Swiggy Account Of Woman Hacked, Orders Worth Rs 97,000 Placed --Check Modus Operandi Used By Hackers

The accused Aniket Kalra (25) and Himanshu Kumar (23), used  ‘Interactive Voice Response (IVR) system as the modus operandi to hack people's Swiggy accounts, police said on Monday.

Swiggy Account Of Woman Hacked, Orders Worth Rs 97,000 Placed --Check Modus Operandi Used By Hackers

New Delhi: Two Haryana men, who allegedly duped people by hacking food and grocery delivery app Swiggy account, were arrested, a Delhi Police official said.

The accused Aniket Kalra (25) and Himanshu Kumar (23), used  ‘Interactive Voice Response (IVR) system to hack people's Swiggy accounts, police said on Monday.

After hacking the victim's account, the accused used to place grocery orders from their account and later sold the items at a lower price.

The accused were arrested when a woman from Sultanpur complained of being cheated of Rs 97,197 from her Lazy Pay account linked with the Swiggy account by some unidentified people.

The complainant received a call in the middle of the night from an Automated Telephony Interactive Voice Response (IVR) System in Pre-Recorded Voice Responses informing her that someone is attempting to access her Swiggy account. After, her Lazypay account which was linked with her Swiggy account was hacked and used to place online orders totalling Rs 97,197. This information was discovered through technical analysis of call details and financial transactions conducted during the investigation. 

“Further, CDR analysis of the calling number revealed that the mobile number from which the complainant received the call is an application-based generated number connected with IVR System. Simultaneously, details from Swiggy were obtained and it came to notice that the alleged orders were delivered in Gurugram,” said the Deputy Commissioner of Police (south) Ankit Chauhan.

The miscreants used mobile numbers registered on fake ownership to deliver the products. “The team worked on all the available aspects of the case. The efforts of the team bore fruits when during IMEI search, the location of the suspect was zeroed in Sector 7, Gurugram, Haryana,” said the DCP.

Modus Operandi Used By Hackers To Hack Into Swiggy Account

The police conducted raids and apprehended both Aniket and Himanshu. During interrogation, Aniket revealed that he had previously worked for Zomato and Swiggy as a delivery boy and the modus operandi these accused had used was to dupe people through IVR calling system.

“Thereafter, he started buying grocery items from online selling platforms at a lower price through offers and then used to sell them in the market, thus saving 5 per cent-10 percent on every order. Further, he along with co-accused Ansh, a resident of Punjab met on telegram and they both started duping people through IVR Calling system,” said the DCP.

Ansh has every detail of people who have linked their credit card/debit card/internet banking with their Swiggy account. “Ansh used to target victims by hacking their Swiggy account through pre-recorded voice responses and thereby accessing confidential data of victims. Then Aniket used to link a phone number registered on fake ownership with the Swiggy account of the victim and then used to place orders of Grocery items for as much amount as available in the account of the victim,” said the DCP.

To prevent any police action, they used to provide the random addresses of Gurugram to deliver the items. “Aniket and his friend Himanshu used to sell the grocery items in the local market at a discounted price and then used to send 50 percent profit to Ansh via cash depositing machines or various UPI Id’s,” said the DCP.

Himanshu, who has a medical shop in Gurugram, used to transfer the cheated amounts to various UPI IDs and accounts, and under the guise of the medical shop.

“Further investigation of the case is in progress to trace the co-accused and to link other cases,” the DCP added.

Meanwhile, Swiggy, reacting to the incident said, "This modus operandi is predominantly linked to Lazypay as a payment instrument and it has released a solution to delink user wallets and BNPL (Buy now pay later) accounts automatically on new device logins as well as contact number changes to prevent frauds. It is also in the process of scaling other security measures including 2 factor authentication."