LONDON / WASHINGTON (Reuters) – A little-known Indian IT company offered its hacking services to help customers spy on more than 10,000 e-mail accounts over a seven-year period.
Sumit Gupta, owner and director of cybersecurity company BellTroX InfoTech Services, leaves his office in New Delhi, India, on June 8, 2020. REUTERS / Alasdair Pal
BellTroX InfoTech Services, based in Delhi, targeted government officials in Europe, gambling tycoons in the Bahamas and well-known investors in the United States, including private equity giant KKR and short seller Muddy Waters, according to three former employees, outside researchers and a trail of online evidence.
Aspects of the BellTroX hacking spree aimed at American targets are currently under investigation by U.S. law enforcement, five people familiar with the matter told Reuters. The U.S. Department of Justice declined to comment.
Reuters does not know the identity of BellTroX customers. In a telephone interview, the company's owner, Sumit Gupta, declined to disclose who hired him and denied any wrongdoing.
Muddy Waters founder Carson Block said he was "disappointed, but not surprised, to learn that we were probably hacked by a BellTroX customer". KKR declined to comment.
Researchers at Citizen Lab, an internet watchdog group, who spent more than two years mapping the infrastructure used by the hackers, said they had "high confidence" that BellTroX employees were behind the espionage campaign.
"This is one of the largest hired spy operations ever exposed," said Citizen Lab researcher John Scott-Railton.
Although they receive a fraction of the attention devoted to state-sponsored espionage groups or headline-grabbing thefts, "cyber-mercenary" services are widely used, he said. "Our investigation found that no sector is immune."
A data cache reviewed by Reuters provides insight into the operation, detailing tens of thousands of malicious messages sent by BellTroX between 2013 and 2020 that were designed to trick victims into giving up their passwords. The data was provided on condition of anonymity by the online service providers the hackers used, after Reuters alerted the companies to unusual patterns of activity on their platforms.
The data is effectively a digital hit list showing who was targeted and when. Reuters validated the data by checking it against the emails received by the targets.
On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States. Dozens of those people, among the thousands targeted by BellTroX, either did not respond to messages or declined to comment.
Reuters was unable to establish how many of the hacking attempts were successful.
BellTroX's Gupta was indicted in a 2015 hacking case, in which two U.S. private investigators admitted to paying him to hack into the accounts of marketing executives. Gupta was declared a fugitive in 2017, although the U.S. Department of Justice declined to comment on the current status of the case or on whether an extradition request had been issued.
Speaking by phone from his home in New Delhi, Gupta denied any hacking and said he had never been contacted by law enforcement. He said he had only helped private investigators download messages from email inboxes after they provided the login details.
"I didn't help them access anything, I just helped them download their emails and they provided me with all the details," he told Reuters. "I don't know how they got those details, but I was just helping them with technical support."
Reuters was unable to determine why private investigators would need Gupta to download emails. Gupta did not return follow-up messages and repeatedly refused to speak when a Reuters reporter visited him at his office on Monday. Spokesmen for the Delhi police and the Indian Foreign Ministry did not respond to requests for comment.
HOROSCOPES AND PORNOGRAPHY
Operating out of a small room above a closed tea stall in a retail complex in western Delhi, BellTroX bombarded its targets with tens of thousands of malicious emails, according to the data reviewed by Reuters. Some messages imitated colleagues or relatives; others posed as Facebook login requests or as graphic notifications to unsubscribe from pornography sites.
Safkhet Capital, the New York short-selling firm of Fahmi Quadir, was among the 17 investment firms targeted by BellTroX between 2017 and 2019. She said she noticed an increase in suspicious emails in early 2018, shortly after the launch of her fund.
At first "it didn't necessarily look malicious," said Quadir. "It was just horoscopes; then it moved on to pornography."
Eventually, the hackers upped their game, sending credible-looking messages that appeared to come from her coworkers, other short sellers or members of her family. "They were trying to imitate my sister," said Quadir, adding that she believes the attacks were unsuccessful.
U.S. advocacy groups have also been targeted repeatedly. Among them were the digital rights organizations Free Press and Fight for the Future, which lobbied for net neutrality. The groups said that a small number of employee accounts were compromised, but that the organizations' wider networks were untouched. Spying on these groups was detailed in a 2017 report by the Electronic Frontier Foundation, but had not previously been publicly linked to BellTroX.
Timothy Karr, director of Free Press, said his organization "sees an increase in attempts at violations whenever we are involved in heated, high-level public policy debates". Evan Greer, deputy director of Fight for the Future, said: "When companies and politicians can hire digital mercenaries to target civil society defenders, it undermines our democratic process."
Although Reuters was unable to determine who hired BellTroX to carry out the hacking, two former employees said the company, and others like it, were typically hired by private investigators acting on behalf of commercial rivals or political opponents.
Bart Santos of Bulldog Investigations, based in San Diego, was one of a dozen private investigators in the United States and Europe who told Reuters they had received unsolicited advertisements for hacking services in India, including one from a person who described himself as a former BellTroX employee. The pitch offered to perform "data penetration" and "email penetration".
Santos said he ignored these proposals, but he could understand why some people did not.
"Indians have a reputation for customer service," he said.
Additional reporting by Alasdair Pal in NEW DELHI and Ryan McNeill in LONDON; Editing by Jonathan Weber, Chris Sanders and Edward Tobin