Little-known Indian IT “small workshop” spent seven years breaking into more than 10,000 mailboxes

Recently, Reuters exclusively reported that an Indian company called BellTroX InfoTech Services had hacked and monitored more than 10,000 email accounts over seven years, targeting politicians, industry tycoons, social groups and prominent institutions in many countries.

Who is BellTroX?

BellTroX, based in New Delhi, is not a well-known company. It was founded in 2011 as a provider of transcription and dictation services to hospitals, clinics, expert witnesses, independent practitioners and businesses, and has established partnerships with brands such as Philips and Olympus.

BellTroX describes itself as one of the world’s premier transcription providers and an industry leader. Its technical team is said to have many years of dictation experience and professional training in medical, legal and commercial transcription, offering high-quality, low-cost solutions through long-term relationships with customers.

But according to three former employees, an outside researcher and evidence found on the web, the company is not as simple as its profile suggests: BellTroX provides hacking services to clients, targeting European government officials, Bahamian gambling tycoons and prominent U.S. investment firms such as the private equity giant KKR and Muddy Waters, a well-known short-selling firm that has had a company delisted for more than 20 days.

In response, Carson Block, founder of Muddy Waters, said:

I was disappointed, but not surprised, to learn that we might be targeted by BellTroX customers.

Several other people familiar with the matter told Reuters that U.S. law enforcement has opened an investigation into BellTroX.

A small workshop mass-producing malicious mail

So how does this hacker-for-hire company, which “hangs out a sheep’s head to sell dog meat” (trades under a false front), actually operate?

BellTroX’s office is actually a small room above a shop, and the malicious e-mails were sent from this small workshop.

Some messages purported to come from colleagues or relatives of the target, while others were disguised as Facebook login requests or unsubscribe pages.

In an interview with Reuters, Fahmi Quadir, founder of the New York-based firm Safkhet Capital, said:

Shortly after the fund launched in early 2018, the number of e-mails began to surge. At first the messages were related to constellations and did not look malicious, but then they slowly started to escalate. Later, the quality of the mail improved, and the hackers began to imitate colleagues, family members or other short-sellers.

In fact, Safkhet Capital was one of 17 investment firms targeted by BellTroX between 2017 and 2019.

At the same time, some American advocacy groups were not spared either, such as Free Press, a pro-net-neutrality group, and Fight for the Future.

In response, Evan Greer, deputy director of the Fight for the Future organization, said:

When companies or politicians hire hackers like this to target civil society, our democratic process is undermined.

Reuters also reported that a large amount of data had previously been obtained from anonymous online service providers used by the hackers: a “hit list” of targets and specific times.

A Reuters review of emails received by the targeted groups found that BellTroX sent tens of thousands of malicious messages between 2013 and 2020 to trick victims into giving up their passwords.

Reuters is understood to have seen South African judges, Mexican politicians, French lawyers and U.S. environmental groups on the hit list. As John Scott-Railton, a researcher at Citizen Lab, an Internet watchdog, puts it:

Hiring hackers is not as high-profile as government-backed spy groups, but it has to be acknowledged that the services of “cyber-mercenaries” have spread to various areas. Our investigation found that no department was immune.

According to the hit list, BellTroX targeted thousands of people; dozens of them did not respond to emails or declined to comment, so it is difficult to know how many were actually hooked.

Into the “Dark Basin”

At the same time, the relevant watchdogs have issued detailed reports substantiating the company’s suspected hacking.

It is worth noting that Citizen Lab, an Internet watchdog, spent more than two years piecing together the hacking group’s inner workings, culminating in the release of its report on June 9, 2020, local time.

The report states that Dark Basin is a hack-for-hire group that has targeted thousands of individuals on six continents (such as senior politicians, government prosecutors, corporate CEOs, journalists and human rights defenders) and hundreds of institutions, including nonprofits and hedge funds, and that Citizen Lab has identified it as the group behind the phishing.

Dark Basin has broadly targeted U.S. nonprofits, including those working on the campaign called #ExxonKnew, which claims that Exxon Mobil, the world’s largest non-government oil producer, hid information about climate change for decades.

John Scott-Railton, a research fellow at Citizen Lab, has said:

This is one of the biggest employment espionage activities ever.

The report also states that Citizen Lab has high confidence that BellTroX was involved in the espionage against the organizations mentioned above.

Specifically, Citizen Lab found that some BellTroX employees used personal documents (such as résumés) as bait when testing a URL-shortening service, and that this activity coincides with “Dark Basin.”

As shown in the figure below, the job responsibilities listed on one company employee’s LinkedIn profile are intriguing, including e-mail penetration, advertising, corporate espionage, sonic launch, and the provision of cyber intelligence.

They also posted on social media praising the attack techniques, along with screenshots of links tied to “Dark Basin.”

Also suspicious is that BellTroX and its employees maintain pages advertising “Ethical Hacking” and “Certified Ethical Hacker” services, which Citizen Lab sees as a euphemism used to promote the business online.

In addition, on June 7, 2020, local time, the BellTroX website began returning error messages, and some posts and content pointing to BellTroX’s hacking had been deleted.

The report also revealed important information about Sumit Gupta, owner and director of BellTroX.

In 2015, the U.S. Department of Justice indicted several U.S. private investigators and an Indian national over a hack-for-hire scheme. That Indian national was Sumit Gupta.

The U.S. Department of Justice noted that Sumit Gupta used the alias Sumit Vishnoi. Although there is no record of Sumit Gupta being arrested on those charges, someone using the name Sumit Vishnoi has posted online references to BellTroX.

It is not hard to see that this information shows Sumit Gupta to be inextricably linked to hacking groups.

In fact, after learning of the news, Reuters also contacted Sumit Gupta (below), who declined to disclose customer information and denied any wrongdoing:

I didn’t help customers access anything; they provided me with the details, and I just helped them download the mail. I don’t know where some of the details came from, but I’m just providing technical support to my customers.

However, according to Citizen Lab, the LinkedIn pages of BellTroX and its employees carry hundreds of endorsements from corporate intelligence and private investigation professionals in various fields (LinkedIn’s endorsement feature lets users vouch for others’ business, personal skills and expertise), including:

A Canadian government official;

An investigator at the United States Federal Trade Commission (a former U.S. Customs and Border Patrol contract investigator);

Numerous current law enforcement officials in U.S. states and localities;

Numerous private detectives (many of whom have served in the FBI, the police, the military and other government departments).

Of course, those who endorse the company and its employees do not necessarily have any contract with BellTroX, but Bart Santos of Bulldog Siago, a leading U.S. detective agency, told Reuters that he had previously received unsolicited advertisements for hacking services from India, including one from a man claiming to be a former BellTroX employee who offered “data penetration” and “email penetration” services.

In fact, many detectives and investigators appear to have a close relationship with this little-known IT company, which shows that BellTroX is by no means just a “world-leading provider of transcription services.”