Bitcoin Hacker Sriki Deceived Bengaluru Cyber Cops, Tech Analysis Reveals

(This is the first in The Quint's five-part series on the Bengaluru Bitcoin Scam.)

Srikrishna Ramesh, the 25-year-old hacker who is at the centre of Bengaluru's ‘bitcoin scam’, obscured his hacking history and web exploits in his 12-page-long ‘voluntary statement’. But this was not challenged by the Central Crime Branch-Bengaluru (CCB), a tech analysis of the statement has revealed.

The Quint, with the assistance of cybersecurity experts, has found several loopholes in the 'voluntary statement' which is part of the chargesheet filed by the CCB. In essence, Srikrishna Ramesh alias Sriki's, seemingly detailed statement does not reveal the extent of his hacks. Why then, did CCB-Bengaluru look the other way?

What’s the Glitch in Sriki's 'Statement'?

“His statement is consistent but sketchy,” said Karan Saini, Bengaluru-based cybersecurity researcher and technologist. Hyderabad-based information security analyst Krishna Chaitanya Maduri said, “So many basic details about how he hacked certain bitcoin exchanges and website are missing from his statement.”

How did Sriki cover his tracks?

However, while cybersecurity experts that The Quint consulted could find these anomalies, why has CCB-Bengaluru refused to dig deeper?

The CCB has so far concentrated only on probing Sriki's poker website hacks and drug peddling crimes. This, even as it is unclear whether other investigating agencies probing the hacker – Karnataka-CID, CBI-Interpol, and the ED – have even looked into the statement that Sriki gave while being probed by the CCB.

The CCB had also employed a private security agency for forensic analysis of the six hard disks recovered from laptops of Sriki and his friend. Hacking data from one of the hard disks is recovered, CCB claims in the chargesheet.

The Quint has gathered that while the forensic analysis has recovered a text note which dates back to 2018, details of the final hack in 2019 that led to transfer of money, is still sketchy. This, even as the chargesheet has no mention of any technical analysis on Sriki's statement.

Sriki's father Gopal Ramesh, had recently alleged that he gave his detailed statement under duress and influence of drugs that "the police had provided him". The Bengaluru police has denied the claim.

Here are some key points on which Sriki seems to have been given a free pass, because no investigation agency tried to verify significant chunks of the claims he had made.

Missing Links in the Big Hacks: Bitfinex and BitcoinTalk

Sriki wrote casually in his statement that he hacked Bitfinex, one of the leading bitcoin exchanges in the world. Though he detailed a hacking pathway for this cyber intrusion, The Quint found that his claims were half-truths.

While Sriki claims that he had exploited a bug in the data centre of Bitfinex, and rebooted the server, cybersecurity expert Maduri said, “Even if he had gained access into the host operating system, to reboot the server he needs physical access. Even if he was only referring to the virtual machine or the guest operating system, a reboot would have been possible only in a shared environment and not a dedicated environment like that of Bitfinex.”

Meaning, the hacking path could be incorrect and so could the nature of the transactions that he described. In the same statement Sriki has confessed to having hacked 2000 bitcoins from the exchange.

Why didn't CCB spot the anomaly and find it worthy of further investigation?

Sriki was arrested on 4 November 2020 for allegedly buying hydroganja , a narcotic drug, on the darknet and allegedly selling it to clients. Bengaluru police made the arrest which led to a probe into more of his cyber crimes. However, despite Sriki's admission that he had hacked international sites and exchanges, Bengaluru police allowed months to go by before bringing other investigative agencies into the picture. They roped in the CBI-Interpol only on 28 April 2021. The Enforcement Directorate was informed on 3 March 2021.

Karnataka Chief Minister Basavaraj Bommai was the Home Minister of Karnataka when Sriki was arrested.

In another instance, Sriki boasts of having hacked, Bitcointalk.org, the forum where Satoshi Nakomoto, the person believed to have developed bitcoin, was once a member. “I hacked this by exploiting a bug in the Kayako support suite...," he writes. While Sriki says this was a deserialisation exploit, the profit he made from the hack in US dollars or India rupees is not known. But that is only the tip of the iceberg.

Meaning, in this hack, the access Sriki had, could have helped him to perform more tasks, and do more damage than what he has admitted to in his statement.

Shouldn't it be probed whether he logged into each of the accounts of the users to steal bitcoins? If this were the case, the number of bitcoins that he obtained illegally could be a lot higher than 5,100 – which is the number he has admitted to, through his hacks into Bitfinex, BTC-e.com and Bitclub network.

Moreover, as the statement went unquestioned, it was not just the probe into his bitcoin hacks that got obfuscated. His alleged hacking of Karnataka government's e-procurement website, too was not properly scrutinised.

Anomaly in E-Procurement Hack

Sriki writes in his statement that he succeeded in hacking the state government's e-procurement website by taking advantage of a 'remote code execution' (RCE) vulnerability. He, however, does not state which specific code he used for the hack.

Besides, other basic details of this notorious hack are still missing. For instance, how did Sriki attempt to transfer a total of Rs 46 crore from the e-procurement website into three accounts when money transaction could not have been achieved by the first hack? Sriki claims, co-accused Hemant Muddappa had given two of the accounts to which transfers were made. The third was given by another accused, Sunish Hegde.

"To transfer money, he would have had to lodge a separate phishing attack, harvest the credentials of the account user and perhaps perform sim swapping attack to access OTPs," Maduri said.

According to the CCB's chargesheet, they have forensic evidence to the e-procurement hack. However, the findings pertain only to proxy bank account transactions, of which no pathway was established.

Meanwhile, in Bengaluru police's own words, Sriki had misguided them. The police had initially claimed in 2020 that they had secured 31 bitcoins from the hacker’s wallet. However, in November this year, as the bitcoin controversy raged on, Bengaluru Police Commissioner Kamal Pant denied this.

The CCB's initial apathy towards a thorough probe could have affected other investigations of CBI and ED into Sriki's alleged crimes.

Why Are Technical Details Crucial for the Probe?

A cybersecurity expert who has collaborated with the Intelligence Bureau, told The Quint, “The hacking path and the nature of exploits are important on two counts. One, it will be easier to access the forensic evidence that the investigating officer needs. Two, it will lead to the bitcoin trail, which will reveal the identity of those involved in the transactions."

“Now, without the wallets and the keys, it will be difficult to obtain forensic evidence, especially since his hacking paths are half written and the details of his exploits are not complete,” the IB expert, who spoke on the condition of anonymity, said.

Meanwhile, Sriki seems to be roaming free even as the police, by their own design, have only scant details of his bitcoin and e-procurement website hacks.

Sriki Walks Out on Bail and is Now 'Unavailable'

The hacker was released on bail twice because the police had not clinched the evidence at hand, the bail order issued by First Additional Chief Metropolitan Magistrate on 9 March 2021, implied. Sriki also procured a second bail on 7 April, against all charges that the CCB had slapped on him.

Interestingly, at the moment, Sriki is reportedly ‘unreachable’ to both the police and his family. While this violates his bail conditions, it also accentuates fears that a section of politicians in Karnataka had raised. Will there be a threat to Sriki's life, as he has alleged links with several clients who may not want the police to crackdown on them?

His unverified statement, meanwhile, clearly indicates that he was aware of what would incriminate him the most. He wrote, “I was held in police custody for almost 50 days. Although, I had the intention of giving the bitcoins to the police, my lawyer and friend, Sunish Hegde advised me against it saying that if I give them the bitcoins, the case against me will become stronger and that I will never get bail.”