Pune Crime Files: Cyber attack on Cosmos Bank that funnelled Rs 94 crore in just 3 days

While around Rs 78 crore was withdrawn in more than 12,000 ATM transactions outside India, another 2,800 transactions of Rs 2.5 crore were made at different places within India. Further, on August 13, 2018, Rs 13.92 crore was transferred to a Hong Kong-based entity using the Society for Worldwide Interbank Telecommunications (SWIFT) facility. The transactions outside India were done through Visa cards, and those in India through RuPay cards, a probe found.

The police said a total of Rs 94 crore was siphoned off in this case, which was registered at the Chaturshringi police station under relevant sections of the Indian Penal Code and the Information Technology Act.

Perpetrators with global links and backing of foreign state entity

Multiple officers who have been part of the investigation of this case said their probe pointed to the involvement of a notorious group of global cybercriminals that is believed to have the backing of a foreign state entity.

“With the available investigative resources and jurisdictional access and complications, we could just scratch the surface of the case. The probe did identify some of the mid-tier perpetrators who were known to be operating from a country in the Middle East. Attempts have been made for their custody through a Red Corner Notice and an extradition notice but with no concrete outcome yet. It remains an open case of Pune

city police.” said an officer who was part of the probe.

The Special Investigation Team (SIT) of the Pune city police got the first breakthrough in September 2018 with the arrest of two people – Fahim Mehfuz Shaikh (then aged 27), a resident of Bhiwandi in Thane district, and Fahim Azim Khan (then aged 30) of Sillod in Aurangabad.

The SIT nabbed the duo based on footage from CCTV cameras installed in several ATM kiosks in Kolhapur, where the two and their accomplices allegedly withdrew over Rs 89 lakh using over 90 cloned cards. The probe revealed that money was withdrawn similarly from ATMs in Indore, Mumbai, Ajmer and other places in India using cloned cards. The police arrested 16 more accused during the further probe.

The police said most of those arrested were mainly involved in withdrawing money from various ATMs using cloned Cosmos Bank cards, as per the instructions of their handlers, who gave them some part of this money as a commission.

In December 2018, the SIT filed about 1,700 pages of chargesheet against nine accused in this case. Later, two supplementary chargesheets were filed against nine other accused. Meanwhile, four individuals wanted in the case, of whom three, identified as Kunal Shukla, Abdul Bhai and Sumer Shaikh, were suspected to be in Dubai, the police said.

On August 18, 2020, Interpol issued a Red Corner Notice against a prime suspect who was found to be residing in a foreign country. On April 15, 2023, a magistrate court in Pune convicted 11 accused.

Fahim Shaikh, Fahim Khan, Shaikh Mohammed Abdul Jabbar, Mahesh Rathod, Naresh Maharana, Mohammad Saeed Iqbal Hussain Jafari and Anthony were held guilty and awarded simple imprisonment of four years and seven months.

Abdulla Shaikh and Bashir Ahmed were awarded four years of simple imprisonment, while Feroz Shaikh and Salman Baig got three years of simple imprisonment.

Senior Inspector Minal Supe Patil from the cybercrime police station said. “The court has convicted 11 accused. For one wanted accused, an extradition has been processed through the Maharashtra CID. Our probe in the case continues.”

Meanwhile, the police and Cosmos Bank successfully retrieved Rs 5.72 crore that the cyber fraudsters had transferred into a bank in Hong Kong.

What is a malware attack?

The police said a malware attack is a malicious software infiltration of a computer system or network aimed at damaging or gaining unauthorised access primarily to steal sensitive information or compromise the system’s functionality.

In this case, the malware attack targeted specific vulnerabilities in Cosmos Bank’s online banking systems, enabling cybercriminals to gain unauthorised access and funnel large sums of money.

A police officer who investigated the case initially explained the malware attack was used to compromise a code, referred to as the ‘ATM switch’, that sends the cash withdrawal request to the bank for approval.