B.Tech Student Who Reported Bugs to Tech Firms Arrested for ₹1 Crore Fantasy-App Fraud

Ghaziabad: A 24-year-old B.Tech student, known in cybersecurity and bug-bounty circles, has been arrested for allegedly exploiting his skills to siphon off over ₹1 crore from a fantasy gaming platform. Ghaziabad Cyber Police said the accused manipulated the payment gateway of the Real 11 app, allowing him to deposit just ₹1 while generating wallet credits of ₹2,000 to ₹1 lakh.

A complaint was filed in November 2024 by Amit Yadav, a representative of Real 11, after the company detected suspicious wallet activity. An internal audit revealed fraudulent transactions worth ₹1.01 crore between July and November 2024 without corresponding user payments.

Police said the accused, Utsav Mandal, a final-year Computer Science student from Siliguri Institute of Technology and currently living in Bijnor, was identified as the mastermind after three men linked to the scam were arrested in April 2025. Mandal was detained on Saturday from the Ghantaghar Kotwali area.

Investigators said Mandal reverse-engineered the app’s API, discovered a loophole in the payment gateway and manipulated data packets to trick the backend into registering high wallet credits. He then transferred the inflated amounts to bank accounts linked to him.

Police said he created 20 user IDs using documents of family members, his wife, friends and acquaintances. Over five months, he allegedly carried out more than 100 fraudulent refund transactions and routed the proceeds through multiple bank accounts. Around ₹25 lakh has been recovered so far.

Authorities are now analysing bank and UPI IDs, digital wallets, transaction logs and data from his seized devices. A detailed forensic audit is in progress.

ADCP Crime urged app developers to strengthen API security, backend validation and payment-gateway monitoring to curb similar cyber frauds.