The Bank of Maharashtra lodged a complaint against 22 residents of Bhayander on Friday, accusing them of hacking its central server in Mumbai and allegedly exploiting a bug in the Centre’s United Payments Interface (UPI) app to siphon off Rs 1.42 crore. Between December 26, 2016, and January 18, 2017, the accused allegedly made 142 “request money” transactions using the UPI, the police said. The fraud came to light in January after which the bank froze the accounts in which the money had been deposited and approached the police when the account holders failed to respond to notices ordering them to return the money.

The Navghar police station has booked Bhayander residents Jaswant Damania, his sons Raj and Pritesh, Prateek Poojary and Bharat Gawale, an Aurangabad resident identified only as Deepak, apart from 16 others, for cheating, forgery and criminal conspiracy and identity theft. According to the police, Bharat Gawale and Deepak allegedly hacked the bank’s central server in south Mumbai last year.

“All the accused had accounts in the bank and downloaded the UPI app and linked their bank accounts to it,” said inspector S. V. Shetye, of Navghar police station. UPI, launched by the National Payments Corporation of India, allows people to transfer money using their phones. The app allows transactions of up to Rs 1 lakh, provided there is sufficient balance.

“The accused took advantage of a bug in the app to carry out the transactions. They did not have sufficient balance in their accounts but the bug ensured multiple transactions of Rs 1 lakh were successful,” said a police officer. The account holders are being questioned.

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest Mumbai News, download Indian Express App.