Skip to main content

IndiaMart Phishing Case and the Delhi High Court 2026 IP Interim Order

Introduction

A seller registered on IndiaMart would receive an email or a WhatsApp message. The message contained a URL that looked legitimate. The seller clicked. A website loaded, one that looked, for all practical purposes, like IndiaMart. Same layout, same icons, same categories, and same "call now" and "get better price" prompts. The seller was asked to enter their registered phone number. They did.

What happened next is where the attack becomes technically interesting. The fake website did not store the phone number. It immediately entered it into the genuine IndiaMart website's seller login page. IndiaMart's own system then automatically dispatched a real OTP to the seller's registered number. The fake website now asked the seller to enter this OTP. The seller, still believing they were on IndiaMart, complied. The perpetrator captured the OTP, gained access to the seller's genuine account, and the fake website simply hung. The seller stared at a loading screen. By the time they understood what had happened, the account was already compromised.

This is a textbook OTP relay attack. Cybersecurity professionals call it a real-time phishing proxy. The fake site acts as a man-in-the-middle, relaying credentials between the victim and the legitimate platform in real time. No credentials are stored and no time for the user to catch on. So, IndiaMart approached the Delhi High Court.

Why There Were Thirteen Defendants? 

The suit is not against a single infringing party. It is against an entire infrastructure of fraud, which is why reading the defendant list is itself an exercise in understanding how modern digital infringement actually operates:

  • Defendant No. 1: The unidentified operators behind the fake websites. The use of "Ashok Kumar(s)" acknowledges that the actual identity of the perpetrators is unknown. This is a classic John Doe arrangement in a cyber fraud context, extended to reach whoever is ultimately responsible.
  • Defendant No. 2: A US-based cloud infrastructure company. Vercel provides what the order describes as a "Frontend Cloud" platform, essentially a deployment pipeline that takes source code and makes it publicly accessible as a functional website. URLs 1 to 7 in Annexure-A were hosted on Vercel's infrastructure. The Court treated Vercel's hosting services as essential developmental infrastructure enabling the fraud.
  • Defendant No. 3: Github Inc, another US company. The perpetrators stored the source code and templates for the fake websites on GitHub repositories. A specific repository was identified. GitHub was directed to take it down within 36 hours.
  • Defendant No. 4: Netlify, Inc. which is a third US company, providing PaaS services similar to Vercel. URLs 8 to 15 in Annexure-A were hosted on Netlify's infrastructure. Netlify was given the same 36-hour takedown direction as Vercel.
  • Defendant No. 5: WhatsApp, as the phishing messages were sent through WhatsApp. Five numbers were identified across four countries (UK, India, Australia, USA, and Malaysia, listed in Annexure-B), pointing to what appears to be an organized, internationally coordinated operation.
  • Defendant No. 6: Punjab National Bank. A specific PNB account was identified as being used in connection with the fraud. PNB was directed to disclose KYC details within three weeks.
  • Defendant No. 7 onwards: ISPs and Telecom Companies who were directed to block access to all 15 rogue URLs within 36 hours.
  • Defendant Nos. 12 and 13: Department of Telecommunications (DoT) and Ministry of Electronics and Information Technology (MeitY) and this is where the order takes on a systemic dimension. DoT and MeitY were directed to issue blanket notifications to all TSPs and ISPs to block access to the relevant websites, domain names, telephone numbers, and social media accounts. The Court leveraged these ministries as force multipliers for the blocking order.

Trademark and Copyright Infringement of IndiaMart's IP

IndiaMart Intermesh Limited coined and adopted the mark INDIAMART in the year 1996. Its domain was registered on 8 March 1996. The company holds 49 trademark registrations for the INDIAMART mark in India: word marks in capital letters spanning Classes 6, 9, 11, 13, 15, 21, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39, 40, 41, and 42; word marks in small letters in Classes 35 and 42; device marks in multiple iterations; and the INTERMESH mark in Classes 35 and 36. It also holds 28+ registered domain names incorporating the INDIAMART mark across TLDs covering India, the UK, New Zealand, Singapore, Japan, China, Philippines, Taiwan, Australia, the USA, Austria, and others.

The Court accepted IndiaMart's claim that INDIAMART, being a coined word, is entitled to the highest degree of protection against infringement. (To know more about trademark classes, click here

IndiaMart also asserted a copyright claim under Section 2(c) of the Copyright Act, 1957 in its website's original artistic work: specifically the unique website layout, the arrangement and presentation of features, the proprietary icons, the search bar placement at the landing page, the search result display, and UI elements like "call now" and "get better price." The fake websites had slavishly copied this entire visual presentation, including the trade dress and Graphical User Interface.

This copyright claim is different from trademark claim as trademark law only protects a mark's use in commerce. Copyright in website GUI protects the visual architecture of the platform itself. The combination of both was critical to the breadth of the injunction the Court granted.

The scale of the platform being protected as of 30 March 2026, IndiaMart had 219 million registered buyers, a catalogue of 124 million+ products, 8.6 million registered suppliers, 1 crore+ app downloads, and a global website rank of 686. This is a platform deeply rooted in India's SME commerce infrastructure and fake versions of it are a systemic commercial threat to lakhs of small businesses.

Ad-Interim Order by the Court

The ad-interim ex parte injunction operates until the next date of hearing on 10 September 2026. The relief granted is notable for being not merely to stop the infringement, it is also to expose who is behind such infringement.

  1. Against Defendant No. 1: Restrained from operating through fake URLs, WhatsApp accounts, and bank accounts using IndiaMart's marks or any deceptive variant. Also restrained from reproducing IndiaMart's copyrighted works: website content, mobile app content, unique website layout, arrangement/placement of features/icons, trade dress, GUI, stylized logo, colour combination, and original promotional/advertising content.
  2. Against Defendant No. 2 (Vercel) and Defendant No. 4 (Netlify): Takedown of specifically named URLs within 36 hours. Preservation of all records, logs, deployment data, access logs, IP logs, account details, metadata, linked repositories, payment information, and device identifiers. Disclosure of complete particulars of the operators/controllers within three weeks. Also, the prohibition on reactivation or redeployment of any of the 15 URLs or any colourable/mirror/alphanumeric/deceptive variants using IndiaMart marks.
  3. Against Defendant No. 3 (GitHub): Takedown of the specific repository within 36 hours. Additionally, the disclosure of operator particulars within three weeks.
  4. Against Defendant No. 5 (WhatsApp): Block all five identified WhatsApp numbers/groups within 36 hours, and to disclose basic Subscriber Information on these numbers within three weeks.
  5. Against Defendant No. 6 (PNB): Disclose KYC details of the fraudulent bank account within three weeks.
  6. Against Defendant No. 8 (Bharti Airtel): Suspend the identified mobile number used and disclose KYC details of the registrant.
  7. Against Defendants No. 7-11 (ISPs/TSPs): Block access to all 15 rogue URLs and the GitHub repository within 36 hours.
  8. Against Defendants No. 12 (DoT) and 13 (MeitY): Issue blanket notifications to all TSPs and ISPs under their jurisdiction to block/delete/remove access to the concerned telephone numbers, websites, domain names, social media accounts, and messaging platforms.

Findings by the Court in the IndiaMart case

  • Prima facie case: The Court found IndiaMart had established a prima facie case on both trademark infringement and copyright infringement. On trademark, the fake websites used IndiaMart's registered marks and device marks without authorisation. On copyright, the fake websites had slavishly copied the website layout, GUI, and trade dress (the original artistic works in which IndiaMart holds copyright under Section 2(c) of the Copyright Act).
  • Balance of convenience: The balance clearly favoured IndiaMart. Millions of registered sellers depend on the platform's integrity. Ongoing phishing attacks compromised not just IndiaMart's brand reputation but the actual commercial security of its seller base.
  • Irreparable harm: Once an OTP phishing attack compromises a seller's account, the harm is immediate, and this includes financial fraud, data theft, and a direct erosion of trust in the platform. This cannot be compensated by damages ex post facto.
  • Section 12A exemption (Commercial Courts Act, 2015): An exemption from pre-institution mediation was granted on the strength of two authorities: Yamini Manohar v. T.K.D. Keerthi, (2024) 5 SCC 815 (Supreme Court), and the Division Bench of the Delhi High Court in Chandra Kishore Chaurasia v. RA Perfumery Works Private Ltd., 2022 SCC OnLine Del 3529. Both establish that urgent IP suits with imminent harm do not require pre-litigation mediation as a precondition.
  • Section 80 CPC: An exemption was granted from issuing advance notice to the government defendants (BSNL, MTNL, DoT, MeitY) under Section 80 CPC (ordinarily requires two months' notice before suits against government entities).

Five Important Directions from this Case

  1. Cloud hosting providers are now defendants in Indian IP suits. Vercel and Netlify are US companies that had no intent to facilitate fraud; they are general-purpose PaaS providers. The Court's approach treats them as instrumental enablers once their infrastructure is knowingly used to host infringing content. The 36-hour compliance timeline leaves no room for bureaucratic delay. This will be closely watched by the cloud hosting industry.
  2. GitHub is held responsible for code repositories used to power fake websites. The source code of the fake websites was stored on GitHub. The Court ordered the repository taken down, treating it as an instrument of infringement equivalent to the fake websites themselves. This addresses the reproduction layer of the attack, not just its deployment layer.
  3. Copyright in website GUI is now clearly actionable in India. The IndiaMart website layout (the arrangement of a search bar, product categories, icons, and interactive UI elements) was treated as original artistic work deserving copyright protection under Section 2(c). The fake websites' replication of this layout was independently actionable as copyright infringement, separate from the trademark claim. Businesses that have invested in distinctive digital interfaces should take note.
  4. Banks and telecom companies are pulled into IP enforcement. PNB was directed to freeze and disclose KYC data on a specific account. Airtel was directed to suspend a specific mobile number and disclose subscriber data. DoT and MeitY were directed to issue blanket TSP/ISP notifications. This order treats the financial system and telecom infrastructure as legitimate enforcement levers in IP-adjacent fraud cases.
  5. The WhatsApp numbers reveal an international operation. The five numbers span the UK (+44), India (+91), Australia (+61), the USA/Florida (+1-786), and Malaysia (+60). The Court's direction to WhatsApp to disclose Basic Subscriber Information on each number is the first step toward unmasking whoever is actually behind this.

A Note on Intermediary Liability

Indian intermediary liability law under the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 gives platforms a safe harbour from third-party content, subject to compliance with takedown notices. What this order does differently is route the obligation through the court directly, bypassing the notice-and-takedown mechanism.

Whether Vercel, Netlify, and GitHub can invoke their IT Act safe harbour protections when served with a court order rather than a user notice is a question the suit will eventually have to address on merits. At the interim stage, the Court has treated the urgency as overriding. When these defendants enter appearance, this will be the central legal battleground.

Must read: Alkem v. Numen Pharma Trademarks case

Conclusion

This order is simultaneously an IP case, a consumer protection case, and a cybercrime enforcement action. IndiaMart's sellers are SMEs: small traders, manufacturers, and service providers who depend on the platform for their livelihoods. Compromising their accounts through OTP relay attacks is not merely infringement. It is fraud against India's small business sector using a trusted brand as the vehicle. Whether the 13 defendants (in particular the three US-incorporated tech companies) comply within the 36-hour window will be the first real test of this order's enforceability.

Note: This is an ex-parte ad-interim order. The suit is at its threshold. Defendants have not yet entered appearance on the merits, and the findings here are prima facie. The matter returns before the Court on 10 September 2026.

Also read: Can restaurants play copyrighted music?

~ Adv. Koushik Chittella
© All Rights Reserved

Disclaimer: None of the contents of this post constitute legal advice.

Like what you are reading? Subscribe for free & Get IP law updates regularly: