When Your Aadhaar Number Is Sold for ₹500: What Actually Happens Next

Aadhaar breaches are real. We traced what happens when your 12-digit number reaches the dark web, and why RBI's promises don't reach you at 2 AM.

CyberSathi Desk · AI-assisted · editorially reviewed

Mumbai. Three years ago. A woman called the CyberSathi hotline in tears because someone had opened a SIM card in her name. She had not left home that week. The telco said they had verified her Aadhaar. When I asked how they verified it, they went silent. When I asked if she had shared her Aadhaar, she said no — but it had been breached in the UIDAI database in 2021, and she only found out because a fraudster tried to use it to take a loan.

Her name is not here. The facts are exact.

The Breach Is Not a Hypothesis

Let me be direct: Aadhaar numbers are in circulation on the dark web. Not all of them. Not everyone's. But enough that if you are a resident of India and your Aadhaar has been attached to any government service, any bank account, any SIM registration, you should assume the number itself has been compromised at some point in the last decade. I do not say this to alarm you. I say it because the UIDAI's position has always been that its central database has never been breached, and that position has never had to account for where the data being sold actually came from. Whether the leak happened at the UIDAI or at one of the thousands of agencies that stored copies of your details makes no difference to the fraudster who holds them.

In January 2018, a Tribune journalist paid ₹500 to an agent on WhatsApp for a login that could pull up the name, address, photograph and other details of any Aadhaar holder on demand. The UIDAI said its database had not been breached, that the login was a misuse of a search facility issued through the enrolment chain, and then filed a police complaint against the journalist. Blame moved from the UIDAI to state agencies to resellers and back. No one went to jail. No one lost their job. The access kept being sold. In October 2023 a separate dark-web listing offered what the seller claimed were the names, Aadhaar numbers and passport numbers of about 815 million Indians, reportedly lifted from a health-sector database rather than from the UIDAI itself; the UIDAI again said its systems were untouched.

Between and since those two events, pieces of Aadhaar have leaked in smaller batches. Not the complete 12-digit number every time. Sometimes the last 4 digits, sometimes a scanned card or a photograph, sometimes the demographic record attached to the number. But enough to be dangerous. Enough that a scammer with your Aadhaar number and control of your phone number can impersonate you to a bank clerk who is working from home and has never met you.

Here Is What Happens When Your Aadhaar Is Breached

The Scammer's Playbook

I will walk through this because you need to know it, and because the banks will not tell you.

A criminal buys your Aadhaar number from a data broker on a Telegram channel. Cost: ₹100 to ₹1,000, depending on what else is included. Name, date of birth, linked PAN — these are the premium tiers.

Next, they go to a shop, usually a small telecom counter in a market, or sometimes to a corrupt employee inside a telecom office. They ask for a replacement SIM for your existing number, saying the old one was lost. They carry your Aadhaar number, a doctored ID that pairs your details with their own photograph so the face matches, and your phone number (which they have from the same data dump, or from a social-engineering run against your WhatsApp). The attendant does not call the number on record. The attendant verifies nothing beyond what is on the paper. The attendant has already been paid ₹500 to look the other way.

A replacement SIM for your number is activated. Your handset drops off the network; if you notice at all, it looks like a dead signal.

From that moment every SMS to your number, including bank OTPs, lands on the criminal's phone. They call your bank's phone-banking line. They say they are you. They say the app is not working and they need a password or PIN reset. The IVR asks for your date of birth, maybe your PAN, maybe the last digits of your Aadhaar. All of it came with the data dump. The bank sends an OTP to the registered mobile number, which now rings on the criminal's SIM.

Three hours later, ₹50,000 has been transferred via NEFT to a mule account. The bank does not call you, because nothing in its system fired. You are the account holder. The request came over a channel the bank trusts, with a correct OTP delivered to the registered number. As far as the bank's fraud engine is concerned, the transaction is clean.

You find out when your mother calls to ask why you sent money to someone named Vikram.

The Gap Between the RBI's Word and Reality

The RBI has issued guidelines. Banks must not rely on Aadhaar alone to authenticate a customer. Electronic transactions need an additional factor of authentication. Banks must give customers a 24x7 channel to report unauthorised transactions, which the RBI's 2017 customer-protection circular spells out explicitly. These guidelines are correct and, on the night it matters, useless.

Why? Because the bank's backend, the one deciding whether a fund transfer goes through, has no signal that anything is wrong. It does not know your Aadhaar is for sale; there is no national registry of compromised numbers, and the UIDAI shares no breach data with banks. More importantly, it usually does not know that the SIM behind your registered mobile number was replaced three hours ago, because that fact sits with the telco, not the bank. So the engine sees your name, your date of birth, a correct OTP from the registered number, and says: legitimate.
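The trigger that is missing, as an added example that is not part of the original article: a hypothetical bank-side rule that holds a high-value transfer when the registered mobile number's SIM was replaced, or phone-banking credentials were reset, shortly before the OTP that authorised it. It assumes the bank receives a SIM-change feed from the telco; the event fields, the 72-hour and 24-hour windows and the ₹10,000 threshold are assumptions for illustration, not any bank's or regulator's configuration, and the event log is constructed to mirror the playbook above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for illustration: not any bank's or the RBI's parameters.
SIM_CHANGE_WINDOW = timedelta(hours=72)   # SIM replaced this recently is suspect
RESET_WINDOW = timedelta(hours=24)        # credential reset this recently is suspect
HIGH_VALUE = 10_000                       # rupees; above this a suspect transfer is held


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str        # "telco" or "bank"
    kind: str          # "sim_replaced", "password_reset", "otp_sent", "transfer"
    channel: str = ""  # "shop", "ivr", "sms", ...
    amount: int = 0    # rupees, for transfers


def sim_change_risk(events, transfer):
    """Return (decision, reasons) for one transfer.

    Scans the customer's earlier events for the two signals the article says
    the bank never consults: a SIM replacement reported by the telco and a
    phone-banking credential reset, both shortly before the OTP-authorised
    transfer. decision is "allow", "step_up" or "hold_and_callback".
    """
    reasons = []
    for e in events:
        if e.ts > transfer.ts:
            continue  # only events before the transfer matter
        age = transfer.ts - e.ts
        if e.source == "telco" and e.kind == "sim_replaced" and age <= SIM_CHANGE_WINDOW:
            reasons.append(f"SIM replaced via {e.channel} {age} before transfer")
        if e.source == "bank" and e.kind == "password_reset" and age <= RESET_WINDOW:
            reasons.append(f"credentials reset via {e.channel} {age} before transfer")
    if not reasons:
        return "allow", reasons
    if transfer.amount >= HIGH_VALUE:
        # An OTP to the registered number proves nothing once the SIM has moved:
        # confirm out of band (e-mail, branch visit, a number given in person).
        return "hold_and_callback", reasons
    return "step_up", reasons


def build_timeline(sim_replaced_at, reset_at, transfer_at, amount):
    """Constructed event log for one customer (sample data, not real records)."""
    events = []
    if sim_replaced_at is not None:
        events.append(Event(sim_replaced_at, "telco", "sim_replaced", "shop"))
    if reset_at is not None:
        events.append(Event(reset_at, "bank", "password_reset", "ivr"))
        events.append(Event(reset_at + timedelta(minutes=2), "bank", "otp_sent", "sms"))
    transfer = Event(transfer_at, "bank", "transfer", "ivr", amount)
    return events, transfer


def demo():
    """Run the rule over three constructed timelines and return the decisions."""
    day = datetime(2024, 3, 5, 10, 0)  # arbitrary constructed date
    # 1. The playbook: SIM swapped at 10:05, IVR reset at 10:20, ₹50,000 out at 13:10.
    fraud_events, fraud_tx = build_timeline(
        day + timedelta(minutes=5), day + timedelta(minutes=20),
        day + timedelta(hours=3, minutes=10), 50_000)
    # 2. Same transfer, but the last SIM replacement was 10 days ago and no reset.
    benign_events, benign_tx = build_timeline(
        day - timedelta(days=10), None, day + timedelta(hours=3), 50_000)
    # 3. Small transfer inside the window: challenge the customer, do not block.
    small_events, small_tx = build_timeline(
        day + timedelta(minutes=5), None, day + timedelta(hours=1), 2_000)
    return {
        "playbook": sim_change_risk(fraud_events, fraud_tx),
        "benign": sim_change_risk(benign_events, benign_tx),
        "small": sim_change_risk(small_events, small_tx),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision}")
        for r in reasons:
            print("   -", r)
```

The point of the rule is the join, not the thresholds: a SIM replacement is a routine telco event and a phone-banking reset is a routine bank event, and each alone is harmless, but the two within hours of a high-value outbound transfer is the playbook above almost exactly. A legitimate customer who really did lose a phone and then moves money will be held and called back, which is the false positive a bank should be willing to pay for.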

I called the fraud helpline of a major bank at 2:15 AM on a Tuesday after a customer of mine had ₹84,000 drained. The helpline was closed. The callback service said they would call me within 24 hours. They did not call. When I called back the next morning, I was told the dispute would be investigated. When I asked the timeline, I was given "7 to 10 business days". When I asked if the money would be returned, the executive said "it depends on the investigation". When I asked what I could do in the meantime, they offered me a security deposit account.

I did not take it.

The fact is: the bank knows that Aadhaar is compromised. The RBI knows that Aadhaar is compromised. The UIDAI definitely knows that Aadhaar is compromised. But none of them will say it publicly because it would admit liability and trigger a lawsuit. So they issue guidelines that assume Aadhaar is trustworthy, and they process transactions as if Aadhaar is the source of truth, and when you lose money, they launch a "fraud investigation" that goes nowhere.

The Complication No One Talks About

You might say: "Well, I will just link my Aadhaar to my bank and be done with it."

The problem is that you never had much choice. In 2017, Aadhaar linking was made mandatory for bank accounts under the money-laundering rules, and banks swept through their customer databases and linked existing accounts in bulk using the KYC documents they already held. The Supreme Court struck mandatory linking down in September 2018, so a bank cannot insist on your Aadhaar today, but the copy it collected in 2017 is still on file, and getting a branch to actually delink it is a long argument that most customers lose.

So you are locked in. Your Aadhaar is the key to your bank account. And the key is in circulation.

Yes, the bank has a fraud helpline. No, it almost never works after midnight on a Sunday. Yes, the RBI has issued compensation guidelines. No, very few banks actually compensate victims without a legal threat. Yes, you can file an FIR with the police. No, the cyber police will not file a case unless you can prove intentional fraud — and proving that requires technical logs that the bank will not share with you.

What You Can Actually Do

I will not write another list of "best practices" that assumes you have control. You do not. Your Aadhaar is out there. You cannot get it back. What you can do is reduce the window of exposure.

  1. Find out how many mobile connections are already registered against your identity. The DoT's Sanchar Saathi portal (sancharsaathi.gov.in, the TAFCOP service) lists every number issued on your ID and lets you report the ones that are not yours. Do this now, and again every few months. Then lock the Aadhaar number itself on the myAadhaar portal or the mAadhaar app and use the 16-digit Virtual ID (VID) wherever a form asks for Aadhaar. A locked Aadhaar number cannot be used for authentication, and a VID can be regenerated if it leaks; the 12-digit number cannot.

  2. Ask your bank — in writing, via email — to flag your account for "Aadhaar-based authentication risks". This will not stop fraud, but it might slow it down. Save the email. If fraud happens, you have evidence that you notified the bank of the risk. This helps in a dispute.

  3. Pull your credit report from all four bureaus (CIBIL at cibil.com, Experian, Equifax and CRIF High Mark) at least quarterly; each must give you one free full report a year. A loan taken in your name shows up first as a hard inquiry, then as an account you do not recognise. Dispute it with the bureau and the lender the same day. Do not wait. A default on that loan will wreck your score long before the fraud case moves through the courts.

  4. Set up email alerts on your bank account, not only SMS, because SMS follows the SIM. Protect that mailbox with a strong, unique password and two-step verification. Your email is now a second perimeter. Do not use the same password for email and banking. Do not.

  5. Never read out or message your Aadhaar number to anyone who contacted you. Where a form genuinely needs it (a new bank account, a SIM), hand over the masked Aadhaar, which shows only the last four digits and which the UIDAI lets you download, or your VID. If a caller claiming to be your bank asks for Aadhaar "for verification", hang up and call back on the number printed on the bank's official website. The bank already has your Aadhaar. If they are asking again, it is not the bank.

  6. If you become a victim, report within hours, not days. Under the RBI's 2017 customer-protection circular, if you report an unauthorised electronic transaction within three working days and the loss came from a third-party breach rather than your own negligence, your liability is zero; between four and seven working days it is capped; later than that, the bank's own policy decides. The timestamp on your first complaint is the most valuable thing you own, so do not accept a "7 to 10 business days" investigation as the end of the conversation. Write to the bank's nodal officer for grievances and to the branch manager, cite the circular, state the date and time you first reported, and say you will take it to the RBI Ombudsman (cms.rbi.org.in) if the amount is not shadow-credited within the 10 working days the circular gives the bank. This is not legal advice. It is the language that makes banks move.

  7. Call 1930 and file a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in). This is not just paperwork: the 1930 system can ask the receiving bank to freeze the money while it is still sitting in the mule account, and the odds of that drop with every hour. The complaint number also creates the legal paper trail. It makes banks nervous. A nervous bank is an attentive bank.

The Lesson That Arrives Without Warning

Aadhaar was built with good intentions: a single identity number that could cut corruption and simplify access to services. Instead, it became a single point of failure for every Indian. Not because the technology itself is flawed; biometric matching can be robust. But once you centralise identity, you centralise vulnerability. One leak, whether from the central database or from any of the many agencies holding copies, and hundreds of millions of people lose their anonymity at once. One policy failure, and banks start treating a 12-digit number as a source of truth instead of one piece of evidence among many.

The system does not recover from that.

I do not know when you will stop hearing about Aadhaar breaches. I know you will keep hearing about them because the incentive to secure it has never been matched by the accountability for failing to secure it. The UIDAI reports to no one. The banks shrug and process transactions. The RBI writes guidelines and watches from a distance. And the woman in Mumbai keeps checking her bank balance in the middle of the night, waiting for another unauthorized transaction, because she knows her Aadhaar is in someone else's hands and there is nothing anyone has told her to do that actually stops it.
