Six people were arrested and two illegal call centres dismantled on May 28, 2025, after Microsoft’s Digital Crimes Unit (DCU) fed critical threat telemetry to law enforcement agencies in Japan and India. The coordinated raids—part of India’s Operation Chakra V—hit 19 locations, seizing computers, storage devices, phones, and financial records tied to a sophisticated tech-support scam that preyed primarily on elderly residents in Japan. This cross-border takedown, a joint effort between the Japan Cybercrime Control Center (JC3), Japan’s National Police Agency (NPA), India’s Central Bureau of Investigation (CBI), and Microsoft, showcases a maturing public-private partnership model that converts corporate intelligence into on-the-ground arrests.

The operation disrupted a criminal enterprise that used malicious browser pop‑ups, cold calls, and remote‑access tools to convince victims their devices were compromised. Operators impersonated well‑known technology companies, then charged victims for bogus repairs. Payments were laundered through a network of money mules, cryptocurrency wallets, and gift cards. By tracing pop‑up signatures and domain registrations, Microsoft’s DCU and the Microsoft Threat Intelligence Center (MSTIC) mapped the scam’s infrastructure, enabling Indian authorities to isolate physical call centre locations and follow the money trail.

This bust doesn’t just undercut one scam ring—it reveals how fraud networks operate like modular businesses. Pop‑up creators, search‑engine optimizers, call‑centre operators, and payment processors all play distinct roles. The resilience of that ecosystem means takedowns must target the full stack, and this cooperation between nonprofits, law enforcement, and tech companies offers a blueprint for future disruption.

Anatomy of the Scam: Fake Alerts to Financial Theft

The fraud began with a weaponized pop‑up. Victims browsing the web suddenly saw a full‑screen warning, often localized in Japanese, claiming their PC was “compromised” and urging them to call a displayed number immediately. Microsoft’s investigation confirmed these pop‑ups were generated by automated scripts, capable of spawning endless variants to evade blocklists.

Once a victim called, a trained operator launched a social‑engineering sequence:

  • Establishing trust. Callers posed as technicians from Microsoft or other well‑known vendors, using jargon and showing fake diagnostic screens.
  • Gaining remote control. Victims were coaxed into installing legitimate remote‑access tools like TeamViewer or AnyDesk, which the attacker then misused.
  • Fabricating threats. The operator ran harmless commands in a terminal window and presented the output as evidence of malware or hacking.
  • Extorting payment. Victims were told their device would be “locked” or data lost unless they paid for immediate repair. Fees often ran into hundreds of dollars.
  • Laundering money. Payments were demanded via bank transfer, cryptocurrency, or prepaid gift cards. Funds moved through a chain of mule accounts, making recovery difficult.

This social‑engineering pipeline exploited a universal vulnerability: human trust. No operating system patch could stop a victim from voluntarily granting access. That’s why telemetry‑driven takedowns—identifying the human operators behind the scams—prove so essential.

Microsoft’s Role: From Telemetry to Takedown

Microsoft’s DCU has moved from chasing individual incidents to systematically dismantling entire criminal ecosystems. For this operation, DCU and MSTIC analysts correlated months of telemetry from Windows Defender and browser‑based signals to fingerprint the malicious pop‑ups. They linked those fingerprints to domains and hosting infrastructure, then mapped out operational patterns: what hours call centres were active, how scripts were revised, and which payment processors were being used.
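The reason a fingerprint survives where a blocklist of exact page hashes does not can be shown in a few lines. The following is an added example, not Microsoft's method or code from any source cited here: the domains and HTML are constructed samples, and the normalization (drop attribute values, mask digit runs such as phone numbers, collapse whitespace) is an assumed approach chosen for illustration.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed samples: (hypothetical domain, page HTML). Not real indicators.
SAMPLES = [
    ("alert-a.example", '<div id="x91f"><h1>Your PC is compromised</h1>'
                        '<p>Call support now: 050-1111-2222</p></div>'),
    ("alert-b.example", '<div id="k20q"><h1>Your PC is compromised</h1>'
                        '<p>Call support now: 050-3333-4444</p></div>'),
    ("alert-c.example", '<DIV id="zz07"><H1>Your  PC is compromised</H1>'
                        '<p>Call support now: 03 5555 6666</p></DIV>'),
    ("news.example", '<div id="main"><h1>Weather today</h1>'
                     '<p>Rain expected after 15:00</p></div>'),
]

class _Skeleton(HTMLParser):
    """Collects tag names and visible text; attribute values are ignored."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        self.parts.append(f"<{tag}>")  # HTMLParser already lowercases tags

    def handle_data(self, data):
        # Mask digit runs (phone numbers rotate per variant), then
        # collapse whitespace so spacing tricks do not change the result.
        text = re.sub(r"\d[\d\s-]*\d|\d", "#", data.lower())
        text = " ".join(text.split())
        if text:
            self.parts.append(text)

def exact_hash(html: str) -> str:
    """What a naive blocklist keys on: changes with any byte."""
    return hashlib.sha256(html.encode()).hexdigest()[:16]

def fingerprint(html: str) -> str:
    """Hash of the normalized page skeleton, stable across variants."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("|".join(parser.parts).encode()).hexdigest()[:16]

def cluster(samples):
    """Group domains whose pages share a fingerprint."""
    groups = defaultdict(list)
    for domain, html in samples:
        groups[fingerprint(html)].append(domain)
    return dict(groups)
```

Every scam variant has a different exact hash, yet all three land in one cluster, which is the pivot from a single page to the set of domains serving it.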

That intelligence was shared with the JC3, which had already been collecting victim reports, and with law enforcement in both countries. The DCU’s data helped Indian authorities pinpoint addresses in Delhi and surrounding areas, leading to synchronized raids on May 28. Investigators also traced the flow of payments, identifying bank accounts and crypto wallets tied to the ring.

This is consistent with the DCU’s broader playbook: combine legal instruments (domain seizures, civil litigation) with technical takedowns and then arm law enforcement with admissible evidence. By targeting the enablers—hosting providers, domain registrars, and payment platforms—the unit raises the cost of doing business for fraudsters long after the physical call centre is gone.

What Was Seized and Why It Matters

Indian raid teams recovered a trove of evidence:

  • Call‑centre hardware: Workstations, DVRs (digital video recorders used to monitor calls), and telephony equipment.
  • Operational logs: Scripts, call logs, and screen‑recording footage that document how victims were manipulated.
  • Financial records: Bank statements, cryptocurrency wallet addresses, and records of wire transfers that could unmask financiers and money mule networks.

Physical seizure of these assets disrupts ongoing operations immediately and preserves a clear chain of custody for criminal prosecution. The CBI has indicated that forensic analysis of the seized devices may expose other collaborators and spin‑off scam operations. Moreover, by holding physical evidence, authorities prevent the ring from simply spinning up new cloud infrastructure and resuming business.

Why the Operation Matters: Wins and Takeaways

1. A Working Model for Public‑Private Action
This case demonstrates that when a tech giant’s telemetry is funneled into law‑enforcement workflows—with proper warrants and local operational capacity—tangible results follow. Arrests and infrastructure seizures happened within months of intelligence‑sharing. It’s a template other countries can replicate, especially as scam centres proliferate across Southeast Asia and beyond.

2. Nonprofits Fill Critical Gaps
The Japan Cybercrime Control Center provided victim‑facing identifiers that pure telemetry can’t capture. Its reports included details of the pop‑up messages, caller accents, and payment mechanics—ground truth that helped Microsoft pinpoint the specific variants being used. This highlights the indispensable role civil‑society groups play in cybersecurity.

3. Tactical Disruption Buys Time
Seizing domains, servers, and physical call centres doesn’t end the scam economy, but it creates a costly, friction‑filled recovery period for criminal groups. During that window, user‑education campaigns and improved cloud‑defense rollouts can further shrink the attack surface.

Blind Spots and Long‑Term Challenges

The Fraud Economy Is Modular and Resilient
Scam groups specialize. One crew generates pop‑ups; another handles translations; a third processes payments. Removing a call centre is like deleting a cell in a spreadsheet—the formula recalculates. Microsoft’s DCU has had to escalate from targeting individual centres to going after the entire enabling ecosystem, including payment rails and bulletproof hosting.

AI Supercharges Scale
Investigators confirmed that generative AI tools were used to create pop‑up copy, translate scripts into flawless Japanese, and even adjust calling‑time patterns to match peak browsing hours of the elderly. That means future scams can multiply faster and morph quicker than manual methods allowed. Defenders must adopt AI‑assisted detection and automated takedown protocols to keep pace.

Jurisdictional Friction Remains
Even with strong bilateral ties, cross‑border evidence collection and extradition are slow, legalistic processes. Private companies can provide leads, but only sovereign law enforcement can execute warrants. If domestic agencies lack resources or political will, disruptions stall. International legal frameworks need to be streamlined, and capacity‑building in countries that host scam centres is urgent.

Transparency and Civil Liberties
When a private company feeds intelligence that leads to raids, questions of oversight arise. Who audits the evidence? What happens if a legitimate service gets caught up in a domain seizure? Microsoft’s DCU operates under a carefully constructed legal framework, but as these partnerships grow, clear accountability mechanisms and judicial checks must be institutionalized.

Azure Integrated HSM: A Parallel but Separate Battle

While the Japan‑India raid unfolded, Microsoft continued rolling out its Azure Integrated Hardware Security Module (HSM)—a tamper‑resistant chip designed to meet FIPS 140‑3 Level 3 standards and protect cryptographic keys at the node level. Accelerated deployment across Azure’s server fleet strengthens cloud‑level defenses against attacks that try to steal keys or compromise hardware.

However, an HSM can’t stop a pop‑up. Tech‑support scams bypass infrastructure entirely by exploiting human psychology. That’s why Microsoft’s Secure Future Initiative combines hardware hardening with aggressive fraud‑fighting operations. The lesson for enterprises is clear: invest in both platform security and user awareness; the strongest lock won’t help if someone opens the door.

What Victims and Businesses Should Do Now

  • Never call numbers from pop‑ups. Contact vendors only through official support pages or documentation.
  • Deny remote access to strangers. Legitimate technicians will never demand control over your personal device without a verified support ticket.
  • Enable multi‑factor authentication everywhere, use strong unique passwords, and limit admin privileges.
  • Keep software updated. Apply browser and OS patches promptly, and use endpoint protection that blocks malicious domains and pop‑ups.
  • Report scams. Notify local police and Microsoft’s security reporting channels (e.g., report.microsoft.com). Each report refines the telemetry that powers future takedowns.

Policy Implications: What Comes Next

The Japan‑India bust reinforces several policy priorities:

  • Accelerate cross‑border legal instruments. Fast‑track mutual legal assistance treaties and standardize evidence‑preservation rules so that intelligence doesn’t go stale.
  • Build audit rules for private intelligence. Ensure that data from corporate sources is admissible in court while protecting individuals from false positives.
  • Pressure payment rails. Crypto exchanges, fintech apps, and gift‑card issuers must do more to detect and block laundering flows tied to scams.
  • Invest in source‑country capacity. Nations where call centres operate need resources, training, and legal frameworks to prosecute operators domestically.
  • Expand victim outreach. Tailored campaigns for the elderly, non‑native speakers, and other high‑risk groups can blunt the scammers’ edge.

A Data Point, Not a Trend

Some reports have cited a global cybercrime cost of $10.5 trillion, but that figure comes from industry forecasts such as those by Cybersecurity Ventures and should be treated as a directional estimate, not a precise balance‑sheet number. Similarly, a few AI‑generated news aggregators that circulated this story carried disclaimers that their content may not be fully fact‑checked. The core facts—six arrests, 19 raids, two call centres dismantled, and Microsoft DCU’s pivotal role—are verified by multiple independent sources, including Microsoft’s own blog and the Hindustan Times.

Conclusion

The May 28 operation is a milestone in the fight against tech‑support fraud. It proves that when a company’s threat intelligence is paired with determined law enforcement and victim‑centric nonprofit work, the result can be swift, precise, and disruptive. Yet the scam ecosystem’s modular nature and its embrace of AI mean that no single bust will end the threat.

Microsoft’s DCU will need to keep feeding leads, pressing payment platforms, and pursuing enablers long after the press releases fade. For Windows users, the best defense remains a healthy skepticism of unsolicited pop‑ups and a commitment to reporting scams early. Technology can only win this fight if it’s backed by international cooperation, transparent processes, and an informed public.