India’s digital payments revolution has made everyday transactions faster and easier. From paying utility bills to sending money instantly, UPI (Unified Payments Interface) has become one of the most widely used digital payment systems in the country.
However, the rapid growth of digital payments has also attracted cybercriminals looking for new ways to exploit vulnerabilities.
A recent investigation by cybersecurity firm CloudSEK has revealed a new fraud toolkit known as “Digital Lutera”, which enables attackers to bypass certain UPI security protections.
What Is the Digital Lutera Toolkit?
The toolkit is reportedly being shared through underground Telegram groups, where cybercriminals exchange hacking tools and coordinate fraudulent activities.
CloudSEK identified at least 20 Telegram groups with more than 100 members each discussing or distributing the toolkit. In one such group, investigators observed fraudulent transactions worth ₹25–30 lakh within just two days, suggesting that the technique is already being used in active cyber fraud operations.
How This New UPI Fraud Works
Unlike earlier UPI scams that used fake apps or phishing links, the Digital Lutera toolkit targets the Android operating system instead of the banking app, allowing it to bypass security checks.
The attack begins when a user installs a malicious app disguised as an everyday file such as a traffic challan, wedding invite, or delivery alert; the app then gains SMS access to intercept banking messages and OTPs. Common disguises include:
Traffic challan notifications
Wedding invitation files
Courier delivery updates
Government notices
Once the app is installed, the malware requests access to SMS permissions on the device.
With access to SMS messages, attackers then use specialized Android framework tools to manipulate system-level identity and messaging functions.
OTP Interception and Account Takeover
The attack intercepts one-time passwords (OTPs) sent by banks during verification and secretly forwards them to Telegram channels controlled by attackers.
Using these OTPs, cybercriminals can register the victim’s UPI account on another device, even while the victim’s SIM remains in their phone. This bypasses the SIM-binding security system, and since the banking app itself is not altered, traditional security checks may fail to detect the fraud.
What Authorities and Banks Are Doing
CloudSEK has shared its findings with regulators, financial institutions, and cybersecurity authorities as part of responsible disclosure. Experts are urging payment platforms and banks to adopt stronger safeguards to prevent such attacks.
Some recommended measures include:
Hardware-backed device verification
Advanced fraud detection systems
Improved backend authentication processes
Experts also caution that relying solely on SMS-based SIM verification may no longer be sufficient, especially as cybercriminals develop more advanced techniques.
How Users Can Stay Safe
While authorities and financial institutions work on strengthening security, users also play an important role in protecting themselves from UPI fraud and digital payment scams.
Here are a few important precautions:
Avoid installing apps received through unknown links or messages
Download applications only from trusted sources like official app stores
Carefully check app permissions before installing
Keep your smartphone’s operating system updated with the latest security patches
Never share OTPs, banking details, or UPI PINs with anyone
The Growing Challenge of Digital Payment Security
India’s digital payments ecosystem continues to grow rapidly, with billions of UPI transactions processed every month. While this growth has made financial services more accessible, it has also increased the need for stronger cybersecurity measures.
The emergence of the Digital Lutera toolkit serves as a reminder that cyber threats are constantly evolving. As digital payment systems become more advanced, maintaining trust in these platforms will require ongoing cooperation between technology companies, financial institutions, regulators, and users.
Staying informed and following safe digital practices can go a long way in preventing cyber fraud and protecting personal financial data.

