(This story is the second in The Quint's five-part series on the Bengaluru Bitcoin Scam. The first can be read here.)
At 25 years of age, Srikrishna Ramesh alias Sriki could be the most wanted cybercriminal in the country, with four different investigation agencies – Central Crime Branch-Bengaluru, Crime Investigation Department-Karnataka, Enforcement Directorate and CBI-Interpol – probing bitcoin hacking and money laundering charges against him.
What should interest cybersecurity analysts in Sriki’s case, is the fact that he could be the first Indian, so deeply embedded in transnational cybercrime, to be investigated by Indian law enforcement agencies.
From an Indian perspective, it is important to try to understand the flaws – not just technical but also operational – that seem to have enabled Sriki’s crime spree. Sriki’s career as a cybercriminal stands out primarily due to the elaborate nature of the operations he allegedly ran. His case is especially significant considering the awareness it has generated around cybercrime, and the insights it has provided into the problematic state of cybercrime investigations in India.
From Hacking 'RuneScape' as a School Boy to Stealing Bitcoins
In a ‘voluntary statement’ given to Bengaluru police, Sriki admits to having carried out an attack targeting the Bitfinex cryptocurrency exchange, from which he claims to have stolen 2,000 bitcoins (valued at roughly Rs 800 crores at the time of writing this article). He claims this hack was done in 2015, when he was just 19 years old.
But what makes him unique is the trajectory that his dubious career took – from his early days to the time he allegedly hacked poker websites, bitcoin exchanges and even Karnataka’s e-procurement website.
Sriki claims his first exposure to computer security and hacking was as a school student with the multiplayer role-playing game ‘RuneScape’. He allegedly wrote a program to automate tediously repetitive tasks in the game, even making a small profit in the process. His statement is being contested in a Karnataka court by Sriki’s family, but it suggests he charted a unique path as a cybercriminal.
Sriki soon graduated from his modest 'RuneScape' exploits to more serious hacks. He allegedly compromised user accounts on PayPal, an online payment and money transfer service used by millions around the world. Sriki claims he performed credential stuffing attacks against PayPal. Credential stuffing is where an attacker, usually with the help of a program, submits email and password combinations harvested from data breaches to accounts on a given service on a mass scale, relying on the fact that many people reuse the same password across services.
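To make the credential-stuffing pattern concrete from the defender's side, here is an added example (not code from the article or from any agency mentioned in it) of a small detector that reads authentication log lines and flags source addresses that try many distinct accounts in a short window with a high failure rate, which is the signature of a stuffing run rather than of one user mistyping a password. The log format, the IP addresses (taken from documentation ranges), the thresholds and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample authentication log. Assumed line format:
#   "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
# 203.0.113.9 cycles through six different accounts in under a minute (stuffing-like);
# 198.51.100.4 is one user failing three times before getting her own password right.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.9 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.9 user=bob result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.9 user=carol result=OK
2024-03-01T10:00:04Z ip=203.0.113.9 user=dave result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.9 user=erin result=FAIL
2024-03-01T10:00:06Z ip=203.0.113.9 user=frank result=FAIL
2024-03-01T10:03:00Z ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:03:15Z ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:03:30Z ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:03:40Z ip=198.51.100.4 user=alice result=OK
this line is malformed and must be skipped
2024-03-01T10:05:00Z ip=192.0.2.77 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def find_stuffing_sources(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return per-IP summaries for sources whose attempts, within any sliding
    window of `window` length, touch at least `min_users` distinct accounts with
    a failure ratio of at least `min_fail_ratio`. For a flagged source the
    summary also lists accounts that were successfully logged into from it,
    which is the list a defender would want to force a password reset on."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start : end + 1]
            users = {e.user for e in span}
            failures = sum(1 for e in span if not e.success)
            ratio = failures / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the widest-reaching window seen for this source.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "accounts_hit": sorted({e.user for e in span if e.success}),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The two thresholds matter: a single account failing repeatedly from one address (the 198.51.100.4 case) never reaches `min_users`, so ordinary password fumbling is not flagged, while one successful login buried among many failures across different accounts is exactly what a defender needs surfaced. In production the same logic would run on a streaming window, be paired with rate limiting and multi-factor authentication, and feed the `accounts_hit` list into a forced credential reset.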
Why should this modus operandi followed by Sriki in his early days as a cybercriminal be of interest to investigating agencies?
Here’s why. The documented cases of cybercrime in India show that most domestic cybercriminals carry out low-tech crimes – mostly cases of financial fraud usually carried out by way of phishing. To get a sense of such low-tech crimes, watch the Netflix series ‘Jamtara’, named after a town in Jharkhand that is a hotspot for such crimes. The point, however, is that even such low-tech cybercrime cases are not properly investigated.
In stark contrast, Sriki’s statement makes him different from the regular crop of cybercriminals in two significant ways – a considerable knowledge of computer systems, and an inclination to use his knowledge to conduct sophisticated and substantial cyberthefts of sums running into several crores of rupees.
Do Sriki’s arrest and subsequent cases indicate an emerging cybercrime trend in the country? Have more tech-savvy criminals entered India’s ‘cybercrimescape’?
Rise of a New Breed of Cybercriminals?
In his bid to compromise websites, Sriki appears to have primarily targeted web applications. After studying them, he would either exploit vulnerabilities that had already been publicly disclosed by a third party, or attempt to find a way in on his own.
On one occasion, Sriki admits to having exploited a zero-day vulnerability in a program or application targeted by him. The term 'zero-day' or '0day' refers to a vulnerability that has not been publicly disclosed at the time it was exploited.
This means Sriki could have found the vulnerability on his own. If confirmed, that would make him a lot more 'high-tech' than the phishing fraudsters of Jamtara.
Sriki’s case, in terms of planning and execution, is similar to cases that have unfolded in the UK and the US. For instance, in 2020, 17-year-old Graham Ivan Clark tricked Twitter employees and broke into several high-profile accounts on the platform, abusing the targeted accounts’ influence to solicit more than $100,000 in cryptocurrency.
The Indian hacker’s case is also similar to several others involving individuals and groups engaged in a practice known as SIM swapping – a method of taking over victims’ phone numbers in order to steal or extort sizeable amounts of Bitcoin and other cryptocurrencies.
Recent developments in the cybercrime space in the country indicate that Sriki could be the frontrunner of a new trend.
A report by Google’s Threat Analysis Group in 2020 sheds light on the trend of 'hack-for-hire' firms operating out of India. The same year, Toronto-based Citizen Lab published a detailed report attributing an array of sophisticated targeting campaigns aimed at hacking politicians, company executives, journalists and others, to an Indian company known as BellTroX InfoTech Services.
Given this, shouldn’t probe agencies in Karnataka and the country invest more to study Sriki's cybercrimes and to arrive at clinching evidence that would not just nail Sriki, but also give them the skill-set and experience to take on this new and more sophisticated genre of cybercrimes?
How to Lock Down the ‘Best’ Indian Cybercriminal?
While it is clear that more needs to be done, misguided proposals – such as the one by the Parliamentary Standing Committee on Home Affairs, which seeks to “curb cybercrime” by banning VPN services in India – are definitely not the answer. A Virtual Private Network (VPN) is an encrypted connection that carries a user’s traffic through a remote server.
Banning VPN services, which may at times be used to slow down cybercriminals, will not prevent cybercrime. Why? Sriki could still have learned all of the skills he did, and performed the hacks he allegedly carried out, despite a VPN ban, by using other anonymity services, like the Tor browser.
Law enforcement agencies in India need to bridge the clear gap in skill and preparedness when it comes to investigating sophisticated cybercrimes originating from or targeting users within the country.
In this regard, establishing a probe agency similar to the REACT Task Force in the US might be ideal. The task force was established in 1997 by the California State Department of Justice as a partnership between local, state, private and federal agencies in the country. The task force, in recent years, has helped investigate and prosecute many high-tech offenders.
Meanwhile, in Karnataka, cybercrime police and other investigation agencies are still struggling to find enough forensic evidence that could help them prosecute Sriki. Shouldn’t more cybercrime experts be consulted to prove him guilty if he indeed is a cybercrime mastermind?
But even as Indian agencies grope for evidence against Sriki, Indian users themselves may be in a position to limit the personal financial impact that the compromise of a cryptocurrency exchange could have.
For instance, users who are worried about the security of their funds could withdraw cryptocurrency they have stored with third-party services and exchanges. In the case of trading platforms, as soon as a trade is made, funds should immediately be transferred out to a wallet under the user’s direct control, preferably a hardware wallet or paper wallet, so that a compromise of the exchange cannot reach them.
While the process of moving funds out of third-party exchanges would incur certain fees, it may very well be a price worth paying to keep one’s funds safe.
As for Sriki, the probe needs to be strengthened, perhaps by bringing in expertise that the agencies may be lacking. The probe also needs to be transparent for it to lead to conviction.
(Karan Saini is a security researcher and public interest technologist based in Bangalore.)