A few weeks after hacking for ViSalus, Sumit Gupta registered BellTroX Infotech Services Private Ltd in May 2013, Indian business records
. Gupta was only 24, but Moser remembers a sharply dressed, self-assured young man at the other end of his Skype calls.
“If you want this information,” Moser recalled him saying, “I can get it.”
Carrying the motto “you desire, we do!” BellTroX was headquartered in west Delhi and openly advertised “ethical hacking” services online. On one business development website, Gupta
that the “clients I am seeking” include “private investigators” and “corporate lawyers.”
The hackers’ office resembled a low rent call center, former employees said. Conversation was discouraged, personal phone use was forbidden and surveillance cameras monitored every keystroke, they said.
By 2016, BellTroX employed dozens of workers, according to the former employees and online resumes reviewed by Reuters. A month’s salary could be as low as 25,000 rupees (then worth about $370), according to two former workers and company salary
Gupta, as BellTroX co-owner, could charge from a few thousand dollars per account to up to $20,000 for “priority” targets, said Chirag Goyal, a former BellTroX executive who split from Gupta in 2013 and has since launched several tech startups in India.
Goyal said repeat customers comprised much of BellTroX’s income. “In this industry, genuine work comes only from recommendations,” Goyal said. Reuters was unable to determine the total annual revenue of Gupta’s firm.
Before launching BellTroX, Gupta had worked for Appin, an Indian company that initially made its name in cybersecurity training franchises and mainstream IT security work.
By 2010 a division of Appin began hacking targets on behalf of governments and corporate clients, according to six ex-employees, a former U.S. intelligence official, private detectives and Appin
Matthias Willenbrink, a German private investigator and former president of the World Association of Detectives, said he received one such spy proposal from Appin around that time.
Willenbrink said he would not normally use hackers and worked with Appin only once, amid a high-stakes inheritance dispute in 2012 for a wealthy German businessman. The client, who Willenbrink declined to name, wanted to know who was trying to blackmail him anonymously.
Willenbrink was tasked with identifying the culprit. He said he paid Appin about $3,000 to successfully get into the target’s email account. “I was deeply impressed,” said Willenbrink, who solved the case. “They sent me all their communications in three days.”
The Indian hackers were recruited in big name lawsuits too.
Around the time that Willenbrink was hunting the blackmailer, Israeli private detective Aviram Halevi hired Appin for a “considerable amount” to hack a Korean businessman amid a legal dispute over the rights to distribute KIA Corp cars in Israel, according to a
issued last year in Tel Aviv.
The judge overseeing the case ordered Halevi to pay compensation and destroy the hacked data. Halevi, who admitted to hiring the Indian hackers in
, declined to comment. A KIA spokesperson also declined to discuss the case. An attorney for the Korean victim didn’t return emails.
Several India-based cyber defense training outfits still use the Appin name – the legacy of a previous franchise model – but there’s no suggestion those firms are involved in hacking. Appin itself largely disappeared from the internet after the publication of a 2013 cybersecurity
which connected it to alleged hacking.
Rajat Khare, Appin’s co-founder and the former head of several Appin companies, including the Appin Security Group, did not respond to messages seeking an interview. His attorney denied any wrongdoing and said Khare “will not comment on a company he left ten or so years ago.”
As Appin’s reputation grew, so did its competition. Gupta was part of a cohort of Appin alumni who left the firm around 2012 to found similar companies.
“If you want this information, I can get it.”
Another Indian spy firm registered within a few months of BellTroX was CyberRoot Risk Advisory Private Ltd, based in the Delhi suburb of Gurugram, two former employees and two private investigators familiar with the matter told Reuters.
Appin, BellTroX and CyberRoot have shared computer infrastructure and staff, according to
and cybersecurity researchers. LinkedIn, Google and Mandiant researchers who reviewed Reuters’ data said it shows a mix of hacking activity linked to the companies between 2013 and 2020.
CyberRoot has not responded to messages seeking comment. There was no trace of CyberRoot or BellTroX at the addresses listed for the firms when a Reuters reporter visited recently. Neighbors said they were unfamiliar with the companies.
When Reuters contacted Gupta two years ago, he denied wrongdoing. He was no spy, he said, although he acknowledged he helped private detectives with their IT. “It’s not a big deal to provide them a little technical support,” he said. “Downloading mailboxes can be a part of it.”
In 2017, one of those mailboxes found its way into a $1.5 billion international legal battle.
Hacking the ‘real truth’
That June 11, an explosive email landed in the inbox of international arbitrators weighing the fate of lucrative Nigerian oil fields.
, entitled “The real truth about Pan Ocean Oil vs Nigeria,” seemed to torpedo the Nigerian government’s case in a lawsuit that pitted it against the heirs of Italian businessman Vittorio Fabbri over control of the Pan Ocean Oil Corporation Ltd.
Fabbri had bought the company in 1983, allowing him to pump crude oil in a block of Niger Delta fields known as OML-98. A power struggle later saw him frozen out of the company in favor of local management. After he died in 1998, his heirs fought to regain control, eventually accusing government officials of supporting efforts to oust them.
In 2013 the Fabbris took the fight to the Washington-based International Centre for Settlement of Investment Disputes, which arbitrates legal fights between investors and governments. Patrizio Fabbri, Vittorio’s son, told Reuters it was a bid to pull the litigation out of slow-moving Nigerian courts and extract $1.5 billion in compensation.
The mysterious June 11 email appeared to promise victory for the Fabbri side. Attached were documents from Nigeria’s legal team addressed to the managing director of Pan Ocean, asking him to reimburse the government’s legal fees. “I wish to remind you of the outstanding fees due to my firm,” one of the documents
, requesting that “a sizeable portion” be “paid immediately.”
The Fabbris saw the request as a key admission because their case hinged on proving that Pan Ocean and the Nigerian government had colluded to deny the family control of the company.
Bizarrely, the email appeared to have been sent to the arbitrators by Oluwasina Ogungbade, an attorney for the Nigerian government. The lawyer seemed to be sabotaging his client’s case. Patrizio said he was thrilled to learn of the apparent admission.
“Wow,” he recalled thinking. “Finally somebody in Nigeria is honest.”
In interviews with Reuters, Ogungbade declined to address the documents’ authenticity but did say he never sent them to the tribunal. Instead, he said, hackers stole the documents, created a fake email in his name and used it to send the material to the arbitrators.
An October 2017 Nigerian police report reviewed by Reuters backs his account,
“there is a strong suspicion that some unknown suspect(s) were the authors” of the message.
Pan Ocean and Nigerian officials did not respond to messages seeking comment.
The Indian hacking records reviewed by Reuters fill the gaps in the story.
Gupta’s BellTroX made repeated attempts to hack Ogungbade’s account. Also targeted were more than 100 employees of Pan Ocean and other lawyers for the Nigerian government, according to the Indian hit list and other data gathered by cybersecurity researchers.
Shortly after, BellTroX created a WikiLeaks-style website titled Nigeriaoilleaks.com, promising to expose corrupt Nigerian politicians and sharing a larger cache of stolen Pan Ocean emails for download.
Over Ogungbade’s objections, the tribunal
the files sent under his name, although it warned that it “may decide to give the documents little or no weight” if their provenance remained in doubt.
In 2020 the tribunal ruled against the Fabbri family, finding that the government wasn’t a party to the takeover; the stolen emails were barely mentioned in
Still, Ogungbade believes the leaks convinced arbitrators to deny the Nigerian government most of its legal costs. While Reuters couldn’t independently verify that claim, the government was awarded just $660,000 of the $3.8 million it had sought.
Reuters wasn’t able to learn who commissioned the hack. Patrizio Fabbri said he had “nothing to do” with it. His family’s Nigerian lawyer, Olasupo Shasore, said he and colleagues were “all confounded” by their sudden stroke of luck.
Such high-stakes court cases can feature multiple third parties, including litigation financiers, with an interest in the outcome. Two of the tribunal’s arbitrators – Boston University professor William Park and arbitrator Julian Lew – did not respond when contacted by Reuters. The third, former Kenyan High Court judge Edward Torgbor, declined comment.
Torgbor had aired concerns about the leak, however. In a 2018 minority opinion he
that accepting documents of “dubious character” posed a “grave risk” to the tribunal’s integrity. “How does the Tribunal discover or uncover the ‘real truth’ from an unknown person whose own identity and probity are under cover?”
As India’s mercenary hacking industry grows, lawyers around the globe are increasingly grappling with similar questions.
As Reuters contacted victims of the Indian spy campaign, targets involved in at least seven different lawsuits have each launched their own inquiries.
One of the most prominent was WeWork co-founder Adam Neumann, who hired New York’s Seiden Law Group after learning from Reuters that he and other company executives’ email accounts were targeted by the Indian hackers starting in August 2017, according to four people familiar with the matter.
The hacking attempts against Neumann unfolded as WeWork prepared to announce a $4.4 billion investment from Japan’s SoftBank, a giant infusion for a startup then burning through capital.
By the time Neumann learned of the hacking in 2020, the partnership had collapsed and he was suing SoftBank after being ousted from WeWork. SoftBank executives were quizzed by Neumann’s lawyers about the hacking in depositions just weeks before he received a roughly $500 million settlement from the Japanese investment giant, according to four people familiar with the matter. The executives denied any knowledge of the spying, the sources said.
Reuters was unable to determine who hired the Indian hackers to spy on Neumann or his colleagues. Representatives for Neumann and SoftBank did not return messages. WeWork said the hacking attempts were blocked but did not elaborate. The Seiden Law Group confirmed it had been hired by Neumann to investigate a cybersecurity issue; it declined further comment.
Private eyes alleged to have worked as middlemen between their clients and the Indian hackers are coming under increased pressure as victims and law enforcement push for answers.
One of them is former Israeli policeman Aviram Azari, who was arrested by the FBI in 2019. He recently
in New York to wire fraud, identity theft and hacking-related charges after hiring Indian spies to target “a large number” of people, including New York hedge fund employees, prosecutors said in a
Authorities have released few
about Azari’s scheme, but four people familiar with the matter say he hired BellTroX to carry out the hacking. Azari’s lawyer, Barry Zone,
in April that the private eye was prosecuted in relation to his work for the now-defunct German financial firm Wirecard. Zone has not responded to follow-up emails.
Former Wirecard boss Markus Braun was arrested in June 2020 following revelations that 1.9 billion euros were missing from the company’s accounts. The firm collapsed shortly thereafter.
Braun’s legal team declined to comment on Wirecard’s relationship with Azari or BellTroX. Braun has been accused of fraud and market manipulation, charges he denies. His trial is ongoing. Five lawyers for other former top Wirecard executives didn’t return messages.
The hit list seen by Reuters shows BellTrox heavily targeted short sellers, reporters and financial analysts who had voiced skepticism of Wirecard’s business practices before it went bust. In several instances, these hacks coincided with legal threats made by Wirecard.
Azari had other customers, U.S. prosecutors alleged in their filing, saying the Israeli also worked on behalf of numerous undisclosed American clients. “There are thousands of potential victims,” the filing
. Azari is due to be sentenced later this year, when he faces a prison term of at least two years plus expulsion from the country, prosecutors have said.
Yet the publicity around Azari’s arrest has not deterred India’s mercenary hacking industry. As recently as December, security researchers at Facebook
BellTroX-linked spies were still trying to penetrate the private files of unidentified attorneys across the world.
Jonas Rey, whose Geneva-based company Athena Intelligence is investigating Indian hacks on behalf of several victims, believes some officials in Delhi turn a blind eye to the country’s hack-for-hire market.
Asked about the hacker-for-hire industry, an official with India’s Ministry of Justice referred Reuters to a cybercrime hotline, which did not respond to a request for comment. Delhi police did not return repeated messages seeking comment on Gupta or his hacking business.
a fugitive from U.S. justice. ViSalus, the company that Gupta worked for in 2013, is currently
an up to $925 million class action judgment for placing unsolicited robocalls. Ryan Blair, ViSalus’ CEO,
the firm in 2016.
Blair’s former director of security, Carlo Pacileo, now runs a fitness retreat deep in the mountains of Japan’s Shikoku Island. Nathan Moser, the former private eye, is working on his mental health at a Utah rehabilitation facility following his time in Iraq and Afghanistan.
Reflecting on the Gupta episode recently, Moser said private eyes face immense pressure because they work in “a results-based industry.”
“Hacking is the easiest way to get results,” he said.