Hyderabad police spends Rs 58 lakh to probe Mahesh Bank hacking case

More than 100 police officers of Hyderabad travelled across the country for more than two months and the police spent Rs 58 lakh to probe a cyber fraud committed by hacking a bank server.

More than two months after hackers broke into the servers of the A. P Mahesh Co-operative Urban Bank and fraudulently transferred Rs 12.48 crore, the police achieved significant progress in the case with the arrest of 23 accused including four Nigerians.

However, the main hacker still remained elusive. Revealing the details of the case on Wednesday, Hyderabad Police Commissioner C.V. Anand said they will seek the help of Interpol to arrest the main hacker.

He said in view of the increasing number of hacking cases in banks, the police took up this as a challenging case and is determined to take it to a logical conclusion so that people know all the details. He said in days to come, more such cases may be reported.

"Police worked hard for two months to solve this case. More than 100 officers visited almost every state in India as part of the investigations. The police has so far spent Rs 58 lakh on the case. Perhaps this is the highest amount spent on a case," he said.

"We still don't know where the hacker is. Most probably, he may be in Nigeria or London," said the Commissioner while making a powerpoint presentation on the case.

"The main hacker is not in India. Only his handlers are here. We have arrested 23 persons who participated in the conspiracy and they included four Nigerians," he added.

Explaining how the hacker broke into the server, the police chief said on November 4, 10, and 16, he sent about 200 phishing mails to employees of Mahesh Bank. "Two employees clicked the mails which contained the remote access Trojan virus. Through this the hacker was able to establish a connection with their computers. He then used keylogger software and was watching whatever the employees were doing on their systems and had access to their username and password," said Anand.

On January 23, a day before hacking the server, he opened their systems and broke into the master admin and obtained username and password.

The Police Commissioner said Mahesh Bank was careless as it had made 10 staff members as master admins and gave them a common user id and password. The hacker could reach the master admins and enter the bank database and make the transactions.

The hacker transferred Rs 12.48 crores into four bank accounts. The Commissioner stated that the money was again transferred from the four accounts to 115 different accounts and again to another 398 accounts. A part of the money was withdrawn from 938 ATMs from across the country.

Due to the timely action by the police, another Rs 2.08 crore was saved while Rs 1.08 crore was returned to the bank due to incorrect beneficiary details. The fraudsters, who had opened seven accounts with Mahesh Bank last year, siphoned-off around Rs 9.48 crore.

The handlers and the account holders were paid a commission of 10 per cent by the fraudsters, while the remaining amount was sent to foreign countries through hawala and crypto currency.

The police chief said Mahesh Bank lacked intrusion prevention and intrusion detection systems. It did not have phishing detection software. While other banks spend hundreds of crores on cyber security, Mahesh Bank had given a contract to a company called Infra Soft for Rs 10 lakh.

He said police will question officials of Mahesh Bank as part of the investigations as their negligence led to the cyber fraud.

Photo Gallery