(Update: Arvind Kumar, who owns a herbal medicine business, was incorrectly identified by Reuters as Sumit Gupta, a hacker being investigated by the FBI. The Quint retracted the image as well on 30 June in the story that was first published on 10 June.)
An obscure IT company based in New Delhi has been named at the centre of a global spying and hacking operation which targeted thousands of individuals and hundreds of organisations.
BellTroX, headed by Sumit Gupta, is alleged to have spied on companies involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. Those targeted include senior politicians, government prosecutors, CEOs, journalists, and human rights defenders.
According to Reuters, the Delhi-based company helped clients spy on more than 10,000 email accounts over a period of seven years.
WHAT WE KNOW
The Citizen Lab, which had also helped expose the Pegasus spyware attack on Indian nationals, mapped out BellTroX’s activities for over two years and has named the hack-for-hire group “Dark Basin”.
Targeted individuals were attacked with phishing e-mails containing malicious links. In 2017, a journalist who had been at the receiving end of repeated phishing attempts had approached the Lab for help.
Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy.
“We subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group, which we call Dark Basin,” Citizen Lab states in its investigation report.
“Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets,” the report states.
BELLTROX IT COMPANY
The company, located in Netaji Subhash Place in New Delhi’s Shakurpur area, was hired by private investigators in the US to hack into emails on their behalf.
“Operating from a small room above a shuttered tea stall in a west-Delhi retail complex, BellTroX bombarded its targets with tens of thousands of malicious emails,” according to Reuters, which viewed data related to the attacks.
HOW WAS THE BELLTROX CONNECTION ESTABLISHED?
Researchers at Citizen Lab were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners.
Timestamps in hundreds of Dark Basin phishing emails are consistent with working hours in India’s UTC+5:30 time zone.
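As an added illustration of the timestamp check described above (example code written for this page, not Citizen Lab’s tooling), this script shifts a batch of e-mail Date headers into candidate UTC offsets and reports what share fall inside a local working day. The sample headers and the 09:00–19:00 working window are constructed assumptions.

```python
"""Working-hours consistency check for e-mail Date headers (added example).

Shift each timestamp into a candidate UTC offset and measure how many land in a
local working day. One offset scoring clearly above the rest supports, but does
not by itself prove, an attribution to that time zone.
"""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (not real Dark Basin data). They are chosen
# to cluster in a 09:00-19:00 day at UTC+5:30, with one off-hours outlier.
SAMPLE_DATE_HEADERS = [
    "Mon, 12 Feb 2018 03:40:12 +0000",  # 09:10 at UTC+5:30
    "Mon, 12 Feb 2018 06:12:44 +0000",  # 11:42
    "Tue, 13 Feb 2018 09:50:01 +0000",  # 15:20
    "Tue, 13 Feb 2018 13:15:19 +0000",  # 18:45
    "Wed, 14 Feb 2018 05:01:33 +0000",  # 10:31
    "Wed, 14 Feb 2018 11:45:00 +0000",  # 17:15
    "Thu, 15 Feb 2018 23:30:00 +0000",  # 05:00 next day (outlier)
    "Fri, 16 Feb 2018 07:07:07 -0500",  # 12:07 UTC -> 17:37
]

WORK_START, WORK_END = 9, 19  # assumed local working day, hour-of-day bounds


def local_hours(date_headers, offset_minutes):
    """Parse RFC 5322 Date headers; return hour-of-day at the given UTC offset."""
    tz = timezone(timedelta(minutes=offset_minutes))
    hours = []
    for header in date_headers:
        dt = parsedate_to_datetime(header)
        if dt.tzinfo is None:  # "-0000" headers parse as naive: treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hours.append(dt.astimezone(tz).hour)
    return hours


def working_hours_share(date_headers, offset_minutes):
    """Fraction of messages sent between WORK_START and WORK_END local time."""
    hours = local_hours(date_headers, offset_minutes)
    return sum(1 for h in hours if WORK_START <= h < WORK_END) / len(hours)


def rank_zones(date_headers, offsets_minutes=range(-720, 841, 30)):
    """Score every half-hour UTC offset; best-scoring (offset, share) first."""
    scored = [(m, working_hours_share(date_headers, m)) for m in offsets_minutes]
    return sorted(scored, key=lambda s: (-s[1], abs(s[0])))


if __name__ == "__main__":
    for offset, share in rank_zones(SAMPLE_DATE_HEADERS)[:5]:
        print(f"UTC{offset / 60:+.1f}h: {share:.0%} sent in working hours")
```

A single batch of timestamps cannot separate neighbouring half-hour zones; the signal only becomes meaningful across hundreds of messages, as in the report.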
Employees also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.
Moreover, on Sunday, 7 June 2020, Citizen Lab found the BellTroX website to be serving an error message. “We have also observed that postings and other materials linking BellTroX to these operations have been recently deleted,” the report says.
WHO IS SUMIT GUPTA?
According to Reuters, in a telephone interview, the company’s owner, Sumit Gupta, declined to disclose who had hired him and denied any wrongdoing.
BellTroX’s director, Sumit Gupta, was indicted in California, in the United States, for his role in a similar hack-for-hire scheme. He, however, was never arrested.
According to Reuters’ report, Gupta was declared a fugitive in 2017, although the US Justice Department declined to comment on the current status of the case or whether an extradition request had been issued.
WHO DID IT TARGET?
Judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States were among those targeted. These dozens of people, among the thousands targeted by BellTroX, did not respond to messages or declined comment.
Speaking with Reuters, Fahmi Quadir, who runs the New York-based short-selling firm Safkhet Capital, said she was among 17 investment companies targeted by BellTroX between 2017 and 2019. She said she noticed a surge in suspicious emails in early 2018, shortly after she launched her fund.
Initially “it didn’t seem necessarily malicious,” Quadir told Reuters. “It was just horoscopes; then it escalated to pornography.”
Advocacy groups and organisations working on environmental issues and climate change were among the prime targets. “We discovered a large cluster of targeted individuals and organisations that were engaged in environmental issues in the US,” Citizen Lab’s report mentions. Some of the organisations that have consented to be named are: