A serious cyber breach has struck Aditya Birla Capital Digital Ltd (ABCD), resulting in the unauthorised sale of digital gold worth approximately ₹1.95 crore from 435 customer accounts. The fraud was discovered after customers reported suspicious transactions, prompting an internal investigation and a formal police complaint.
API exploited to bypass OTP verification
The incident occurred on June 9, when a threat actor successfully infiltrated the Application Programming Interface (API) linking ABCD’s mobile app to its backend systems. The breach allowed the attacker to circumvent the mandatory one-time password (OTP) verification process and initiate unauthorised transactions. The digital gold, purchased by users via MMTC-PAMP and processed through Razorpay, was sold and redirected into various personal bank accounts.
Aditya Birla Capital’s mobile app “ABCD” offers a suite of financial services, including digital gold, UPI, mutual funds, and insurance. Upon detection of anomalies, the company’s technical team suspended the gold sale feature and initiated a forensic audit.
Fraud escalates after user complaints
The breach came to light when multiple customers contacted the company’s call center, stating that their digital gold holdings had been liquidated without their knowledge or consent. The issue was escalated to the company’s internal cybersecurity team, which uncovered evidence of tampered transactions.
A complaint was subsequently filed by Ravindra Rajmal Chaudhary, Head of Fraud Risk Management at ABCD, with the Central Region Cyber Police in Mumbai. According to the FIR, digital gold had been illicitly sold without triggering standard security checks. Detailed user logs and a list of impacted accounts have been submitted to aid the ongoing investigation.
Critical infrastructure exploited through weak integration
The breach highlights the growing risk of cyberattacks that exploit fintech platforms through their API infrastructure. APIs, while critical for service integration, have increasingly become vulnerable entry points when not rigorously secured. The absence of fail-safe mechanisms or dynamic verification processes allowed the hacker to override controls and access valuable digital assets.
This incident echoes a broader industry concern around API security hygiene, especially for platforms handling high-value digital commodities.
Authorities launch investigation; platform remains under review
The Central Cyber Police have initiated a technical investigation to trace the attacker’s digital footprint. Meanwhile, Aditya Birla Capital has disabled specific app functionalities and is reviewing its internal security protocols.
As digital assets like gold and cryptocurrencies gain traction, financial service providers face the mounting challenge of ensuring airtight security across transaction channels. This breach serves as a stark reminder of the cost of oversight and the urgent need for proactive cybersecurity frameworks tailored for mobile-first platforms.
