Karnataka CID probe reveals hacker used hotel IP address to steal Rs 11.5 cr from govt portal

A 26-year-old hacker, who managed to gain access to funds of the Karnataka government’s e-procurement cell in July 2019 to steal Rs 11.5 crore, used the internet connection of a five star-hotel he was staying at the time to carry out the hack, a probe by the Criminal Investigation Department of the Karnataka police has revealed.

In a chargesheet filed on December 15 into the July 2019 hacking at the e-procurement cell, the CID has linked the 26-year-old hacker Srikrishna Ramesh alias Sriki to the crime by showing that an Internet Protocol address allocated to a hotel in Bengaluru where the hacker was staying between May and July 2019 was used to access the e-procurement portal.

In key evidence placed in the chargesheet to link Srikrishna alias Sriki to the theft of Rs 11.5 crore of funds from the e-procurement cell, the CID has cited an e-mail communication of October 18, 2019, from the internet service provider D-Vois Communications Pvt Ltd stating that an IP address 1.186.34.100 was allotted to the hotel Gokulam Grand and Spa in Bengaluru.

The CID also provided an email of October 19, 2019, from the IT manager at the hotel, providing a list of persons who used the hotel IP address for accessing the Internet during the period when the hacking incident occurred at the government portal.

The hotel list showed that the hacker Sriki, who was a guest in room number 407 of the hotel between May 4, 2019, and July 29, 2019, used the Bengaluru hotel IP address to access the Internet.

The CID probe found that after succeeding in stealing Rs 11.5 crore from the e-procurement cell, the hacker and his associates fled to a resort in Himachal Pradesh to splurge the stolen funds and also attempted to rob the e-procurement cell again of nearly Rs 28 crore – which was prevented by authorities who were by then aware of the heists.

The CID included email correspondence with the Dehradun internet service provider e-Net Solutions confirming that an IP address 103.230.154.212 was allotted to the resort Ananda in the Himalayas where the hacker and associates were staying after the initial robbery.

In a voluntary statement given to the CID, Sriki, the hacker, has stated that he carried out the hacking at the e-procurement cell initially to help a contractor associate Sunish Hegde obtain inside information on government tenders and later hacked the cell for funds to help his contractor friend solve a problem with a “gambling debt.”

In August 2019, officials at the e-procurement cell of the Karnataka government filed a complaint with the cyber-crime unit of the Criminal Investigation Department of the state police saying unknown persons had stolen Rs 11.5 crore of earnest money deposits from the e-procurement cell, and that officials were able to stop the theft of Rs 7.37 crore.

The hacking of the e-procurement cell of the Karnataka government was discovered on July 30, 2019, by a financial consultant at the cell S K Shylaja, during a check of the approved list of refunds of earnest money deposits (EMD) made against bids for tenders.

The consultant found that an unauthorized instruction was issued for the unique registration number used by the Karnataka government for online banking to transfer Rs 7.37 crore as an EMD payment despite the state government not approving the refund. The transfer of the Rs 7.37 crore funds was stopped by the state e-procurement cell before it could be executed.

However, further analysis of the approved list of EMD fund transfers by the e-procurement cell revealed that on July 1, 2019, unauthorized instructions were issued for the transfer of Rs.1.05 crores of funds to the account of a soft drink and chips distribution firm in Bulandshahr, UP called Nimmi Enterprises.

A police complaint was initially lodged on August 7, 2019, by the financial consultant S K Shailaja over the missing Rs 1.05 crore of EMD funds.

A few days later, it was discovered that another similar “unauthorized EMD refund instruction” of Rs 10.50 crores had occurred on July 9, 2019, in which the funds were fraudulently transferred to an ICICI bank account of an NGO Udaya Grama Vikas Samstha in Nagpur. This discovery of the cyber theft of Rs 10.50 crores was reported to the police by state officials on August 25, 2019. Investigations by the cyber-crime unit of the Karnataka CID police initially focused on the computer forensics of how the e-procurement cell was hacked and the money trail.

The role of Sriki in the hacking at the procurement portal was pinpointed after he was arrested in November 2020 in a case of buying drugs on the dark web using Bitcoins by the City Crime Branch unit of the Bengaluru police.

The CID probe has found that the Rs 11.5 crore of stolen funds were laundered through an elaborate money-laundering system – including hawala transactions – set up by the hacker’s associates through friends and acquaintances located in Bulandshahr, Delhi, Nagpur, and other places in the country.

An investigation by the Enforcement Directorate into the money laundering aspect of the crime has resulted in the seizure of Rs 1.49 crore of the stolen Rs 11.5 crore funds. The hacker and his associates have claimed to have received only Rs two crore from the crime and claim to have paid those who helped in laundering the funds the remaining amount.

A separate investigation by the Bengaluru City Crime branch into the illegal activities of the hacker – where a charge sheet was filed in February 2021 – where six hard disks recovered from the hacker were analyzed has revealed data for the hack at the e-procurement cell.

The analysis of hard disks from laptops seized from the hacker and an associate Robin Khandelwal, following their arrest in Bengaluru in November 2020, was carried out by a private cyber forensics firm Group Cyber ID Technology Pvt Ltd earlier at the instance of the Bengaluru police in a case of hacking of two Pacific Gaming Pvt Ltd poker sites.

According to the cyber forensics report, one hard disk `marked 01′ recovered from a Macbook belonging to the hacker “does contain the hacking data” for the hacking of the eproc.karnataka.gov. site of the e-governance cell of the state government and other sites.

“From May-July of 2019, I hacked the e-procurement website after getting to know about it..” from two associates.

“They initially told me to decrypt bids for certain tenders for which they were bidding and during the course of my time investigating the e-procurement network I obtained access credentials to the Corbys ICICI bank EMD refund API. I tested this multiple times and did a transaction of Rs 1.5 crore to an entity I met on a forum…” the hacker has stated in a voluntary statement given to the CID on how he began toying with the e-procurement cell.

There are as many as six cases of hacking filed against Sriki in Bengaluru. The investigations against the hacker and his associates have been surrounded by controversy in Karnataka with allegations of police, government officials collecting bribes through bitcoins stolen by the hacker swirling around the investigations of the multiple cases.