No Bitcoins & Weak Forensic Evidence: Bengaluru Police May Fail to Nail Sriki

(This is the fourth in The Quint's five-part series on the Bengaluru Bitcoin Scam. The first three can be accessed here, here and here.)

While high-profile hacker Srikrishna Ramesh alias Sriki may have been part of an international bitcoin theft chain, the Bengaluru police has done little to recover the cyber-loot. This is what the scant forensic evidence attached to Central Crime Branch’s (CCB) chargesheet in the drugs case against the 25-year-old, has revealed.

As per forensic evidence submitted by both Unocoin and Group Cyber Id Technologies Pvt Ltd, two of the seven electronic items including phones and hard-disks recovered from Sriki and co-accused Robin Khandelwal, have provided very little evidence of bitcoin theft. This, even as peripheral evidence points to the fact that Sriki had several bitcoin wallets and had access to lakhs of bitcoin addresses.

A bitcoin wallet is a digital wallet used to send and receive bitcoins. A bitcoin address is like a bank account number.

Have the police not dug deep enough?

Case Indicates Big Theft, Yet Little Proof

As per the forensic analysis, which is attached to the chargesheet, Sriki had access to 27 bitcoin wallets. He also had access to 76.13 lakh bitcoin addresses and keys. Apart from the forensic evidence, in his voluntary statement, Sriki had allegedly confessed to having stolen 5,100 bitcoins.

Further, his confession reads, "I also have private keys in my cloud account and if the access to the same is given I would be able to give back all the stolen bitcoins..."

Cybersecurity experts, however, say that neither the confession nor the forensic evidence clearly implicates Sriki.

"The presence of these figures (addresses and keys) in the accused’s hard disk points to the fact that he was certainly party to huge bitcoin thefts. His confession also points to his involvement in cybertheft. But these alone do not provide enough evidence to convict him. For that, cybercrime experts need to recover bitcoins,” said a Bengaluru based cybersecurity expert who spoke to The Quint on the condition of anonymity.

Contradicting Panchnamas

According to the first panchnama, on 8 January 2021, Sriki pointed the police to 31.12 bitcoins which were “in his possession”. This panchnama which has screenshots of the wallet that Sriki had provided is signed by two protocol mandated panch-witnesses.

In the second panchnama, signed on 18 January 2021, the police claim to have recovered 0.086 bitcoins from Robin Khandelwal’s wallet.

But strangely, the third panchnama renders the first recovery null and void. How? On 22 January 2021, in the third panchnama, the police say that the account Sriki provided them on 8 January had 186.811 bitcoins and not 31. It also says that while cybersecurity experts tried to transfer the bitcoins from this wallet, the transaction did not go through because the key which the police had received from Sriki did not work on this wallet.

The police’s conflicting versions, as recorded in their own panchnamas, have kicked up a political storm in Karnataka.

The police have denied these accusations.

However, in the absence of any bitcoin recovery, what should police have ideally gathered in terms of evidence?

"There should be forensic evidence to suggest that Sriki used hacking tools to access bitcoin exchanges, wallets, addresses or private keys," cybersecurity expert Krishna Chaitanya Maduri told The Quint. No such evidence is currently part of the chargesheet. Forensic analysis, however, does show that Sriki used hacking tool sql.injection to hack into two poker websites.

The question is, while the police has gather cyber-forensic evidence of Sriki hacking into poker sites, why have they failed to do the same in the case of his alleged bitcoin theft? Equally worrying is the police's seeming disinterest in tracking the bitcoin transfers that Sriki seems to have confessed to.

So, Where is the Moolah?

In his voluntary statement Sriki allegedly confesses to having provided Robin Khandelwal with Rs 8 crore worth of bitcoins. Sriki further writes in his statement, "I have a log in my skype chats talking to friends about moving around 80,000 Euros from cold wallets in India to Europe." This alone would amount to almost Rs 68 lakh as per current exchange rates.

While the police had asked cybersecurity experts to search for the keyword bitcoin in hard disks seized from Sriki, the chargesheet does not indicate that a forensic search was done for other significant keywords such as USD and Euro.

The money trail in the chargesheet is limited to transactions made by Robin Khandelwal and hotel bills paid by other accused including Sriki. Is the full picture of Sriki's thefts yet to emerge?

Only two chargesheets implicating Sriki have been filed so far. The Congress has been demanding to know why the police has not filed chargesheets in the case related to Sriki's alleged hack of the Karnataka government's e-procurement website, among other cases.

In short, the Central Crime Branch-Bengaluru’s case revolves around circumstantial evidence. For instance, forensic evidence points to the fact that the three accused, Sriki, Robin Khandelwal and Sunish Hedge, had communicated with one another. The forensic analysis reads, “Transaction screenshots and emails established communication between Robin, Sriki and Sunish Hegde.”

According to the chargesheet, the police has evidence for money transactions from Khandelwal’s Axis bank account to Sriki’s account. Beyond this, the police’s case is largely dependent on the so-called 'voluntary' statements given by Sriki, Khandelwal and Sunish Hegde. Such statements have a knack of being 'retracted' by the time a case reaches trial stage.

Meanwhile, what about Sriki? He is currently out on bail.