7 June 2023

A Confession Exposes India’s Secret Hacking Industry


In the summer of 2020, Jonas Rey, a private investigator in Geneva, got a call from a client with a hunch. The client, the British law firm Burlingtons, represented an Iranian-born American entrepreneur, Farhad Azima, who believed that someone had hacked his e-mail account. Azima had recently helped expose sanctions-busting by Iran, so Iranian hackers were likely suspects. But the Citizen Lab, a research center at the University of Toronto, had just released a report concluding “with high confidence” that scores of cyberattacks on journalists, environmentalists, and financiers had been orchestrated by BellTroX, a company, based in New Delhi, that was running a giant hacking-for-hire enterprise. The operation had targeted numerous Americans. Burlingtons wondered: could Rey try to find out if Azima had been another BellTroX victim? He said yes.

Researchers at Citizen Lab had learned of BellTroX’s activities from someone that the company had tried to trick with “spear phishing”—sending a bogus message to trick a recipient into providing access to personal data. Citizen Lab spent three years investigating BellTroX, including by analyzing Web sites used to shorten and disguise phishing links, combing through social-media accounts of BellTroX’s employees, and contacting victims. Reuters, in coördination with Citizen Lab, published an exposé on BellTroX the same day as the report. But BellTroX’s owner denied any wrongdoing, the Indian authorities never publicly responded to the allegations, and the accusations remained unconfirmed.

Rey’s investigation into the Azima case shed new light not only on BellTroX but also on several other outfits like it, establishing beyond dispute that India is home to a vast and thriving cyberattack industry. Last year, Rey secured the first detailed confession from a participant in a hacking-for-hire operation. In court papers, an Indian hacker admitted that he had infiltrated Azima’s e-mail account—as had employees at another firm. Moreover, there were countless other Indian hackers for hire, whose work was often interconnected. John Scott-Railton, a senior researcher at Citizen Lab, who helped lead the BellTroX investigation, told me that the admissions Rey obtained are “huge” and “move the whole conversation forward.” He added, “You know how in some industries, everybody ‘knows a guy’ who can do a certain thing? Well, in hacking for hire, India is ‘the guy.’ They are just so prolific.”

Rey, whose firm is called Athena Intelligence, recently met with me at a Geneva coffeehouse. Over espresso, Rey, who has short black hair and a neatly trimmed beard, told me that he is not a programmer himself. But, when Burlingtons hired him to look into whether an Indian company had hacked Azima, he remembered hearing that, about a decade earlier, private intelligence firms across Europe had been approached by an Indian entrepreneur named Rajat Khare, who ran a company called Appin Security. “From what I have learned in this investigation, he e-mailed everybody,” Rey told me. Khare had pitched what he called “ethical hacking.” An Appin slide presentation, which was later published by Reuters, promised that the company could obtain “information that you imagine and also one that you didn’t imagine.” Some examples: “Get remote access to Email, Computers, Websites, devices which are not accessible. Collect confidential Information/Evidences and give your customers real satisfaction.”

“Everyone’s hackable,” one slide promised. The company charged twenty-five hundred dollars for a month of work by a single hacker, and the presentation said that it had taken less than two weeks for Appin to obtain confidential e-mails and photographs confirming a husband’s suspicion that his wife had cheated on him (“even though she was using an updated Norton 360 antivirus”). Other cases were more complicated: the company said that it had taken forty-seven days to unearth evidence of money laundering and criminal contacts from the e-mail account of a chief executive in Russia. Appin’s slides said that its clients included the Indian Army and the Indian Ministry of Defense. (A lawyer for Khare said that he did not remember the presentation and that his activity had been limited to “ethical hacking and robotics training.”)

Rey ran across Appin’s name again a few years later, while working in India to help a conglomerate upgrade its information security. In the course of this project, he befriended an Indian cybersecurity consultant named Aditya Jain. One day, Jain mentioned that, earlier in his career, he’d worked for Appin. They stayed in touch, and Jain later helped Rey test another client’s digital security. When Burlingtons hired Rey to take on the Azima case, he called his old friend, who was living near New Delhi. Did Jain have any ideas about who might have done the hacking?

Jain indeed had some ideas: he had hacked Azima himself.

Azima, who is eighty-two and based in Kansas City, owns an air-transportation company, but he has been involved in all sorts of deals across the Middle East, including gunrunning for the C.I.A. Over the years, he has made some enemies. When Rey was hired by Burlingtons, Azima was locked in a protracted legal battle with Ras Al Khaimah, one of the United Arab Emirates. In 2007, Azima formed a partnership with a Ras Al Khaimah investment fund to start a flight school, and he later helped the fund try to sell a luxury hotel in Tbilisi, Georgia. But Azima eventually fell out with the emir of Ras Al Khaimah, and in 2016 the investment fund sued Azima in a London court, accusing him of fraud and self-dealing.

Mysteriously, batches of Azima’s private e-mails surfaced on the Internet just as the lawsuit was filed. This was quite a convenient turn for Ras Al Khaimah, but a lawyer and various private investigators working for its fund testified that they had no idea what had happened: a public-relations consultant in their employ had somehow “discovered” the e-mails while searching the Internet. The court agreed to admit the serendipitous cache into evidence, and in May, 2020, it cited the leaked data when it ordered Azima to pay Ras Al Khaimah $4.2 million in damages and millions in legal fees.

Jain told Rey that he knew the real story of those leaks. (Jain declined to comment, but his representatives confirmed this outline of events.) Jain had worked for a time as a hacker for hire, doing business under the name Cyber Defence and Analytics. In December, 2015, Jain said, a private investigator on the Ras Al Khaimah team commissioned him to access Azima’s online accounts, and by April, 2016, a spear-phishing e-mail had duped Azima into turning over his iCloud password. Jain monitored Azima’s iCloud account until the end of that July, turned the data over to his client, and earned nearly twenty-two thousand dollars for the gig.

The emir’s team, Jain informed Rey, had even better luck with another Indian hacking-for-hire firm: CyberRoot, which had been founded by former Appin colleagues, had robbed Azima of far more material, including e-mails, and arranged to post all of it on the Internet. Rey told me that a hacker at CyberRoot had confirmed to him that the company had stolen the files. (In court papers, the CyberRoot employee now disputes admitting this and denies any wrongdoing.) The private investigator on the Ras Al Khaimah team has acknowledged that he paid a million dollars to CyberRoot—a vast sum in the Indian tech industry. But he and CyberRoot have denied being involved in hacking and have said that the money was for undisclosed matters unrelated to cybercrime.

Although Jain freely discussed the hacking of Azima with Rey, and was willing to advance a petition for a retrial, he was nervous about retaliation from his former clients or from other hackers. He wanted to be identified in court filings only as an anonymous whistle-blower. On February 11, 2021, Rey submitted an affidavit referring to Jain as “Source 1.” The document said, “Source 1 informed me that it was in fact Cyber Root Risk Advisory Private Limited (‘CyberRoot’) that had been hired to carry out the hacking.”

Jain’s fear of backlash was well-founded. He had approached at least one other former colleague at CyberRoot on Rey’s behalf, and the tenuous anonymity of “Source 1” did not last long. Jain said that the private investigator on the Ras Al Khaimah team repeatedly texted Jain, offering to fly him to Dubai for a meeting. When Rey learned of this proposal, he was alarmed. “It’s a trap,” Rey told Jain. “They will lock you up and throw away the key.” (The private investigator declined to comment.) According to Rey, in August, 2021, his CyberRoot source called Jain, threatening, “If you and Jonas don’t back off, I will totally fuck you.” Around the same time, Jain received a late-night call from a man who claimed to be an officer on a special police task force. He warned Jain that he was about to be arrested for data theft. Jain agreed to a meeting the next day in the lobby of the Taj Palace Hotel, in New Delhi, where he had asked a lawyer to eavesdrop from a nearby table. The supposed policeman now said that he had been hired to beat up Jain and keep him quiet—but if Jain could deliver a payment at a 2 a.m. rendezvous in a deserted location, he could escape unharmed.

Rey told me that he warned Jain, “No real cop would want to meet you at 2 a.m. in the middle of nowhere. Get your ass on the first plane out of India.”

The next day, Rey had Jain and his wife flown to the Maldives—one of the few foreign countries where Indians can land without a visa. “I am not going to let one of my sources go dry,” Rey told me. Jain’s lawyer, meanwhile, reported that no charges had been filed against him, confirming that the “policeman” had been a hired goon.

With Jain’s cover blown, Rey was able to convince his friend that it would be safer to stop being an anonymous source: in the context of a legal case, squeezing Jain could constitute witness intimidation. Jain consented, and, in the fall of 2021, Azima’s lawyers declared in a court filing that Jain “has admitted also to hacking Mr. Azima’s data” on the orders of one of the emirate’s private investigators.

Another of those private investigators, Stuart Page, who had denied that any hacking had occurred, bolstered the credibility of the new filing by flipping and confirming the core of Jain’s story. Page, a former officer for Scotland Yard, submitted an affidavit acknowledging that he had lied about the hacking. “I apologise unreservedly for the part I played in misleading the Court,” Page said. He admitted that he had worked with an Israeli private investigator and former intelligence officer who, in turn, had hired “subcontractors located outside of Israel” who had used “hacking techniques” to obtain “confidential e-mails and unauthorised access to other confidential electronic data.” Nobody had accidentally discovered Azima’s hacked e-mails online, Page admitted: the Israeli investigator who had hired the hackers had sent him a link to the cache. Moreover, the investigator’s reports were clearly full of hacked data. Page wrote, “It was obvious to me (and it would have been obvious to anyone else reading the reports) that such documents were obtained as a result of unauthorised access to computers.” (The Israeli private investigator has disputed Page’s account.)

Page now said that, before giving his false testimony, he had participated in a “mock trial” in Switzerland with others on the Ras Al Khaimah team to rehearse their bogus story and “perfect the narrative that we were to tell the English court.” To hide his whereabouts, he had left his mobile phone at home, in England, and taken a circuitous train route from London to a luxury hotel in Bern, where “we made use of the hotel’s private chef and their wine from the hotel’s cellar” in what he described as “a mixture of eating, drinking and sections of cross-examination.”

Last year, the London court granted Azima a retrial, which is scheduled for next spring. (The Ras Al Khaimah investment fund has said that it “did not authorise or procure any hacking of Mr. Azima’s data.”)

In the meantime, a report in the London Sunday Times has claimed that Jain and Rey are more enmeshed in the Indian hacking-for-hire business than they have acknowledged. Working with the nonprofit Bureau of Investigative Journalism, the newspaper published an article last November in which a team of five reporters revealed that they had engaged in an elaborate ruse: posing as clients looking to hire a hacker. Jain, they wrote, had responded to their undercover inquiries via “a lengthy exchange of messages” and had boasted about his hacking exploits. The reporters also wrote that they were “given sight” of a “secret database” detailing Jain’s hacking activities; it showed that, between the beginning of 2019 and the spring of 2022, Rey hired Jain to target as many as four dozen people—including the President of Switzerland.

This time frame, however, is hard to reconcile with Jain’s decision to speak out as a whistle-blower early in that period, or with Rey’s simultaneous decision to link himself publicly to Jain. The article does not mention Jain’s public confession or Rey’s role in obtaining it. The reporters do note that Jain, when reached by text not long before the article’s publication, vehemently denied carrying out the alleged attacks or doing hacking for Rey. Rey told the paper that he had never commissioned hacking.

Rey contends that client names in the “secret database” were fake, and that the Sunday Times reporters were duped, possibly by hackers angry that Rey and Jain had exposed their secrets in court—and saw an opportunity to undermine their reputations. According to Rey, when Jain read the article he didn’t recognize any of the texts that he had supposedly sent the undercover reporters; moreover, the final text from a Sunday Times reporter—confronting him with the hacking allegations—was the first time he had heard from the journalists. Rey and Jain believe that an imposter took over an e-mail address once used by Jain—adi@whiteint.tech—then went undercover to catfish the undercover journalists. (The reporters declined to discuss whether they had corresponded with that address, or how they had communicated with Jain.)

After the article appeared, the industry publication Intelligence Online reported that an anonymous source had offered it unverified material strikingly similar to what the Sunday Times said was in the database. The publication said that the source’s “intentions were to make Jain’s repentance appear insincere, thereby discrediting his testimony at the Azima trial,” and characterized the Sunday Times article as the latest salvo in an “Indian hackers-for-hire gang war.” Rey has filed a defamation complaint against the newspaper in Switzerland. Jain has filed a police report in India alleging a conspiracy to impersonate and defame him. (Representatives of the Sunday Times and the Bureau of Investigative Journalism both said that they stand by the article.)

Whatever the outcome of those complaints—and of Azima’s retrial—the various disclosures and affidavits have offered crucial new insights about India’s hacking-for-hire industry. Cooper Quintin, a security researcher at the Electronic Frontier Foundation, told me, “Before, we had a solid trail of evidence. Now we have a confession.”

Rey said that, judging from the data he has obtained from Jain and his hacker colleagues, the hacking-for-hire business in India is much bigger than most experts had imagined. “In addition to BellTroX and CyberRoot, there are about ten to fifteen other Indian companies doing this,” he told me. “We have seen close to a hundred and twenty thousand victims over the past ten years, so it really is an industry.”

The hacking-for-hire business has prospered in India for some of the same reasons that I.T. outsourcing has: an abundance of inexpensive skilled labor in an open marketplace readily accessible to Western clients. But Indian hackers are also unusually brazen, with competing firms publicly touting “ethical” or “white hat” hacking services, and individual hackers bragging on LinkedIn about their spear phishing. In authoritarian havens such as Russia, Iran, and North Korea, cybercriminals do not advertise.

Yet, as both Rey and Scott-Railton, of Citizen Lab, told me, Indian hackers appear to share something important with their counterparts in those authoritarian nations: a tacit alliance with their government. Rey told me that, according to target lists and other information that he gained from Indian hackers, the top dozen Indian hacking-for-hire firms “have always tended to have the same profile—they always do a little bit of government work, with private work on the side.”

Scott-Railton said that cybersecurity researchers in both government and the private sector had observed the pattern. “Among those who’ve tracked them, it is widely seen that some of the Indian hacking-for-hire groups pivot into work in the interests of the Indian government.” (India’s fierce rivalries with China and Pakistan extend to cyber warfare.)

A representative of the Indian Embassy in Washington declined to comment on hacking. An official for the U.S. Justice Department declined to comment on India. But the official e-mailed me a passage from the department’s Comprehensive Cyber Review, a report issued last year that underscored the challenge of policing transnational cybercriminals like India’s. Under the heading “Foreign Governments Providing Safe Haven to Hackers,” the review warned, “These malicious actors have often ‘moonlighted’ by engaging in hacks for personal profit alongside those designed to advance their home countries’ strategic interests.”

This spring, federal prosecutors in New York who were armed with data provided by Citizen Lab secured a guilty plea from an Israeli private investigator named Aviram Azari, who had admitted to hiring Indian hackers to attack climate activists, investors, and many others. Azari, who faces a lengthy sentence, has refused to name his clients.

Prosecutors, drawing on information from Citizen Lab, linked Azari to Sumit Gupta, the founder of BellTroX, who appears to be an unnamed co-conspirator in the indictment. But Gupta need not worry. Federal prosecutors in San Jose also indicted him in 2015, in a case involving hacking on behalf of two California private detectives. Both investigators pleaded guilty and were sentenced to three years of probation. Gupta, presumably in India, remained open for business. ♦