
The Bhavnagar District Co-operative Bank headquarters in the Gujarat town’s Sahkar Bhavan was shut over the fourth weekend of February, like any other weekend. But a frenetic activity, which would cost the bank a massive sum of over Rs 7 crore, was afoot in the digital space.
Within minutes, fraudsters, who had exploited gaps in the bank’s core banking system to create a balance of over Rs 7 crore over six months, transferred this sum to over 127 accounts, pulling off a bold heist that would be discovered when the bank reopened on Monday.
A total of six people, including a woman, have been arrested across Ahmedabad, Surat and Mumbai as investigators decode the elaborate plan behind the bank robbery carried out not with weapons, but with clicks.
An overlooked mail, and a patient plan
According to the investigators, the gang allegedly planted malware in the bank’s system through an infected email attachment about six months back. This malware then penetrated the bank’s Core Banking System, the nervous system of any financial institution. The accused then chose one account each at four separate branches of the bank with low balance. They managed to change the phone numbers linked to the four accounts to numbers registered in Northeastern states such as Mizoram. These numbers belonged to them, and the scamsters were now in control of the transactions, said Detective Inspector RB Vihol, the investigation officer in the case.
“They then changed the balance in those four accounts by putting up ghost entries, reflecting a total amount of Rs 7,34,91,682. They then transferred this amount, through real transactions, into 127 different mule bank accounts,” Vihol said. To put it simply, the scamsters gamed the core banking system to create fake balance in four accounts and stole real money through transfers to mule accounts.
Jitendrakumar K Kevadiya, general manager of the bank, told The Indian Express, “They hacked the system and due to deficiencies in the cybersecurity, they were able to make (ghost) entries and then transfer the amount, resulting in fraud. They did it on a weekend when nobody was at the bank. Most of the customers of our bank are farmers.”
An FIR was registered on March 11 by the CID (Crime), Gandhinagar, after the bank probed the matter internally. The case was transferred to the Cyber Centre of Excellence. Based on a complaint by a bank officer, a case was registered under multiple sections of the Bharatiya Nyaya Sanhita. Sections of the Information Technology Act were also invoked.
Story continues below this ad
On April 19, Sushilkumar Vinodkumar Meghwal (32), Rubina (31) and Adnan Usman Shaikh (24) were arrested in Ahmedabad, and Kishor Prabhakar Pardeshi (43) in Mumbai. Three months later, on July 3, Mohammad Khaliq Gulam Hussain (40) and Shoaib Gulamnabi Rana (38), both from Surat, were arrested, taking the number of arrests to six. All the accused are in judicial custody. Police are now investigating their backgrounds and how they came together to plot the heist.
On action taken after the fraud, Kevadiya said, “We shut down the Core Banking System for 8 days while we conducted an internal inquiry and consolidation of accounts. The bank’s mobile application and other online access remained closed for longer as vulnerabilities were addressed. We conducted a banking audit as per government regulations, changed all servers and then resumed operations.”
The changes were made on the advice of Reserve Bank of India (RBI) auditors, experts from CERT-In (Indian Computer Emergency Response Team) of the Union Ministry of Electronics and Information Technology, and the Cyber Centre of Excellence of Gujarat Police.
A ‘Trojan Horse’ invasion
Of the Rs 7.34 crore stolen from the bank, police have managed to save Rs 2.04 crore by freezing accounts. Investigators said a weak core banking system aided the Trojan Horse malware. This malware was planted into the bank’s system through an email sent to an officer’s ID at least six months before the heist. The scammers then made ghost entries into four accounts and transferred actual money to 127 mule accounts.
Story continues below this ad
Details such as the subject of this email and which bank officer it was sent to have not been disclosed as the investigation remains underway. Vivek Bheda, Superintendent of Police in the Gujarat Police’s Cyber Centre of Excellence, told The Indian Express that the gang allegedly sent a third-party phishing mail, meaning it impersonated a business or vendor to ensure the recipient opened the malicious attachment. This email contained the malware that worked in the background and infected the entire Core Banking System, providing the accused access to the bank’s software.
The senior police officer also pointed out that the bank’s Core Banking System had several vulnerabilities because it had not been upgraded for years, and the vendor providing the service to this bank had been blacklisted by several other banks. The scammers exploited these vulnerabilities.
Damage Control
The bank has now decided to migrate to a Core Banking System supported by Tata Consultancy Services. Kevadiya said the bank had signed the contract before the heist and that the system would be revamped by July 10.
The bank will spend an undisclosed amount – in crores – on these upgrades, and its monthly rental for cybersecurity upgrades and new software will cost Rs 30 lakh, said Kevadiya. This comes to about Rs 3.6 crore a year. “That amount is not as important as restoring the reputation of this institution,” he said.
Story continues below this ad
Since the heist, senior bank officials, including the chairman and directors, have met customers in several talukas of Bhavnagar and assured them they will do their best to improve the systems.
View original source — Indian Express ↗



