Cyber Incident Victim: Domino's Pizza

Date: Dec 2016

Location: India

Summary

A group of four hackers was arrested for manipulating payment gateway vulnerabilities to fraudulently obtain e-commerce vouchers, including from Domino's Pizza, by altering transaction values during processing. They exploited weaknesses in the PayU payment system to purchase vouchers worth millions at drastically reduced prices, using counterfeit credit cards and specialized hacking tools. The perpetrators targeted multiple online platforms, converting stolen vouchers into high-value goods and services while projecting a lavish lifestyle. Law enforcement identified the suspects through digital footprints linked to purchased devices and social media activity, leading to their apprehension following a complaint by the voucher platform administrator regarding substantial financial losses.

Description

In late December 2016, representatives from gyftr.com—an e-commerce platform facilitating voucher sales—reported a fraud case to Delhi’s Hauz Khas police. The complaint detailed unauthorized voucher acquisitions worth ₹92 lakh (approximately $138,000 USD at the time) between November and December 2016. Investigations revealed a group of four hackers, led by 18-year-old BTech dropout Sunny Nehra, had exploited vulnerabilities in the PayU payment gateway. Nehra, alongside associates (including two other 18-year-olds—one engineering student and one Delhi University BCA student), had collaborated with international hackers from the Netherlands and Indonesia to refine their techniques. They used high-end equipment, including a Dell laptop with 256GB RAM configured for hacking suites, and obtained credit/debit cards via fake documents to initiate transactions.

The attackers targeted gyftr.com by selecting vouchers for platforms like Domino's Pizza, MakeMyTrip, Flipkart, and Amazon. During payment processing via PayU, they canceled transactions at the “do not refresh” stage, freezing the page to manipulate values using decoded source code. For instance, a ₹5,000 voucher’s value was altered to ₹1 before completing the payment. The acquired vouchers funded luxury purchases (e.g., iPhones, iPads) and extravagant activities, including renting Mercedes/BMW vehicles. Gyftr.com detected discrepancies and alerted police on December 30, 2016. A special police team traced device IP addresses to Nehra’s Facebook profile, locating him at a Gurgaon five-star hotel in January 2017. His arrest led to the apprehension of three accomplices. The cybercrime unit confirmed this was Delhi’s first recorded case of large-scale “digital shoplifting” via payment gateway tampering, with losses solely impacting gyftr.com and the redeeming e-commerce platforms.
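The ₹5,000-to-₹1 alteration described above succeeds only if the merchant releases the voucher without comparing the amount actually paid against its own order record. The following is an added example of that server-side reconciliation, not code from gyftr.com, PayU, or the original page; the field names, signing scheme, key, and order data are assumptions constructed for illustration and do not reflect PayU's real callback format.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample data: shared secret and merchant-side order table.
MERCHANT_KEY = b"constructed-demo-secret"
ORDERS = {"ORD-1001": {"amount": Decimal("5000.00"), "fulfilled": False}}


def sign(order_id: str, amount: Decimal, status: str) -> str:
    """HMAC over the fields that must not change in transit (hypothetical scheme)."""
    msg = f"{order_id}|{amount:.2f}|{status}".encode()
    return hmac.new(MERCHANT_KEY, msg, hashlib.sha256).hexdigest()


def verify_callback(cb: dict) -> tuple[bool, str]:
    """Decide whether a gateway callback may release the voucher."""
    order = ORDERS.get(cb.get("order_id"))
    if order is None:
        return False, "unknown order"
    try:
        paid = Decimal(str(cb["amount"]))
    except (KeyError, ArithmeticError):
        return False, "malformed amount"
    status = str(cb.get("status", ""))
    expected = sign(cb["order_id"], paid, status).encode()
    if not hmac.compare_digest(expected, str(cb.get("signature", "")).encode()):
        return False, "bad signature"
    if status != "success":
        return False, "payment not successful"
    # The price comes from the server's own record, never from a value
    # that passed through the browser during checkout.
    if paid != order["amount"]:
        return False, "amount mismatch"
    if order["fulfilled"]:
        return False, "already fulfilled"
    order["fulfilled"] = True
    return True, "release voucher"


if __name__ == "__main__":
    # Constructed callback: gateway genuinely charged 1.00 and signed it.
    tampered = {"order_id": "ORD-1001", "amount": "1.00", "status": "success"}
    tampered["signature"] = sign("ORD-1001", Decimal("1.00"), "success")
    print(verify_callback(tampered))  # rejected: amount mismatch
```

A validly signed callback for ₹1 is still refused, because the signature only proves what the gateway charged, not that the charge matches the order.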
