Aditya Birla Capital Digital Gold Hack | ₹1.95 Crore Stolen in API Breach, Services Restored

Aditya Birla Capital Digital faced a major cyber breach on June 9, 2025, with ₹1.95 crore worth of digital gold stolen from 435 accounts. Learn how the breach occurred, how ABCD responded, and what it means for fintech API security.

On 9 June 2025, Aditya Birla Capital Digital (ABCD) revealed a serious cyber incident in which attackers siphoned off ₹1.95 crore worth of digital gold from 435 customer accounts. Although all stolen holdings have since been fully restored, the breach highlights growing risks in India’s booming digital gold market and exposes vulnerabilities in fintech API security.

What Happened? A Snapshot of the Breach

| Timeline | Event | Impact / Action |
|---|---|---|
| 9 June 2025 | Unauthorized gold sales detected | Hackers liquidate ₹1.95 crore from 435 ABCD users |
| Same day | Customer complaints surge | ABCD suspends gold‑selling feature to contain damage |
| 10 June | Holdings restored | Assets credited back; selling remains disabled |
| 12 June | Technical gaps patched | OTP bypass via API fixed; multi‑factor hardening applied |
| 15 June | Gold services resume | “Live and secure,” according to ABCD |
| 18 June | FIR filed in Mumbai | Central Region Cyber Police open investigation |
| Ongoing | Coordination with CERT‑In, Razorpay, insurer | Forensics, liability review, and hunt for culprits |

How the Attackers Pulled It Off

Initial Vector: Investigators believe threat actors exploited weak authentication logic in ABCD’s backend API—specifically, the endpoint that validates one‑time passwords (OTP) during a gold‑sell transaction.

OTP Bypass Workflow

  1. Token Replay or Manipulation – By intercepting traffic, attackers replayed or forged a session token that the server went on to treat as valid.

  2. Server‑Side Validation Flaw – ABCD’s server accepted the forged token without confirming the OTP challenge.

  3. Automated Sell Requests – Scripts rapidly sold holdings from hundreds of wallets linked to Razorpay.

  4. Fund Diversion – Proceeds transferred to mule accounts before anti‑fraud controls triggered alarms.

Key Weaknesses Identified:

  • Insufficient rate limiting on the sell‑API.

  • Lack of device binding and IP reputation checks.

  • Overly permissive API keys granting write access without scope restriction.

Immediate Response Measures

Asset Restoration
ABCD and its government‑licensed bullion partner re‑credited gold grams within hours, ensuring no net loss to customers.

Service Suspension & Hardening

  • Temporarily disabled the “Sell Gold” button.

  • Patched OTP validation with a server‑side cryptographic nonce.

  • Enabled mandatory device fingerprinting for high‑value sells.

  • Added transaction velocity limits (₹2 lakh/day per account).
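The fixes listed above (a server‑side nonce for OTP validation, single‑use challenges, and the ₹2 lakh/day velocity limit) are shown here in an added Python example that addresses the weaknesses named earlier; it is not ABCD’s code, and the TTL, account identifiers and in‑memory stores are constructed assumptions:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed parameters (assumptions, not ABCD's settings); the daily cap is the ₹2 lakh/day limit named above.
OTP_TTL_SECONDS = 120
DAILY_SELL_LIMIT_INR = 200_000


@dataclass
class SellChallenge:
    account_id: str
    amount_inr: int
    otp: str          # delivered out-of-band (SMS/app), never echoed in the API response
    nonce: str        # server-generated, returned to the client, valid for one sale only
    issued_at: float
    used: bool = False


class SellGateway:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, SellChallenge] = {}  # nonce -> challenge
        self._sold_today: dict[str, int] = {}            # account_id -> INR sold today

    def issue_challenge(self, account_id: str, amount_inr: int) -> SellChallenge:
        # The nonce is minted here and bound to account and amount, so the sell step
        # cannot be satisfied by a client-supplied "OTP verified" flag or token.
        ch = SellChallenge(account_id, amount_inr,
                           otp=f"{secrets.randbelow(10**6):06d}",
                           nonce=secrets.token_urlsafe(32),
                           issued_at=self._clock())
        self._challenges[ch.nonce] = ch
        return ch

    def sell(self, account_id: str, amount_inr: int, nonce: str, otp: str) -> str:
        ch = self._challenges.get(nonce)
        if ch is None or ch.used:
            return "rejected: unknown or replayed challenge"
        if ch.account_id != account_id or ch.amount_inr != amount_inr:
            return "rejected: challenge not bound to this request"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            return "rejected: challenge expired"
        if not hmac.compare_digest(ch.otp, otp):
            return "rejected: wrong OTP"
        sold = self._sold_today.get(account_id, 0)
        if sold + amount_inr > DAILY_SELL_LIMIT_INR:
            return "rejected: daily sell limit exceeded"
        ch.used = True  # consume the nonce so it cannot authorise a second sale
        self._sold_today[account_id] = sold + amount_inr
        return "ok"
```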

Law‑Enforcement & Regulatory Steps

  • Filed an FIR under the Information Technology Act, 2000 and relevant IPC sections.

  • Informed CERT‑In and insurance underwriters; opened threat‑intel sharing with Razorpay.

Why Digital Gold Platforms Are Attractive Targets

| Factor | Risk for Attackers to Exploit |
|---|---|
| Instant Liquidity | Gold can be sold 24 × 7 and settled within minutes. |
| API‑Driven Architecture | Fintech APIs often prioritize speed over deep security. |
| High Retail Adoption | Millions of small wallets mean broad attack surface. |
| Regulation Catch‑Up | Digital bullion rules still maturing compared to banking. |

Lessons for Fintech and GoldTech Players

Strengthen API Security

  • Adopt OAuth 2.0 with short‑lived, signed tokens.

  • Enforce HMAC request signing to prevent tampering.
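HMAC request signing as recommended above, in an added Python example that is not ABCD’s or Razorpay’s code; the client id, shared secret and API path are constructed placeholders. It pairs the MAC with a timestamp window and a nonce cache, which is what turns “prevent tampering” into protection against the kind of token replay described in the OTP Bypass Workflow:

```python
import hashlib
import hmac
import json
import time

# Constructed values (assumptions, not any platform's real credentials or limits)
API_SECRETS = {"client-7f3a": b"constructed-shared-secret-for-demo"}
CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce) -> bytes:
    # Deterministic serialisation so client and server sign exactly the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{payload}".encode()


def sign_request(client_id, method, path, body, timestamp, nonce) -> str:
    msg = canonical_string(method, path, body, timestamp, nonce)
    return hmac.new(API_SECRETS[client_id], msg, hashlib.sha256).hexdigest()


class SignedRequestVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._seen: dict[str, int] = {}  # nonce -> timestamp, for replay detection

    def verify(self, client_id, method, path, body, timestamp, nonce, signature) -> str:
        secret = API_SECRETS.get(client_id)
        if secret is None:
            return "rejected: unknown client"
        # Short validity window: an intercepted request cannot be reused later.
        if abs(self._clock() - timestamp) > CLOCK_SKEW_SECONDS:
            return "rejected: timestamp outside window"
        if nonce in self._seen:
            return "rejected: replayed nonce"
        msg = canonical_string(method, path, body, timestamp, nonce)
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # Constant-time compare; any edit to path, amount or body changes the MAC.
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        self._seen[nonce] = timestamp
        # Drop nonces that have aged out of the window so the cache stays bounded.
        cutoff = self._clock() - CLOCK_SKEW_SECONDS
        self._seen = {n: ts for n, ts in self._seen.items() if ts >= cutoff}
        return "ok"
```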

Harden User Authentication

  • Shift from basic OTP to Step‑Up MFA (device biometrics + OTP).

  • Implement context‑aware risk scoring (geo‑velocity, time‑of‑day anomalies).

Build Real‑Time Fraud Analytics

  • Use machine‑learning models to flag unusual sell patterns.

  • Correlate Razorpay disbursements with on‑chain ledger entries.

Tighten Incident‑Response Playbooks

  • Conduct red‑team API penetration tests every quarter.

  • Maintain cyber insurance that explicitly covers digital assets.

Impact on Customers and Brand Trust

Despite swift remediation, the incident underscores a key challenge: consumer confidence. Digital gold remains popular for micro‑savings in India, but repeated breaches can spur user churn toward better‑secured rivals. Transparent breach disclosures—like ABCD’s real‑time updates—are vital for reputation management.

What Comes Next?

  • Forensic Deep Dive – ABCD’s SOC is reconstructing exact exploit chains.

  • Legal Pursuit – Mumbai cyber police and CERT‑In tracking money‑mule accounts.

  • Industry Wake‑Up Call – Other gold platforms likely to review OTP and API logic.

  • Regulatory Guidance – SEBI and RBI may issue fresh directives on digital commodity storage and transactional controls.

Conclusion

The ABCD breach proves that API‑level flaws—not just malware or phishing—pose critical risks to fintech ecosystems. As digital gold adoption soars, security‑by‑design and rapid incident response will separate trustworthy platforms from the rest.

Whether you’re a fintech architect, compliance officer, or everyday investor, remember: tokenized assets require token‑proof security at every API call.

FAQs

What happened to Aditya Birla Capital Digital on June 9, 2025?

Aditya Birla Capital Digital experienced a cyberattack that led to the theft of ₹1.95 crore in digital gold from 435 user accounts.

How much gold was stolen in the cyberattack?

₹1.95 crore worth of digital gold was illegally sold during the breach.

How did the hackers gain access?

The attackers exploited a vulnerability in the API to bypass OTP verification and sell digital gold.

Were user accounts restored after the breach?

Yes, all affected gold holdings were restored shortly after users reported the issue.

Is it safe to use ABCD’s digital gold services now?

Yes, the platform has patched vulnerabilities, restored services, and declared it secure.

What was the vulnerability exploited?

The attackers bypassed OTP authentication through a flaw in the backend API’s server‑side OTP validation.

Did ABCD suspend gold-selling temporarily?

Yes, gold-selling was suspended to prevent further damage and was resumed after fixes.

What steps were taken by ABCD after the breach?

They restored user assets, patched API flaws, filed an FIR, and involved CERT-In.

Which law enforcement is investigating the breach?

The Central Region Cyber Police is investigating, with support from CERT-In.

What role does Razorpay play in this ecosystem?

Razorpay processes the transactions for ABCD’s digital gold services.

Is Razorpay responsible for the breach?

There’s no public evidence of Razorpay’s systems being compromised.

Was customer money refunded?

Yes, digital gold holdings were re-credited to all affected customers.

Who reported the incident first?

The Free Press Journal was the first to report the breach.

What is CERT-In’s involvement?

CERT-In is providing cybersecurity assistance and forensic investigation support.

Were any customers financially impacted?

No permanent financial loss occurred; all holdings were returned.

What can users do to stay safe from similar breaches?

Enable 2FA, monitor accounts regularly, and use platforms with strong cybersecurity.

Could this happen again?

If platforms don’t address API security rigorously, similar incidents could recur.

What is an OTP bypass attack?

It’s when an attacker tricks a system into skipping the one-time password step in authentication.

What type of cyberattack was this?

It was a server-side API abuse attack exploiting poor authentication checks.

What is digital gold?

Digital gold is a way to buy, sell, or store real gold online through verified platforms.

Who regulates digital gold platforms in India?

Currently, they’re regulated under limited fintech norms, with SEBI and RBI stepping in.

Will this breach affect investor trust in digital gold?

Possibly, unless platforms significantly improve security and transparency.

Is ABCD working with cyber insurance providers?

Yes, they’re coordinating with cyber insurance firms for incident management.

Was the hacker identified?

As of now, no identity has been confirmed publicly.

What type of customers were affected?

Retail investors who bought or stored digital gold via ABCD’s platform.

Are such attacks common in fintech?

Yes, fintech platforms with weak APIs are common targets for cybercriminals.

Has ABCD faced cyberattacks before?

No major public attacks have been reported before this.

Will ABCD compensate for any loss of trust?

They have restored gold, hardened systems, and are actively communicating with users.

What should other fintech companies learn from this?

API security and real-time fraud monitoring must be top priorities.

Is investing in digital gold still safe?

Yes, if done via platforms with strong compliance, transparent architecture, and multi-layered security.