From memes featuring politicians singing ‘dohori’ through voice impersonations to manipulated photos of mayors, online defamation, phishing, sophisticated financial fraud, and scams impersonating high-ranking officials—cybercrime in Nepal has been on the rise, fueled by growth in technology.

The Post’s Aarati Ray sat down with Santosh Sigdel, a digital rights advocate and the founding president and executive director of Digital Rights Nepal, to discuss how cybercrimes have evolved, the state of digital rights in the country, and the vital changes needed to address these growing challenges.

How has the nature of cybercrimes evolved in recent years, and what major shifts have you noticed compared, say, to a decade ago?

What’s changed over the years is the deepening digital penetration, growing user base, and gradual ICT adoption by both private and public sectors. Especially since 2019, there’s been a noticeable rise in internet use among children and teenagers. This growth in digital use directly correlates with the trend of cybercrimes in Nepal.

Around 2015, cybercrimes in Nepal were relatively simple: phishing, spam, or website defacement, often done out of curiosity or unknowingly. But over time, they have become much more complex, with criminals now using advanced digital tools and platforms.

According to Nepal Police Cyber Bureau, cybercrime cases have increased sixfold in the past five years. In the fiscal year 2019/20, 2,301 complaints were filed, and in 2024, the number was 1,9730.

These figures likely underrepresent the actual scale, as many crimes, particularly those targeting women and girls, go unreported due to social stigma and hesitation to approach the police.

A decade ago, most cybercrimes in Nepal were limited to social media and content-based offences. Today, there’s a clear rise in more technical cybercrimes, driven by advances in technology and AI.

So would you say the criminals online are getting more sophisticated and thus harder to track down?

Earlier, creating fake content, like editing someone’s face onto another image, required technical skills and software like Photoshop. Now, with AI tools like ChatGPT, such tasks can be done easily through simple prompts, making misinformation and disinformation campaigns more realistic and convincing. Platforms with end-to-end encryption like WhatsApp and Telegram, which didn’t exist then, are now being used to carry out crimes more discreetly.

Today, cybercrimes are more organised and interconnected with fintech, involving coordinated scams, financial fraud, and misinformation campaigns. The 2024 FIU-Nepal Strategic Analysis Report highlights that 70 percent of individuals involved in cyber-enabled frauds are between 19 and 30, indicating the rise of young people being used as ‘money mules’. While lack of awareness still leads some to commit cyber offences, the shift to planned, systematic cybercrimes is evident.

As you mentioned, the 2024 FIU-Nepal report shows that 70 percent of those involved in cyber fraud are between 19 and 30, and children often unknowingly become perpetrators in online abuse cases. What do you think is driving this?

For this, we have to consider whether digital security and literacy are true priorities of the government, civil society, business, and education sectors. From the beginning, the focus seemed to be more on expanding digital access and penetration, while crucial aspects like ethics, accountability, and digital etiquette were overlooked.

Businesses often prioritised growth without responsibility, and ICT education mostly taught how to use computers, ignoring ethics and safe digital practices.

As a result, while internet and social media use grew rapidly, awareness about cybersecurity and etiquettes did not keep pace. Many people committing cybercrimes aren’t even aware they’re breaking the law. For instance, legal professionals looking into the cases of juvenile offenders often find that these youths had no idea their actions were criminal.

From my observation, Nepalis are early adopters of new technology. When ChatGPT was launched in July 2023, Nepal ranked second in driving its growth on Google Search. While this curiosity is positive, it also reflects a lack of seriousness about data privacy, protection, and related risks. As a result, AI is now being used, knowing or unknowingly, for various offences, from minor to major.

AI tools are being used not just professionally but for entertainment too. For example, people have created deepfakes and cheap fakes using free apps. One manipulated photo of Kathmandu’s mayor and deputy mayor circulated widely, and earlier, we saw memes of politicians like Sher Bahadur Deuba, Pushpa Kamal Dahal, and Narendra Modi singing ‘dohori’ with AI-generated voices. These were made for fun, without considering the ethical implications. At the time, there was little public discourse on how such voice impersonation could be misused, especially during elections to create provocative, polarising, or defamatory content.

So the government has been very slow in promoting digital literacy and even now, it is not getting enough attention.

Do you think Nepal’s existing laws and policies are enough to address the growing challenges of cybercrimes and digital offences? What are their key shortcomings?

With the rise of generative AI, deepfakes, and other advanced technologies, the key question now is, are our laws adequate and relevant? The Electronic Transactions Act, introduced 17 years ago, no longer addresses the complexities of today’s digital environment.

Aside from updating laws with time, there has been no proper implementation of existing frameworks. For instance, ETA proposed an IT Tribunal and Appellate Tribunal to handle cybercrime cases, but this was never put into practice.

For years, only the Kathmandu District Court had jurisdiction over cybercrime cases, and it wasn’t until 2023 that all district courts were granted this authority.

Right now, Nepal Police and other law enforcement agencies mostly stick to Section 47 of the Electronic Transaction Act (ETA) for cybercrime cases, often ignoring other relevant laws. For example, while the Muluki Criminal Code addresses insults and defamation, it also states that online offences should carry an additional year of punishment—but this is rarely applied.

The same issue arises in child-related cybercrimes. The ETA doesn’t fully cover cases like online child sexual abuse, and the Act Relating to Children (2018) doesn’t define terms like child pornography, grooming, or sextortion, leaving a lot of confusion and gaps in how these cases are handled. It really shows how important it is to connect digital laws with the broader legal framework we already have.

What’s more, cybercrimes know no boundaries; they are transnational and can happen anywhere. A person in Nepal can be a victim of someone working from a remote corner of the world. For cross-boundary cybercrimes, there should be mutual legal assistance treaties with other countries, but we currently lack such agreements.

Beyond laws and regulations, what else is needed to build a strong digital ecosystem and effectively tackle cybercrimes?

When it comes to cybercrimes, it’s not just about passing a few laws. A big part of the solution lies in having strong regulatory systems and institutions in place.

For example, in 2024, over 19,000 cybercrime cases were filed, but can the Cyber Bureau and Nepal Police effectively handle them? Unfortunately, they don’t have the resources. Being safe online is a basic human right, and if someone files a complaint and doesn’t get a timely investigation or justice, that’s also a violation of their rights.

We often hear about government websites being hacked, cyberattacks on systems like the passport department, and local digital boards being compromised. These incidents highlight the lack of strong cybersecurity protocols, laws, and resources. While a national cybersecurity body has been established, it still lacks the necessary staff and tools.

Do you think there is also a problem with how we see and define cybercrimes?

We focus on rising cybercrime rates, but we also need to address capacity building in the broader digital ecosystem. Cybercrime and the digital ecosystem shouldn’t be seen as separate issues. Weak data protection, limited digital literacy, and inadequate infrastructure directly impact both the exercise of digital rights and the rise in cybercrimes.

Another challenge is the lack of a dedicated bench for cybercrime cases in the courts. The government must assess whether the judiciary has enough resources and training to handle these cases effectively when they reach court. How government agencies, law enforcement, and the judiciary collaborate on these issues is critical for progress.

To address this issue, we must focus on investing in training and developing human resources within Nepal Police, the Cyber Bureau, cyber forensic labs, and the judiciary. It’s essential for the government to invest in and build up the agencies responsible for addressing these crimes, providing them with better tools, training, and support.

With the rollout of the E-Governance Blueprint and AI policy draft, the government finally seems to be stepping up. Do you think these proposals can strengthen digital security and cybersecurity?

We can’t say everything will be fixed. Building a secure digital ecosystem is an ongoing process. It’s not just about having laws in place, but how they’re drafted and implemented.

For instance, as the AI policy develops, it’s necessary to assess whether it can actually address emerging threats, like the use of AI in labour and human trafficking, or technology-facilitated gender-based violence.

Once policies or laws are introduced, creating awareness is just as important as the content itself. Because this isn’t just about individual ministries or departments, it ties into the entire governance system.

For example, if the email of a lower-level staff member in a ministry gets hacked, it can compromise the entire digital infrastructure of that ministry. Similarly, handling a cybercrime case involves many layers of government, so if any link in that chain overlooks the gravity of the issue due to a lack of understanding, the consequences could be ruinous.

Before finalising any law or policy, it’s crucial to ground it in thorough research like examining current cybercrime trends and learning directly from victims and survivors to identify the gaps in existing provisions.

Above all, the policymaking process should be inclusive, bringing together voices from the private sector, civil society, academia, and the tech community. We need an open, consultative approach, not one confined to the closed corridors of Singhadurbar.