International hacker Srikrishna Ramesh alias Sriki (26) is the face of the alleged multi-crore Bitcoin scam that is rocking the chief minister’s chair in Karnataka. But Sriki, a habitual offender who claims to have hacked online gaming portals, foreign company portals and the state government’s e-procurement portal, was arrested by the CCB police in a drug procurement case. But intriguingly, he managed to walk out a free man more than twice on bail.
The alleged scam is now rattling not just the BJP government in Karnataka, but also the Karnataka Congress. Days after AICC spokesperson Randeep Singh Surjewala demanded a Supreme Court-monitored SIT probe into the scam, demanding to know the “role” of the incumbent chief minister when he was the Home Minister and alleging senior BJP leaders, their family members and senior officers were involved in the scam, Bommai launched a direct attack on the Siddaramaiah government for failing to arrest Srikrishna.
Sriki is also accused in the Farzi Cafe pub brawl case in 2018, when Mohammad Nalapad, son of Congress MLA N.A. Haris was arrested for assaulting Vidwat Lokanath, the great-grandson of the late Dewan K. Sheshadri Iyer. According to police, Sriki was not arrested as he evaded arrest till he managed to secure an anticipatory bail.
The BJP has now linked Siddaramaiah’s late son Rakesh Siddaramaiah by posting a picture of Rakesh with Hemant Muddappa and Suneesh Hegde, who are known to have links with the kingpin Sriki. The Congress party has a lot to worry about as both Sriki and his associate Robin Kahndelwal’s statements establish their links with Mohammaed Nalapad and his brother Omar Nalappad.
What is the ‘scam’?
On November 4, 2020, Bengaluru’s Central Crime Branch police arrested hacker Srikrishna under the Narcotic Drugs and Psychotropic Substances Act for allegedly procuring drugs using bitcoins via the darknet and peddling it to high-profile clients. On interrogation, the CCB found that Sriki was involved in illegal hacking including that of the Karnataka government’s e-procurement portal.
In his voluntary statement to the CCB police, Sriki said he had hacked the Bitfinex exchange twice. “Bitfinex was my first big Bitcoin exchange hack. I was the first person to do so. The second instance was a simple spear-phishing attack that led to two Israeli hackers working for the army getting access to the computers of one of the employees, which gave them access to the AWS cloud account. I exploited a bug in the data centre which gave me KVM (Kernel-based virtual machine) access to the server. I rebooted the server into GRUB mode, reset the root password, logged in, and reset the withdrawal server passwords and routed the money via bitcoin to my bitcoin address,” stated the accused in his statement adding that he had made a profit of around 20,008 BTC (bitcoin), but saved nothing as he spent them on his lavish lifestyle [including alcohol and hotel stays].
Sriki also admitted he had hacked into the Karnataka government’s e-procurement portal in 2019 and had made three separate transfers. “Two of the accounts were given to me by one Hemanth Mudappa to transfer Rs 18 crore and Rs 28 crore. Hemanth claimed he collected Rs 2 crore from one Ayub, whom I do not know. However, the CID claims that Rs 11 crore was collected by Hemanth Mudappa. The second transfer of Rs 28 crore was refunded as the government learnt about the dubious nature of the transaction,” added Sriki.
The Congress party which outlined the scam during a press meet stated that Sriki, who was arrested in the drug case along with his associate Robin Khandelwal, was kept in police custody for more than 100 days by repeatedly extending his custody by slapping different cases. He was released on bail on April 17, 2021. But despite the accused claiming to have been involved in international hacking before the Metropolitan Magistrate in Bengaluru in December 2020, the Karnataka government did not inform Interpol for over five months and the Bengaluru police commissioner wrote to the Interpol Liaison Officer (CBI) asking to inform Interpol and other agencies only on April 24, 2021.
“The BJP government did not inform the ED, CBI and SFIO too. The current chief minister Basavaraj Bommai, who was the in-charge Home Minister between August 20, 2019, and July 28, 2021,” charged Surjewala.
Besides, the voluntary statements of the accused in the charge sheet reveal the modus operandi of hacking, the network and the lifestyle of all the accused.
According to the charge sheet, Sriki introduced Robin to his friends Akeeb, Sonu, Soumya, Mohammed Nalapad and Nafi Mohammed Nasser, when Robin was staying at ITC Gardenia Hotel in Bengaluru.
Khandelwal, who hails from Kolkata is a BCom graduate from Goenka College of Commerce (2008) who had started a Bitcoin trading service in 2016 called Robin Online Services. He contacted investors through various portals. His Bitcoin trading account was Robin KDL and he made Rs 50 crore through this service by way of a 1-2 per cent commission. Robin met Sriki through bitcoin.com while selling Bitcoins in 2017. Sriki introduced himself under the pseudonym “Dariel Herman” and offered to sell 900 Bitcoins worth Rs 1.3 lakh to Rs 4 lakh each. Robin agreed and sold the coins in phases and transferred the amount to accounts specified by Sriki. Robin made close to Rs 4-6 crore through their partnership. In 2017, Shriki asked Robin to sell Ethereum tokens, and in turn, they made 30 BTC as a profit. Sriki took 20 coins and gave Robin 10 as a commission. The following year, both met face to face. In January 2018, Sriki asked Robin to come to Bengaluru and when he stayed at ITC Gardenia for three days, he learnt Sriki was an international hacker. Srikrishna hacked the Bitcoin exchange databases and showed how he had hacked into the Unocoin database and took away many Bitcoins and tokens. Sriki and Robin stayed in touch via Wickr.
One day Sriki messaged Robin, saying he was coming to Kolkata by road with his friend and would stay at Robin’s place. Robin learnt that Sriki was involved in the pub brawl case.
Mohammad Nalapad was in jail. Sriki stayed with Robin for five days and paid for their expenses with bitcoin. They went to Mumbai by car and stayed at ITC Maratha where Omar Nalapad, the younger brother of Mohammed Nalappad, met them. They were joined by Suhail Rehman. After Omat left, they left for Rishikesh and stayed for 10 days at a hotel and Sriki’s girlfriend Soumya and another friend, Jaggi, joined them.
They all travelled the Himalayas and then shift to Manali. Robin returned to Kolkata due to kidney stone problems. A month later Robin travels with the gang to Shimla, Chandigarh and then finally to Delhi. They stay at the Shangri-La where Omar Nalapad is also staying. They had booked a private jet to fly them to Mumbai but since Sriki had no ID, they cancelled it. Sriki and a few others decided to head to Andhra Pradesh for a while. In August 2018, Robin was asked by Sriki to deposit 30 BTC in his electronic wallet as he needed money. Robin then travelled to Bengaluru in December and stayed with Gary AKA Akash Vinod. Robin was introduced to the other accused—Suneesh Hedge, Prasidh Shetty and Sujay Raj by Sriki, and they headed to Goa via Manipal and spent time at the Taj. Suneesh paid for these expenses.
While his friends played poker, Sriki hacked games to help them win money. They stayed in Goa for 10 days and then Robin went back to Kolkata. In 2019, Sriki again called Robin to come over to Goa and said that he had hacked into Coineal Etherium coin exchange and sent 450 coins and 60,000 worth of USDT to Robin’s wallet. On August 13, 2020, Robin along with Suneesh Hedge, Prasidh Shetty, Suresh, Sujay Raj and Sriki stayed at the Prestige Golfshire in Bengaluru for 30 days. Sriki then hacked the GGPoker gaming site and the entire group took part in this crime. But when Sriki did not agree to share the booty, the friends hatched a plot to get the money. But Sriki escaped.
According to the charge sheet, Sriki sent 130 BTC to Robin from 2017 till December 20, 2020, which Robin sold and transferred Rs 3.48 crore to multiple accounts given to him by Sriki. Abishek Jain from Hyderabad had converted the Bitcoins for Sriki into cash and sent Rs 1.5 crore via the hawala route.
Suneesh Hegde, a civil engineer and class-1 contractor with the BBMP (alumni of Ramaiah College) in his statement said he had come in contact with Sriki in 2016-17 and Robin handled everything for Sriki, from his food and lodging to his Bitcoin dealings.
He said Sriki and the other accused lived in luxury hotels. Sriki claimed to have hacked and stolen several Bitcoins and promised to give them to Suresh, who spent over Rs 2 crore to foot Sriki’s bills.
Prasidh Shetty, yet another accused in the case and a relative of Suneesh, had purchased 500 grams of ‘Hydro Ganja’ on the dark web. He presented himself under the identity of Arnav Gowda. The money was paid through Bitcoins. To be safe, he asked the sellers to pack the drugs with coffee powder. He further asked them to put an organic coffee sticker on the box to avoid being caught. As the package travelled, Prasidh Shetty along with Suneesh, Hemanth and Sujay Raj, now all accused in the case, went to the Bengaluru Foreign Post Office, Chamarajpet to collect the parcel and the CCB caught them.
Even as the Congress upped its ante against the chief minister, Surjewala demanded to know who were the “actors” in the scam. “Were the stolen bitcoins transferred from the wallet of alleged hacker Sri Krishna? How many bitcoins and of what value? How does the Bengaluru police then suggest (in its third Panchnama dated 22nd January 2021) that the 31 and 186 Bitcoins allegedly transferred to [a] police wallet were lost or were found to be fake transactions?,” asked Surjewala, who also cited a Twitter handle named “Whale Alert” that showed the transfer of the 14,682 stolen Bitfinex bitcoins valued at Rs. 5,240 crores on December 1, 2020, and April 14, 2021—the dates when Sri Krishna was in police custody.
Sriki’s statement to police indicated he has been involved in hacking crimes even in 2016. Sriki has admitted to hacking Bitcoin and cryptocurrency exchanges and websites. He claimed to have hacked a cryptocurrency exchange in August 2016—that of Bitfinex, which was registered in the British Virgin Islands. It was reportedly hacked on August 2, 2016, when 1,20,000 bitcoins were stolen). Sriki claims to have taken 2,000 Bitcoins. He also stole 3,000 bitcoins after hacking cryptocurrency exchange BTC-e (a Russian portal that was shut down in 2017). Besides this, he said he hacked Bitstamp (a Luxembourg based bitcoin exchange), Bit-Central (a cryptocurrency portal), Slushpool (a Bitcoin mining pool), ESL (a cryptocurrency coin), Paytiz and Mpex (both cryptocurrency exchanges), but did not disclose the quantity stolen. He also reportedly hacked various Bitcoin stock trading platforms—Havelock Investments and Bitcoin Exchange BTC2PM.me—as well as websites and companies like RuneScape, Tip.It, Sythe, GGPoker, CCI Panama, Pokerbazi (Indian entity) to earn millions of dollars illegally.
Surprisingly, Bengaluru police commissioner Kamal Pant also issued a clarification denying the “distorted” versions being reported in the media.
Pant put on record that Srikrishna was one of the 10 accused arrested by the CCB police, who had secured one person on November 4, 2020, in connection with a drug consignment procured through Darknet. The police had seized 500 gm of Hydro ganja and a case was registered at K.G. Nagar police station under Cr No 91/2020 U/s 20(b) NDPS Act. During interrogation, Srikrishna had confessed before the investigation officer about his involvement in the alleged hacking of many cryptocurrency websites and a complaint was registered in Cottonpet police station Cr No 153/2020.
“No bitcoin was transferred from hacker Srikrishna’s account…For the purpose of investigation, following a government order (dated December 8, 2020) a bitcoin account was obtained. The accused had showed a BTC wallet with 31.8 BTC and the wallet password was changed in the presence of cyber experts and panchas and the recording of the process was submitted to the court. But after the court granted permission to transfer the bitcoins to the police wallet , the police found just 186.81 Bitcoins. The cyber experts told us the account claimed by the accused as his personal account was in fact a live wallet of an exchange and the accused charge sheet did not have the private key for it. So, the account was left untouched. The charge sheet has the above facts and is now subjudice,” stated Pant.
“The matter was informed to the CBI Interpol on April 28, 2021 and to the ED March 3, 2021,” added Pant.
The top cop of Bengaluru also admitted that Srikrishna had submitted before the court that he had consumed Alprazolam drug while in police custody. The court asked the IO to collect the blood and urine samples of the accused at Victoria Hospital. On January 12, 2021, the IO had brought the accused to Victoria hospital but as the tests could not be done there, the court redirected him to Bowring hospital where the sample was collected and sent to FSL for scientific examination. The FSL report says there was no presence of drugs in the sample.
Two other cases have been filed against Srikrishna—one by Pacific Gaming Pvt Ltd about the hacking of its online gaming apps (Cyber Crime police station Cr No 45/2020 U/s 66(c), 66(d) IT Act) and the other by a complainant alleging the accused had cheated him of Rs 28 lakh after promising to give him bitcoins (Ashoknagar police station—Cr No 287/2020 U/s 46, 420 of IPC). Charge sheets have been filed in these two cases which are now pending before the court.
Meanwhile, Srikrishna’s father Gopal Ramesh has filed a writ petition on February 5, 2021 before the Karnataka High Court seeking transfer of all the cases against his son to the CBI, alleging the CCB investigation has been “tainted” and done with “malafide intention”.
In his appeal, Gopal Ramesh alleged his son had been administered excessive “mind-altering drugs” specifically Alprazolam, a prohibited drug, while he was in custody and sought cognizance to be taken against all officials under the NDPS Act. He also sought the examination of the blood and urine samples of his son for traces of Benzodiazepine.
Sriki’s father had appealed that his son had been drugged in custody and Sriki had admitted to have consumed drugs while in custody before the magistrate. Now, the police (government) should explain the five-day delay in carrying out Sriki’s urine and blood test results. The Bangalore Medical College and Research Institute which was directed to conduct the tests carried out a stomach wash to rule out poisoning, before testing the samples for traces of drugs, which was uncalled for,” alleged Congress MLA Priyank Kharge, who produced documents to substantiate his claim.
The BJP now fear the alleged scam will bring disrepute not only to the party and but could also dent Prime Minister Modi’s image globally.
Who is Sriki?
Sri Krishna Ramesh (Sriki), known online as AP. He was born on March 30, 1995 to Gopal Ramesh and Kausalya Ramesh and studied in Kumarans School, Bengaluru. During his schooling, he picked up technical skills and in Class 4, he learnt the basics of web exploitation, Java, Reverse engineering and wrote his first bot for the Massively Multiplayer Online Role-Playing Game RuneScape. This was his first attempt at reverse engineering obfuscated games and binary exploitation. He used to hack his school’s online attendance and marks portal in order to give his friend’s attendance and marks. He would also book IPL tickets, take part in parties, go to movies and the like using vouchers but with no monetary benefit.
During his schooling, he joined an IRC channel of a group of Blackhat hackers who taught him hacking and exploitation and he picked up skills slowly as a script kiddie, learning the basics of databases, SQL injections, Local File Inclusions, remote file inclusions, remote code executions, shells, web application exploitation, Source code analysis.
“h4cky0u”, a community of 50,000 members split into two groups during a communal feud which led to the creation of two separate forums: h4cky0u and h4ck-y0u•.org. While he was in Class 8 and 9, he was promoted to a moderator of the forum and an administrator of the IRC network by his mentor, who is an anonymous entity named ‘Rose’/BigB0ss. While running the IRC network, made several internet friends who changed his life by mentoring him on various other aspects of crime, specifically financial, yet not unethical.
He and his friend ‘Shane Duffy’ (From Sydney, Australia) alias ‘ShaneSigex3’/’Sigex’ used to dump databases and wrote a script for checking PayPal account which he used to find usernames and passwords. With this PayPal account checker, they bought RuneScape accounts on an illegal gaming forum called sythe, where people used to play classic RuneScape (now known as OSRS or OldSchool RuneScape). He used to trade in-game gold or coins for real-life money. This was known as RWT (real-world trading). One million gold on Runescape sold for around $3-5 depending on market fluctuations.
They made several thousand dollars from the game by staking, RWT, writing bots (reflection-based Java bots) and also colour-oriented Al bots which automated tasks in the game and sold the accounts generated by botting and blew it up on our luxurious lifestyle.
While pursuing PUC (PCMB) at Jain College, V.V. Puram, he took to smoking cigarettes drinking alcohol and consuming various other narcotic substances—marijuana, cocaine, MDMA, LSD, DMT, 5-MeO-DMT, salvia divinorum, kanna, Ritalin, ayahuasca.
Over the course of two years, he learnt about a cryptocurrency called Bitcoin, which was then priced at $100. Taking advantage of the pseudo-anonymous nature of bitcoin, a person by the name of “Ross Ulbricht” made the first darknet market from which he initially imported drugs to India. This market was the infamous “Silk Road”. He ordered several packages in two years which all successfully cleared customs. Addicted to the lifestyle of drugs and crime, he picked up the habit of dropping acid at rave parties.
He escaped to the Himalayas at 17 with his friend Rithvik and ended up in Badrinath. A case was registered at Siddapura police station (missing persons) and Tilaknagar police station (by Rithvik’s mother). Eventually, due to a technical folly, the Tilaknagar Police found them in Mathura, at ISKCON, and brought them back to Bangalore. Sriki joined B.Sc. in Computer in Bangalore and went to Amsterdam after dropping out of engineering. He expanded his network to a web of bitcoin traders in AMS, and along with Tim Kamer and Edu Driessen started a bitcoin exchange called satos.nl which was the only regally authorized exchange to deal in cash following KYC norms by ABN Amro bank’s AML head. During his stint in TU Eindhoven, he met a driver named Walid Attadloui who helped him deal in cash exchanges. The daily turnover was around €50-100,000 on which the margin was 3-5 per cent.
One day, the driver entered Sriki’s house illegally and stole his passport, his brother’s passport, 2 laptops, cash in Euros, a hard drive and two cameras. Walid was arrested and produced before the court in NL but Sriki did not receive his laptop back, which had around $3 million in BTC.
Broke, he started from scratch by further expanding the network of friends to Italy, Switzerland, Sweden, France, and Germany. This network of bitcoin traders quickly allowed him to recuperate from the losses (by marginalized trading) after a hack of an exchange (Bitfinex). In 2015, Sriki returned to India and became friends with Nalpad through one Mahish DK, a classmate of Omar Nalpad. He separated from Nalapad after the pub brawl and he became close to Suneesh Hegde and the gang introduced by Prasiddh Shetty in 2018.
Hacking the source
- Recently, a cryptocurrency exchange based in Japan was hacked into and 97 million worth of bitcoins were stolen by hackers.
- In 2016, Bitfinex lost 1.20 lakh Bitcoins after its server was hacked into.
- Prajith (name changed) invested Rs 10 lakh in a Bitcoin portal named “Coin Global” after he came across a Whatsapp group where people were trading on the site. He realised he has been conned as he could not pull out the money from the portal.
- Nitin (name changed) invested Rs 12 lakh of his hard-earned money to buy a cryptocurrency. He soon realised he had been conned as the website turned out to be a fake cryptocurrency exchange.
Sriki’s marathon illegal hacking is just the tip of the iceberg, say cyber experts. Even as the Modi government has announced it plans to bring in legislation to regulate the market for digital currency, which the Centre suspects will become an avenue for money laundering and terror financing, cyber experts caution that investor protection and regulation of trading exchanges should be the way forward.
“Cryptocurrency exchange hacking is common since 2012. But the Indian government can do little as the Bitfinex exchange is located in Hong Kong. Such hacking happens due to poor audits of crypto exchange services. While there are no 100 per cent secure exchanges in the world, an audit once in three months [could] check their security vulnerabilities,” says ethical hacker Benild Joseph, who gets many requests to help recover their money lost to frauds.
Says Sudin Baraokar, global IT and innovation advisor, “What we need is binary legislation that will ensure investor security as the cryptocurrency business does not adhere to any regulatory framework in India. The anonymity offered by the cryptocurrency ecosystem will be conducive for bad state actors to operate too. The unethical hacking involves foreign exchange and any complacency of the regulatory authorities and investigating agencies can prove to be detrimental to our economy.”
“The Security Posture Management ensures you align to all the standards to tackle any threats. A multi-layer authentication, a team to study threats, threat vectors and search intelligence is needed and in case of a security breach, the forensic teams could be helpful to insulate from future incidents of account takeover,” adds Baraokar.
The crypto space is riddled with loopholes and anonymity. The origination of payment and the target beneficiary remains anonymous. There is no traceability or audit and we never come to know who is involved in the transactions. The crypto network does not allow finding out the IP address, the path or directory, say experts.
“A Bitcoin account has a public key and a private key to access the wallet. A hacker can skim out the money if he can hack the private key. The hackers take advantage of the vulnerabilities to scam out the money. It is best for users of crypto to study the risk and avoid investing in it, till there are regulations and security measures in place. The user is helpless if the Bitcoin exchange gets hacked. Sometimes, the entire system might not be hacked, but the individual accounts can be hacked,” says Joseph.
Challenges facing the crypto-landscape in India
Even as the government is drafting a bill on cryptocurrency, around five million people are already using it. But you cannot regulate people holding the cryptocurrency as the system works on blockchain technology, which provides privacy to its users. The government can regulate the trading exchanges or platforms.
In India, Bitcoins are not a legal tender and are not accepted for payment. There are however websites where you can redeem the cryptocurrencies for vouchers from Amazon, Flipkart or other leading brands. It is only an investment that the people are holding.
In India, if you want to buy a Bitcoin, you cannot use your net banking, credit card or debit card facility. You can buy from Centralised or Decentralised Exchanges. In centralised you can use the Indian rupees (via credit or debit card) to fund the Bitcoin trading account and buy any cryptocurrency. You can deposit and withdraw in INR. In Decentralised Exchanges, no Indian cards can be used to deposit or withdraw Bitcoins.
But if you have Bitcoins in your account they can be swapped for other cryptocurrencies. So, no government can control or regulate them.
“There are almost 20,000 cryptocurrencies in the world and Bitcoin is just one of them. Every day, 10 new cryptos are introduced, but it takes a few years to be listed in the trading platforms. Many fly-by-night MLMs are coming up with their own crypto coins,” warns Joseph.
The government’s move to introduce GST for crypto trading through the bill would impact the investor and not help curb hacking, say experts.
“A hacker indulging in malicious activity would do it on Darknet. And there are some Telegram groups where you can buy credit card dumps (Card number, CVV, and expiry date) and the database is put up for sale on the Darknet. A barter system also works and hackers can buy bitcoins using the credit card balance of unsuspecting victims (card users),” points out Joseph.
The ethical hacker’s community is also keen that India have a hacker-friendly ecosystem.
“India is coming up with a new vulnerability disclosure policy. If you are a security researcher, hacker or whistleblower, you can report the vulnerabilities to the Computer Emergency Response Team. But unlike the corporates like Zomato, Amazon and Flipkart, who have a “Bug Bounty” programme, where they reward you for reporting a vulnerability, the government does not acknowledge or appreciate the effort. Last year, a Gujarat-based hacker had reported a vulnerability on Air India website and also booked a ticket for Re One. But the organisation did not even acknowledge the effort. After the media broke the news, the government noticed it. Similarly, the Mobikwik hack was reported but got no response. Now, how do you expect people to report? The hackers end up selling all the vulnerabilities on the Darknet,” warns Joseph.
While the alleged Bitcoin scam in Karnataka is creating waves with the Opposition Congress accusing the BJP leaders and officers of siphoning off Bitcoins from Sriki’s account, very few people understand how a Bitcoin, which is not a legal tender can be cashed out.
Bitcoins can be cashed out in many ways. Blockchain Technology (BCT) is the future of cryptocurrency. There are 21 billion Bitcoins in the world with 18 billion currently in supply, with the largest hoarders being Nigeria and China (despite banning it). BMW, CISCO, Infosys are introducing cryptos (utility tokens).
How to cash out Bitcoin in India
Here are three options to cash out bitcoin or a cryptocurrency in India
1. You create an account with a centralised exchange in India (like Uno Coin) and link your bank account (PAN and Aadhar Card details). The Bitcoins in your wallet can be transferred to the Centralised Exchange account and withdrawn in INR to the bank account. There would be a record of this transaction.
2. You can cash out Bitcoins abroad. The US has 40,000 Bitcoin ATM counters, where you can liquidate to US dollars. KFCs and Starbucks accept Bitcoins.
3. You can give cryptocurrency and buy vouchers for leading brands or recharge your mobile phones. A website, Travelia, allows you to book hotels across the world and Bengaluru alone has 200 hotels that accept payment through Bitcoins.