Nepal Police's Central Investigation Bureau (CIB) has confirmed a coordinated, long-running compromise of the Public Procurement Monitoring Office (PPMO) electronic bidding platform, used to manipulate government contract awards. Investigators say an organised network deployed phishing portals, harvested confidential bid data, and altered financial figures mid-process, charging contractors Rs 8 to 9 million per rigged tender, often paid in cryptocurrency. More than a dozen suspects have been detained, and the Asian Development Bank has halted certain procurement activities after spotting irregularities.

What Happened

According to CIB investigators, attackers stood up counterfeit versions of the official PPMO procurement portal to lure contractors into submitting bids through look-alike sites. Confidential data captured from these fake portals, combined with unauthorised access to the live bidding system, allowed the group to view competitor offers and, in some cases, alter financial figures before official bid openings, despite rules that prohibit modification of submitted bids. The alleged ringleader, Diwakar Deuja, has prior convictions for hacking Nepal Telecom's servers and is accused of also distributing login credentials to expand access to the system. Contractors were then approached over Gmail and WhatsApp with competitor bid intelligence and offers to "manage" tenders for a fee.

What Was Taken

The intrusion exposed highly sensitive procurement data tied to active government tenders, including:

Investigators believe bid values in certain contracts were adjusted by three to five percent, translating to losses worth millions of rupees on individual awards.

Why It Matters

This case is a textbook example of cyber-enabled procurement fraud against critical government infrastructure. Beyond the direct financial damage, the incident undermines the integrity of Nepal's public spending pipeline, including donor-funded projects: the Asian Development Bank has already paused some procurement activity after detecting irregularities. Contractors named in the probe include Bikram Pandey of Kalika Construction, Rishikesh Gauli linked to ADB-funded projects, and Prakash Dhungana of Kalpabriksha Construction. For defenders, this is a reminder that e-procurement, e-tax, and e-customs platforms are high-value targets where a single insider or credential leak can convert into systemic corruption and sanctioned-vendor risk for international partners.

The Attack Technique

The operation combined classic phishing infrastructure with insider-style platform abuse:

  1. Look-alike portals. Attackers cloned the official PPMO bidding site and lured users into submitting bid documents and credentials to attacker-controlled domains.
  2. Credential distribution. The ringleader allegedly handed out valid logins to co-conspirators, enabling persistent unauthorised access to the genuine system.
  3. Pre-opening data access. Using harvested and stolen credentials, the group viewed sealed bid information and reportedly altered financial figures before official bid opening, bypassing the platform's immutability controls.
  4. Out-of-band monetisation. Targeted contractors were contacted via Gmail and WhatsApp, offered competitor bid intel, and charged Rs 8 to 9 million per "managed" tender, with payments routed through cryptocurrency to obscure the trail.

The combination of phishing, credential abuse, and weak server-side enforcement of bid immutability is what allowed a relatively small group to systematically rig outcomes.
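What server-side enforcement of bid immutability can look like, as an added illustration that is not part of the original report and not the PPMO platform's own design: bidders submit a hash commitment (SHA-256 over the amount and a secret nonce they keep), the platform appends each commitment to a hash-chained ledger, and at opening the revealed amount is checked against the commitment. A stored record that is edited after submission breaks the chain, and a changed amount no longer matches the bidder's commitment. All names, tender identifiers and amounts below are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Entry:
    """One sealed submission: the platform never stores the amount itself."""
    tender_id: str
    bidder: str
    commitment: str   # SHA-256(amount || nonce), computed by the bidder
    prev_hash: str    # entry_hash of the previous record (hash chain)
    entry_hash: str


def _hash_entry(tender_id: str, bidder: str, commitment: str, prev_hash: str) -> str:
    payload = json.dumps([tender_id, bidder, commitment, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def make_commitment(amount_npr: int, nonce: bytes) -> str:
    # The nonce keeps the committed amount unguessable by anyone reading the ledger.
    return hashlib.sha256(f"{amount_npr}:".encode() + nonce).hexdigest()


class SealedBidLedger:
    """Append-only ledger of bid commitments (hypothetical example class)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def submit(self, tender_id: str, bidder: str, commitment: str) -> str:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        h = _hash_entry(tender_id, bidder, commitment, prev)
        self.entries.append(Entry(tender_id, bidder, commitment, prev, h))
        return h

    def verify_chain(self) -> int:
        """Return the index of the first tampered or unlinked record, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            recomputed = _hash_entry(e.tender_id, e.bidder, e.commitment, e.prev_hash)
            if e.prev_hash != prev or recomputed != e.entry_hash:
                return i
            prev = e.entry_hash
        return -1

    def open_bid(self, tender_id: str, bidder: str, amount_npr: int, nonce: bytes) -> bool:
        """At bid opening the revealed amount must reproduce the stored commitment."""
        for e in self.entries:
            if e.tender_id == tender_id and e.bidder == bidder:
                return hmac.compare_digest(e.commitment, make_commitment(amount_npr, nonce))
        return False


def demo() -> dict:
    """Constructed scenario: two bidders, then an after-the-fact edit of a stored record."""
    ledger = SealedBidLedger()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    ledger.submit("TENDER-001", "AlphaCo", make_commitment(4_800_000, nonce_a))
    ledger.submit("TENDER-001", "BetaBuild", make_commitment(5_000_000, nonce_b))

    intact_before = ledger.verify_chain()                                # -1
    reveal_ok = ledger.open_bid("TENDER-001", "AlphaCo", 4_800_000, nonce_a)   # True
    reveal_wrong = ledger.open_bid("TENDER-001", "AlphaCo", 4_656_000, nonce_a)  # False

    # Simulate an operator editing BetaBuild's stored commitment in place.
    ledger.entries[1].commitment = make_commitment(4_700_000, secrets.token_bytes(16))
    broken_at = ledger.verify_chain()                                    # 1
    return {"intact_before": intact_before, "reveal_ok": reveal_ok,
            "reveal_wrong": reveal_wrong, "broken_at": broken_at}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that records were not altered after they were linked; an attacker with full write access could rewrite the whole chain from some point onward. Publishing the latest entry hash to an external, independently controlled store (a signed timestamp, a notary, or a partner such as the funding agency) at regular intervals closes that gap, and the bidder-held nonce means no server-side party can change an amount and still pass the opening check.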

What Organizations Should Do

Government agencies and operators of e-procurement, e-tendering, and other high-value transactional platforms should treat this case as a wake-up call:

  1. Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all administrative and bidder accounts; assume password-only access will be phished or shared.
  2. Hunt for look-alike domains of your procurement, tax, and licensing portals using certificate transparency feeds and brand-monitoring services, and submit takedowns aggressively.
  3. Cryptographically seal submitted bids with append-only logging, hash chains, or signed timestamps so that any post-submission modification is detectable and attributable.
  4. Audit privileged access to bidding databases: review who can read sealed bids before opening, log every access, and alert on out-of-window queries.
  5. Watch for collusion signals such as repeated near-miss losses, narrow undercutting margins (three to five percent), and bidders consistently winning against the same competitors.
  6. Build a contractor reporting channel so vendors approached over Gmail, WhatsApp, or Telegram with insider bid information can report attempts without fear of disqualification.
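The collusion signals in point 5 can be computed directly from award records. The following is an added example, not code from the original report or from any procurement platform: for each tender it takes the lowest bid as the winner, computes the undercut margin against the runner-up, and flags winner/runner-up pairs that recur with a margin inside the three-to-five-percent band the investigators described. Bidder names, tender identifiers and amounts are constructed for the example; the thresholds are parameters an analyst would tune.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    tender_id: str
    bidder: str
    amount_npr: int


def winners_and_margins(bids: list[Bid]) -> dict[str, tuple[str, str, float]]:
    """Per tender: (winner, runner_up, margin) with margin = (runner_up - winner) / runner_up."""
    by_tender: dict[str, list[Bid]] = defaultdict(list)
    for b in bids:
        by_tender[b.tender_id].append(b)
    result = {}
    for tender_id, tender_bids in by_tender.items():
        if len(tender_bids) < 2:
            continue  # a single bid has no runner-up to compare against
        ranked = sorted(tender_bids, key=lambda b: b.amount_npr)
        winner, runner_up = ranked[0], ranked[1]
        margin = (runner_up.amount_npr - winner.amount_npr) / runner_up.amount_npr
        result[tender_id] = (winner.bidder, runner_up.bidder, margin)
    return result


def flag_collusion(bids: list[Bid], lo: float = 0.03, hi: float = 0.05,
                   min_repeats: int = 3) -> dict[tuple[str, str], int]:
    """Return winner/runner-up pairs seen at least min_repeats times with margin in [lo, hi]."""
    pair_hits: Counter = Counter()
    for _, (winner, runner_up, margin) in winners_and_margins(bids).items():
        if lo <= margin <= hi:
            pair_hits[(winner, runner_up)] += 1
    return {pair: n for pair, n in pair_hits.items() if n >= min_repeats}


# Constructed sample: AlphaCo beats BetaBuild by exactly 4% three times,
# by 20% once, and an unrelated pair appears once at 3%.
SAMPLE_BIDS = [
    Bid("T-001", "AlphaCo", 96_000_000), Bid("T-001", "BetaBuild", 100_000_000),
    Bid("T-002", "AlphaCo", 960_000_000), Bid("T-002", "BetaBuild", 1_000_000_000),
    Bid("T-003", "AlphaCo", 480_000_000), Bid("T-003", "BetaBuild", 500_000_000),
    Bid("T-004", "AlphaCo", 80_000_000), Bid("T-004", "BetaBuild", 100_000_000),
    Bid("T-005", "GammaWorks", 97_000_000), Bid("T-005", "DeltaInfra", 100_000_000),
    Bid("T-006", "SoloBidder", 50_000_000),
]


if __name__ == "__main__":
    for tender_id, (w, r, m) in sorted(winners_and_margins(SAMPLE_BIDS).items()):
        print(f"{tender_id}: {w} beat {r} by {m:.1%}")
    print("flagged:", flag_collusion(SAMPLE_BIDS))
```

On the sample data only the AlphaCo/BetaBuild pairing is flagged (three awards at a 4% margin); the 20% award and the single GammaWorks/DeltaInfra hit fall outside the repeat threshold. A flag is a lead for the audit and access-log review in point 4, not proof of wrongdoing.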

Sources: CIB uncovers coordinated hacking of public procurement system - Peoples' Review