The Bank of Maharashtra (BoM) lost Rs 6.14 crore rupees (approx $950,000) to four hacks in 49 days a bug – the result of a bug in the bank’s UPI app. The breach affected 23 branches in the Pune district and some of the stolen funds were used to invest in bitcoin was invested into bitcoin via three companies in Ahmedabad, Gujarat – a state in Western India.

Police reportedly froze the accounts of the three companies involved in the Bitcoin transactions. The digital currency has yet to be officially recognized as money by the Reserve Bank of India (RBI). Pune police cyber investigators recovered Rs 4.58 crore from the alleged thieves, including Bitcoin worth Rs 1 crore (approx $155,000) .

Alongside the seized Bitcoin, police also seized 40 cellphones and 27 SIM cards from the accused: Jitendra Maruti Rindhe (42), Sandip Ashok Mule (30), Dipak Sarjerao Kharat (26) and Rajesh Janardhan Budkhule alias Soni (48).

The accused, many of whom held their own accounts with BoM, hacked the UPI app to gain access to bank customer accounts. The alleged hackers exploited a bug in the bank’s app, which was developed by Mumbai-based InfrasoftTech. The accused also used real-time gross settlement (RTGS) to send money received into accounts they controlled.

Investigators allege that the 50 accused had developed a chain of account holders at BoM whom the either paid off or exploited. For instance, the accused contacted 15 farmers with accounts at the bank and took their SIM cards, saying they’d pay Rs 5,000 per month.

Cybercrime investigators determined that some misappropriated funds had been transferred to intermediary firms like Zeb IT Services Pvt Ltd, Oracle Retail Pvt Ltd and Milton Medocore Pvt Ltd located in Ahmedabad. At least Zeb IT Services Pvt. Ltd had its accounts frozen by police.

“Rajesh Budkule is the prime accused in this case,” cybercrime cell senior inspector Sunil Pawar told Pune Mirror. “ We have found that the accused had formed a chain-like a multi-level marketing (MLM) system and approached farmers from Narayangoan and Junnar. They took their SIM cards, which were linked with account numbers of BoM on the pretext that they will be provided monthly funds from Pradhan Mantri Jan-Dhan Yojana and Pradhan Mantri Fasal Bima Yojana. In this way, they used the UPI app to commit the offence. Two accused are still absconding.”

The BoM filed a complaint with the appropriate court in which it demanded strict action against, in particularly, the Bitcoin businesses involved.

“The RBI circular in February says it has not given any license or authorisation to any entity or company to operate such schemes or deal with Bitcoin or any virtual currency,” BoM representative Rajas Pingle said. “The government needs to clear India’s position on virtual currencies, especially when there are growing concerns of their use in money laundering or financing terrorism.”

Abhijeet Bidkar, representing Zeb IT Services Pvt Ltd, told Pune Mirror that bitcoin exchange Zebpay is legitimate. “Virtual currencies are legal in several countries, including Japan,” he said. “Users can only do transactions on Zebpay after submitting KYC documents. All purchase and sale happen strictly via bank accounts only and no cash. Hence, all transactions are recorded and easily identifiable. All these users were easily identified and we are helping the local agency to recover the funds.”

The RBI said in February it has not issued any licenses for Bitcoin companies to operate in the country.

Featured iamge from Shutterstock.