Mumbai Cyber Heist: ₹1.95 Crore Digital Gold Stolen from Aditya Birla Capital’s ABCD App

Jun 26, 2025

A dramatic cyber-fraud episode has emerged in Mumbai’s Prabhadevi locality, where a malicious actor exploited a technical flaw in Aditya Birla Capital Digital Limited’s (ABCD) mobile application to illicitly sell ₹1.95 crore worth of digital gold from 435 customer accounts.

What Happened?

| Incident Details | Impact |
| --- | --- |
| ₹1.95 cr sold & digital gold drained | 435 users affected, but no net financial loss as holdings were restored |
| Breached via compromised API & OTP bypass | Indicates backend and authentication vulnerabilities |
| FIR lodged, patch applied, collaboration with Cyber Police & CERT‑In underway | Ongoing investigation and reinforcement of systems |

  • Breach details: On June 9, 2025, ABCD’s security team detected unauthorized activity when customers began reporting that their digital gold had been sold without consent—and they hadn’t received any money.

  • Attack vector: The attacker gained access via a compromised API between ABCD’s servers and its mobile app, bypassing OTP protections designed to authenticate gold-sale transactions.

  • Scale of impact: The perpetrator executed unauthorized digital gold sales from 435 users, moving proceeds into multiple personal bank accounts.

Response & Recovery

  • Immediate intervention: ABCD promptly suspended the digital gold selling feature within the app to prevent further unauthorized trades.

  • Regulatory action: A First Information Report (FIR) was filed with the Central Region Cyber Police in Mumbai. The complaint was lodged by Ravindra Rajmal Chaudhary, Head of Fraud Risk Management at ABCD.

  • Remediation measures:

    • The technical flaw—rooted in the API—has been identified and rectified, restoring the security of the digital gold module.

    • All affected customer holdings have been fully reinstated, ensuring no financial losses.

Investigation & Future Protections

  • ABCD is collaborating closely with Mumbai Cyber Police, CERT‑In, and its cyber-insurance partners to deepen the investigation and trace the perpetrators.

  • The company has also reinforced its platform’s protection, enhancing API security, enforcing stricter OTP checks, and intensifying monitoring post-breach.

Industry & Regulatory Insight

This incident highlights a growing vulnerability in the fintech sector—especially within digital-asset services. The breach:

  • Bypassed OTP controls—a fundamental authentication step.

  • Exposed API weaknesses, suggesting deeper security lapses in backend infrastructure.

  • Compromised a large user base (435 accounts), underscoring the potential scale and impact of such attacks.

Key takeaways for the wider BFSI industry:

  1. Enforce zero-trust architecture and rigorous API security auditing.

  2. Implement dynamic, multi-factor authentication, not solely OTP-based systems.

  3. Use real-time anomaly detection to monitor for unauthorized bulk transactions.
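The third takeaway, as an added example (not code from ABCD or from this article): a detector over sell events that flags payout accounts receiving proceeds from many distinct customers within a short window, and sells the server accepted without a verified OTP or paid to a non-registered account. The event field names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
MAX_CUSTOMERS_PER_PAYEE = 3      # assumed threshold; tune per platform

def flag_payout_fanin(events, window=WINDOW, limit=MAX_CUSTOMERS_PER_PAYEE):
    """Return {payout_account: [customer ids]} for payees that received sale
    proceeds from more than `limit` distinct customers inside `window`."""
    recent = defaultdict(deque)      # payout account -> (timestamp, customer)
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["payout_account"]]
        q.append((ev["ts"], ev["customer_id"]))
        while ev["ts"] - q[0][0] > window:   # expire entries outside the window
            q.popleft()
        customers = {c for _, c in q}
        if len(customers) > limit:
            flagged[ev["payout_account"]] |= customers
    return {acct: sorted(c) for acct, c in flagged.items()}

def flag_unverified_sells(events):
    """Transaction ids of sells accepted without a server-verified OTP, or
    paying out to an account other than the customer's registered one."""
    return [e["txn_id"] for e in events
            if not e["otp_verified"] or e["payout_account"] != e["registered_account"]]

def sample_events():
    """Constructed sample data; hypothetical fields, not incident records."""
    t0 = datetime(2025, 1, 1, 10, 0)
    events = []
    for i in range(3):   # ordinary sells: own registered account, OTP verified
        events.append(dict(txn_id=f"T{i}", ts=t0 + timedelta(hours=i),
                           customer_id=f"C{i}", payout_account=f"BANK-C{i}",
                           registered_account=f"BANK-C{i}", otp_verified=True))
    for i in range(5):   # five customers in eight minutes, one shared payee
        events.append(dict(txn_id=f"X{i}", ts=t0 + timedelta(minutes=2 * i),
                           customer_id=f"C{10 + i}", payout_account="BANK-Z",
                           registered_account=f"BANK-C{10 + i}", otp_verified=False))
    return events

if __name__ == "__main__":
    print(flag_payout_fanin(sample_events()))
    print(flag_unverified_sells(sample_events()))
```
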

Final Word

While ABCD’s swift reaction—disabling sales, patching the bug, restoring holdings, and working with authorities—is commendable, this breach serves as a cautionary tale. It underscores the critical importance of proactive defenses in fintech environments handling digital assets.

Until the attackers are apprehended and further safeguards are validated, users and regulators alike must remain vigilant. The incident is being monitored closely by India's cybersecurity community and financial watchdogs.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
