needs to get rid of such employees, not merely suspend them temporarily; these bank employees should be barred from individual banking options too.
The Money Trail: A Highway of Cybercrime
The funds traced through these Jan Dhan mule accounts are not petty sums from local scams. They’re linked to:
• Cryptocurrency investment frauds
Victims are lured into fake crypto apps, their money siphoned, then scattered across dozens of Jan Dhan accounts to break the chain.
• Fake Customer-care Call Centres
The 'remote access' gangs that pretend to be Amazon, Flipkart, or banks funnel their loot into these accounts to cash out quickly.
• Classic Phishing Ecosystems
UPI OTP (one-time-passcode) thefts, refund scams, KYC expiry frauds - all of them use Jan Dhan accounts as the first hop before routing to digital wallets or crypto exchanges.
These accounts have become high-volume laundering tunnels, with each hop designed to erase forensic traces.
Why Jan Dhan Accounts Are the Perfect Mule Accounts
Let's be blunt: The design itself makes cybercrime frictionless.
Minimal KYC - Easy To Fake
The Jan Dhan Yojana's laudable goal of universal financial inclusion came with a compromise: simplified know your customer (KYC) requirements that prioritised speed of enrollment over verification rigor. While Aadhaar-based e-KYC was intended to strengthen authentication, the reality on the ground reveals significant gaps. Documents can be fabricated, biometric systems can be spoofed or bypassed through complicit agents, and the pressure on banking correspondents to meet account-opening targets creates perverse incentives to overlook irregularities. Cybercriminals exploit this by purchasing or creating accounts in bulk using stolen or fabricated identity documents, knowing that cursory verification will rarely catch sophisticated forgeries. The regulatory framework under the Prevention of Money Laundering Act (PMLA) requires "beneficial ownership" identification, but in practice, the minimal KYC infrastructure makes this requirement nearly unenforceable, creating compliance theatre that criminals navigate with ease.
Minimal Balance - No Alerts or Bank Scrutiny
The zero-balance feature that makes Jan Dhan accounts accessible to the poor also makes them invisible to fraud detection systems. Banks typically configure their transaction monitoring algorithms to flag unusual activity based on account history, balance patterns, and customer profiles. However, accounts maintaining near-zero balances for extended periods, then suddenly receiving and disbursing large sums, often fall below automated alert thresholds because absolute amounts remain relatively small compared to commercial accounts. Financial institutions allocate compliance resources based on risk-weighted assessments, and Jan Dhan accounts designed for small-value welfare transfers are systematically deprioritised. This creates a regulatory blind spot that sophisticated money launderers exploit through 'smurfing,' where large criminal proceeds are broken into smaller transactions across thousands of low-scrutiny accounts, operating beneath the radar until significant damage has occurred.
High Volume of Dormant Accounts - Perfect for Takeover
With over 500 million Jan Dhan accounts opened and approximately 30%-35% showing zero transactions over extended periods, India has inadvertently created the world's largest inventory of dormant financial identities ripe for criminal exploitation. Dormant accounts are particularly vulnerable because their legitimate owners are disengaged, unlikely to check statements, and may not even remember account credentials. Cybercriminals acquire access through data breaches, phishing campaigns targeting vulnerable populations, or outright purchase from corrupt banking correspondents who retain customer credentials. Once compromised, these accounts are reactivated with fraudulent transactions that go unnoticed by legitimate account holders, sometimes for months. The accounts become 'zombie identities', legally belonging to real individuals but operationally controlled by criminal networks, with no mandatory periodic re-verification or automated suspension mechanisms when suspicious reactivation patterns emerge.
Low Digital Literacy - Easy Manipulation
The very population that Jan Dhan Yojana aims to serve (rural citizens, urban poor, elderly individuals with limited education) represents a vulnerable demographic with minimal cybersecurity awareness. These account-holders often don't understand OTP security, phishing, social engineering, or the irreversibility of digital transactions. Criminals exploit this through 'vishing' campaigns where callers impersonating bank officials or government authorities convince victims to share credentials, approve transactions, or download malicious applications granting remote device access. This creates complex questions of culpability: while the account holder may be the nominal participant in fraud, their informed consent is questionable, potentially making them victims rather than accomplices. The government's failure to pair financial inclusion with comprehensive digital literacy programmes represents a policy dereliction, creating a legislative-reality disconnect that criminals exploit systematically.
Weak Monitoring - No Red Flags until Money Is Gone
The transaction monitoring infrastructure for Jan Dhan accounts is fundamentally inadequate for the threat landscape they face. Most banks employ rule-based systems that flag transactions based on fixed thresholds, but sophisticated money laundering networks have mapped these thresholds and structure operations to remain just below detection levels. Furthermore, monitoring systems often lack real-time capabilities, with suspicious activity reports filed days or weeks after fraudulent transactions, by which time funds have been layered through multiple accounts and withdrawn. The financial intelligence unit-India (FIU) receives these delayed reports, but the sheer volume, millions annually, overwhelms analytical capacity, meaning only a fraction receive meaningful investigation. Banks treat Jan Dhan accounts as low-priority from a security investment standpoint, allocating minimal resources to advanced fraud analytics or artificial intelligence (AI)-based anomaly detection, resulting in a reactive rather than proactive security posture.
Fragmented Oversight - No Unified Fraud-intelligence Mechanism
Perhaps the most critical policy failure is the absence of a centralised, real-time fraud intelligence system connecting banks, law enforcement, telecom operators and payment platforms. Currently, fraud data remains siloed within individual institutions. When one bank identifies a mule account network, that intelligence may not reach other banks where associated accounts operate. The national cyber-crime reporting portal collects complaints, but there's no systematic mechanism for feeding this intelligence back to banks for immediate account freezing or pattern analysis across institutions. International frameworks like the UK's joint money laundering intelligence taskforce demonstrate that effective fraud prevention requires cross-sector intelligence sharing, yet India lacks equivalent infrastructure despite having technological capability. This fragmentation is exacerbated by jurisdictional ambiguities; cyber fraud is a state subject under the Indian Penal Code, but financial regulation is federal, creating coordination challenges that criminals exploit.
In the cybersecurity world, such a structure is not just vulnerable; it is a systemic threat. The combination of these factors transforms Jan Dhan accounts from a financial inclusion success story into critical infrastructure for organised cybercrime, with legal remedies for victims often illusory and policy reform urgently needed.
Should We Really Shut Down PMJDY?
Yes! But strategically, not politically. This is not a commentary on the intention of the scheme. It is a commentary on its cyber-resilience, or lack of it.
A banking architecture where millions of accounts can be hijacked with:
A Forged Aadhaar
Aadhaar forgery has become a cottage industry, with sophisticated criminal networks producing fake cards complete with forged holograms, QR codes and biometric data that can bypass superficial verification checks. The ease with which these documents are accepted at account-opening stages, often by undertrained banking correspondents working under time pressure, means that a ₹500-₹1,000 forged document can unlock access to the entire financial system. The UIDAI's (Unique Identification Authority of India's) verification infrastructure exists, but its actual use at the point of account creation is inconsistent, creating a vulnerability that transforms India's biometric identity backbone into a paper tiger that criminals routinely defeat.
An Insider's Help
Banking correspondents, customer service points and even bank employees facing low wages and high targets represent the human vulnerability in the system. A corrupt customer service point agent with legitimate access to account creation systems can open dozens of mule accounts using real or fake documents, retaining credentials for later sale to cybercrime networks. Internal fraud is notoriously difficult to detect because these insiders know exactly how to circumvent monitoring systems, what transaction patterns trigger alerts, and how to structure activities to appear legitimate. The absence of robust background checks, inadequate compensation structures, and weak internal audit mechanisms mean that the insider threat remains one of the most exploited attack vectors in Jan Dhan account compromise.
A SIM Swap
Telecom security remains the Achilles heel of India's digital banking infrastructure, where a fraudulent SIM swap, accomplished through social engineering, fake documents at telecom stores, or complicity of telecom employees, instantly transfers control of OTP-based authentication to criminals. Once the attacker controls the victim's phone number, they can reset banking passwords, authorise transactions, and drain accounts within minutes, all while the legitimate user is locked out. The lack of mandatory multi-factor authentication beyond SMS OTPs, the ease of executing SIM swaps without biometric verification, and the delayed coordination between telecom operators and banks mean that by the time a victim realises their number is compromised, their account has already been emptied and funds dispersed across multiple mule accounts.
A ₹50 Bribe to a CSP Agent
Perhaps the most damning indictment of the system is how cheaply it can be compromised. Investigative reports and court testimonies reveal instances where customer service point agents have sold account credentials, assisted in fraudulent transactions, or looked the other way during suspicious activities for sums as trivial as ₹50-₹500 per transaction. This reflects the fundamental economic reality: when frontline banking agents earn ₹3,000-₹8,000 monthly and handle high-value transactions daily, the temptation and opportunity for petty corruption becomes systemic rather than exceptional. The lack of direct employment by banks, minimal supervision, absence of surveillance at CSP locations, and near-zero consequences for complicity mean these agents operate in a regulatory vacuum where ethical banking practices are optional rather than enforced.
Inherently Unsafe
When multiple independent vulnerabilities—technical, human, procedural, and regulatory—converge in a single financial product, it ceases to be merely 'at risk' and becomes fundamentally compromised architecture. Each of these attack vectors alone would be concerning; together, they create a system where account compromise is not a sophisticated hack requiring advanced technical skills, but rather a routine criminal operation achievable by low-level fraudsters with minimal resources and connections.
Any private bank running such a high-risk product would have been penalised out of existence by now.
RBI has historically taken stern action against private sector banks for far less egregious security lapses: levying penalties, restricting business growth, mandating costly remediation, and in extreme cases, superseding management. If a private bank had 500 million accounts with the vulnerability profile of Jan Dhan accounts and the documented fraud rates, it would face existential regulatory action including restrictions on new customer acquisition, mandatory forensic audits, and potentially license revocation. The double standard is glaring: public sector banks operating Jan Dhan accounts face minimal consequences for systemic security failures that would trigger a draconian regulatory response if found in private institutions.
It is time for the Indian government to take the same hard view.
Financial inclusion cannot come at the cost of financial security - the two objectives must be reconciled through better design, not traded off through negligence. The government must make a strategic choice: either fundamentally re-architect the Jan Dhan system with genuine KYC enforcement, real-time fraud monitoring, enhanced digital literacy programmes, proper compensation for frontline staff to reduce corruption incentives, and unified fraud intelligence infrastructure, or acknowledge that the current model is a national security vulnerability masquerading as social welfare. Shutting down or significantly restricting Jan Dhan accounts until proper cyber-resilience measures are implemented would be painful politically but necessary strategically, because every day the system operates in its current form, it facilitates organised crime, victimises the vulnerable populations it claims to serve, and undermines trust in India's digital financial ecosystem.
What Should Replace Jan Dhan? A New Model for ‘Secure Inclusion’
Shutting down the scheme doesn't mean shutting out the people. We need a V2.0: a secure inclusion banking stack, with three uncompromising pillars:
1. Tiered KYC with Dynamic Risk Scoring
Dormant or low-KYC accounts must trigger alerts, limits, and mandatory re-verification every 12 months.
The new model must implement a graduated KYC framework where account privileges scale with verification depth. Basic accounts with simplified KYC can receive government transfers but face strict transaction limits (₹10,000 monthly) and cannot be used for peer-to-peer transfers until upgraded to full KYC status. Dynamic risk scoring algorithms must continuously assess account behaviour: sudden reactivation after six months of dormancy, transactions to high-risk merchant categories, or patterns matching known mule account signatures should automatically downgrade account privileges and trigger mandatory re-verification. Annual biometric re-authentication should be non-negotiable for all accounts, conducted through Aadhaar-enabled banking correspondents with live liveness detection to prevent spoofing, with accounts automatically frozen if verification isn't completed within 30 days of the anniversary date. This creates friction for criminals while remaining manageable for legitimate users who simply need to visit their local banking point once yearly, a reasonable security trade-off that balances inclusion with protection.
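The graduated rules in this pillar can be expressed as a small decision function. The sketch below is an added illustration, not part of the article or of any bank's system: the names `Account` and `evaluate`, the transaction kinds, the 182-day reading of "six months", counting the anniversary from the last verification, and applying the ₹10,000 limit to every transaction kind are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BASIC_MONTHLY_LIMIT = 10_000          # rupees per month for simplified-KYC accounts (article figure)
DORMANCY = timedelta(days=182)        # "six months of dormancy", taken as 182 days (assumption)
REVERIFY_EVERY = timedelta(days=365)  # anniversary counted from last verification (assumption)
GRACE = timedelta(days=30)            # frozen once re-verification is more than 30 days overdue


@dataclass
class Account:                        # hypothetical record, not a real banking schema
    tier: str                         # "basic" (simplified KYC) or "full"
    last_verified: date
    last_txn: Optional[date] = None
    needs_reverify: bool = False      # set when a dormant account suddenly wakes up


def evaluate(acct, txns):
    """Return one (decision, reason) per transaction; txns are (date, kind, rupees)."""
    out, month_totals = [], {}
    for day, kind, amount in txns:
        month = (day.year, day.month)
        spent = month_totals.get(month, 0)
        if day > acct.last_verified + REVERIFY_EVERY + GRACE:
            out.append(("FREEZE", "annual re-verification overdue"))
            continue
        if acct.last_txn and day - acct.last_txn >= DORMANCY:
            acct.needs_reverify = True          # privileges stay downgraded until re-verified
        if acct.needs_reverify:
            out.append(("HOLD", "reactivated after dormancy, re-verify first"))
            continue
        if acct.tier == "basic" and kind == "p2p":
            out.append(("BLOCK", "peer-to-peer needs full KYC"))
            continue
        if acct.tier == "basic" and spent + amount > BASIC_MONTHLY_LIMIT:
            out.append(("BLOCK", "monthly limit exceeded"))
            continue
        month_totals[month] = spent + amount    # only allowed transactions count
        acct.last_txn = day
        out.append(("ALLOW", "within tier limits"))
    return out


# Constructed sample history for one basic-tier account (not real data).
SAMPLE_TXNS = [
    (date(2024, 2, 1), "dbt_credit", 2_000),
    (date(2024, 2, 5), "p2p", 500),
    (date(2024, 2, 10), "withdrawal", 9_000),
    (date(2024, 2, 12), "withdrawal", 8_000),
    (date(2024, 9, 1), "upi_credit", 4_000),    # first activity after 202 idle days
    (date(2024, 9, 2), "withdrawal", 3_900),
    (date(2025, 3, 1), "dbt_credit", 2_000),    # past the 30-day re-verification grace
]


def run_sample():
    acct = Account("basic", last_verified=date(2024, 1, 10), last_txn=date(2024, 1, 10))
    return evaluate(acct, SAMPLE_TXNS)


if __name__ == "__main__":
    for txn, (decision, reason) in zip(SAMPLE_TXNS, run_sample()):
        print(txn[0], txn[1], txn[2], "->", decision, "-", reason)
```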
2. Digital-first, Fraud-proof Operations
Biometric re-authentication for number changes.
Any modification to registered mobile numbers must require in-person biometric verification at a bank branch or verified banking correspondent location, with the process generating an immutable blockchain or distributed ledger entry that law enforcement can audit. The current system, where SIM swaps instantly compromise accounts, must be replaced with a 72-hour cooling period after number changes, during which no high-value transactions are permitted and the old number receives SMS alerts about the modification, giving legitimate account-holders time to report unauthorised changes before damage occurs.
Mandatory Video-KYC for ATM Re-issuance
Lost or damaged debit card replacement must involve live video-KYC sessions where trained bank personnel verify the account-holder's identity through real-time interaction, asking knowledge-based authentication questions about recent transactions, checking government ID against facial recognition, and recording the entire session for forensic purposes. This prevents the common fraud vector where criminals who have obtained account credentials order replacement cards to addresses they control. The video-KYC requirement ensures that only the legitimate account-holder, who can answer personal questions and show their face, can obtain physical access instruments.
No Mobile Banking Activation without In-person or Biometric Verification
Mobile and internet banking facilities should be opt-in rather than default, requiring explicit in-person activation at a bank branch with biometric verification and mandatory digital literacy counseling where customers are educated about OTP security, phishing recognition, and safe banking practices. Account holders must demonstrate basic digital competency by completing a simple 10-question security awareness test before mobile banking is enabled, ensuring they understand the risks and responsibilities. This dramatically reduces the attack surface by ensuring that only digitally aware customers have remote account access, while those with limited digital literacy continue using the account for government transfers and in-person transactions at banking correspondents, protected from remote compromise vectors.
Immutable Audit Trails Accessible to Cyber Police
Every account action—logins, beneficiary additions, transaction requests, failed authentication attempts—must be logged in tamper-proof distributed ledgers with law enforcement granted API (application programming interface) access for real-time investigation without requiring cumbersome court orders for each data request. Smart contracts should automatically flag and freeze accounts exhibiting suspicious patterns, with transaction reversals possible within a 1-hour window for high-risk transactions flagged by AI systems, giving police a fighting chance to intercept funds before they're dispersed and withdrawn. The current opacity where banks treat transaction data as proprietary and release it only after lengthy legal processes must be replaced with mandatory, standardised cyber police integration that treats financial crime with the urgency it deserves.
3. Central Fraud Intelligence Hub
A 24×7 real-time fraud-monitoring layer, similar to NPCI's RFM system, dedicated exclusively to PMJDY risk patterns.
India needs a dedicated financial inclusion fraud intelligence unit (FIFIU) that operates as a public-private partnership, bringing together RBI, banks, payment platforms, telecom operators, and law enforcement in a secure data-sharing environment powered by advanced AI and machine learning. This hub would ingest transaction data across all Jan Dhan successor accounts in real-time, applying pattern recognition algorithms to identify mule account networks before they can disperse funds. When account A receives a fraudulent transfer and immediately forwards 90% to account B, which does the same to account C, the system should automatically freeze the entire chain within seconds, not days. The FIFIU must have legal authority to instantly suspend suspicious accounts without prior notice, with post-facto judicial review to protect civil liberties while enabling rapid response that currently doesn't exist. International fraud intelligence feeds from Interpol, FBI (federal bureau of investigation) and equivalent agencies should be integrated to flag accounts linked to global cybercrime networks, creating a defensive perimeter that moves beyond India's borders. Critically, the hub must feed intelligence back to banks through standardised APIs, creating closed-loop learning where fraud patterns discovered in one institution immediately update risk models across the entire banking sector, eliminating the siloed approach that currently allows criminals to exploit the same vulnerabilities at multiple banks sequentially.
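The A-to-B-to-C pass-through rule described above can be sketched as a graph walk over a transfer ledger. This is an added example, not code from the article or from any existing monitoring system: `trace_chain`, the tuple layout, the 10-minute reading of "immediately" and the sample ledger are assumptions, and it goes slightly beyond the single chain in the text by also following funds that are split across several recipients.

```python
from collections import defaultdict, deque

FORWARD_PERCENT = 90     # "immediately forwards 90%" (article figure)
WINDOW_SECONDS = 600     # how soon counts as "immediately": 10 minutes (assumption)

# Constructed sample ledger (not real data): (unix_seconds, from_account, to_account, rupees)
TRANSFERS = [
    (1000, "victim", "A", 100_000),    # the transfer reported as fraudulent
    (1060, "A", "B", 95_000),
    (1120, "B", "C", 50_000),          # B splits the money two ways
    (1130, "B", "D", 40_000),
    (1200, "shop", "F", 700),          # unrelated activity
    (1500, "C", "wallet-1", 49_000),
    (90_000, "D", "E", 39_000),        # a day later: outside the window
]


def trace_chain(transfers, flagged):
    """Follow a flagged transfer hop by hop.

    Returns [(account, role)] in discovery order. "pass-through" accounts
    forwarded at least FORWARD_PERCENT of what they received within the
    window; "endpoint" accounts are where the money currently sits.
    """
    outgoing = defaultdict(list)
    for t in sorted(transfers):
        outgoing[t[1]].append(t)

    result, seen = [], set()
    queue = deque([flagged])
    while queue:
        when, _src, acct, received = queue.popleft()
        if acct in seen:               # already handled; also stops loops in the graph
            continue
        seen.add(acct)
        forwards = [t for t in outgoing[acct]
                    if when <= t[0] <= when + WINDOW_SECONDS]
        forwarded = sum(t[3] for t in forwards)
        # Integer comparison avoids floating-point rounding at the 90% boundary.
        if forwards and forwarded * 100 >= FORWARD_PERCENT * received:
            result.append((acct, "pass-through"))
            queue.extend(forwards)     # every recipient becomes the next hop
        else:
            result.append((acct, "endpoint"))
    return result


if __name__ == "__main__":
    for account, role in trace_chain(TRANSFERS, TRANSFERS[0]):
        print("freeze", account, "-", role)
```

In this sketch every recipient of a pass-through account is listed, so a small legitimate payment made by a mule inside the window would also be flagged; a real deployment would need a review step before freezing.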
Financial inclusion without cyber-safety is like building a hospital without infection control. You cure people in the morning and kill them by nightfall.
This metaphor captures the fundamental contradiction of current policy: we've given hundreds of millions of Indians access to formal banking, which is genuinely transformative, but we've simultaneously exposed them to cyber-threats they don't understand and can't defend against, with inadequate institutional protection. The result is that the very scheme meant to economically empower the vulnerable has become the primary mechanism for their financial victimisation—government welfare transfers arrive safely, only to be stolen hours later through account compromise that the banking system fails to prevent or detect. A secure inclusion banking stack isn't about making banking harder for the poor; it's about making fraud harder for criminals while equipping users with the knowledge, tools, and institutional backing to safely participate in the digital economy. Until we build this infrastructure, financial inclusion remains a Pyrrhic victory that creates more harm than benefit for too many of its intended beneficiaries.
A Tough Truth for Policy-makers
Jan Dhan may have lifted millions into the financial system. But today, its loopholes are draining millions out of the system. The scheme did its job, spectacularly so. Now, its weaknesses are doing the opposite, dangerously so. Every cybercrime FIR referencing a Jan Dhan mule account is a warning bell. Every bank insider caught assisting criminals is a fire alarm. Every victim who loses their life savings is a reminder that digital trust is national security. Jan Dhan must evolve, or it must end. And sometimes, the bravest policy decision is to shut down what no longer serves the nation’s safety.
(Advocate (Dr) Prashant Mali is an internationally renowned Cyber & Privacy lawyer with a Master's in Computer Science and Law, and holds a Ph.D. in Cyberwarfare & International Cyberlaw. He is a sought-after expert who has represented Fortune 500 companies, celebrities, and governmental agencies. An author of six books and numerous research papers, one of his books serves as an official textbook in prestigious academic institutions. Beyond law, he is actively involved in charitable activities and cyber education initiatives to support underprivileged communities.)