14 April,2024 04:09 AM IST | Mumbai | Gautam S Mengle
Cyber-researcher Ketan Raikwar, who has been probing one such scam
"Cut off one head," said the evil HYDRA operative in Captain America: The First Avenger, "and two more will take its place."
For the last one month, a 26-year-old cybersecurity researcher from Madhya Pradesh has been discovering pretty much this about a widespread cyber-scam that was last busted four years ago. In 2020, the Hyderabad police called out the "colour prediction" scam - a long-drawn internet-based con job that lures people into "investing" money by asking them to guess a colour and win money. The scam's spoils totalled Rs 1600 crore and the links were traced all the way to China, where the mastermind was allegedly operating from.
Three months ago, Ketan Raikwar, a bug bounty hunter from Indore, noticed a sudden influx of paid ads on Instagram, all of them leading to websites that promoted colour-prediction lotteries. Raikwar, who shared his findings exclusively with mid-day, explained, "The ads take you to a website with a 'registration' page. To register, you have to pay a small amount, say Rs 100. You bet on a colour and if it pops up on screen when you play the 'game', you win. Like other scams of this nature, the victims are paid Rs 200 or some such. Ridiculously simple but the perpetrators rake in crores!"
What makes this one different from other investment scams currently trending, he adds, is that most of them make the victims do some work, like leaving behind positive feedback on products or 'liking' YouTube videos in exchange for the initial pay out. Here, the victim has to simply guess a colour, which leads him/her to think, what could go wrong?
As soon as the first "bet" is "won", the perpetrator adds the victim to a Telegram group. Here, s/he is given "insider tips" on which colour to place the next bet on. The victim accepts the tips and also "wins" in the first instance. This makes him believe that he has found a shortcut to riches. Next comes the lure of bigger returns for bigger "investments", which start at Rs 10,000. For every deposit the victim makes, the app shows double the returns. But this money can never be withdrawn, nor is it deposited into his bank account.
When Raikwar noticed the ads, he reached out to the ethical hacker community and together they delved deep into five websites over one month, while also examining scores of Instagram accounts that promoted these websites. "We found that the influencers were getting commissions or cuts from the money that the victims were paying," says Raikwar. "For example, if 10 people registered with the website using a referral code shared by one influencer, the influencer got a percentage of the amount that the victim lost. It is like a multi-level marketing chain; the victims lose money every day."
A Telegram group that is part of the scam (right) An Instagram profile promoting the scam
Using their bug bounty hunting skills, Raikwar and his collaborators, who prefer to remain anonymous, sniffed around the edges of the website till they found a vulnerability that let them hack one. Through this backdoor, they accessed the account of a person promoting the website on social media. This section had details of how many people the promoter had lured so far, how much money they had paid, how much commission the promoter, who was categorised as a "Level 6 VIP", had been paid and how much he was owed.
"We were shocked by the findings," he says. "A total of 64,306 people had paid Rs 59 crore. And this is to just one promoter of one website." Raikwar shared screenshots of his discovery with mid-day, and this writer saw that a sum of Rs 8.5 lakh had been earmarked as "commissions" in the same section.
He also made another serious discovery while searching for the extent of the internet scam. The scammers have hacked multiple Bihar government websites and posted ads for their scams on these pages. Even in a Google search, the preview text includes promotions like "Most trusted colour prediction app" (see image). "These are the top results thrown up by a search engine whenever one searches for them," he says.
The preference for anonymity is not without reason. Ever since the pandemic began, Raikwar and his fellow researchers have been flagging online scams to the cyber police in various states, and they now find themselves on the radar of the scammers. Three times this year, Raikwar created Instagram pages to raise awareness about cyber-scams. Every time, the pages were reported to Meta en masse and the tech giant disabled the pages because of the sheer volume of reports. "But our efforts are also encouraging others to speak up. People have been reaching out to us via social media and some of the stories are heartbreaking. The most recent one was about a teenager who stole Rs 50,000 from his parents, hoping to make one lakh rupees, and has now run away from home because he is scared to face them," Raikwar tells mid-day.
People are speaking up on other platforms too. On a recent Reel posted as a paid ad by an influencer, over 4000 people have left comments, asking him to either give them the returns he promised or have their money refunded. "The money is long gone, of course," says Raikwar. "Such scammers don't keep money in a single account for long."
How hard is it, we ask, to design a dummy game to fool people? Raikwar laughs. "The entire source code is available for free online. Not just that, there are people who design these websites for as low as Rs 300 to Rs 500. It is an entire ecosystem at work."
Raikwar has turned over his findings via email to the cyber police in MP, Maharashtra and Delhi, requesting action. He says he will continue to probe deeper in the meantime.