# PCL Rohtak aka MoneyEarn24

Thanks for taking some time to visit this page and read about this MLM scam.

## Update

They got busted:

1. https://www.amarujala.com/haryana/rohtak/cheating-of-rs-30-crore-from-three-thousand-people-busted-in-rohtak-rohtak-news-c-17-roh1020-549874-2024-11-23
2. https://www.amarujala.com/haryana/rohtak/30-crore-fraud-case-fraud-business-flourished-in-rohtak-under-the-nose-of-police-rohtak-news-c-17-roh1020-549923-2024-11-23?src=story-related-auto&position=1

## Update 2

The court case is still going on. You can visit https://services.ecourts.gov.in and select Case Status:

* State: Haryana
* District: Panchkula
* Court Complex: District Court

Then select to search by FIR Number, then:

* Police Station: Cyber Crime Haryana, Mansa Devi Complex Sec 5
* FIR Number: 44
* Year: 2024

Enter the (real) captcha, and you will see a list of court orders.

## Introduction

[PCL Rohtak](https://pclrohtak.com/) is a company located in Rohtak, Haryana. They claim to be an IT company, which may be true, but they are also involved in scams. The scam they are currently running is their platform/site called [MoneyEarn24](https://moneyearn24.com/).

They had plans to launch a new app on November 17, 2024, but that has not occurred yet, probably because of the videos posted by a YouTuber, [@AjeyTalks](https://www.youtube.com/@AjeyTalks), [who created videos](https://www.youtube.com/playlist?list=PLiKGhosdI6lOdPSKzr1se1o0RTK_qohUG) exposing their fraudulent activities to his audience.

On the day of the "app launch," they held a meeting and shared a [video](https://youtu.be/Fn7qHzTlVUg) update on a channel run by one of their supporters:

![image](https://hackmd.io/_uploads/r1aJblFfJl.png)

You can access their official Telegram channel [here](https://t.me/s/pclgroup_24). They might disable public previews, which is why I included the screenshot.
### Lies

The company claims to have been operating for the last five years, but the domain has only been (re)activated since December of last year (https://web.archive.org/web/20240226164555/https://moneyearn24.com/). They now assert that they provided other tasks before, but if they used the same domain, you can easily check that their previous hosting was suspended: https://web.archive.org/web/*/https://moneyearn24.com/

![image](https://hackmd.io/_uploads/H1mNl_7Mkl.png)

The domain's WHOIS record can be accessed here: https://mxtoolbox.com/SuperTool.aspx?action=whois:moneyearn24.com

And here is a review where they claim to be either working or providing work for at least 3 years:

![image](https://hackmd.io/_uploads/B1ct-X9f1x.png)

Link to this review: https://g.co/kgs/GZz2qWx

On the homepage, they claim to have more than 1.4 lakh members. However, the truth is that they do not have that many members. They have inflated the registration count by over 60,000, and many members have multiple registrations that the company counts as separate members. To get the actual number of registrations, take whatever figure they have mentioned and subtract 67,088 from it. This is yet another major red flag, although many people are unaware of it:

![image](https://hackmd.io/_uploads/ByXoGvmfyx.png)

*I am sure the PCL Team would recognize this code*.

Anyway, let me start by answering a few basic questions.

### What is the job/task that they provide?

They offer captcha filling jobs. Yes, you read that right. You have to join their platform by paying ₹5,000, and then you can start filling captchas they provide every day (except Sunday). I have covered more about this in a later section.

### How do they claim to make money?

According to several meeting videos available on YouTube, they claim to make money by either selling these captchas to US-based companies or by filling in captchas that they receive via some API from US servers (which they don't, shhh).
### How do they bring people?

They simply rely on referrals to attract people to join their website. Some small YouTubers also run their campaigns and take advantage of referral points.

### Why would members bring more people?

There are several benefits:

* Each referral counts towards how much money a member makes for filling each captcha. The figures mentioned on their homepage aren't accurate; let me share the accurate ones (directly from their codebase):

  | Referrals | Per Captcha Earning |
  | --------- | ------------------- |
  | < 49      | ₹1                  |
  | < 99      | ₹2                  |
  | < 149     | ₹3                  |
  | < 199     | ₹4                  |
  | < 249     | ₹5                  |
  | < 999999  | ₹5                  |

  Each member can fill 93 captchas in a day, so if you can bring in 199 people, you'd make 93 × ₹5 = ₹465 per day.

* Members are supposed to receive referral points. This company has not clarified the value for each referral point, but at the time of publishing this, the maximum points in the system are 8. I haven't found out how they allocate these points; perhaps I have missed some details.

### Data They Collected

- Aadhaar Card
- PAN Card
- Bank Passbook / Check
- UPI IDs (which were disabled later)
- Mobile numbers and emails
- Physical address

## Joining Fee

As mentioned earlier, not everyone can start "working" for them. To join, you must pay them ₹5,000.

![image](https://hackmd.io/_uploads/SJIjK47zke.png)

High resolution: https://hackmd.io/_uploads/rJ3f_VXzyx.png

I was able to download many screenshots (uploaded by users after successful UPI payments) from the server (details provided later).

### Lack of Payment Gateway

You may have noticed in the above screenshot that you are instructed to make the payment to a UPI ID. They are not using any payment gateway, which is a major red flag. Why? Because all the money is being transferred directly to their bank accounts. Payment gateways provide a layer of protection for both businesses and customers.
However, they avoid this protection because they fear that their funds could be frozen if people started reporting them or if they were flagged by the payment gateway's fraud detection systems. Additionally, they rotate these UPI IDs; members only see one ID at a time, but they have multiple IDs—71 to be precise (as far as I am aware)—that they use.

## Captcha Work

If you were or are a member who actively "works" on the site, you would be familiar with this interface:

![image](https://hackmd.io/_uploads/rkAdbDmMkx.png)

High resolution: https://hackmd.io/_uploads/SJ9h-v7Gkx.png

This is the captcha they claim to be obtaining from US-based companies, either magically or through some APIs.

### Magical Source / API

Let me share their magical source with you. There are two files that they use for this:

1. **captcha.php**: This file generates the image output you can see in the above screenshot.
2. **captcha_work.php**: This file generates the random text for the captcha, displays the form, and passes the captcha text as an encrypted value to the captcha.php file. This is the same file used to generate the output shown in the previous screenshot (https://hackmd.io/_uploads/SJ9h-v7Gkx.png).

Based on their code, I can easily generate any captcha image that I want:

- "PCL IS": https://moneyearn24.com/user/captcha.php?captcha=SzlYQmt6dm43T2R3Zy81NXpkVUxaZz09Ojp%2FH0EYwPc2ZVBsqLGfkKNe
- "A SCAM": https://moneyearn24.com/user/captcha.php?captcha=TUlYV2dpQm1WaTk1aTJMblhxakVpUT09OjoTmH%2FnoiMyZcjTZaWfhXLG

They may change the encryption key because this was shown in the videos, which is why I have recorded a video to demonstrate this. You can access the video here: https://oshi.at/vvDm/generating-custom-captcha.mp4

### Captcha Submissions

As you now know about their magical source, you guessed it right—you can easily fool them using your own little magic. You can either keep submitting the same captcha repeatedly or read the actual captcha text from the page!
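
For contrast with the two shortcuts above (resubmitting one captcha, or reading its text from the page), this is how a challenge is normally verified so that neither works: the expected text lives only in server-side state and is consumed on the first check. It is an added example, not MoneyEarn24's code; `issue_challenge`, `verify_challenge`, the alphabet and the TTL are hypothetical, and `$session` stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Added example, not the site's code. All names here are hypothetical.
// $session stands in for $_SESSION so the script runs with `php file.php`.

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O, 1/I
const CAPTCHA_TTL_SECONDS = 120;

// Create a challenge. The answer stays in server-side state; the page only
// receives a random id, so nothing in the HTML or image URL encodes the text.
function issue_challenge(array &$session, int $length = 6): string
{
    $answer = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $answer .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $id = bin2hex(random_bytes(16));
    $session['captcha'][$id] = [
        'answer'  => $answer,
        'expires' => time() + CAPTCHA_TTL_SECONDS,
    ];
    return $id;
}

// Check a submission. The stored challenge is removed before the comparison,
// so a right or a wrong guess both use it up and the id cannot be replayed.
function verify_challenge(array &$session, string $id, string $submitted): string
{
    if (!isset($session['captcha'][$id])) {
        return 'unknown-or-replayed';
    }
    $challenge = $session['captcha'][$id];
    unset($session['captcha'][$id]);

    if (time() > $challenge['expires']) {
        return 'expired';
    }
    $guess = strtoupper(trim($submitted));
    return hash_equals($challenge['answer'], $guess) ? 'ok' : 'wrong';
}

// Constructed walk-through: one correct submission, a replay of it, and an
// id the server never issued.
$session = [];
$id = issue_challenge($session);
$answer = $session['captcha'][$id]['answer']; // read server-side for the demo only

$first  = verify_challenge($session, $id, $answer);
$replay = verify_challenge($session, $id, $answer);
$forged = verify_challenge($session, bin2hex(random_bytes(16)), $answer);

printf("first=%s replay=%s forged=%s\n", $first, $replay, $forged);
```
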
Yes, they claim to sell filled captchas, but they are already aware of the captcha contents! Here is another video demonstrating this: https://oshi.at/nxNr/magical-submissions.mp4

This is the data that they store about submissions:

![image](https://hackmd.io/_uploads/BkwOS_QGJg.png)

Yes, they are logging submissions in a public directory, under `user/captcha_data/data_{$user_id}.json`. Here are some files that you can access yourself:

- https://moneyearn24.com/user/captcha_data/data_52632.json
- https://moneyearn24.com/user/captcha_data/data_110884.json
- https://moneyearn24.com/user/captcha_data/data_110885.json
- https://moneyearn24.com/user/captcha_data/data_110886.json

Here is a video demonstrating this in case they restrict access: https://oshi.at/ZbJt/stored-submissions.mp4

Once you know an ID, you can easily increment or decrement to find other IDs.

I know their supporters would claim that they store this information in some database, but I know for a fact that they don't. This is the data that is stored in their database:

![image](https://hackmd.io/_uploads/HylMvu7M1g.png)

Here is the PHP code that handles captcha submissions:

![image](https://hackmd.io/_uploads/SJAQYOmMyg.png)

```php
if (isset($_POST['captcha']) && ($_POST['captcha'] != "")) {
    // Validate entered captcha code with generated captcha code
    $fillcaptcha = $_POST['captcha'];
    if ($randomValue === $fillcaptcha) {
        $status = "<div class='alert alert-success' role='alert'>Your captcha code is matched!</div>
        <script>
            $(document).ready(function() {
                $('#SuccessModal').modal('show');
            });
        </script>";

        // Update JSON data for correct captcha
        $row['entered_captcha'] = (int)$row['entered_captcha'] + 1;
        $row['available'] = (int)$row['available'] - 1;

        // Write the updated data back to the JSON file
        file_put_contents($jsonFilePath, json_encode($jsonData, JSON_PRETTY_PRINT));
    } else {
        $status = "<div class='alert alert-danger' role='alert'>Entered captcha code does not match!</div>
        <script>
            $(document).ready(function() {
                $('#FailedModal').modal('show');
            });
        </script>";

        // Update JSON data for wrong captcha
        $row['wrong_captcha'] = (int)$row['wrong_captcha'] + 1;
        $row['available'] = (int)$row['available'] - 1;

        // Write the updated data back to the JSON file
        file_put_contents($jsonFilePath, json_encode($jsonData, JSON_PRETTY_PRINT));
    }
}
```

## Refunds

The company claims to refund the initial joining fee of ₹5,000 if you are not satisfied with their offering. However, the reality is that they have only refunded a handful of people due to recent issues faced by their "loyal" members (those promoting them and making the most money).

They had a refund page on the website, but it only displayed a timer:

![image](https://hackmd.io/_uploads/HJ9-4BXMyl.png)

High resolution: https://hackmd.io/_uploads/BJWQNH7Myx.png

This timer depended on your system's current date and time at the moment of your registration. Nothing was supposed to happen once it expired.
Here is the JS code for those familiar with JavaScript:

![image](https://hackmd.io/_uploads/ry3jxL7M1x.png)

Code:

```javascript
(function () {
    const second = 1000,
          minute = second * 60,
          hour = minute * 60,
          day = hour * 24;

    var timer = document.getElementById("timers").value;
    console.log(timer);
    const countDownDate = new Date(timer);
    countDownDate.setDate(countDownDate.getDate() + 330); // Adding 330 days to the countdown date
    console.log(countDownDate);

    const x = setInterval(function() {
        const now = new Date().getTime();
        const distance = countDownDate - now;

        document.getElementById("days").innerText = Math.floor(distance / day);
        document.getElementById("hours").innerText = Math.floor((distance % day) / hour);
        document.getElementById("minutes").innerText = Math.floor((distance % hour) / minute);
        document.getElementById("seconds").innerText = Math.floor((distance % minute) / second);

        // When the countdown is over
        if (distance < 0) {
            document.getElementById("minutes").innerText = 0;
            document.getElementById("seconds").innerText = 0;
            clearInterval(x);
        }
    }, 1000); // Update the timer every 1 second
}());
```

`#timers` is just a hidden field:

```html
<input type="hidden" id="timers" value="2024-05-06 05:23:00" />
```

![image](https://hackmd.io/_uploads/r1vPQPmz1e.png)

Here, they read the value from the database.

![image](https://hackmd.io/_uploads/SJmtXwQMyl.png)

The registration date and time is then used for the hidden field.

Previously, the actual process to claim a refund was quite tricky. According to many YouTube comments, members were instructed to visit their local branch/franchise to obtain refunds. This poses a significant problem, as people have joined from various states, and traveling just to get a refund of ₹5,000 could result in travel expenses exceeding that amount. Additionally, there is uncertainty about whether they will actually provide a refund, along with the risk of verbal and physical harassment.
After @AjeyTalks' videos, they have now added a new refund form to the website and are asking people to re-upload KYC documents (more on that later). Only time will tell if they actually process these refunds.

Here is a screenshot showing one such application (they require you to download a PDF and e-sign it):

![image](https://hackmd.io/_uploads/HylVgbKG1l.png)

High resolution: https://hackmd.io/_uploads/SkBHlWKfkg.png

## Mobile App

In a recent video update, they informed their members that they will be sharing APK links for the app, possibly because they couldn't get approved on the Play Store, though I'm not sure. They have attempted this in the past with a "wallet" app, which turned out to be just window dressing.

The APK hosted by them can be found [here](https://drive.proton.me/urls/Y377G8YGMM#Zb09QIIPn264), and the VirusTotal scan report is available [here](https://www.virustotal.com/gui/file/84ed97eb4b865f824be125e93f02e7b849f60d82ae972f20da21cc707ab55252/details). I haven't reviewed the app code, but based on the VirusTotal report, it seems to be a wrapper for their website only.

The code related to the "wallet" can be found [here](https://drive.proton.me/urls/WZRB531D84#UZt06yQvYdBp) (PHP files).

Based on the app package name and a mobile number used on the admin login page, it appears that another company may be involved or they are too incompetent to recognize the obvious scam:

![image](https://hackmd.io/_uploads/HkYC5eYMJg.png)

![image](https://hackmd.io/_uploads/BkLk6eYzke.png)

![image](https://hackmd.io/_uploads/HJVWaxKGke.png)

Yes, they are also from Rohtak.

## Data I Downloaded

I managed to download some data from their servers while they were occupied with "fixing" various issues:

1. KYC documents: Pictures of Aadhaar and PAN cards (only downloaded unique ones based on a quick file hash)
2. Bank details: Account numbers, IFSC codes, UPI IDs
3. Emails they managed (anchal@, support@, support1@, support2@, support3@, and noreply@)
4. Payment screenshots uploaded by members
5. Website code and database backup (dated November 7, 2024)

The compressed size of the downloaded data, excluding code and the database, is 65.2GB, with the following breakdown:

- Emails: 14.2GB
- KYC Documents: 44.3GB (19,875 files, including some duplicates where different pictures were taken instead of uploading from the gallery). The details aren't readable, but I have still blurred them:

  ![image](https://hackmd.io/_uploads/r1s2fzKzke.png)

- Payment screenshots: 6.7GB

**Folks, please keep your documents safe and NEVER upload them to such unreliable sites.** The only reason I am sharing this information is to make people aware of how easily your documents could get leaked.

### Update

I have now deleted the KYC documents copy, but still have payment screenshots, code, and database dump. Why? Because the company got raided (see Updates section at the top), and a few arrests have been made.

## Data Deleted

I have deleted the following data from their servers, and they may not have backups since they haven't restored it. This could explain why they are requesting members to reupload KYC documents in order to claim refunds.

The screenshot below was taken when I successfully uploaded a PHP script to list directories and their sizes:

![image](https://hackmd.io/_uploads/H1wVmWYM1l.png)

Directories:

- **demo_uploads**: They previously offered a "demo" for ₹299

  ![image](https://hackmd.io/_uploads/SkoUyMYMkl.png)

- **google_review**: They incentivized users to leave Google reviews, requiring members to upload screenshots. Here's an example: https://g.co/kgs/juo3Vjw
- **kyc**: Contains Aadhaar and PAN cards
- **captcha_data**: This folder holds JSON files, with screenshots already shown above. The files are dynamically generated and modified, so they still exist today.

In addition to these directories, I have deleted all the emails they had received.
The emails included sensitive information such as Aadhaar, PAN, bank passbooks, checks, and I even came across a debit card in one instance. To be honest, I've only reviewed one mailbox so far, so there could be interesting content in the others.

Here are some test emails that were still in the inbox:

![image](https://hackmd.io/_uploads/S140EMtM1l.png)

![image](https://hackmd.io/_uploads/ByE1HftGJe.png)

## UPI IDs

The table below lists the UPI IDs along with the corresponding amounts deposited to each ID, based on their own data:

| Amount       | UPI ID |
|--------------|--------|
| ₹ 115,000    | 7302366588-2@ybl |
| ₹ 15,000     | 7302366588@ybl |
| ₹ 155,000    | 7549041263-2@ybl |
| ₹ 175,000    | 7549041263-4@ybl |
| ₹ 210,000    | 7670057006-2@axl |
| ₹ 605,000    | 7670057006-3@axl |
| ₹ 95,000     | 7670057006@axl |
| ₹ 145,000    | 8059513410@idfcfirst |
| ₹ 370,000    | 9034938737-2@axl |
| ₹ 110,000    | 9034938737@axl |
| ₹ 305,000    | 9034938737@ibl |
| ₹ 1,770,000  | 9138382070-1@ybl |
| ₹ 20,000     | 9138382070-3@ybl |
| ₹ 5,000      | 9138382070@paytm |
| ₹ 70,000     | 9138382070@ptyes |
| ₹ 145,000    | 9541991822@ybl |
| ₹ 225,000    | chughsujal@ibl |
| ₹ 170,000    | dilwaleraushan550@okicici |
| ₹ 1,010,000  | jonipcl@ybl |
| ₹ 40,000     | jonysingroha2024@axl |
| ₹ 275,000    | jonysingroha2024@ibl |
| ₹ 1,025,000  | jonysingroha2024@ybl |
| ₹ 225,000    | kumarashok571991@axl |
| ₹ 420,000    | malik4875@kvb |
| ₹ 19,775,000 | merchant1526820.augp@aubank |
| ₹ 36,070,000 | merchant1526835.augp@aubank |
| ₹ 1,880,000  | merchant1526843.augp@aubank |
| ₹ 30,220,000 | merchant1526850.augp@aubank |
| ₹ 35,000     | merchant156820.augp@aubank |
| ₹ 5,000      | merchant156835.augp@aubank |
| ₹ 30,000     | merchant156843.augp@aubank |
| ₹ 55,000     | nikkugulia53-1@okicici |
| ₹ 310,000    | pclamar@ybl |
| ₹ 485,000    | pcljoni@ybl |
| ₹ 465,000    | pclpatna-4@ybl |
| ₹ 40,000     | pclrohtak@indianbank |
| ₹ 150,000    | pclrohtak05@ybl |
| ₹ 5,000      | pclrohtak10@ybl |
| ₹ 235,000    | pclsonam@ybl |
| ₹ 115,000    | rohitmalik4875-1@okhdfcbank |
| ₹ 475,000    | rohitmalik4875-1@oksbi |
| ₹ 60,000     | rohitmalik4875-4@okaxis |
| ₹ 275,000    | rohitmalik4875-4@oksbi |
| ₹ 290,000    | rohitmalik4875-5@okicici |
| ₹ 330,000    | rohitmalik4875-5@oksbi |
| ₹ 110,000    | rohitmalik4875-6@oksbi |
| ₹ 25,000     | someshwaraapcl-1@okicici |
| ₹ 30,000     | someshwaraapcl-1@oksbi |
| ₹ 290,000    | someshwaraapclinfotech-1@oksbi |
| ₹ 105,000    | someshwaraapclinfotech-2@okaxis |
| ₹ 30,000     | someshwaraapclinfotech-3@okhdfcbank |

These were directly exported from their database.

## Reporting

I have attempted to reach out to the cyber cell authorities via email, but I haven't received any responses yet. Our legal system requires victims to come forward and file reports, and I'm unsure if anyone has begun reporting incidents following those YouTube videos.

I have already shared the following (via emails) with the authorities:

- UPI IDs
- Database dump
- Entire PHP code
- Screenshots showing e-mails, KYC documents (which they are again collecting, and leaking at the same time)

I'm willing to share the mailbox dumps, actual KYC documents, and payment screenshots that were uploaded to the site, up until the point I was able to download the data.