Ghaziabad Police arrest fantasy-app ‘digital mastermind’; turned ₹1 into ₹2,000–₹1 lakh through manipulated wallet credits.
Ghaziabad – A B.Tech student known in cybersecurity circles for identifying bugs in major companies’ apps and websites has been arrested for allegedly deploying the same expertise to orchestrate a massive fraud. According to the Ghaziabad Cyber Police, the 24-year-old manipulated the payment gateway of a fantasy gaming application, enabling him to deposit just ₹1 but make the app reflect inflated wallet credits ranging from ₹2,000 to ₹1 lakh. Over several months, this technique caused the company a loss exceeding ₹1 crore.
The Cyber Crime Police Station has seized the accused’s devices and initiated a forensic examination.
Internal audit uncovers ₹1.01-crore fraud
ADCP Crime stated that a representative of the Real 11 fantasy gaming application, Amit Yadav, filed a complaint in November 2024, reporting suspicious wallet activities.
The firm’s internal audit revealed that between July and November 2024, fraudulent transactions amounting to ₹1.01 crore were registered without corresponding legitimate user payments.
In April 2025, police had already arrested three individuals—Deshraj, Abhishek and Aakash—linked to the scam. Interrogation of these suspects pointed to the real architect of the operation: Utsav Mandal, a 24-year-old final-year Computer Science student from Siliguri Institute of Technology, originally from East Bardhaman (West Bengal) and recently residing in Bijnor.
Police apprehended Mandal on Saturday from the Ghantaghar Kotwali area of Ghaziabad.
Exploited API loopholes to seize control of the payment gateway
During questioning, Mandal revealed that he had successfully solved several bug-bounty challenges for various companies. While exploring vulnerabilities, he came across weaknesses in the Real 11 application.
According to investigators, Mandal:
- Installed the app and reverse-engineered its API (Application Programming Interface)
- Identified a loophole in the payment gateway
- Manipulated data packets exchanged between the gateway and the mobile app
This manipulation allowed him to send a backend request showing he had deposited ₹1, while the app’s wallet reflected an artificially inflated value between ₹2,000 and ₹1,00,000.
He then transferred the falsely credited wallet balance to his linked bank accounts.
Police officials describe the method as “technically advanced, far beyond ordinary digital fraud techniques.”
Fraud executed through 20 fake IDs; family unknowingly became part of the network
Mandal admitted to creating 20 user IDs to run the operation, using documents belonging to:
- His mother
- His father
- His wife
- Friends
- Other acquaintances
He reportedly misled family members by claiming that the funds were “project payments,” thereby avoiding suspicion.
Through these 20 IDs, over a five-month period, he:
- Conducted over 100 fraudulent refund transactions
- Credited more than ₹1 crore to various wallets
- Gradually transferred the proceeds into multiple bank accounts
₹25 lakh recovered so far; police tracking digital trail
Police officials confirmed that ₹25 lakh has been recovered from accounts linked to the accused.
Investigators are now examining:
- Additional bank and UPI IDs
- Digital wallets used to route the money
- Transaction logs and session histories
- Data from his mobile phone, laptop and associated cloud accounts
A detailed forensic audit is underway.
Cyber police advisory: strengthen API and payment security
ADCP urged app developers to increase vigilance, noting that emerging cybercrime patterns rely heavily on API vulnerabilities and weak validation layers. He emphasised strengthening:
- API security protocols
- Payment-gateway logs
- Backend transaction validation and monitoring systems
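An added illustration of the backend transaction validation named in the advisory (not code from the police, the company or the original report): a reconciliation pass that accepts a wallet credit only when the gateway's own settlement record backs it for the same user and amount. The record layout, field names, reason labels and sample data are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data. SETTLEMENTS stands for what the payment gateway
# confirms server-to-server; WALLET_CREDITS stands for the app's wallet ledger.
SETTLEMENTS = {
    "ord-1001": {"user": "u1", "amount": Decimal("500.00"), "status": "SUCCESS"},
    "ord-1002": {"user": "u2", "amount": Decimal("1.00"), "status": "SUCCESS"},
    "ord-1003": {"user": "u3", "amount": Decimal("250.00"), "status": "FAILED"},
}
WALLET_CREDITS = [
    {"order_id": "ord-1001", "user": "u1", "credited": Decimal("500.00")},
    {"order_id": "ord-1002", "user": "u2", "credited": Decimal("2000.00")},
    {"order_id": "ord-1003", "user": "u3", "credited": Decimal("250.00")},
    {"order_id": "ord-1004", "user": "u4", "credited": Decimal("100000.00")},
    {"order_id": "ord-1001", "user": "u1", "credited": Decimal("500.00")},
]

def reconcile(credits, settlements):
    """Return (index, order_id, reason) for each credit the gateway does not back."""
    findings, seen = [], set()
    for i, c in enumerate(credits):
        s = settlements.get(c["order_id"])
        if s is None:
            reason = "no_settlement"            # credit with no gateway record
        elif s["status"] != "SUCCESS":
            reason = "payment_not_successful"   # gateway never captured funds
        elif s["user"] != c["user"]:
            reason = "user_mismatch"            # settlement belongs to someone else
        elif c["credited"] != s["amount"]:
            reason = "amount_mismatch"          # e.g. 1.00 paid, 2000.00 credited
        elif c["order_id"] in seen:
            reason = "duplicate_credit"         # same settlement credited twice
        else:
            seen.add(c["order_id"])
            continue
        findings.append((i, c["order_id"], reason))
    return findings

if __name__ == "__main__":
    for idx, order_id, reason in reconcile(WALLET_CREDITS, SETTLEMENTS):
        print(f"credit #{idx} order={order_id} flagged: {reason}")
```

The same comparison applied before the credit is written, using the amount from the gateway's server-side record instead of any value relayed by the app, turns this from detection into prevention.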
