A B.Tech student known for finding bugs in major company applications has been arrested for using his skills to carry out a large fraud. The Ghaziabad Cyber Police said the 24 year old student manipulated the payment system of a fantasy gaming application. He would deposit one rupee but make the app show wallet credits between two thousand and one lakh rupees. This activity went on for many months and caused the company a loss of more than one crore rupees.
Police have seized his devices and begun a forensic investigation.
The issue came to light when a representative of the Real eleven fantasy gaming application, Amit Yadav, filed a complaint in November 2024. The firm’s audit showed fraudulent transactions worth one crore one lakh rupees between July and November twenty twenty four. These transactions did not match any real payments from users.
Police had earlier arrested three people in April twenty twenty five. They were Deshraj, Abhishek and Aakash. Their questioning led police to the main planner. He is Utsav Mandal, a final year Computer Science student at Siliguri Institute of Technology. He is originally from East Bardhaman in West Bengal and had recently been staying in Bijnor. Police arrested him on Saturday in the Ghantaghar Kotwali area of Ghaziabad.
During questioning, student said he had solved several bug bounty challenges. While testing app weaknesses, he found gaps in the Real eleven application. Investigators said Mandal installed the app and reverse engineered its application programming interface. He found a weakness in the payment system and changed the data sent between the gateway and the mobile app. This allowed him to make the system show that he had deposited one rupee while the wallet showed a much higher value between two thousand and one lakh rupees. He later moved the inflated wallet balances to his bank accounts. Police described the method as “technically advanced, far beyond ordinary digital fraud techniques.”
Student said he created twenty user accounts to run the fraud. He used documents belonging to his mother, father, wife, friends and acquaintances. He told his family that the money was “project payments” to avoid suspicion. Through these accounts, he carried out more than one hundred fraudulent refund transactions and moved more than one crore rupees across several wallets. He slowly transferred the money to different bank accounts.
Police have recovered twenty five lakh rupees so far. They are checking more bank and UPI accounts, digital wallets, transaction logs, and data from his devices and cloud accounts. A detailed audit is ongoing.
The cyber police have advised app developers to improve API and payment security. Officials said that new forms of cybercrime depend on weak validation checks. They urged stronger API security, better payment gateway logs, and improved backend monitoring systems.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
