A two-day digital nightmare has left a Hyderabad-based skincare startup grappling with a ₹12.7 crore advertising bill, after unidentified cybercriminals hijacked its Google Ads account to promote U.S.-based businesses. As investigations widen, the incident underscores alarming vulnerabilities in platform security and the high cost of unchecked automation in digital marketing.
The Cyber Ambush: How a Routine Budget Became a Multi-Crore Disaster
Old School Rituals (OSR), a natural skincare and wellness brand operating out of Hyderabad’s Financial District, typically spends ₹10,000–₹15,000 per day on online advertising. But on May 17 and 18, the company’s Google Ads account was manipulated to push thousands of international advertisements, generating an astronomical spend of ₹12.7 crore, a nearly 850x increase in budget.
The fraud came to light when ENSO Business Consulting, the brand’s long-time digital partner, flagged an uncharacteristic campaign with more than 2.1 million clicks, and not a single conversion.
OSR co-founder Shashanka Kancharla, in his formal complaint to the Telangana Cyber Security Bureau (TGCSB), stated that this was neither authorised by them nor aligned with their marketing strategy. ENSO’s internal report later confirmed that even ad alert notifications, typically routed to the team’s dashboard, were missing during the suspicious activity window.
Breach or Insider Leak? ENSO Probes Access Points While Authorities Search
While investigators haven’t ruled out hacking, ENSO’s initial findings suggest a potential compromise of user credentials, browser cookies, or even administrative permissions. No conclusive evidence of phishing or malware has been made public, but the surgical precision of the 48-hour ad blitz suggests technical sophistication, and possibly platform-level exploitation.
ENSO’s report, submitted on May 21, includes an hour-by-hour timeline of the unauthorized ad buys, IP addresses linked to ad triggers, and accounts involved in campaign setup. Some experts are pointing to possible API-level manipulation or script-based automation used by the attackers.
FCRF x CERT-In Roll Out National Cyber Crisis Management Course to Prepare India’s Digital Defenders
Google Responds; Legal Firepower Activated Under India’s New Penal Code
Following OSR’s complaint, a bill of ₹12.7 crore was raised by Google for the fraudulent ad campaigns, a figure that could potentially bankrupt a small- to medium-sized business. OSR has requested that Google reverse the charges, citing unauthorized access and breach of account integrity.
The Telangana Cyber Security Bureau registered a case under:
- Section 318(4) of the Bharatiya Nyaya Sanhita (cheating and dishonestly inducing delivery of property), and
- Sections 43, 66, and 66-C of the Information Technology Act deal with data breaches, unauthorised access, and identity theft.
The Cyber Police is now coordinating with Google’s fraud investigation team to obtain logs, access metadata, and any geolocation data that may help pinpoint the attacker.
What Comes Next: Policy Review, Platform Responsibility, and Rising Cyber Risk
The breach has once again raised alarms about platform accountability, particularly Google’s ad infrastructure. Experts are calling for more real-time fraud detection, better two-factor authentication policies, and spend-capping safeguards for small businesses.
For OSR, the damage may be more reputational than operational. Shashanka Kancharla and his wife, singer and entrepreneur Smita Valluripalli, remain vocal about pushing for accountability. As the digital economy becomes more interconnected, cases like OSR’s show that ad platforms are no longer just marketing tools. They’re potential vectors of financial devastation.
About the author – Prakriti Jha is a student at National Forensic Sciences University, Gandhinagar, currently pursuing B.Sc. LL.B (Hons.) with a keen interest in the intersection of law and data science. She is passionate about exploring how legal frameworks adapt to the evolving challenges of technology and justice.