On April 29, 2026, Attorney General R. Venkataramani filed a status report before a Supreme Court bench headed by Chief Justice Surya Kant disclosing that WhatsApp had banned over 9,400 accounts linked to 'digital arrest' impersonation scams in India in a single 12-week window starting January 2026. Most of those accounts traced back to scam compounds in Cambodia. Crucially, government agencies had referred only about 3,800 of them — the rest were caught by WhatsApp's own internal classifiers, which now include a logo-matching system to detect misuse of police and CBI insignia, account-age visibility for unknown senders, suppressed profile photos in high-risk chats, and a large language model trained on evolving scam patterns.
The disclosure is being treated as a procedural update in the suo motu proceedings on digital arrest fraud. It deserves more attention than that. It is the first hard data point in India on whether platform-level enforcement, working at the metadata and behavioural layer, can meaningfully blunt a transnational scam industry — without forcing intermediaries to break end-to-end encryption or surveil message contents.
The scale of the problem is real
The steelman for stronger intervention writes itself. According to a March 14, 2025 written reply to the Rajya Sabha by Minister of State for Home Affairs Bandi Sanjay Kumar, Indians lost ₹1,935.51 crore to digital arrest scams in 2024 across 1.23 lakh complaints filed with the National Cyber Crime Reporting Portal. The first two months of 2025 alone saw 17,718 fresh incidents and ₹210.21 crore drained. Individual victims have been wiped out — one Delhi case involved a ₹22.92 crore loss. The Indian Cyber Crime Coordination Centre (I4C) had already blocked over 83,000 WhatsApp accounts and 7.81 lakh SIMs by February 2025, and the curve was still bending the wrong way.
Against that backdrop, regulators reaching for blunt instruments — traceability of message originators under Rule 4(2) of the IT Rules 2021, mandatory age verification, KYC-bound messaging IDs — is not irrational. It is what happens when a crisis outruns conventional enforcement.
What the 9,400 number actually shows
But the WhatsApp data cuts against the maximalist reading. Of the 9,400 accounts taken down, roughly 60 per cent were surfaced by the platform's own systems, not by government referral. That is exactly the inverse of what proponents of mandatory traceability have long argued: that intermediaries cannot or will not act without being legally compelled to identify users. The platform identified, clustered, and removed the bulk of the network using signals that do not require reading any encrypted message — display names matching 'Delhi Police' or 'CBI', reused profile imagery, account-creation patterns, reported abuse, and clustered cross-group activity.
This is the same architectural point the Electronic Frontier Foundation reiterated on May 20, 2026 when it celebrated the rollout of cross-platform encrypted RCS between iOS and Android: end-to-end encryption is not in tension with abuse moderation. Platforms have enormous quantities of behavioural metadata they can act on without ever decrypting a single message body. WhatsApp's filing is concrete proof of that thesis.
It is also a vindication of the line Indian courts and intermediaries have repeatedly drawn against the originator-traceability mandate. The traceability rule, currently challenged by WhatsApp and Facebook in writ petitions before the Karnataka and Delhi High Courts, would require WhatsApp to either undo end-to-end encryption or build a parallel hash-chain system that fundamentally compromises forward secrecy. Neither would have caught a single one of the Cambodia-run accounts faster than the logo-detection classifier already does.
The leverage is offshore, not in the app
The binding constraint on digital arrest enforcement is not Indian intermediary law. It is the existence of large, well-capitalised, and politically protected scam infrastructure across the Mekong subregion. The UNODC's April 2025 Inflection Point report documents an industry generating just under US$40 billion in annual profits, with roughly 74 per cent of identified compounds concentrated in Cambodia, Myanmar and Laos, and an estimated workforce of several hundred thousand trafficked or coerced operators. No quantity of Indian intermediary rules will move that needle. What will move it is bilateral and FATF-level pressure on host states, sanctions on identified compound operators, financial-intelligence cooperation to break the underground banking layer the UNODC report flags, and faster mutual legal assistance for evidence preservation under Rule 3(1)(h) of the IT Rules — which already requires 180-day retention of removed account data for investigators.
What proportionate looks like
The Court's status report contains three useful asks that fit this picture: SIM-binding for messaging accounts, faster carrier blocking of suspicious SIMs (the Department of Telecommunications has been pushed to a 2–3 hour window), and a standardised takedown channel between I4C and intermediaries. None of these require breaking encryption. None require new sweeping intermediary liability. They make the existing platform-level pipeline faster and more accountable.
What the government should now resist — and what the WhatsApp filing gives it cover to resist — is the temptation to bolt a traceability or content-scanning mandate onto a problem that platform-side metadata enforcement plus offshore disruption is already containing. India has spent four years arguing in court that Rule 4(2) is compatible with encryption. The data now suggests it does not need it. The 9,400 figure is small comfort to the victims who collectively lost over ₹2,000 crore in 2024. It is, however, the first credible evidence that the architecture India is being asked to break is the architecture that is doing most of the work.