After months of investigation, a special investigation team (SIT) of Karnataka’s CID police has achieved key breakthroughs to suggest that Bengaluru Crime Branch police officers may have accessed Bitcoins worth crores of rupees found in the possession of hacker Srikrishna Ramesh alias Sriki, 29, who was arrested in November 2020.
The breakthrough in the form of digital evidence has led to the arrest of a police officer and a private cyber expert, as well as the naming of three police officers in a new first information report (FIR) registered by the CID police on January 24.
The Bitcoin scam from the BJP tenure of 2019-2023 is widely believed to have political ramifications in the state. The SIT was constituted in July 2023 by the new Congress government following allegations of large-scale corruption by the police in handling the cases.
During legal proceedings since the January 24 arrest of Police Inspector Prashant Babu, who previously headed the technical support team to the Bengaluru Central Crime Branch (CCB), and cyber expert Santhosh Kumar K S, the CEO of private firm Group Cyber ID Technologies (GCID), the SIT has outlined the course of its discoveries in the case.
The key findings
Among the key findings that the SIT has reported in court filings in recent weeks is the recovery of a new laptop that was specifically bought at arrested police officer Babu’s instance and was used by Sriki while in police custody.
Another key finding has been the fact that three nano ledgers or hardware crypto wallets were procured on behalf of the arrested cyber expert Kumar from Surat when Sriki was under arrest.
The SIT has found digital evidence to suggest that a large amount of Bitcoins from cloud wallets belonging to Sriki were transferred to the hardware wallets when the hacker was in custody.
The SIT investigations have also found digital evidence to indicate that police officers used the services of private cyber and crypto experts to wipe out the digital access history of crypto wallets stored on an Amazon Web Services (AWS) cloud server by Sriki (while he was in custody of the CCB police legally and illegally between November 2020 to January 2021).
A laptop, crypto wallets and a cloud server
In the course of court filings since January 24, the CID SIT has stated that it found that around December 8, 2020, Babu purchased a laptop manufactured by MSI for Rs 60,000 with the help of a cyber expert Gagan Jain of Cyber Safe, a private firm which offers expertise to the police in cyber investigations.
The laptop was not initially produced before the SIT by the arrested Crime Branch officer despite multiple notices but was eventually produced on October 13, 2023, and handed over to the SIT. The laptop was produced before the SIT a week after the team carried out searches at the homes of four police officers and two cyber experts on October 6, 2023.
When the new laptop was subjected to forensic analysis, it was found that it had been used while Sriki was in police custody to remotely access crypto wallets on his AWS server account from the police technical cell and the office of the GCID. The details of the wallet files on the Amazon cloud servers or their presence were not recorded in police files.
“The forensic analysis of the laptop has revealed that it was used to hack and attempt to hack sites and carry out other illegal activities while the hacker was in police custody,” the SIT has said in court documents.
The SIT also found that the digital trail of the access of AWS cloud wallets of the hacker was erased by the police with the assistance of cyber experts and a Bitcoin expert who are also under investigation.
The SIT has alleged that the private cyber experts Jain, Kumar and Sathvik V, the director of Unocoin Technologies, were used to delete the bash history to access the AWS. “As a result, crucial information on the Bitcoin wallets in the Amazon Web Server was erased and put out of reach of investigations,” the SIT alleged
The SIT has also found that when Sriki was in custody, Kumar obtained three nano ledgers or hardware crypto wallets from Surat through his associates – one of which was given to Babu. A large quantity of Bitcoin that was in Sriki’s wallets was transferred to these hardware wallets on January 16, 2021, the SIT has alleged.
The SIT has reported the recovery of one of the three hardware crypto wallets and is seeking to find the two other hardware crypto wallets that were allegedly used for the transfer of Bitcoins. “There is information about the transfer of Bitcoins and wallets of Sriki to nano ledgers (hardware crypto wallets),” B N Jagadeesh, a special public prosecutor for the SIT, said during arguments in court proceedings for bail this week.
During a bail hearing for Babu on Friday, his senior counsel Shyam Sundar argued that the case brought by the CID against him borders on the realm of imagination and is not based on concrete evidence. The hearing was adjourned to Monday.
Puzzling timeline
Incidentally, as per records in the case proceedings, on January 5, 2021, on Babu’s instructions, cyber expert allegedly gained access to the crypto wallets, email and bank accounts of Sriki and his associate and accountant Robin Khandelwal and changed the logins and passwords in the absence of witnesses or court orders.
On January 6, 2021, Kumar allegedly transferred Bitcoin worth Rs 1.86 lakh to his own crypto wallet from a crypto wallet belonging to Khandelwal – after gaining illegal access to the wallet with the changed passwords.
On January 8, 2021 the Crime Branch carried out an official seizure process for 31 Bitcoins that were claimed to be located in a wallet indicated by Sriki. Kumar facilitated the seizure of the 31 Bitcoins in the presence of private panchas from the state electricity board.
However, on January 22, 2021, when the police wallet into which the 31 Bitcoins seized from Sriki were transferred on January 8 was opened, there were no Bitcoins.
Cyber experts Kumar and Sathvik provided their expert opinion on the disappearance of the 31 Bitcoins by stating that Sriki had duped the police into believing that the Bitcoins located in a cryptocurrency exchange belonged to him.
Hacker’s claims
After he was arrested in 2020, hacker Sriki revealed to the police, as per documents including his voluntary statements filed in the courts, that he was in possession of 400 Bitcoins and was pressured into giving it away by the police.
“I understood the case scenario that even if I do not give them the Bitcoins they can use forensic methods to find the Bitcoins after a talk with the investigating officer. So post consultations I voluntarily accepted to give away the Bitcoins which I had kept in various wallets in different cryptocurrencies,” reads a statement attributed to Sriki, which is a part of the chargesheet in one of the hacking cases filed against the hacker in 2021.
At the time of Sriki’s arrest, the value of one Bitcoin was in the range of $ 25000 (around Rs 20 lakh) and soared to as high as $ 60000 (around Rs 50 lakh) by April 2021. Investigators estimate the Bitcoin scam to be in the range of Rs 80 crore to Rs 200 crore.
The SIT has stated that further investigation is needed to ascertain the veracity of Sriki’s allegations. “The digital trail cannot be hidden in cybercrimes. They will invariably provide leads. The SIT has found some leads,” a senior police officer said. Officers of the SIT and others had analysed the digital and other information gathered in the investigation over months before filing a new FIR on January 24 and carrying out arrests, the police official said.
The SIT has also named three former Bengaluru Crime Branch officers – Sridhar Poojar (now a deputy superintendent of police) and inspectors Chandradhar S R and Lakshmikanthaiah – in the FIR filed on January 24 where the officers are accused of illegal confinement of Sriki and his accountant, breach of trust by a public servant, and destruction of evidence.
Cop’s interim anticipatory bail rejected
Sridhar Poojar, one of the police officers named in the FIR and the investigating officer in some of the hacking cases probed by the Crime Branch against Sriki in the 2020-2021 period, was denied interim anticipatory bail on Thursday by a special court.
“I am of the opinion that before passing any order on bail application, the respondent is to be heard. Therefore without hearing the respondent, it cannot be decided. Hence application for interim bail is rejected,” a special CID court said Thursday.
The court on Wednesday had granted anticipatory bail to Unocoin Technologies Pvt Ltd co-founders Sathvik V and Harish B V, who have been summoned for investigation by the SIT. Sathvik is alleged to have assisted Kumar monitor Sriki’s hacking activity in police custody and facilitated the deletion of the cyber trail for the illegal access of cloud wallets of the hacker while he was in police custody.
The co-founders of the crypto exchange are alleged to have paid Rs 7 lakh to Babu to recover cryptocurrency that was hacked and stolen from the exchange by Sriki in 2017.
