How engineering dropout hacked Hyderabad-based PayG and stole Rs 52.9 lakh


By Sumit Jha  Published on  12 May 2022 6:52 AM GMT

Hyderabad: City Crime Police has nabbed a 28-year-old youth for stealing Rs.52.9 lakh after hacking the server of the PayG payment gateway.

Identified as Vannam Sriram Dinesh Kumar, he was arrested from Vijayawada. Police also nabbed his associate Chintu Nagasai of Hanamakonda, a chartered accountant by profession.

On March 17, an employee of Xsilica Software Solutions, the parent company of PayG, complained that their account was hacked on March 15 and 16, and that Rs.52.9 lakh was transferred into other accounts.

A case under Sections 66(C) and 66(D) of the IT Act and Sections 419 and 420 of the IPC was registered at the Cyber Crime police station, Hyderabad.

Police apprehended the accused at Vijayawada on Wednesday and recovered Rs.17.2 lakh from his possession. Another Rs.14 lakh was found in his HDFC bank account. Three laptops, 12 mobile phones, one tablet and 33 credit/debit cards, along with some bank documents, were also recovered from the accused.

Vannam Sriram Dinesh Kumar is an engineering college dropout who got the idea to hack a payment gateway in 2018. He knew that concession from these apps takes a month and it's very safe to hack. Previously, he had also hacked a Gurgaon-based app and transferred 20 lakh into another app. Later, he transferred 60 lakh. However, in both cases, he was not caught.

Modus Operandi:

Vannam Sriram Dinesh Kumar created a user ID on the payment gateway PayG using disposable mail IDs and phone numbers. The accused then used open-source software tools to evaluate the vulnerabilities of the payment gateway.

Later, the accused obtained the user ID of the Super Admin of the payment gateway PayG. Using the software, he gained access to the main database server by exploiting the vulnerabilities existing in the payment gateway software. After entering the data server, he transferred a total amount of Rs.52.9 lakh from the nodal account of PayG to three virtual bank accounts existing with Yes Bank, Equitas Bank, and ICICI Bank. The total amount was finally transferred to www.bitcoiva.com, where he purchased bitcoins.

He later transferred these bitcoins into another crypto account at www.remitano.com. Later, he sold the bitcoins and encashed the amount. The accused developed a method wherein he identifies vulnerabilities in the software of payment gateways and uses these gaps to hack into their core servers and divert money.

Commissioner of Police, Hyderabad, CV Anand said the suspect used VPN IPs to mask his identity, which was one of the main challenges.

"The suspect collected Aadhaar cards from innocent people and the internet, used them as KYC documents, and thereby created virtual bank accounts to mask identity. He also used fake mobile numbers," said CV Anand.

The commissioner said the payment platform has to build its server as per Reserve Bank of India guidelines. Otherwise, such hackings will continue and consumer money will be at risk.
