Delhi-based ‘hack-for-hire’ firm linked to global hacking scam; allegedly spied on politicians, investors globally

Update: 2020-06-15 05:27 GMT

In a startling revelation, a New Delhi-based technology company, BellTroX InfoTech Services, has been linked to a massive ‘hack-for-hire’ operation that targeted thousands of individuals and organisations in six continents, including senior politicians, government prosecutors, CEOs, journalists and human rights defenders. BellTroX targeted government officials in Europe and well-known investors in the US.

Named ‘Dark Basin’ by Citizen Lab, a laboratory based at the Munk School of Global Affairs and Public Policy of the University of Toronto, the organisation offered its hacking services to help clients spy on more than 10,000 email accounts over a period of seven years. The ‘hack-for-hire’ organisation extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. “With high confidence, we link Dark Basin to BellTroX InfoTech Services (BellTroX), an India-based technology company, and related entities,” Citizen Lab said in a detailed statement.

“We also identify Dark Basin as the group behind the phishing of organisations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation,” it added.

To recall, BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme.

Some of the targeted organisations are Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists and several others.

“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” said Citizen Lab. The investigation found that some “high value” targets were sent more than 100 phishing attempts with very diverse content. The investigators were able to identify almost 28,000 additional URLs containing email addresses of the targets.

The story goes back to 2017 when a journalist who had been targeted with phishing attempts contacted Citizen Lab and asked if they could investigate.

The research team linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links.

Citizen Lab subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group now called ‘Dark Basin’.

“Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets,” says Citizen Lab.

The team used open source intelligence techniques to identify hundreds of targeted individuals and organizations, yielding several clusters of interest, including two clusters of advocacy organizations in the US working on climate change and net neutrality.

Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue or business deal. The timings of sending phishing emails were consistent with working hours in India’s time zone. Additionally, ‘Dark Basin’ left copies of their phishing kit source code available openly online, as well as log files showing testing activity. The logging code invoked by the phishing kit recorded timestamps in India time zone, and log files show that Dark Basin appeared to conduct some testing using “an IP address in India”.
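The working-hours observation above is an attribution heuristic an investigator can reproduce: convert the UTC send times of a phishing wave into each candidate time zone and see which one places most messages inside a weekday 09:00 to 18:00 window. The block below is an added illustration, not Citizen Lab's code, and runs on a constructed set of timestamps; the fixed UTC offsets are an assumption for early October 2017 (a real analysis should use `zoneinfo` so daylight-saving rules are applied per date).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC send times of one phishing wave (not real Dark Basin data).
SEND_TIMES_UTC = [
    "2017-10-02T04:12:00", "2017-10-02T05:40:00", "2017-10-02T07:05:00",
    "2017-10-03T03:55:00", "2017-10-03T08:30:00", "2017-10-03T11:45:00",
    "2017-10-04T04:30:00", "2017-10-04T06:10:00", "2017-10-05T05:20:00",
    "2017-10-05T12:20:00", "2017-10-06T04:45:00", "2017-10-06T10:30:00",
]

# Fixed offsets as they applied in early October 2017 (assumption for this sample).
CANDIDATE_ZONES = {
    "Asia/Kolkata (IST)": timezone(timedelta(hours=5, minutes=30)),
    "Europe/London (BST)": timezone(timedelta(hours=1)),
    "America/New_York (EDT)": timezone(timedelta(hours=-4)),
    "Asia/Shanghai (CST)": timezone(timedelta(hours=8)),
}


def parse_utc(stamp):
    """Parse an ISO-8601 timestamp that is known to be in UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def in_working_hours(local, start=9, end=18):
    """True if a local datetime falls on a weekday between start and end hour."""
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_fraction(stamps_utc, zone):
    """Fraction of send times that land in working hours for the given zone."""
    hits = sum(in_working_hours(parse_utc(s).astimezone(zone)) for s in stamps_utc)
    return hits / len(stamps_utc)


def rank_zones(stamps_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how well they explain the send times as office work."""
    scores = {name: working_hours_fraction(stamps_utc, tz) for name, tz in zones.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_zones(SEND_TIMES_UTC):
        print(f"{name:24s} {score:.2f}")
```

Neighbouring zones score close to each other, so the hour-of-day fit narrows the field rather than proving origin; the report combines it with the phishing kit's log timestamps and a testing IP address.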

Citizen Lab collaborated with consumer cybersecurity brand NortonLifeLock and unearthed numerous technical links between the campaigns and individuals associated with BellTroX. “In at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals. This incident led us to conclude that Dark Basin had some success in gaining access to the email accounts of one or more advocacy groups,” said the report.

BellTroX employees sent phishing emails masquerading as targets’ colleagues and friends. The individuals Dark Basin chose to impersonate showed that it had a deep knowledge of informal organisational hierarchies: it masqueraded as people with greater authority than the target.

“We used open source intelligence techniques to identify hundreds of targeted individuals and organisations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting,” said the researchers.

“Dark Basin has targeted dozens of journalists in multiple countries. Citizen Lab has notified and worked with some of these journalists over the past three years to assist them in investigating this case,” said the report.

Several of Dark Basin’s URL shortening services had names associated with India: Holi, Rongali and Pochanchi (likely a transliteration of the Bengali word for ‘fifty-five’).

The researchers were able to identify several BellTroX employees, whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. According to the report, “They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.” BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker’. BellTroX’s slogan is: “You desire, we do!”

On June 7, the BellTroX website began serving an error message. The Citizen Lab researchers also observed that postings and other materials linking BellTroX to these operations have been recently deleted.

In 2015, the US Department of Justice (DOJ) indicted several US-based private investigators and an Indian national, Sumit Gupta (who, the DOJ notes, also uses the alias Sumit Vishnoi), for their role in a hack-for-hire scheme. “To our knowledge, Gupta was never arrested in relation to the indictment. An aggregator of Indian corporate registration data lists Sumit Gupta as the Director of BellTroX, and online postings by a ‘Sumit Vishnoi’ contain references to BellTroX,” said the report.

BellTroX staff activities listed on LinkedIn include email penetration, exploitation, corporate espionage, phone pinger and conducting cyber intelligence operations. BellTroX’s LinkedIn pages, and those of their employees, have received hundreds of endorsements from individuals working in various fields of corporate intelligence and private investigation. “Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies,” according to the report.