For early-stage D2C founders, the incident highlights the importance of access control, backend permissions management, and audit tracking—especially in high-growth e-commerce environments.
Gully Labs, a Shark Tank India-backed sneaker startup, reportedly lost ₹2 lakh after a customer support employee exploited a backend promo code loophole to generate 100% discount orders.
A Shark Tank Success Story Hits a Costly Snag
Gully Labs, the sneaker brand that famously scored a huge deal with Aman Gupta on Shark Tank India, recently had to navigate a massive internal betrayal. What seemed like a routine business move ended up teaching the founders a painful lesson that cost them right around ₹2 lakh.
How the ₹2 Lakh Fraud Happened
The trouble started innocently enough when the company brought on a new customer support representative. In the e-commerce world, you typically hand these reps just enough backend access to issue small 10% or 20% apology discounts, which is a standard tactic to pacify angry shoppers and prevent negative reviews.
This particular employee, however, decided to completely flip the script. He snooped around the company’s admin dashboard until he uncovered a hidden loophole that let him generate custom promo codes for a full 100% off. Because these codes completely wiped out the shopping cart balance, the backend system automatically signalled to the warehouse team that the orders were fully paid. Unaware of the scam, the fulfilment crew simply packed the boxes, allowing the new hire to ship out about ₹2 lakh worth of brand-new sneakers to himself, his friends, and his relatives—all within his first week on the job.
Legal Fallout: When the Employee Sent Notices
The moment the stolen merchandise was dispatched from the facility, the employee abruptly handed in his resignation and disappeared. It didn’t take long for the founders to uncover the theft and track him down to demand their inventory back.
While he did return roughly half of the sneakers, he casually mentioned that the rest were either already worn out or simply “lost”. The real shocker? Instead of showing any remorse, the former employee actually retaliated by sending legal notices to the startup. His defence was that the company was “harassing” him by attempting to recover the stolen goods.
Key Security Lessons for Startups
When one of the co-founders shared the frustrating ordeal online, it immediately struck a chord with the wider entrepreneurial community. It perfectly captures one of the most heartbreaking realities of building a business: founders often strive to create a relaxed, high trust work culture, only to have a single bad actor exploit it so severely that they are forced to lock down their internal systems like Fort Knox.
What happened to Gully Labs after Shark Tank?
Gully Labs, a Shark Tank India-backed sneaker startup, reportedly lost ₹2 lakh after an employee misused backend access to generate 100% discount promo codes.
How did the Gully Labs fraud happen?
The employee allegedly exploited a backend loophole that allowed full-discount codes, which triggered warehouse fulfillment without payment.
What can startups learn from the Gully Labs case?
Startups should implement strict access controls, monitor backend permissions, and enable audit trails to prevent internal fraud.
