According to Reuters, a little-known Indian IT company provided hacking services to customers and hacked more than 10,000 email accounts around the world in seven years.
Based on information disclosed by three former employees of the company, reports from external researchers and various online evidence, the New Delhi-based IT services company BellTroX targeted, among others, European government officials, Bahamas gaming tycoons, the US private equity giant KKR and well-known investment firms, including the short-seller Muddy Waters.
Five people familiar with the matter said that BellTroX’s hacking operations against US targets are facing investigations by US law enforcement agencies. But the US Department of Justice declined to comment.
The identity of BellTroX’s customers is unclear. The company’s owner, Sumit Gupta, declined to reveal who the customers were in a telephone interview and denied any wrongdoing.
Carson Block, the founder of Muddy Waters, said, “I was disappointed when I learned that we might be the target of BellTroX customers, but I was not surprised.” KKR declined to comment.
Researchers at the internet watchdog Citizen Lab spent more than two years mapping the infrastructure used by the hackers. In a report released on Tuesday, they said they “fully believe” that BellTroX employees were behind the espionage activities.
“This is one of the largest espionage-for-hire operations ever,” said Citizen Lab researcher John Scott-Railton.
He said that although “cyber mercenaries” have received little attention compared with state-backed spy organizations or high-profile cyber thefts, their services are widely used. “Our investigation found that no area is immune.”
Reuters conducted an in-depth study of this activity by examining a cache of data. It showed that between 2013 and 2020 BellTroX sent thousands of messages designed to trick victims into revealing their passwords. The data was provided anonymously to Reuters by the service providers the hackers used, after Reuters had warned those companies of abnormal activity on their platforms.
The data amounts to a “hit list”, recording the targets and the timing of the attacks. Reuters verified its authenticity by comparing it with the emails the targets had received.
The list includes judges in South Africa, politicians in Mexico, lawyers in France and environmental organizations in the United States. These dozens of people are only a small part of BellTroX’s thousands of targets. None of them responded, or they declined to comment.
It is still unclear how many of the hacking attempts were successful.
BellTroX’s Gupta was charged in a 2015 hacking case in which two American private investigators admitted to paying him to break into the accounts of marketing executives. Gupta was declared a fugitive in 2017, but the U.S. Department of Justice declined to comment on the current status of the case and declined to say whether an extradition request has been filed.
Gupta denied the hacking by phone from his home in New Delhi and said that law enforcement agencies had never contacted him. He said he had only helped the investigators download messages from email inboxes after they provided him with the login details.
“I didn’t help them get anything, I just helped them download the emails, and they provided me with all the details,” he said. “I don’t know how they got those details; I just provided them with technical support.”
Reuters was unable to determine why the private investigators asked Gupta to help them download emails. Gupta did not respond to follow-up messages, and when a Reuters reporter visited his office on Monday, the reporter was repeatedly turned away. Spokespersons for the Delhi Police and India’s Ministry of External Affairs did not comment.
According to data viewed by Reuters, BellTroX operated from a small room above a closed tea stall in a retail complex in western Delhi. It bombarded targets with tens of thousands of malicious emails. Some messages were disguised as coming from the target’s colleagues or relatives; others were disguised as Facebook login requests or as unsubscribe emails from pornographic websites.
Safkhet Capital, Fahmi Quadir’s short-selling firm in New York, is one of 17 investment firms targeted by BellTroX between 2017 and 2019. She said that in early 2018, shortly after she launched the fund, she noticed a surge in the number of emails she received.
Initially “it did not appear to be malicious email,” Quadir said. “It was just astrology or something. Then it turned into pornography.”
Eventually the hackers stepped up their attacks and sent her seemingly credible messages, pretending to be her colleagues, family members or other short-sellers. “They even tried to impersonate my sister,” Quadir said. She believes the attacks were unsuccessful.
American advocacy organizations were repeatedly targeted. They include the digital rights groups Free Press and Fight for the Future, both of which campaign for net neutrality. The organizations said that a few employee accounts were compromised but that their wider networks were not affected. The Electronic Frontier Foundation detailed the attacks on these organizations in a 2017 report but did not publicly link them to BellTroX.
Free Press director Timothy Karr said, “Every time we participate in a heated and high-profile public policy debate, aggressive behavior increases.” Fight for the Future deputy director Evan Greer said: “If companies and politicians can hire digital mercenaries to target civil society organizations, it will undermine our democratic process.”
Although Reuters could not determine who hired BellTroX to carry out the hacking, two former employees of the company said that it and similar companies usually sign contracts with private investigators, and that the clients behind those investigators are typically the business or political rivals of the targets.
Bart Santos of Bulldog Investigations, a private investigation firm in San Diego, said he had received advertisements for hacking services from India, one of them from someone claiming to be a former BellTroX employee. The advertisements offered “data penetration” and “email penetration” services. More than ten European and American private investigators said they had received similar advertisements.
Santos said he ignored the advertisements but could understand why some people would pay to hire such companies. “Indians have a good reputation for customer service,” he said.