Cyber Incident Victim: Myntra
Date: Dec 2016
Location: India
Summary
Hackers exploited a payment gateway vulnerability to manipulate transaction data during voucher purchases, fraudulently acquiring vouchers worth ₹92 lakh from an e-commerce platform. The fraud affected multiple companies, including Myntra. The group, led by a technically skilled individual with international hacking connections, used falsified payment details and specialized software to alter voucher values at the payment processing stage, then redeemed the vouchers for high-value goods and services. Law enforcement traced the perpetrators through digital footprints linked to purchased devices and social media activity, leading to their arrest after the victim platform reported substantial financial losses.
Description
On December 30, 2016, representatives of gyftr.com, an e-commerce voucher administration platform, reported a fraud case to Delhi’s Hauz Khas police involving manipulated voucher transactions totaling ₹92 lakh (approximately $138,000 USD at the time). The perpetrators exploited vulnerabilities in the PayU payment gateway during voucher purchases on gyftr.com, which provided vouchers redeemable at major platforms including Myntra, Flipkart, Amazon, MakeMyTrip, Domino's Pizza, and Shoppers Stop. The group, led by 18-year-old BTech dropout Sunny Nehra, included three accomplices (two fellow BTech dropouts and a Delhi University BCA student), all trained in hacking techniques. They collaborated with international hackers from the Netherlands and Indonesia and utilized specialized software alongside a high-performance Dell laptop with 256GB RAM configured for hacking suites.

The attackers initiated fraudulent transactions by purchasing e-vouchers using credit/debit cards acquired through fake documents. During payment processing via PayU, they canceled transactions at the critical "do not refresh" stage to freeze the page, then altered payment parameters using pre-decoded source code. For instance, a ₹5,000 voucher payment was modified to ₹1 before completion. This manipulation allowed them to acquire high-value vouchers illegitimately, which they used to purchase luxury goods like iPhones and iPads or services while gyftr.com absorbed the financial loss. Police traced the IP addresses of devices bought with the vouchers, leading to Nehra’s Facebook profile. He was apprehended at a Gurgaon five-star hotel in January 2017, and his associates were subsequently arrested. The group funded a lavish lifestyle, renting luxury cars like Mercedes and BMWs and selling discounted electronics to peers via social media. Delhi Police described this as the city’s first major digital shoplifting case involving payment gateway exploitation.
