As the books close on fiscal year 2024–25, the cybercrime numbers are in with another sobering tally.

A total of 18,926 cybercrime cases were registered at the Cyber Bureau of Nepal Police over the past 12 months, an average of around 52 cases per day.

On paper, the figure is slightly lower than last year’s 19,730. But according to the bureau, the drop in the official number doesn’t necessarily signal improvement. Instead, the dip may reflect underreporting, data lags, or the decentralisation of case management.

“Honestly, I don’t see much improvement from last year. The number of cases recorded in a single fiscal year is still alarmingly high,” said Superintendent of Police Deepak Raj Awasthi, spokesperson and information officer at the Cyber Bureau. “The lower number [registered at the centre] could be due to underreporting, or because districts are now handling some cases on their own.”

Following a 2023 directive from the Ministry of Law, Justice, and Parliamentary Affairs, cyber-related crimes can now be reported and handled by the district police office. That shift has affected the central database’s completeness, says Awasthi. “We only have records of cases they forward to us, not everything.”

He also suggests that data lags might be a factor. Sometimes people email cases, but if details are missing and they’re asked to resend, they don’t, causing those reports to be absent from the data.

What the numbers do show clearly is that cyber fraud is booming.

Financial scams and fraud alone made up 7,723 cases, 40.82 percent of all cybercrimes reported last year. This represents a steep 87.82 percent increase from the previous year’s 4,112 cases, nearly doubling in just one fiscal cycle.

“Cyber-enabled financial scams and fraud cases have sharply increased,” Awasthi said. “That’s also why total male victims outnumber women this year. This kind of fraud often involves men as money mules or primary targets.”

While cyber fraud leads the tally, the bureau logged thousands of other offences–3,503 accounts hacked; 3,067 fake or impersonated accounts created; 1,801 bullying and harassment complaints; 1,026 cases of criminal defamation; and 495 hate speech reports.

Sexual offences included 437 sexting cases; 84 reports of sextortion; and 8 reports of sex crimes or sexual assault. Other concerning cases were 10 related to suicide, 216 involving threats of violence, and 27 involving image morphing, often forms of digital abuse affecting women.

The most common digital media used in these crimes reflect where Nepalis spend their time online.

Facebook and Messenger topped the list with 9,829 incidents, followed by TikTok (3,086), WhatsApp (2,305), Telegram (1,509), and Instagram (1,115).

“Telegram caused significant harm in a short period,” Awasthi noted. “Out of the 1,509 Telegram-related cases, most were online fraud. But the real problem is we didn’t get user data from Telegram in tracking those.”

This lack of cooperation from digital platforms, Awasthi stressed, is one of the major obstacles in prosecuting cybercrimes. “We face serious problems when we can’t access data. For many cases, especially involving scams or hacking, we need cooperation from platforms which don’t always come by.”

The fiscal year also saw an evident increase in cybercrimes targeting minors. There were 351 cases filed by underage boys and 421 by underage girls, both up from 253 and 382, respectively, in 2023-24.

Of the total cases filed, 7,921 came from women, 9,787 from men, and 446 from organisations or institutions.

Men account for the majority of the total victims, according to the data. Bureau says, this is mainly because online fraud and scams account for 40.82 percent of cases, where men are the most targeted.

Women, however, are the majority of victims of harassment, bullying, sextortion, fake impersonation, hate speech, and threats of violence. Cases of digital violence against women could also be majorly underreported or left unaddressed by victims because of societal pressures and various other challenges, adds Awasthi.

While most cybercrimes in Nepal remain cyber-enabled, sophisticated ‘cyber-dependent’ crimes are on the rise too.

Cyber-dependent crimes are offences that can be committed using computers, networks, or other forms of information and communication technology (ICT). Examples include unauthorised server access, data breaches, malware attacks, and website defacements.

According to the bureau, handling these cases was among the biggest challenges last fiscal year. These crimes are more complex, harder to investigate, and often sensitive, requiring international data-sharing and advanced digital forensic tools, which Nepal currently lacks, officials said.

“In such cases, international cooperation becomes essential,” Awasthi said. “But we often can’t obtain user data from abroad, and we face barriers like strict privacy laws and limited technological capacity.”

Tackling these technical crimes requires specialised expertise and stronger infrastructure, both of which remain in short supply.

Adding to the challenge is the lack of legal clarity. Nepal’s governing law for cyber offences, the Electronic Transaction Act (ETA) 2008, struggles to address the varieties of modern cybercrime.

“The ETA lacks a clear, comprehensive definition of cybercrime and fails to cover the full range of online offences,” Awasthi admitted.

This lack of clarity creates a problem for consistent categorisation. A single case might be recorded as both harassment and defamation, or impersonation and fraud, based on interpretation.

Due to the ETA’s limited categorisation, some offences are grouped under broad labels like bullying or harassment. The Bureau acknowledges that such overlaps and manual errors may affect the accuracy of the data.

Despite the slight dip in total reported cases, the broader picture suggests Nepal’s cybercrime environment remains volatile. Fraud is spiking, attacks are more advanced, and victims are increasingly diverse in age and gender.

The data from fiscal year 2024-25 yet again show how urgently overdue a modernised, well-resourced, adequately staffed, and agile cybercrime response is.