'Holi', 'Rongali', and 'Pochanchi' -- how investigators zeroed in on BellTroX, Sumit Gupta
Manoj Sharma June 10, 2020
"You desire, we do!" - that's the slogan of Delhi-based small tech firm BellTroX InfoTech Services, which has been linked with 'hack-for-hire' operations carried out across many countries, targeting individuals and companies. Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada, in its probe spanning several years has found that an organisation has targeted thousands of people and hundreds of institutions across six continents. It also concluded that most of these hacks were linked to one particular company, BellTroX, which is owned by Delhi-based Sumit Gupta.
The Citizen Lab probe suggests that the timestamps in hundreds of phishing emails sent by Dark Basin -- the name given to the organisation behind the global hack-for-hire activities -- are consistent with working hours in India's UTC+5:30 time zone.
The same timing correlations were found by the Electronic Frontier Foundation (EFF) in a prior investigation of phishing messages targeting net neutrality advocacy groups, which the report also links to Dark Basin. Many of Dark Basin's URL shortening services had names associated with India: Holi, Rongali, and Pochanchi. While Holi is a famous Indian festival, Rongali is one of the three Assamese festivals of Bihu, and Pochanchi is likely a transliteration of the Bengali word for "fifty-five".
Additionally, Dark Basin left copies of their phishing kit source code available openly online, as well as log files showing testing activity, claims the Citizen Lab probe. "The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and log files show that Dark Basin appeared to conduct some testing using an IP address in India," the report revealed.
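The timestamp correlation described above is a standard attribution check: convert each message's send time into a candidate UTC offset and see which offset places the activity inside a normal working day. The script below is an added illustration, not code from Citizen Lab or from this article; the Date headers are constructed sample values, not real Dark Basin messages, and the same scoring can be applied to log-file timestamps.

```python
from datetime import datetime, timezone, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample "Date:" header values from hypothetical phishing emails,
# normalised to UTC. These are NOT real Dark Basin messages.
SAMPLE_DATES = [
    "Mon, 04 Mar 2019 03:30:00 +0000",
    "Tue, 05 Mar 2019 04:45:00 +0000",
    "Wed, 06 Mar 2019 06:10:00 +0000",
    "Thu, 07 Mar 2019 07:30:00 +0000",
    "Fri, 08 Mar 2019 09:00:00 +0000",
    "Mon, 11 Mar 2019 10:20:00 +0000",
    "Tue, 12 Mar 2019 11:45:00 +0000",
    "Wed, 13 Mar 2019 12:15:00 +0000",
]

def to_utc(date_header):
    """Parse an RFC 2822 Date header and return an aware UTC datetime."""
    return parsedate_to_datetime(date_header).astimezone(timezone.utc)

def working_hours_fraction(date_headers, offset_minutes, start=9, end=18):
    """Fraction of messages whose local send time, at the given UTC offset,
    falls inside a working day [start, end) measured in whole hours."""
    tz = timezone(timedelta(minutes=offset_minutes))
    hits = 0
    for hdr in date_headers:
        local = to_utc(hdr).astimezone(tz)
        if start <= local.hour < end:
            hits += 1
    return hits / len(date_headers)

def rank_offsets(date_headers, step=30):
    """Score every UTC offset from -12:00 to +14:00 in `step`-minute increments
    and return (offset_minutes, fraction) pairs, best first; ties go to the
    offset closest to UTC."""
    scores = [(off, working_hours_fraction(date_headers, off))
              for off in range(-12 * 60, 14 * 60 + 1, step)]
    return sorted(scores, key=lambda s: (-s[1], abs(s[0])))

def fmt_offset(minutes):
    """Render an offset in minutes as 'UTC+HH:MM' / 'UTC-HH:MM'."""
    sign = "+" if minutes >= 0 else "-"
    h, m = divmod(abs(minutes), 60)
    return f"UTC{sign}{h:02d}:{m:02d}"

if __name__ == "__main__":
    for off, frac in rank_offsets(SAMPLE_DATES)[:5]:
        print(f"{fmt_offset(off)}  {frac:.2f}")
```

A single best-scoring offset is only weak evidence on its own; the report combined it with other indicators such as infrastructure naming and testing IP addresses.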
It was also found that the activities of several BellTroX employees overlapped with Dark Basin, because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques, containing screenshots of links to Dark Basin infrastructure.
Besides, BellTroX and its employees used euphemisms for promoting their services online, including "Ethical Hacking" and "Certified Ethical Hacker." On June 7, the BellTroX website began serving an error message, and postings and other materials linking BellTroX to such operations have recently been deleted.
The other observations indicating that BellTroX is behind the major hacking scandals are endorsements of the company and its employees' capabilities by individuals working in various fields of corporate intelligence and private investigation. For example, BellTroX and its employees received endorsements from individuals listing themselves as Canadian government officials, US Federal Trade Commission officials, a contract investigator for US Customs and Border Patrol, and private investigators, many with prior roles in the FBI, police, military and other branches of government, the report revealed.
Dark Basin, which spied on over 10,000 email accounts for several years, specifically targeted judges, politicians, journalists, gambling tycoons, and environmental groups, among others. They even targeted private individuals engaged in a divorce or other legal matters. As per Reuters, BellTroX also targeted well-known investors in the United States, including private equity giant KKR and short-seller Muddy Waters. Citizen Lab researchers, who had been probing the company's hacking links for over two years, said they had "high confidence" that BellTroX employees were behind the espionage campaign.