Former Minister Bikram Pandey Among Defendants in Multi-Billion Rupee e-GP System Hacking and Manipulation Case
बैशाख २९, २०८३ २०:२२
Kathmandu. The hacking of the Public Procurement Monitoring Office’s (PPMO) electronic Government Procurement (e-GP) system, which allegedly manipulated contracts worth billions of rupees, has raised serious concerns over Nepal’s digital security infrastructure. The incident came to light after unauthorized access was detected in the system, even after bid submission deadlines had closed, with changes reportedly made to contract amounts and discount rates.
According to the Nepal Police investigation, a coordinated network involving government employees, construction entrepreneurs, and intermediaries was involved in the cyber intrusion. Following the investigation, the Office of the Government Attorney in Kathmandu filed a charge sheet at the Kathmandu District Court on Friday. Among the defendants are former minister and construction businessman Bikram Pandey, 70-year-old construction entrepreneur Rishikesh Gauli, government employee Diwakar Deuja, and 22 others. The case has been scheduled for a “hearing soon” by Judge Chunaram Khadka.
How did the incident surface?
The case was exposed after IMS Software Pvt. Ltd., the company responsible for managing the e-GP system server, lodged a complaint with the Cyber Bureau alleging unauthorized access to its cloud infrastructure. In a complaint filed on 11 February, 2026, Keshav Aryal, head of administration and finance at the company, stated that suspicious activity and unauthorized access were detected in a VPS server used for testing on the cloud platform of Data Hub Pvt. Ltd. The complaint included IP addresses and screenshots as evidence.
Preliminary police investigations revealed that attackers used Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) tools to access the system. They allegedly altered the “web users” database table to gain administrative privileges and subsequently accessed the PPMO server. Investigators found that financial response documents were modified even after the bid submission deadline had passed.
Further technical analysis traced the unauthorized access to an internet connection registered under Nepal Telecom. The connection was installed at a residence in Dhankuta where Diwakar Deuja, a computer operator at the Intensive Urban and Building Construction Project, was residing.
Method of Cyber Attack and Use of Cryptocurrency
Police findings indicate that the group used advanced digital techniques to exploit contractors, including the use of cryptocurrency to avoid banking channels. After gaining access, the attackers reportedly created a fake email address “[email protected]” and used WhatsApp number “9828861556”, impersonating a PPMO employee named “Jeevan Limbu.”
Through these channels, they allegedly contacted construction businessmen as “Jeewan Limbu”, claiming their bids were ranked second or third and offering to manipulate the system in exchange for money.
The charge sheet states that Bitcoin was used for transactions to avoid detection. For instance, Sanjay Bhatta, operator of “Soli Thumka Construction Services,” allegedly transferred Bitcoin equivalent to Rs 2.3 million to the impersonated “Jeevan Limbu” to secure a contract. The funds were reportedly converted into US dollars through Paras Ratna Tuladhar Dhakwa in the United States, based on coordination with Bhaskar Raj Aryal, Bhatta’s brother-in-law, and then deposited into the hacker’s Bitcoin wallet. The equivalent Nepali rupees were later transferred to Dhakwa’s mother in Nepal via banking channels.
Investigators also found that the mobile number used in the operation was registered under the name of Bharat Dhami.
Statement of the main defendant, Diwakar Deuja
Computer operator Diwakar Deuja, identified as a key technical figure in the case, has denied all allegations. In his statement to police, he said he only has basic technical knowledge and lacks the expertise to hack servers.
“I have been working at the Dhankuta office since 2019. I have already submitted the office laptop. I have not accessed the IMS server without authorization. I only have basic knowledge of programming and databases,” Deuja stated, adding that even if his IP address appeared in logs, it could have been misused by others.
Diwakar Deuja, considered the chief technical planner and a computer operator, has denied the allegations. In his statement to the police, he claimed that he has only basic technical knowledge and cannot hack servers.
Statement of Sanjay Bhatta and the facilitator
Contractor Sanjay Bhatta admitted to transferring funds in Bitcoin but claimed he was unaware of any hacking activity. He said he believed he was dealing with PPMO officials and was motivated by the prospect of securing a contract.
Bhatta stated:
“I received an email claiming the sender was a PPMO employee and that my bid was close to second position. They said they could adjust the contract for over two crore rupees. Initially, I ignored it, but later they sent a link showing the PPMO dashboard, which made it seem authentic. They demanded Rs 5.6 million. We finally agreed on Rs 4.5 million to be paid in Bitcoin. With help from my brother-in-law Bhaskar Aryal and a friend in the United States, I sent Bitcoin worth Rs 2.3 million in two installments. I knew it was illegal, but I still paid to secure the contract.”
Bhaskar Raj Aryal, who facilitated the transaction, stated he acted only upon his brother-in-law’s request. He said he contacted his friend Paras Dhakwal in the U.S. to transfer Bitcoin worth Rs 2.3 million, which was later paid to Dhakwal’s mother in Nepal through banking channels. Aryal claimed he was unaware the payment was linked to any contract manipulation or illegal activity.
Similarly, Bharat Dhami, whose name the SIM card was registered under, denied involvement, stating that he had given the SIM to his mother and sister during the lockdown and later lost track of it.
Statement of Former Minister Bikram Pandey and Other Construction Entrepreneurs
16 construction entrepreneurs, including Kalika Construction director and former minister of the Rastriya Prajatantra Party (RPP) Bikram Pandey, have also been named as defendants. Investigations show that contract values associated with Kalika Construction were allegedly reduced from Rs 675.1 million to Rs 605.4 million. However, Pandey has strongly denied any involvement.
“We have been recognized for quality work by institutions like the Asian Development Bank. Our company has a clean record. No bid was altered with any concession from our side. This appears to be an attempt by a criminal group to defame us. I am not aware how our name was linked to this case,” Pandey stated, adding that he never received any emails or WhatsApp messages related to the alleged hacking.
Rishikesh Gauli, director of Aashish Construction Services, also denied involvement, saying he neither sent money nor knew who accessed his bid. “After submission, the PPMO system locks automatically. I have no idea how someone accessed or modified the financial proposal,” he said.
Prakash Dhungana of Kalpabriksha Builders stated that his company’s bid reduction from 21 percent to 24 percent was done internally through the system and not through any external interference. He denied any unauthorized access.
Sagar Kutuwal of Kutuwal Construction said he received messages and a Bitcoin QR code demanding advance payment between Rs 500,000 and Rs 1 million, but claimed he did not make any payment. Other contractors, including Anil Shrestha, Tank Kumar Shrestha, and Amrit Bohora, also denied knowledge of any unauthorized alterations.
Police findings and legal action
The Central Investigation Bureau and Cyber Bureau concluded that the incident was a highly organized and technically sophisticated cybercrime. Investigators stated that the group led by Diwakar Deuja compromised the confidentiality and integrity of Nepal’s public procurement system.
Evidence presented in court includes digital forensic reports, recovered data from seized devices, ISP logs, and detailed Bitcoin transaction records.
Police have categorized the accused into four groups: Diwakar Deuja as the technical operator who accessed and altered the system; an unidentified “Jeevan Limbu” as the communications handler who negotiated with contractors; Bhaskar Raj Aryal as the financial intermediary handling cryptocurrency transactions; and contractors, including Sanjay Bhatta, as beneficiaries who sought to manipulate procurement contracts.
Charges have been filed under Sections 45 and 46 of the Electronic Transactions Act, 2063, relevant provisions of the Muluki Criminal Code, 2074, concerning cryptocurrency-related offenses, and the Organized Crime Control Act, 2070. For government employees, additional penalties and compensation for losses incurred by the PPMO have also been sought.
पछिल्लो अध्यावधिक: बैशाख २९, २०८३ २०:२२
