Cyberattack on Aditya Birla Capital App Leads to Rs1.95 Crore Digital Gold Fraud

Moneylife Digital Team 09 July 2025

Investor Interest

A major cybersecurity breach targeting Aditya Birla Capital Digital (ABCD), the financial super app launched by Aditya Birla group last year, has led to the unauthorised sale of digital gold worth around Rs1.95 crore from the accounts of 435 customers. The incident, which occurred last month, has raised fresh concerns about digital transaction security even as corrective measures have, since, been taken by the company.

The breach came to light after numerous customers — many of them based in Mumbai’s Prabhadevi locality — began reporting sudden, unauthorised transactions involving their digital gold holdings. Users contacted the company’s call centre in large numbers, with some also airing their concerns on social media platforms.

Following the complaints, Aditya Birla Capital Digital promptly filed a first information report (FIR) with the central region cyber police station in Mumbai. According to the complaint filed by Ravindra Choudhary, head of fraud risk management at the company, the internal technical team discovered that an unknown attacker had exploited a flaw in the app’s application programming interface (API). This allowed the hacker to bypass regular security checks, including one-time passcode (OTP)-based approvals and trigger sales of digital gold from multiple customer accounts.

The fraudulent activity took place on 9 June 2025, according to the company’s investigation and affected 435 customers in total. The proceeds from the digital gold sales were diverted to multiple personal bank accounts, now under investigation.

ABCD’s platform which allows users to invest in digital assets like gold and silver — sourced through government-recognised MMTC-PAMP — requires mobile number verification and OTP authentication to complete transactions. However, the hacker managed to alter the intended transaction flow, successfully bypassing these controls.

After detecting the breach, ABCD’s technology cell immediately halted digital gold transactions on the platform and froze fund transfers to accounts linked with the unauthorised activity. Company officials have confirmed that the technical vulnerability exploited in the hack has since been fixed.

The company is now collaborating with cyber experts, CERT-In (Indian Computer Emergency Response Team) and its cyber insurance partners to strengthen the app’s digital defences and prevent future intrusions.

The FIR has been filed under Sections 318(4) and 319(2) of the Bharatiya Nyaya Sanhita, dealing with cheating and impersonation, along with relevant provisions of the Information Technology Act. While investigations are ongoing, no arrests have been made at the time of reporting.

ABCD, launched in April 2024 as a comprehensive financial platform, offers a suite of services including bill payments, UPI transfers, mutual fund investments and gold purchases. Users can buy 24-carat gold with 999 purities starting at as low as Rs10, with the option to store it in secure vaults and sell it later via the app.

Despite the company’s assurances and swift action, the incident has left many users rattled. It highlights the persistent threat posed by cybercriminals to digital finance platforms, even those backed by well-established institutions.

As digital adoption grows across India, experts advise users to remain cautious and monitor their transaction histories regularly. Ensuring strong passwords, enabling two-factor authentication and promptly reporting suspicious activity are key to staying protected in an increasingly digital financial landscape.

Comments