
On 19 May 2026, the Supreme Court of India made history — quietly. A three-judge bench led by Chief Justice Surya Kant, with Justices Joymalya Bagchi and Vipul M Pancholi, heard a Writ Petition (Criminal) filed under Article 32 of the Constitution. The petitioner argued that 80 million Indian citizens' complete biometric identity profiles — Aadhaar numbers, PAN cards, facial biometrics, SMS records, bank balances, family names, home addresses — have been systematically stolen, exported to Chinese servers, and are being weaponised in real time against the very citizens they were taken from.
The court acknowledged the gravity. It directed the Ministry of Electronics and Information Technology (MeitY) to treat the petition as a formal representation and consider it. PTI wire carried the story. Nine confirmed outlets published it within hours.
The story the headlines couldn't fit — because no headline is long enough — is what's inside the petition.
THE NAMED PRINCIPAL: CHEN WEI +13 Chinese Citizen
Between 2017 and 2022, a network of Chinese-controlled entities operated in India under the cover of digital lending. The ecosystem had three documented layers:
LAYER 1 — PREDATORY LOAN APPS: Between 400 and 600 Chinese-backed Android applications harvested contacts, SMS records, location data, photographs, and bank transaction data through device permissions that had no legitimate lending purpose. Named apps active in this period include CashBean, RupeeLend, CashMama, ZipLoan, Quick Rupee, MiCredit, and LoanZone.
LAYER 2 — SHELL NBFC KYC FUNNELS: Shell entities — including Cred Fintech Pvt Ltd, Acemoney India Ltd, Transerve Technologies, and HiWe Finance — were not genuine lenders. They were KYC data collection fronts. Every loan applicant submitted their complete identity — Aadhaar, PAN, face scan, bank account — and that data was transmitted directly to Chinese-controlled server clusters. No data destruction order has ever been issued. The data remains.
LAYER 3 — ADTECH SURVEILLANCE (NEVER INVESTIGATED): The InMobi SDK (subject of FTC Consent Order 2016, Case C-4530) conducted covert WiFi geolocation tracking on 100 million devices including children's, even when GPS was OFF. The Silverpush SDK (subject of FTC Warning Letters 2016) deployed ultrasonic audio beacons to trigger device microphone access for cross-device tracking. Both were embedded in hundreds of Indian consumer applications — not just loan apps. MeitY has not opened a single inquiry under Section 43A of the IT Act 2000 against either company, eight years after the FTC publicly documented their covert surveillance of Indian users.
The principal Chinese architect of this operation is known as Jeffrey Zhu — Zhu Wei. He departed India before a Look Out Circular was issued. He carried the master database. Other named operators include Liu Yang, Zhuang Wei, Wang Xin, and Chen Wei, who began systematic batch export of aggregated data to Shenzhen and Hong Kong servers during the COVID-19 lockdown period in 2020 — when app installs multiplied fourfold and oversight was minimal.
Six Chinese nationals were arrested at a Hyderabad call centre in 2021. All six were deported. None were prosecuted.
Jeffrey Zhu, as of March 2026, has never faced any court in any jurisdiction. His confirmed location is unknown. India has filed zero extradition requests against him — or against any named Chinese national in this ecosystem.
THE LEGAL BRIDGE THAT WAS NEVER CROSSED
The government's consistent explanation for not pursuing extradition of Chinese accused persons is the absence of a bilateral extradition treaty with China. This explanation is legally incorrect. It has been legally incorrect since 1993.
Section 3(4) of the Extradition Act 1962, inserted by Act 66 of 1993 (effective 18 December 1993), explicitly provides that where no bilateral treaty exists, the Central Government MAY TREAT ANY MULTILATERAL CONVENTION to which both India and the foreign state are parties as the legal basis for extradition.
India ratified the United Nations Convention Against Corruption (UNCAC) in 2011. China ratified UNCAC in 2006. UNCAC Article 44 specifically permits use of the Convention as the extradition basis between State Parties with no bilateral treaty.
India also ratified the United Nations Convention Against Transnational Organized Crime (UNTOC) in 2011. China has ratified UNTOC.
Two legal bridges. Both available since 2011. Neither has ever been used to file even one extradition request against any named Chinese accused in this ecosystem. The Enforcement Directorate — the very agency that arrested 103 Indian nationals and attached ₹800 crore — has a dedicated page on its own official website explaining UNCAC and India's obligations under it.
The agency knows UNCAC exists. It has simply never used it.
─────────────────────────────────────────────THE SCALE: WHAT 80 MILLION STOLEN RECORDS ACTUALLY MEANS─────────────────────────────────────────────
The petition places the following before the Supreme Court, sourced from official MHA/I4C data presented to Parliament:
— 105 Indian citizens per hour are subjected to digital arrest — a form of coercive psychological detention without legal basis, enabled entirely by stolen biometric data. That is a violation of Article 21 occurring 2,520 times per day.
— Each stolen KYC record can generate 100 mule financial accounts and unlimited AI-personalised fraud scripts. 80 million records = 8 billion potential fraudulent operations.
— ₹1.5 lakh crore in documented financial losses to digital fraud through 2026.
— 83+ deaths by suicide documented as linked to digital arrest harassment.
— Five years of PMLA enforcement produced ₹800 crore in attached funds — a finite, one-time result. Five years of ignoring the data has produced 80 million permanently compromised digital identities — an infinite, self-regenerating source of harm.
The asymmetry is the constitutional argument. Money is reversible. An Aadhaar number on a Chinese server is not.
─────────────────────────────────────────────THE ADTECH LAYER — THE SECOND BODY OF THE CRIME─────────────────────────────────────────────
The petition identifies a dimension of this ecosystem that has never been placed before any Indian court: real-time victim profiling via the adtech surveillance layer.
When a digital arrest victim receives a call, the fraudster knows the victim's Aadhaar-linked address, family members' names, approximate bank balance — and, in documented cases — that the victim is ALONE AT HOME, has a SIGNIFICANT BANK BALANCE, and has NOT RECEIVED CALLS FROM FAMILY for several hours. This precision cannot come from a static stolen database. It requires an active surveillance layer operating at the time of the crime.
The InMobi SDK and Silverpush SDK were collecting this real-time behavioural data from hundreds of Indian consumer applications. No Indian agency has ever investigated whether this adtech data pipeline contributed to the targeting precision that makes Generation 4 and 5 digital arrest operations possible.
─────────────────────────────────────────────WHAT THE SUPREME COURT HAS NOW DONE─────────────────────────────────────────────
On 19 May 2026, the Supreme Court directed MeitY to examine the petition as a formal representation. The bench, as quoted verbatim in national media:
"The issue being highly technical in nature, it seems to us that an effective course will be to approach the Ministry of Electronics and IT. Let this plea be given as a supplementary representation. They shall consider it." — CJI Surya Kant, 19 May 2026
The petitioner, arguing the case personally before the bench, stated:
"If we cannot bring the data back, we can at least restructure and save it."
MeitY is now formally obligated — by a direction of a three-judge Supreme Court bench led by the Chief Justice of India — to examine this petition. The petition is on record. The names are on record. The legal tools available are on record. The failure to use them is on record.
─────────────────────────────────────────────THE CONSTITUTIONAL ARGUMENT─────────────────────────────────────────────
This petition raises three constitutional questions that have never been litigated before any Indian court:
1. Whether the systematic collection of a citizen's complete digital identity through consent obtained by fraudulent concealment of purpose, followed by permanent transfer of that identity to a foreign criminal infrastructure, constitutes a violation of the basic structure of the Constitution through destruction of the digital constitutional personhood of 80 million Indian citizens under Article 21 as extended by Puttaswamy (2017).
2. Whether the State's five-year decision to investigate only the financial dimension — money, call centre workers — while completely ignoring the data dimension, the 80 million stolen biometric records, the named Chinese architects, and the adtech surveillance infrastructure, constitutes a single investigative mischaracterisation that converted a remediable harm into a permanent and irreversible constitutional injury.
3. Whether India's failure for 14 years to invoke Section 3(4) of the Extradition Act 1962 read with UNCAC Article 44 and UNTOC against any named Chinese principal architect of this ecosystem constitutes an arbitrary abdication of available legal power that violates Article 14.
─────────────────────────────────────────────WHAT NEEDS TO HAPPEN NOW─────────────────────────────────────────────
1. MeitY must respond to the Supreme Court-directed representation with a time-bound action plan.
2. Parliament's Standing Committee on Information Technology must urgently examine the non-operationalisation of the DPDPA 2023 — in force since August 2023, still not operationalised, Data Protection Board not yet constituted.
3. The Central Government must file at least one extradition request under Section 3(4) of the Extradition Act read with UNCAC Article 44 against Jeffrey Zhu (Zhu Wei) — a legal tool available since 2011 that has never been used.
4. CERT-In must publish a public threat assessment specifically addressing biometric data held on foreign servers.
5. A court-directed forensic investigation must be initiated specifically targeting the data pipeline and backend server infrastructure as distinct from money flows.
─────────────────────────────────────────────MEDIA COVERAGE — CONFIRMED AS OF 20 MAY 2026─────────────────────────────────────────────
The Supreme Court order of 19 May 2026 has been reported by:
"SC asks MeitY to examine PIL seeking recovery or destruction of stolen personal data of citizens" (Byline: PTI), 19 May 2026
Deccan Chronicle (national daily): "SC asks MeitY to examine plea on Indians’ stolen data on foreign servers", Legal section, 19 May 2026
The Federal (independent national): "SC directs MeitY to examine plea on safeguarding Indians’ stolen data", 19 May 2026, 1:41 PM IST
Telangana Today (regional daily, Telangana): "SC declines PIL on foreign-held Indian data, directs petitioner to MeitY", 19 May 2026 — notable: uses “declines PIL” framing
OrissaPOST (regional daily, Odisha): "Supreme Court of India asks MeitY to examine plea on stolen personal data", 19 May 2026 — PTI wire pickup
Communications Today (trade/tech media): "SC asks MeitY to examine plea on stolen personal data stored abroad", 19 May 2026
Lawstreet Journal (legal media): Cyber fraud / SC legal coverage section — contextual listing, Legal + cyber law beat
The data is still out there. Chinese Citizen has still never faced any court. The extradition tool has still never been used. The DPDPA is still not operationalised.
This is not about what happened. This is about what is happening right now — every hour — to 80 million Indian citizens who do not know their data is being used against them.
Share this. Tag MeitY. Tag the Standing Committee on IT. The Supreme Court has spoken. Now the executive must act.
#IndiaDataProtection #DigitalArrest #DPDPA2023 #JeffreyZhu #ZhuWei #MeitY #SupremeCourt #CyberSecurity #India #BiometricData #ChineseCyberCrime #DataTheft #UNCAC #ExtraditionAct #InMobi #Silverpush #NitishKumar #WPCrl202926 #DigitalIndia #DataSovereignty
