Ahmedabad: A major cyber fraud amounting to Rs 7.34 crore has been detected at the Bhavnagar District Co-operative Bank, where a loophole in banking software was allegedly exploited to siphon off funds. The Cyber Centre of Excellence of CID Crime has arrested four accused, three from Ahmedabad and one from Mumbai, in connection with the case.

The arrested individuals have been identified as Adnan Sheikh (24) from Fatewadi, Rubina Sheikh (31) from Vasna, Sushilkumar Meghwal (32) from Rakhial, and Kishor Pardeshi (43), a home guard jawan from Mulund West in Mumbai.

According to investigators, the accused manipulated a vulnerability in the bank’s software to generate a fictitious balance and channel funds through multiple bank accounts. The probe has indicated possible links to a wider, multi-state cybercrime network. So far, authorities have managed to freeze over Rs 2 crore.

The case surfaced in 2026 after a hacking complaint related to the bank’s system was registered at the Cyber Centre of Excellence. During the investigation, police found that the accused had arranged numerous bank accounts to receive and route the defrauded money. Examination of their mobile phones revealed details of 42 additional bank accounts connected to the operation.

Further scrutiny through the national cybercrime portal suggested that the accused may be linked to more than 15 cybercrime cases across India, collectively involving around Rs 4 crore. These cases span several states, including Karnataka (five cases); Gujarat, Uttar Pradesh, and Haryana (two each); and Andhra Pradesh, Tamil Nadu, Punjab, and Maharashtra (one each).

Investigators said the group specifically targeted four dormant accounts in the Bhavnagar bank. They allegedly replaced the registered mobile numbers with ones under their control and created a virtual balance of approximately Rs 7.35 crore, closely matching the detected fraud amount.

Police said the accused exploited a flaw in the bank’s core banking system, a vulnerability that is suspected to have impacted 14–15 banks nationwide. The siphoned funds were subsequently transferred into 135 different bank accounts and distributed to evade detection.

Authorities believe the accused also obtained bank accounts from individuals on rent by offering money, using them as conduits to move illicit funds.

So far, Rs 2.04 crore has been frozen. Police have cautioned the public against renting out bank accounts, ATM cards, cheque books, or SIM cards, and advised victims to report cyber fraud immediately via helpline 1930, ideally within the first hour, to improve chances of recovery. DeshGujarat