(This is the first in The Quint's five-part series on the Bengaluru Bitcoin Scam.)
Srikrishna Ramesh, the 25-year-old hacker who is at the centre of Bengaluru's ‘bitcoin scam’, obscured his hacking history and web exploits in his 12-page-long ‘voluntary statement’. But this was not challenged by the Central Crime Branch-Bengaluru (CCB), a tech analysis of the statement has revealed.
The Quint, with the assistance of cybersecurity experts, has found several loopholes in the 'voluntary statement' which is part of the chargesheet filed by the CCB. In essence, Srikrishna Ramesh alias Sriki's, seemingly detailed statement does not reveal the extent of his hacks. Why then, did CCB-Bengaluru look the other way?
What’s the Glitch in Sriki's 'Statement'?
“His statement is consistent but sketchy,” said Karan Saini, Bengaluru-based cybersecurity researcher and technologist. Hyderabad-based information security analyst Krishna Chaitanya Maduri said, “So many basic details about how he hacked certain bitcoin exchanges and website are missing from his statement.”
How did Sriki cover his tracks?
Simple, apart from hiding details of his bitcoin wallets and keys, he did not reveal one major aspect– the correct paths that he had adopted to hack bitcoin exchanges and websites. He even obscured the path of his alleged hack of Karnataka e-procurement website.
However, while cybersecurity experts that The Quint consulted could find these anomalies, why has CCB-Bengaluru refused to dig deeper?
The CCB has so far concentrated only on probing Sriki's poker website hacks and drug peddling crimes. This, even as it is unclear whether other investigating agencies probing the hacker – Karnataka-CID, CBI-Interpol, and the ED – have even looked into the statement that Sriki gave while being probed by the CCB.
The CCB had also employed a private security agency for forensic analysis of the six hard disks recovered from laptops of Sriki and his friend. Hacking data from one of the hard disks is recovered, CCB claims in the chargesheet.
The Quint has gathered that while the forensic analysis has recovered a text note which dates back to 2018, details of the final hack in 2019 that led to transfer of money, is still sketchy. This, even as the chargesheet has no mention of any technical analysis on Sriki's statement.
The statement was filed as part of the chargesheet on 22 February 2021.
Sriki's father Gopal Ramesh, had recently alleged that he gave his detailed statement under duress and influence of drugs that "the police had provided him". The Bengaluru police has denied the claim.
Here are some key points on which Sriki seems to have been given a free pass, because no investigation agency tried to verify significant chunks of the claims he had made.
Missing Links in the Big Hacks: Bitfinex and BitcoinTalk
Sriki wrote casually in his statement that he hacked Bitfinex, one of the leading bitcoin exchanges in the world. Though he detailed a hacking pathway for this cyber intrusion, The Quint found that his claims were half-truths.
While Sriki claims that he had exploited a bug in the data centre of Bitfinex, and rebooted the server, cybersecurity expert Maduri said, “Even if he had gained access into the host operating system, to reboot the server he needs physical access. Even if he was only referring to the virtual machine or the guest operating system, a reboot would have been possible only in a shared environment and not a dedicated environment like that of Bitfinex.”
Meaning, the hacking path could be incorrect and so could the nature of the transactions that he described. In the same statement Sriki has confessed to having hacked 2000 bitcoins from the exchange.
Why didn't CCB spot the anomaly and find it worthy of further investigation?
Sriki was arrested on 4 November 2020 for allegedly buying hydroganja , a narcotic drug, on the darknet and allegedly selling it to clients. Bengaluru police made the arrest which led to a probe into more of his cyber crimes. However, despite Sriki's admission that he had hacked international sites and exchanges, Bengaluru police allowed months to go by before bringing other investigative agencies into the picture. They roped in the CBI-Interpol only on 28 April 2021. The Enforcement Directorate was informed on 3 March 2021.
Karnataka Chief Minister Basavaraj Bommai was the Home Minister of Karnataka when Sriki was arrested.
In another instance, Sriki boasts of having hacked, Bitcointalk.org, the forum where Satoshi Nakomoto, the person believed to have developed bitcoin, was once a member. “I hacked this by exploiting a bug in the Kayako support suite...," he writes. While Sriki says this was a deserialisation exploit, the profit he made from the hack in US dollars or India rupees is not known. But that is only the tip of the iceberg.
Cybersecurity researcher Karan Saini told The Quint, “All the early adopters of bitcoin with large wallets congregate on Bitcointalk. With access to private messages of every user, he could have gained a lot of useful insight or stolen dormant bitcoin wallets.”
Meaning, in this hack, the access Sriki had, could have helped him to perform more tasks, and do more damage than what he has admitted to in his statement.
Shouldn't it be probed whether he logged into each of the accounts of the users to steal bitcoins? If this were the case, the number of bitcoins that he obtained illegally could be a lot higher than 5,100 – which is the number he has admitted to, through his hacks into Bitfinex, BTC-e.com and Bitclub network.
Moreover, as the statement went unquestioned, it was not just the probe into his bitcoin hacks that got obfuscated. His alleged hacking of Karnataka government's e-procurement website, too was not properly scrutinised.
Anomaly in E-Procurement Hack
Sriki writes in his statement that he succeeded in hacking the state government's e-procurement website by taking advantage of a 'remote code execution' (RCE) vulnerability. He, however, does not state which specific code he used for the hack.
Why should the sleuths know such minute details? Cybercrime experts say it is important to know the code because it could have been purchased on the dark web. If such a transaction had happened, detection of this could strengthen the case against Sriki.
Besides, other basic details of this notorious hack are still missing. For instance, how did Sriki attempt to transfer a total of Rs 46 crore from the e-procurement website into three accounts when money transaction could not have been achieved by the first hack? Sriki claims, co-accused Hemant Muddappa had given two of the accounts to which transfers were made. The third was given by another accused, Sunish Hegde.
"To transfer money, he would have had to lodge a separate phishing attack, harvest the credentials of the account user and perhaps perform sim swapping attack to access OTPs," Maduri said.
Did the CCB fail to conduct even such an elementary investigation because they did not have the technical knowhow?
According to the CCB's chargesheet, they have forensic evidence to the e-procurement hack. However, the findings pertain only to proxy bank account transactions, of which no pathway was established.
Meanwhile, in Bengaluru police's own words, Sriki had misguided them. The police had initially claimed in 2020 that they had secured 31 bitcoins from the hacker’s wallet. However, in November this year, as the bitcoin controversy raged on, Bengaluru Police Commissioner Kamal Pant denied this.
“No bitcoin was transferred from hacker Srikrishna’s account…The accused had showed a BTC wallet with 31.8 BTC and the wallet password was changed in the presence of cyber experts and panchas and the recording of the process was submitted to the court. But after the court granted permission…cyber experts told us the account claimed by the accused as his personal account was in fact a live wallet of an exchange and the accused chargesheet did not have the private key for it. So, the account was left untouched."Bengaluru Police Commissioner Kamal Pant
The CCB's initial apathy towards a thorough probe could have affected other investigations of CBI and ED into Sriki's alleged crimes.
Why Are Technical Details Crucial for the Probe?
A cybersecurity expert who has collaborated with the Intelligence Bureau, told The Quint, “The hacking path and the nature of exploits are important on two counts. One, it will be easier to access the forensic evidence that the investigating officer needs. Two, it will lead to the bitcoin trail, which will reveal the identity of those involved in the transactions."
While the Opposition in Karnataka has been raising questions about ‘influential’ people who could have benefited through Sriki, a tech analysis and forensic study of the statement could have yielded results, experts said.
“Now, without the wallets and the keys, it will be difficult to obtain forensic evidence, especially since his hacking paths are half written and the details of his exploits are not complete,” the IB expert, who spoke on the condition of anonymity, said.
Meanwhile, Sriki seems to be roaming free even as the police, by their own design, have only scant details of his bitcoin and e-procurement website hacks.
Sriki Walks Out on Bail and is Now 'Unavailable'
The hacker was released on bail twice because the police had not clinched the evidence at hand, the bail order issued by First Additional Chief Metropolitan Magistrate on 9 March 2021, implied. Sriki also procured a second bail on 7 April, against all charges that the CCB had slapped on him.
Meaning, he was allowed out of police custody even before his alleged hacking escapades, detailed in his statement, were thoroughly probed.
Interestingly, at the moment, Sriki is reportedly ‘unreachable’ to both the police and his family. While this violates his bail conditions, it also accentuates fears that a section of politicians in Karnataka had raised. Will there be a threat to Sriki's life, as he has alleged links with several clients who may not want the police to crackdown on them?
His unverified statement, meanwhile, clearly indicates that he was aware of what would incriminate him the most. He wrote, “I was held in police custody for almost 50 days. Although, I had the intention of giving the bitcoins to the police, my lawyer and friend, Sunish Hegde advised me against it saying that if I give them the bitcoins, the case against me will become stronger and that I will never get bail.”
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)