In the Karnataka case involving a bid to illegally delete voter names, the system to bypass transmission of One Time Passwords to real phone numbers, while registering for online services of the Election Commission, was created using “virtual SIM cards” from a US-based website, SMSAlert.
An SIT of the Karnataka CID, which is probing the attempts at deletion of names of 5,994 voters in the Aland Assembly constituency in Kalaburagi in the 2022-23 period, has found this.
The use of the services of SMSAlert, which has a domain name registered in Delaware, was uncovered following the arrest of Bapi Adya, 27, by the SIT on November 13 from Ghuguragachhi-Hanskhali region of the Nadia district of West Bengal, sources said. Adya was the first person arrested in the case.
The SIT will send a request to US authorities under the Mutual Legal Assistance Treaty for information on the US website, sources said.
The SIT has reportedly found that SMSAlert – which sells OTPs as a service – harvested OTPs using “virtual SIMs” for 72 random but real numbers in India, and passed them onto a website called OTPbazaar.com operated by Adya in India. He in turn allegedly passed on the numbers and the OTPs to the data centre in Kalaburagi which had been used as a base to gain illegal access to EC services.
The Aland case figured in the “vote chori” allegations made by Congress leader Rahul Gandhi in September.
The SIT has also found that ₹700 was deducted from the bank account of the Kalaburagi data centre operator for every OTP provided by OTPbazaar.com.
Story continues below this ad
An ‘Application Programming Interface (API)’ connected OTPbazaar.com with SMSAlert, and OTPs generated for EC sites were provided to the data centre in real time to allegedly initiate multiple voter deletion requests.
“It was not hacking of EC online services but a subversion of the telecom system by creating virtual SIMs for actual numbers. The OTPs were sent to both the original holder of the phone number and the virtual SIMs created by SMSAlert. The original owners did not know why they received the EC OTPs,” sources said.
Officials said that Adya converted the money he received from the data centre – ₹700 for every OTP – in his Indusind Bank account, to a crypto currency wallet and made payments to SMSAlert after retaining a small commission. The crypto wallet of Adya, which has been found by the SIT, reportedly did not contain a large amount of money.
Adya, who earlier ran a mobile phone repair store, was allegedly constantly online, which is how he discovered SMSAlert. For a small commission, he then marketed it in India after installing an interface on his own website to access SMSAlert.
Story continues below this ad
On Wednesday, Adya was remanded to judicial custody, at the end of 14 days of SIT custody.
The SIT probe has found that BJP leaders hired the services of the Kalaburagi data centre, whose operators in turn found the online service offered by OTPBazaar.
Incidentally, after Gandhi raised the issue of Aland vote deletion attempts, the EC introduced an Aadhaar-enabled OTP authentication system to access its online services. The previous EC registration system was purely based on OTPs sent to a phone number at the time of registration on the ECI site, which was misused in the Aland case.
The Aland illegal vote deletions case was first registered in February 2023, before the Assembly elections in the state, when the BJP was in power. It gained traction after Gandhi raised it at a press conference on September 18.
Story continues below this ad
Two days later, the SIT was set up, with earlier investigations by the Kalaburagi police having not made much progress.
The SIT has found that the OTPs generated were sent to as many as 72 phone numbers registered with the EC – ahead of placing requests in the names of hundreds of voters for the deletion of 5,994 names, between December 2022 and February 2023, when a summary revision of voter lists in Karnataka was underway. The 72 phone numbers belonged to individuals located in 17 states, who were unaware of the misuse of their numbers to access the EC services, police sources said.
Over 3,000 random phone numbers were put down for deletion requests for 5,994 voters of Aland, once the EC web services had been accessed with “OTP bypass”.
In October, the SIT conducted searches on the Kalaburagi data centre operators, identified as Md Akram, Ashfaq and three others, as well as the BJP’s Anand candidate in the 2023 polls, Subhash Guttedar, and his associates. The SIT probe found that the data centre operators received ₹80 for every illegal voter deletion request placed with the EC.
Story continues below this ad
Sources indicated that the services of the data centre for the illegal deletion and addition of voter names were used by multiple candidates in the Kalaburagi region in the run-up to the 2023 elections, especially in minority-dominated constituencies.