How a little known Delhi-based cyber firm became top spy for hire

Until earlier this month, chances are you would've never heard of Sumit Gupta and his firm BellTrox InfoTech Services. This little-known firm based in the Shakurpur area of New Delhi has been accused of being one of the largest “spy-for-hire” operations ever exposed.

However, the cybersecurity community in India was not surprised. “It’s just a matter of who gets caught. A lot of people do this kind of work, but it's a matter of covering your tracks well,” says a Mumbai-based hacker.

According to revelations made by Canada-based Citizen Lab, and first reported by Reuters, the underlying technology BellTrox used to allegedly target “thousands of individuals and organisations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders” is phishing.

Phishing attacks could either be in the form of an e-mail from a trusted source asking for information, such as passwords, bank details, and personal details, or it could mimic an existing website or webpage and trick a user into entering confidential information.

Gupta, however, has a bit of history. In 2015, he was charged, along with five others, with a conspiracy involving e-mail hacking. The Department of Justice's press release dated February 11, 2015, said Gupta, who apparently hails from Jabalpur, Madhya Pradesh, and a person called Trent Williams were hired by two private investigators “to hack into the victims’ e-mail accounts, Skype accounts, and protected computers. In addition to that conduct, the defendants allegedly installed and used a keylogger — a tool that intercepts and logs the particular keys struck on a keyboard in a covert manner so that the person using the keyboard is unaware that his or her actions are being monitored”. While the private investigators pleaded guilty to conspiring to hack into computers, Gupta and two others continued to face charges of conspiracy as of July 2015.

While US federal prosecutors never specified how Gupta was hired, a web portal called Global News reported in May 2015 that he responded to a listing on a freelancing website that offered between $250-$750 for a software program that would compromise computer systems operating Home windows and Microsoft Workplace.

“When a company looks for hackers, it goes to freelancing websites where hackers put up their projects. Among the ways companies test these hackers are by giving them tasks like getting into someone’s website, getting hold of (a rival's) customer data and so on,” said Sunny Vaghela, founder and CEO,  cybersecurity consulting firm Techdefence Labs. “They may also ask hackers to find things on the dark web. For example: As an initial assignment, a hacker may be asked to get data from the dark web that was already breached by someone. They may then be asked to find people who haven't changed their passwords from that list, and monitor their compromised accounts and do a kind of espionage.”

People familiar with the way Gupta worked said he kept a small team comprising young members, who offered a range of services — from e-mail hacking to espionage. They were assigned tasks, without being told the identity of the client.
 

According to Vaghela, 13- to15-year olds can easily learn hacking and take assignments to make quick money. The minimum amount a hacker expects for a task is $500, and for the maximum, the sky's the limit, depending on the criticality of the job and willingness of the person asking. A large corporate targeting rivals, for example, could even be willing to pay over Rs 2-3 crore for a single task.

According to Google's Threat Analysis Group report, in the first quarter of 2020, “there was new activity from 'hack-for-hire' firms, many based in India, that have been creating Gmail accounts spoofing the World Health Organisation,” an indication that hacking activity originating in India is increasing.

However, despite the negative connotation around the word hacker, the community has also done great work in preventing cybercrime.

According to a recent report by crowdsourced security platform BugCrowd, there was an 83 per cent increase in the number of hackers living in India, making it the top country for hackers in the world. It also reported $8.9 billion worth cybercrime prevented by hackers on the platform in the last 12 months.

Many of them participate in programmes called bug bounties, which are monetary rewards offered by technology companies to geeks who spot bugs, errors and security flaws before malicious hackers or cyber criminals spot them. The fine line between doing the task ethically and unethically makes all the difference.